* [zeus][PATCH 01/32] python3: Upgrade 3.7.7 -> 3.7.8
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 02/32] timezone: upgrade 2019c -> 2020a Anuj Mittal
` (31 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Adrian Bunk <bunk@stusta.de>
Backported patch removed.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
...20-8492-Fix-AbstractBasicAuthHandler.patch | 248 ------------------
.../{python3_3.7.7.bb => python3_3.7.8.bb} | 5 +-
2 files changed, 2 insertions(+), 251 deletions(-)
delete mode 100644 meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
rename meta/recipes-devtools/python/{python3_3.7.7.bb => python3_3.7.8.bb} (98%)
diff --git a/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch b/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
deleted file mode 100644
index e16b99bcb9..0000000000
--- a/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
+++ /dev/null
@@ -1,248 +0,0 @@
-From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001
-From: Victor Stinner <vstinner@python.org>
-Date: Thu, 2 Apr 2020 02:52:20 +0200
-Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler
- (GH-18284)
-
-Upstream-Status: Backport
-(https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
-
-CVE: CVE-2020-8492
-
-The AbstractBasicAuthHandler class of the urllib.request module uses
-an inefficient regular expression which can be exploited by an
-attacker to cause a denial of service. Fix the regex to prevent the
-catastrophic backtracking. Vulnerability reported by Ben Caller
-and Matt Schwager.
-
-AbstractBasicAuthHandler of urllib.request now parses all
-WWW-Authenticate HTTP headers and accepts multiple challenges per
-header: use the realm of the first Basic challenge.
-
-Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
-Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
----
- Lib/test/test_urllib2.py | 90 ++++++++++++-------
- Lib/urllib/request.py | 69 ++++++++++----
- .../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | 3 +
- .../2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 5 ++
- 4 files changed, 115 insertions(+), 52 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
- create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-
-diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
-index 8abedaac98..e69ac3e213 100644
---- a/Lib/test/test_urllib2.py
-+++ b/Lib/test/test_urllib2.py
-@@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase):
- bypass = {'exclude_simple': True, 'exceptions': []}
- self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
-
-- def test_basic_auth(self, quote_char='"'):
-- opener = OpenerDirector()
-- password_manager = MockPasswordManager()
-- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-- realm = "ACME Widget Store"
-- http_handler = MockHTTPHandler(
-- 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' %
-- (quote_char, realm, quote_char))
-- opener.add_handler(auth_handler)
-- opener.add_handler(http_handler)
-- self._test_basic_auth(opener, auth_handler, "Authorization",
-- realm, http_handler, password_manager,
-- "http://acme.example.com/protected",
-- "http://acme.example.com/protected",
-- )
--
-- def test_basic_auth_with_single_quoted_realm(self):
-- self.test_basic_auth(quote_char="'")
--
-- def test_basic_auth_with_unquoted_realm(self):
-- opener = OpenerDirector()
-- password_manager = MockPasswordManager()
-- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-- realm = "ACME Widget Store"
-- http_handler = MockHTTPHandler(
-- 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm)
-- opener.add_handler(auth_handler)
-- opener.add_handler(http_handler)
-- with self.assertWarns(UserWarning):
-+ def check_basic_auth(self, headers, realm):
-+ with self.subTest(realm=realm, headers=headers):
-+ opener = OpenerDirector()
-+ password_manager = MockPasswordManager()
-+ auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-+ body = '\r\n'.join(headers) + '\r\n\r\n'
-+ http_handler = MockHTTPHandler(401, body)
-+ opener.add_handler(auth_handler)
-+ opener.add_handler(http_handler)
- self._test_basic_auth(opener, auth_handler, "Authorization",
-- realm, http_handler, password_manager,
-- "http://acme.example.com/protected",
-- "http://acme.example.com/protected",
-- )
-+ realm, http_handler, password_manager,
-+ "http://acme.example.com/protected",
-+ "http://acme.example.com/protected")
-+
-+ def test_basic_auth(self):
-+ realm = "realm2@example.com"
-+ realm2 = "realm2@example.com"
-+ basic = f'Basic realm="{realm}"'
-+ basic2 = f'Basic realm="{realm2}"'
-+ other_no_realm = 'Otherscheme xxx'
-+ digest = (f'Digest realm="{realm2}", '
-+ f'qop="auth, auth-int", '
-+ f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
-+ f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
-+ for realm_str in (
-+ # test "quote" and 'quote'
-+ f'Basic realm="{realm}"',
-+ f"Basic realm='{realm}'",
-+
-+ # charset is ignored
-+ f'Basic realm="{realm}", charset="UTF-8"',
-+
-+ # Multiple challenges per header
-+ f'{basic}, {basic2}',
-+ f'{basic}, {other_no_realm}',
-+ f'{other_no_realm}, {basic}',
-+ f'{basic}, {digest}',
-+ f'{digest}, {basic}',
-+ ):
-+ headers = [f'WWW-Authenticate: {realm_str}']
-+ self.check_basic_auth(headers, realm)
-+
-+ # no quote: expect a warning
-+ with support.check_warnings(("Basic Auth Realm was unquoted",
-+ UserWarning)):
-+ headers = [f'WWW-Authenticate: Basic realm={realm}']
-+ self.check_basic_auth(headers, realm)
-+
-+ # Multiple headers: one challenge per header.
-+ # Use the first Basic realm.
-+ for challenges in (
-+ [basic, basic2],
-+ [basic, digest],
-+ [digest, basic],
-+ ):
-+ headers = [f'WWW-Authenticate: {challenge}'
-+ for challenge in challenges]
-+ self.check_basic_auth(headers, realm)
-
- def test_proxy_basic_auth(self):
- opener = OpenerDirector()
-diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
-index 7fe50535da..2a3d71554f 100644
---- a/Lib/urllib/request.py
-+++ b/Lib/urllib/request.py
-@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler:
-
- # allow for double- and single-quoted realm values
- # (single quotes are a violation of the RFC, but appear in the wild)
-- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
-- 'realm=(["\']?)([^"\']*)\\2', re.I)
-+ rx = re.compile('(?:^|,)' # start of the string or ','
-+ '[ \t]*' # optional whitespaces
-+ '([^ \t]+)' # scheme like "Basic"
-+ '[ \t]+' # mandatory whitespaces
-+ # realm=xxx
-+ # realm='xxx'
-+ # realm="xxx"
-+ 'realm=(["\']?)([^"\']*)\\2',
-+ re.I)
-
- # XXX could pre-emptively send auth info already accepted (RFC 2617,
- # end of section 2, and section 1.2 immediately after "credentials"
-@@ -950,27 +957,51 @@ class AbstractBasicAuthHandler:
- self.passwd = password_mgr
- self.add_password = self.passwd.add_password
-
-+ def _parse_realm(self, header):
-+ # parse WWW-Authenticate header: accept multiple challenges per header
-+ found_challenge = False
-+ for mo in AbstractBasicAuthHandler.rx.finditer(header):
-+ scheme, quote, realm = mo.groups()
-+ if quote not in ['"', "'"]:
-+ warnings.warn("Basic Auth Realm was unquoted",
-+ UserWarning, 3)
-+
-+ yield (scheme, realm)
-+
-+ found_challenge = True
-+
-+ if not found_challenge:
-+ if header:
-+ scheme = header.split()[0]
-+ else:
-+ scheme = ''
-+ yield (scheme, None)
-+
- def http_error_auth_reqed(self, authreq, host, req, headers):
- # host may be an authority (without userinfo) or a URL with an
- # authority
-- # XXX could be multiple headers
-- authreq = headers.get(authreq, None)
-+ headers = headers.get_all(authreq)
-+ if not headers:
-+ # no header found
-+ return
-
-- if authreq:
-- scheme = authreq.split()[0]
-- if scheme.lower() != 'basic':
-- raise ValueError("AbstractBasicAuthHandler does not"
-- " support the following scheme: '%s'" %
-- scheme)
-- else:
-- mo = AbstractBasicAuthHandler.rx.search(authreq)
-- if mo:
-- scheme, quote, realm = mo.groups()
-- if quote not in ['"',"'"]:
-- warnings.warn("Basic Auth Realm was unquoted",
-- UserWarning, 2)
-- if scheme.lower() == 'basic':
-- return self.retry_http_basic_auth(host, req, realm)
-+ unsupported = None
-+ for header in headers:
-+ for scheme, realm in self._parse_realm(header):
-+ if scheme.lower() != 'basic':
-+ unsupported = scheme
-+ continue
-+
-+ if realm is not None:
-+ # Use the first matching Basic challenge.
-+ # Ignore following challenges even if they use the Basic
-+ # scheme.
-+ return self.retry_http_basic_auth(host, req, realm)
-+
-+ if unsupported is not None:
-+ raise ValueError("AbstractBasicAuthHandler does not "
-+ "support the following scheme: %r"
-+ % (scheme,))
-
- def retry_http_basic_auth(self, host, req, realm):
- user, pw = self.passwd.find_user_password(realm, host)
-diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
-new file mode 100644
-index 0000000000..be80ce79d9
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
-@@ -0,0 +1,3 @@
-+:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request`
-+now parses all WWW-Authenticate HTTP headers and accepts multiple challenges
-+per header: use the realm of the first Basic challenge.
-diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-new file mode 100644
-index 0000000000..9f2800581c
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-@@ -0,0 +1,5 @@
-+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
-+:mod:`urllib.request` module uses an inefficient regular expression which can
-+be exploited by an attacker to cause a denial of service. Fix the regex to
-+prevent the catastrophic backtracking. Vulnerability reported by Ben Caller
-+and Matt Schwager.
---
-2.24.1
-
diff --git a/meta/recipes-devtools/python/python3_3.7.7.bb b/meta/recipes-devtools/python/python3_3.7.8.bb
similarity index 98%
rename from meta/recipes-devtools/python/python3_3.7.7.bb
rename to meta/recipes-devtools/python/python3_3.7.8.bb
index 4d2578c817..5230fe0ee6 100644
--- a/meta/recipes-devtools/python/python3_3.7.7.bb
+++ b/meta/recipes-devtools/python/python3_3.7.8.bb
@@ -29,7 +29,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-Use-FLAG_REF-always-for-interned-strings.patch \
file://0001-test_locale.py-correct-the-test-output-format.patch \
file://0017-setup.py-do-not-report-missing-dependencies-for-disa.patch \
- file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \
"
SRC_URI_append_class-native = " \
@@ -41,8 +40,8 @@ SRC_URI_append_class-nativesdk = " \
file://0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch \
"
-SRC_URI[md5sum] = "172c650156f7bea68ce31b2fd01fa766"
-SRC_URI[sha256sum] = "06a0a9f1bf0d8cd1e4121194d666c4e28ddae4dd54346de6c343206599f02136"
+SRC_URI[md5sum] = "a224ef2249a18824f48fba9812f4006f"
+SRC_URI[sha256sum] = "43a543404b363f0037f89df8478f19db2dbc0d6f3ffee310bc2997fa71854a63"
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 02/32] timezone: upgrade 2019c -> 2020a
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 01/32] python3: Upgrade 3.7.7 -> 3.7.8 Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 03/32] gcr: depends on gnupg-native Anuj Mittal
` (30 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Pierre-Jean Texier <pjtexier@koncepto.io>
See full changelog https://github.com/eggert/tz/blob/master/NEWS#L11
(From OE-Core rev: 9d74b048e3a160d7a9a20e85817e9eb3a558af63)
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-extended/timezone/timezone.inc | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index f6bab1acb4..e542290c3c 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -4,7 +4,7 @@ SECTION = "base"
LICENSE = "PD & BSD & BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
-PV = "2019c"
+PV = "2020a"
SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \
http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \
@@ -12,7 +12,7 @@ SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz
UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
-SRC_URI[tzcode.md5sum] = "195a17454c5db05cab96595380650391"
-SRC_URI[tzcode.sha256sum] = "f6ebd3668e02d5ed223d3b7b1947561bf2d2da2f4bd1db61efefd9e06c167ed4"
-SRC_URI[tzdata.md5sum] = "f6987e6dfdb2eb83a1b5076a50b80894"
-SRC_URI[tzdata.sha256sum] = "79c7806dab09072308da0e3d22c37d3b245015a591891ea147d3b133b60ffc7c"
+SRC_URI[tzcode.md5sum] = "f87c3477e85a5c4b00df0def6c6a0055"
+SRC_URI[tzcode.sha256sum] = "7d2af7120ee03df71fbca24031ccaf42404752e639196fe93c79a41b38a6d669"
+SRC_URI[tzdata.md5sum] = "96a985bb8eeab535fb8aa2132296763a"
+SRC_URI[tzdata.sha256sum] = "547161eca24d344e0b5f96aff6a76b454da295dc14ed4ca50c2355043fb899a2"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 03/32] gcr: depends on gnupg-native
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 01/32] python3: Upgrade 3.7.7 -> 3.7.8 Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 02/32] timezone: upgrade 2019c -> 2020a Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 04/32] file: add bzip2-replacement-native to DEPENDS to fix sstate issue Anuj Mittal
` (29 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
It fails to build gcr if no commmand gpg on build host:
| meson.build:44:0: ERROR: Program(s) ['gpg2', 'gpg'] not found or not executable
Add dependency gnupg-native to fix the error.
(From OE-Core rev: da7360247995d7c8e79dfcaa0c0761952a9013f1)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
(cherry picked from commit e4a6eda4c246b2bca059defed796bdab19a7ab5f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-gnome/gcr/gcr_3.28.1.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-gnome/gcr/gcr_3.28.1.bb b/meta/recipes-gnome/gcr/gcr_3.28.1.bb
index 2299199c31..64b0569f04 100644
--- a/meta/recipes-gnome/gcr/gcr_3.28.1.bb
+++ b/meta/recipes-gnome/gcr/gcr_3.28.1.bb
@@ -5,7 +5,7 @@ BUGTRACKER = "https://bugzilla.gnome.org/"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605"
-DEPENDS = "intltool-native gtk+3 p11-kit glib-2.0 libgcrypt \
+DEPENDS = "intltool-native gtk+3 p11-kit glib-2.0 libgcrypt gnupg-native \
${@bb.utils.contains('GI_DATA_ENABLED', 'True', 'libxslt-native', '', d)}"
inherit gnomebase gtk-icon-cache gtk-doc distro_features_check upstream-version-is-even vala gobject-introspection
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 04/32] file: add bzip2-replacement-native to DEPENDS to fix sstate issue
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (2 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 03/32] gcr: depends on gnupg-native Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 05/32] cve-check: Run it after do_fetch Anuj Mittal
` (28 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Jan-Simon Moeller <dl9pf@gmx.de>
file-native when built on a Debian 10 host will embed a dependency to
'libbz2.so.1.0' (instead of 'libbz2.so.1'). This can cause issues
when sharing the sstate between hosts e.g.:
recipe-sysroot-native/usr/lib/rpm/rpmdeps:
error while loading shared libraries: libbz2.so.1.0: \
cannot open shared object file: No such file or directory
To avoid this situation, let's add the bzip2-replacement-native to the
file recipe's DEPENDS_class-native .
Details in https://bugzilla.yoctoproject.org/show_bug.cgi?id=13915 .
(From OE-Core rev: 5a2bc3bfa9e1a4f37b6e26a5c40a4a9c025d03f1)
Signed-off-by: Jan-Simon Moeller <dl9pf@gmx.de>
(cherry picked from commit 4a996574464028bd5d57b90920d0887d1a81e9e9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-devtools/file/file_5.37.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/file/file_5.37.bb b/meta/recipes-devtools/file/file_5.37.bb
index 60fc66131e..eb0f40b54d 100644
--- a/meta/recipes-devtools/file/file_5.37.bb
+++ b/meta/recipes-devtools/file/file_5.37.bb
@@ -9,7 +9,7 @@ LICENSE = "BSD"
LIC_FILES_CHKSUM = "file://COPYING;beginline=2;md5=0251eaec1188b20d9a72c502ecfdda1b"
DEPENDS = "zlib file-replacement-native"
-DEPENDS_class-native = "zlib-native"
+DEPENDS_class-native = "zlib-native bzip2-replacement-native"
# Blacklist a bogus tag in upstream check
UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 05/32] cve-check: Run it after do_fetch
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (3 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 04/32] file: add bzip2-replacement-native to DEPENDS to fix sstate issue Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 06/32] libexif: fix CVE-2020-13114 Anuj Mittal
` (27 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Khem Raj <raj.khem@gmail.com>
Certain recipes e.g. bash readline ( from meta-gplv2 ) download patches instead of having them in
metadata, this could fail cve_check
ERROR: readline-5.2-r9 do_cve_check: File Not found: qemuarm/build/../downloads/readline52-001
This patch ensures that download is done before running CVE scan, even
though these will be external patches and may not contain CVE tags as it
expects, but it will fix the run failures as seen above
(From OE-Core rev: dbf143d79476e54e8da93101fc16eaedeec88362)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e406fcb6c609a0d2456d7da0d2406d2d9fa52dd2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/classes/cve-check.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 2a530a0489..556ac6e67f 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -65,7 +65,7 @@ python do_cve_check () {
}
-addtask cve_check before do_build
+addtask cve_check before do_build after do_fetch
do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db"
do_cve_check[nostamp] = "1"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 06/32] libexif: fix CVE-2020-13114
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (4 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 05/32] cve-check: Run it after do_fetch Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 07/32] cve-check: include epoch in product version output Anuj Mittal
` (26 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
(From OE-Core rev: 2e497029ee00babbc50f3c1d99580230bc46155c)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../libexif/libexif/CVE-2020-13114.patch | 73 +++++++++++++++++++
.../recipes-support/libexif/libexif_0.6.21.bb | 4 +-
2 files changed, 76 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
diff --git a/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
new file mode 100644
index 0000000000..06b8b46c21
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
@@ -0,0 +1,73 @@
+From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 16 May 2020 19:32:30 +0200
+Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote
+
+ subtags.
+
+A malicious file could be crafted to cause extremely large values in some
+tags without tripping any buffer range checks. This is bad with the libexif
+representation of Canon MakerNotes because some arrays are turned into
+individual tags that the application must loop around.
+
+The largest value I've seen for failsafe_size in a (very small) sample of valid
+Canon files is <5000. The limit is set two orders of magnitude larger to avoid
+tripping up falsely in case some models use much larger values.
+
+Patch from Google.
+
+CVE-2020-13114
+
+Upstream-Status: Backport [https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab]
+CVE: CVE-2020-13114
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
+index eb53598..72fd7a3 100644
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,9 @@
+
+ #define DEBUG
+
++/* Total size limit to prevent abuse by DoS */
++#define FAILSAFE_SIZE_MAX 1000000L
++
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+ ExifShort c;
+ size_t i, tcount, o, datao;
++ long failsafe_size = 0;
+
+ if (!n || !buf || !buf_size) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ memcpy (n->entries[tcount].data, buf + dataofs, s);
+ }
+
++ /* Track the size of decoded tag data. A malicious file could
++ * be crafted to cause extremely large values here without
++ * tripping any buffer range checks. This is especially bad
++ * with the libexif representation of Canon MakerNotes because
++ * some arrays are turned into individual tags that the
++ * application must loop around. */
++ failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
++
++ if (failsafe_size > FAILSAFE_SIZE_MAX) {
++ /* Abort if the total size of the data in the tags extraordinarily large, */
++ exif_mem_free (ne->mem, n->entries[tcount].data);
++ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
++ "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
++ failsafe_size, FAILSAFE_SIZE_MAX);
++ break;
++ }
++
+ /* Tag was successfully parsed */
+ ++tcount;
+ }
diff --git a/meta/recipes-support/libexif/libexif_0.6.21.bb b/meta/recipes-support/libexif/libexif_0.6.21.bb
index d847beab18..3f6fa32b25 100644
--- a/meta/recipes-support/libexif/libexif_0.6.21.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
file://CVE-2017-7544.patch \
file://CVE-2016-6328.patch \
- file://CVE-2018-20030.patch"
+ file://CVE-2018-20030.patch \
+ file://CVE-2020-13114.patch \
+"
SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 07/32] cve-check: include epoch in product version output
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (5 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 06/32] libexif: fix CVE-2020-13114 Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 08/32] patchelf: Add patch to address corrupt shared library issue Anuj Mittal
` (25 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Ralph Siemsen <ralph.siemsen@linaro.org>
In the generated cve.log files, include the epoch in the product
version. This better matches how versions are displayed elsewhere,
in particular the bb.warn("Found unpatched CVE...") that appears
on the terminal when CVEs are found.
(From OE-Core rev: 99f6de1c74b581054c74c6b4598a5d47facc9964)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
(cherry picked from commit e1c3c0b6e5b01304e2127f5058986697e82adf93)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/classes/cve-check.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 556ac6e67f..514897e8b8 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -301,7 +301,7 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
for cve in sorted(cve_data):
write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
- write_string += "PACKAGE VERSION: %s\n" % d.getVar("PV")
+ write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
write_string += "CVE: %s\n" % cve
if cve in whitelisted:
write_string += "CVE STATUS: Whitelisted\n"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 08/32] patchelf: Add patch to address corrupt shared library issue
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (6 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 07/32] cve-check: include epoch in product version output Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 09/32] vim: _FORTIFY_SOURCE=2 be gone Anuj Mittal
` (24 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
patchelf can corrupt shared libraries if the program headers don't
immediately follow the elf header. Add a patch submitted upstream
to address this.
(From OE-Core rev: faaf5f34332290708f3720a5488b3d1549d9e95a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e7811c787bbe2f5d49b3506309499acc27189988)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../patchelf/patchelf/fix-phdrs.patch | 37 +++++++++++++++++++
.../patchelf/patchelf_0.10.bb | 1 +
2 files changed, 38 insertions(+)
create mode 100644 meta/recipes-devtools/patchelf/patchelf/fix-phdrs.patch
diff --git a/meta/recipes-devtools/patchelf/patchelf/fix-phdrs.patch b/meta/recipes-devtools/patchelf/patchelf/fix-phdrs.patch
new file mode 100644
index 0000000000..d087bd7855
--- /dev/null
+++ b/meta/recipes-devtools/patchelf/patchelf/fix-phdrs.patch
@@ -0,0 +1,37 @@
+When running patchelf on some existing patchelf'd binaries to change to longer
+RPATHS, ldd would report the binaries as invalid. The output of objdump -x on
+those libraryies should show the top of the .dynamic section is getting trashed,
+something like:
+
+0x600000001 0x0000000000429000
+0x335000 0x0000000000335000
+0xc740 0x000000000000c740
+0x1000 0x0000000000009098
+SONAME libglib-2.0.so.0
+
+(which should be RPATH and DT_NEEDED entries)
+
+This was tracked down to the code which injects the PT_LOAD section.
+
+The issue is that if the program headers were previously relocated to the end
+of the file which was how patchelf operated previously, the relocation code
+wouldn't work properly on a second run as it now assumes they're located after
+the elf header. This change forces them back to immediately follow the elf
+header which is where the code has made space for them.
+
+Upstream-Status: Submitted [https://github.com/NixOS/patchelf/pull/202]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+RP 2020/6/2
+
+Index: git/src/patchelf.cc
+===================================================================
+--- git.orig/src/patchelf.cc
++++ git/src/patchelf.cc
+@@ -762,6 +762,7 @@ void ElfFile<ElfFileParamNames>::rewrite
+ }
+
+ /* Add a segment that maps the replaced sections into memory. */
++ wri(hdr->e_phoff, sizeof(Elf_Ehdr));
+ phdrs.resize(rdi(hdr->e_phnum) + 1);
+ wri(hdr->e_phnum, rdi(hdr->e_phnum) + 1);
+ Elf_Phdr & phdr = phdrs[rdi(hdr->e_phnum) - 1];
diff --git a/meta/recipes-devtools/patchelf/patchelf_0.10.bb b/meta/recipes-devtools/patchelf/patchelf_0.10.bb
index cc983e033a..e4a604ec70 100644
--- a/meta/recipes-devtools/patchelf/patchelf_0.10.bb
+++ b/meta/recipes-devtools/patchelf/patchelf_0.10.bb
@@ -1,6 +1,7 @@
SRC_URI = "https://nixos.org/releases/${BPN}/${BPN}-${PV}/${BPN}-${PV}.tar.bz2 \
file://handle-read-only-files.patch \
file://fix-adjusting-startPage.patch \
+ file://fix-phdrs.patch \
"
LICENSE = "GPLv3"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 09/32] vim: _FORTIFY_SOURCE=2 be gone
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (7 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 08/32] patchelf: Add patch to address corrupt shared library issue Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 10/32] wpa-supplicant: remove service templates from SYSTEMD_SERVICE Anuj Mittal
` (23 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Joe Slater <joe.slater@windriver.com>
vim will abort in many places with this setting. Replace
it with the benign _FORTIFY_SOURCE=1.
(From OE-Core rev: d9de155f6452f916edd3131addd0c2eebaf4d639)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
(cherry picked from commit 18129cbaeddb3278efe9963718556e3765f06c1e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-support/vim/vim_8.1.1518.bb | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/meta/recipes-support/vim/vim_8.1.1518.bb b/meta/recipes-support/vim/vim_8.1.1518.bb
index 60946a181f..709b6ddb55 100644
--- a/meta/recipes-support/vim/vim_8.1.1518.bb
+++ b/meta/recipes-support/vim/vim_8.1.1518.bb
@@ -8,3 +8,8 @@ BBCLASSEXTEND = "native"
ALTERNATIVE_${PN}_append = " xxd"
ALTERNATIVE_TARGET[xxd] = "${bindir}/xxd"
ALTERNATIVE_LINK_NAME[xxd] = "${bindir}/xxd"
+
+# We override the default in security_flags.inc because vim (not vim-tiny!) will abort
+# in many places for _FORTIFY_SOURCE=2. Security flags become part of CC.
+#
+lcl_maybe_fortify = "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=1',d)}"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 10/32] wpa-supplicant: remove service templates from SYSTEMD_SERVICE
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (8 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 09/32] vim: _FORTIFY_SOURCE=2 be gone Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 11/32] encodings: clear postinst script Anuj Mittal
` (22 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
Remove service templates wpa_supplicant-nl80211@.service and
wpa_supplicant-wired@.service from SYSTEMD_SERVICE that they should NOT
be started/stopped by calling 'systemctl' in postinst and prerm scripts.
(From OE-Core rev: 7910a0d6f332253608767a9576a0d521dd87efd7)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
(cherry picked from commit fe9b8e50461ab00ab3ad8b065ebd32f0eea2a255)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../wpa-supplicant/wpa-supplicant_2.9.bb | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 2db09ad2c6..0e74d21a76 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -15,7 +15,7 @@ PACKAGECONFIG[openssl] = ",,openssl"
inherit pkgconfig systemd
-SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service wpa_supplicant-nl80211@.service wpa_supplicant-wired@.service"
+SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service"
SYSTEMD_AUTO_ENABLE = "disable"
SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
@@ -37,13 +37,13 @@ S = "${WORKDIR}/wpa_supplicant-${PV}"
PACKAGES_prepend = "wpa-supplicant-passphrase wpa-supplicant-cli "
FILES_wpa-supplicant-passphrase = "${bindir}/wpa_passphrase"
FILES_wpa-supplicant-cli = "${sbindir}/wpa_cli"
-FILES_${PN} += "${datadir}/dbus-1/system-services/*"
+FILES_${PN} += "${datadir}/dbus-1/system-services/* ${systemd_system_unitdir}/*"
CONFFILES_${PN} += "${sysconfdir}/wpa_supplicant.conf"
do_configure () {
${MAKE} -C wpa_supplicant clean
install -m 0755 ${WORKDIR}/defconfig wpa_supplicant/.config
-
+
if echo "${PACKAGECONFIG}" | grep -qw "openssl"; then
ssl=openssl
elif echo "${PACKAGECONFIG}" | grep -qw "gnutls"; then
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 11/32] encodings: clear postinst script
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (9 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 10/32] wpa-supplicant: remove service templates from SYSTEMD_SERVICE Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 12/32] mtd-utils: Fix return value of ubiformat Anuj Mittal
` (21 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
Postinst script from xorg-font-common.inc doesn't apply to this recipe.
So clear the postinst script of encodings.
(From OE-Core rev: ba94c908b99713ce115e9240df525c6442a60c7a)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
(cherry picked from commit 99ae6dbb7278dfd264453af852c108fa56a0d4e3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-graphics/xorg-font/encodings_1.0.5.bb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/meta/recipes-graphics/xorg-font/encodings_1.0.5.bb b/meta/recipes-graphics/xorg-font/encodings_1.0.5.bb
index a39609b5da..74014ff91b 100644
--- a/meta/recipes-graphics/xorg-font/encodings_1.0.5.bb
+++ b/meta/recipes-graphics/xorg-font/encodings_1.0.5.bb
@@ -19,3 +19,7 @@ SRC_URI[sha256sum] = "bd96e16143a044b19e87f217cf6a3763a70c561d1076aad6f6d862ec41
inherit allarch
EXTRA_OECONF += "--with-encodingsdir=${datadir}/fonts/X11/encodings"
+
+# postinst from .inc doesn't apply to this recipe
+pkg_postinst_${PN} () {
+}
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 12/32] mtd-utils: Fix return value of ubiformat
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (10 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 11/32] encodings: clear postinst script Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 13/32] bind: update 9.11.5-P4 -> 9.11.13 Anuj Mittal
` (20 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Otavio Salvador <otavio.salvador@gmail.com>
This changeset fixes a feature regression in ubiformat. Older versions
of ubiformat, when invoked with a flash-image, would return 0 in the
case no error was encountered. Upon upgrading to latest, it was
discovered that ubiformat returned 255 even without encountering an
error condition.
This changeset corrects the above issue and causes ubiformat, when given an
image file, to return 0 when no errors are detected.
Backport fix from 2.1.2
(From OE-Core rev: 3ee98b6c9ddd1dd0825245ca672236b7befb9859)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
(cherry picked from commit 7ebacd9cbaec98fbc406e8ae99c9805a24fdadc6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
...-utils-Fix-return-value-of-ubiformat.patch | 62 +++++++++++++++++++
meta/recipes-devtools/mtd/mtd-utils_git.bb | 1 +
2 files changed, 63 insertions(+)
create mode 100644 meta/recipes-devtools/mtd/mtd-utils/0001-mtd-utils-Fix-return-value-of-ubiformat.patch
diff --git a/meta/recipes-devtools/mtd/mtd-utils/0001-mtd-utils-Fix-return-value-of-ubiformat.patch b/meta/recipes-devtools/mtd/mtd-utils/0001-mtd-utils-Fix-return-value-of-ubiformat.patch
new file mode 100644
index 0000000000..d43f7e1a7a
--- /dev/null
+++ b/meta/recipes-devtools/mtd/mtd-utils/0001-mtd-utils-Fix-return-value-of-ubiformat.patch
@@ -0,0 +1,62 @@
+From 4d19bffcfd66e25d3ee74536ae2d2da7ad52e8e2 Mon Sep 17 00:00:00 2001
+From: Barry Grussling <barry@grussling.com>
+Date: Sun, 12 Jan 2020 12:33:32 -0800
+Subject: [PATCH] mtd-utils: Fix return value of ubiformat
+Organization: O.S. Systems Software LTDA.
+
+This changeset fixes a feature regression in ubiformat. Older versions of
+ubiformat, when invoked with a flash-image, would return 0 in the case no error
+was encountered. Upon upgrading to latest, it was discovered that ubiformat
+returned 255 even without encountering an error condition.
+
+This changeset corrects the above issue and causes ubiformat, when given an
+image file, to return 0 when no errors are detected.
+
+Tested by running through my loading scripts and verifying ubiformat returned
+0.
+
+Upstream-Status: Backport [2.1.2]
+
+Signed-off-by: Barry Grussling <barry@grussling.com>
+Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
+Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
+---
+ ubi-utils/ubiformat.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/ubi-utils/ubiformat.c b/ubi-utils/ubiformat.c
+index a90627c..5377b12 100644
+--- a/ubi-utils/ubiformat.c
++++ b/ubi-utils/ubiformat.c
+@@ -550,6 +550,7 @@ static int format(libmtd_t libmtd, const struct mtd_dev_info *mtd,
+ struct ubi_vtbl_record *vtbl;
+ int eb1 = -1, eb2 = -1;
+ long long ec1 = -1, ec2 = -1;
++ int ret = -1;
+
+ write_size = UBI_EC_HDR_SIZE + mtd->subpage_size - 1;
+ write_size /= mtd->subpage_size;
+@@ -643,8 +644,10 @@ static int format(libmtd_t libmtd, const struct mtd_dev_info *mtd,
+ if (!args.quiet && !args.verbose)
+ printf("\n");
+
+- if (novtbl)
++ if (novtbl) {
++ ret = 0;
+ goto out_free;
++ }
+
+ if (eb1 == -1 || eb2 == -1) {
+ errmsg("no eraseblocks for volume table");
+@@ -669,7 +672,7 @@ static int format(libmtd_t libmtd, const struct mtd_dev_info *mtd,
+
+ out_free:
+ free(hdr);
+- return -1;
++ return ret;
+ }
+
+ int main(int argc, char * const argv[])
+--
+2.27.0
+
diff --git a/meta/recipes-devtools/mtd/mtd-utils_git.bb b/meta/recipes-devtools/mtd/mtd-utils_git.bb
index 810fe40f4e..d1658a739b 100644
--- a/meta/recipes-devtools/mtd/mtd-utils_git.bb
+++ b/meta/recipes-devtools/mtd/mtd-utils_git.bb
@@ -15,6 +15,7 @@ PV = "2.1.1"
SRCREV = "4443221ce9b88440cd9f5bb78e6fe95621d36c8a"
SRC_URI = "git://git.infradead.org/mtd-utils.git \
file://add-exclusion-to-mkfs-jffs2-git-2.patch \
+ file://0001-mtd-utils-Fix-return-value-of-ubiformat.patch \
"
S = "${WORKDIR}/git/"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 13/32] bind: update 9.11.5-P4 -> 9.11.13
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (11 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 12/32] mtd-utils: Fix return value of ubiformat Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 14/32] bind: update to 9.11.19 Anuj Mittal
` (19 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Alexander Kanavin <alex.kanavin@gmail.com>
Drop backports.
Drop 0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch and
0001-lib-dns-gen.c-fix-too-long-error.patch as problem is fixed
upstream.
(From OE-Core rev: 6965ec5c491e71d5951dfb58fc060bd0b717e33d)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../bind/0001-bind-fix-CVE-2019-6471.patch | 64 --
....in-remove-useless-L-use_openssl-lib.patch | 18 +-
...01-fix-enforcement-of-tcp-clients-v1.patch | 60 --
...c-extend-DIRNAMESIZE-from-256-to-512.patch | 22 -
...001-lib-dns-gen.c-fix-too-long-error.patch | 31 -
...p-clients-could-still-be-exceeded-v2.patch | 670 -------------
...rence-counter-for-pipeline-groups-v3.patch | 278 ------
...accounting-and-client-mortality-chec.patch | 512 ----------
...a-and-pipeline-refs-allow-special-ca.patch | 911 ------------------
...allowance-for-tcp-clients-interfaces.patch | 80 --
...perations-in-bin-named-client.c-with.patch | 140 ---
| 15 +-
.../{bind_9.11.5-P4.bb => bind_9.11.13.bb} | 20 +-
13 files changed, 20 insertions(+), 2801 deletions(-)
delete mode 100644 meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/0002-tcp-clients-could-still-be-exceeded-v2.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/0003-use-reference-counter-for-pipeline-groups-v3.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/0004-better-tcpquota-accounting-and-client-mortality-chec.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/0006-restore-allowance-for-tcp-clients-interfaces.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/0007-Replace-atomic-operations-in-bin-named-client.c-with.patch
rename meta/recipes-connectivity/bind/{bind_9.11.5-P4.bb => bind_9.11.13.bb} (85%)
diff --git a/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch b/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch
deleted file mode 100644
index 2fed99e1bb..0000000000
--- a/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Backport patch to fix CVE-2019-6471.
-
-Ref:
-https://security-tracker.debian.org/tracker/CVE-2019-6471
-
-CVE: CVE-2019-6471
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 3a9c7bb80d4a609b86427406d9dd783199920b5b Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Tue, 19 Mar 2019 14:14:21 +1100
-Subject: [PATCH] move item_out test inside lock in dns_dispatch_getnext()
-
-(cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712)
----
- lib/dns/dispatch.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
-index 408beda367..3278db4a07 100644
---- a/lib/dns/dispatch.c
-+++ b/lib/dns/dispatch.c
-@@ -134,7 +134,7 @@ struct dns_dispentry {
- isc_task_t *task;
- isc_taskaction_t action;
- void *arg;
-- bool item_out;
-+ bool item_out;
- dispsocket_t *dispsocket;
- ISC_LIST(dns_dispatchevent_t) items;
- ISC_LINK(dns_dispentry_t) link;
-@@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
- disp = resp->disp;
- REQUIRE(VALID_DISPATCH(disp));
-
-- REQUIRE(resp->item_out == true);
-- resp->item_out = false;
--
- ev = *sockevent;
- *sockevent = NULL;
-
- LOCK(&disp->lock);
-+
-+ REQUIRE(resp->item_out == true);
-+ resp->item_out = false;
-+
- if (ev->buffer.base != NULL)
- free_buffer(disp, ev->buffer.base, ev->buffer.length);
- free_devent(disp, ev);
-@@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
- isc_task_send(disp->task[0], &disp->ctlevent);
- }
-
-+/*
-+ * disp must be locked.
-+ */
- static void
- do_cancel(dns_dispatch_t *disp) {
- dns_dispatchevent_t *ev;
---
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/0001-configure.in-remove-useless-L-use_openssl-lib.patch b/meta/recipes-connectivity/bind/bind/0001-configure.in-remove-useless-L-use_openssl-lib.patch
index 871bb2a5f6..9d31b98080 100644
--- a/meta/recipes-connectivity/bind/bind/0001-configure.in-remove-useless-L-use_openssl-lib.patch
+++ b/meta/recipes-connectivity/bind/bind/0001-configure.in-remove-useless-L-use_openssl-lib.patch
@@ -1,4 +1,4 @@
-From 950867d9fd3f690e271c8c807b6eed144b2935b2 Mon Sep 17 00:00:00 2001
+From 2325a92f1896a2a7f586611686801b41fbc91b50 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Mon, 27 Aug 2018 15:00:51 +0800
Subject: [PATCH] configure.in: remove useless `-L$use_openssl/lib'
@@ -10,15 +10,16 @@ and helpful for clean up host build path in isc-config.sh
Upstream-Status: Inappropriate [oe-core specific]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+
---
- configure.in | 2 +-
+ configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/configure.in b/configure.in
-index 54efc55..76ac0eb 100644
---- a/configure.in
-+++ b/configure.in
-@@ -1691,7 +1691,7 @@ If you don't want OpenSSL, use --without-openssl])
+diff --git a/configure.ac b/configure.ac
+index e85a5c6..2bbfc58 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1631,7 +1631,7 @@ If you don't want OpenSSL, use --without-openssl])
fi
;;
*)
@@ -27,6 +28,3 @@ index 54efc55..76ac0eb 100644
;;
esac
fi
---
-2.7.4
-
diff --git a/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch b/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch
deleted file mode 100644
index 48ae125f84..0000000000
--- a/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-Backport patch to fix CVE-2018-5743.
-
-Ref:
-https://security-tracker.debian.org/tracker/CVE-2018-5743
-
-CVE: CVE-2018-5743
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/ec2d50d]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From ec2d50da8d81814640e28593d912f4b96c7efece Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
-Date: Thu, 3 Jan 2019 14:17:43 +0100
-Subject: [PATCH 1/6] fix enforcement of tcp-clients (v1)
-
-tcp-clients settings could be exceeded in some cases by
-creating more and more active TCP clients that are over
-the set quota limit, which in the end could lead to a
-DoS attack by e.g. exhaustion of file descriptors.
-
-If TCP client we're closing went over the quota (so it's
-not attached to a quota) mark it as mortal - so that it
-will be destroyed and not set up to listen for new
-connections - unless it's the last client for a specific
-interface.
-
-(cherry picked from commit f97131d21b97381cef72b971b157345c1f9b4115)
-(cherry picked from commit 9689ffc485df8f971f0ad81ab8ab1f5389493776)
----
- bin/named/client.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/bin/named/client.c b/bin/named/client.c
-index d482da7121..0739dd48af 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -421,8 +421,19 @@ exit_check(ns_client_t *client) {
- isc_socket_detach(&client->tcpsocket);
- }
-
-- if (client->tcpquota != NULL)
-+ if (client->tcpquota != NULL) {
- isc_quota_detach(&client->tcpquota);
-+ } else {
-+ /*
-+ * We went over quota with this client, we don't
-+ * want to restart listening unless this is the
-+ * last client on this interface, which is
-+ * checked later.
-+ */
-+ if (TCP_CLIENT(client)) {
-+ client->mortal = true;
-+ }
-+ }
-
- if (client->timerset) {
- (void)isc_timer_reset(client->timer,
---
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch b/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch
deleted file mode 100644
index a8d601dcaa..0000000000
--- a/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Upstream-Status: Pending
-
-Subject: gen.c: extend DIRNAMESIZE from 256 to 512
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- lib/dns/gen.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: bind-9.11.3/lib/dns/gen.c
-===================================================================
---- bind-9.11.3.orig/lib/dns/gen.c
-+++ bind-9.11.3/lib/dns/gen.c
-@@ -130,7 +130,7 @@ static const char copyright[] =
- #define TYPECLASSBUF (TYPECLASSLEN + 1)
- #define TYPECLASSFMT "%" STR(TYPECLASSLEN) "[-0-9a-z]_%d"
- #define ATTRIBUTESIZE 256
--#define DIRNAMESIZE 256
-+#define DIRNAMESIZE 512
-
- static struct cc {
- struct cc *next;
diff --git a/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch b/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch
deleted file mode 100644
index 01874a4407..0000000000
--- a/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 5bc3167a8b714ec0c4a3f1c7f3b9411296ec0a23 Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Wed, 16 Sep 2015 20:23:47 -0700
-Subject: [PATCH] lib/dns/gen.c: fix too long error
-
-The 512 is a little short when build in deep dir, and cause "too long"
-error, use PATH_MAX if defined.
-
-Upstream-Status: Pending
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
----
- lib/dns/gen.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-Index: bind-9.11.3/lib/dns/gen.c
-===================================================================
---- bind-9.11.3.orig/lib/dns/gen.c
-+++ bind-9.11.3/lib/dns/gen.c
-@@ -130,7 +130,11 @@ static const char copyright[] =
- #define TYPECLASSBUF (TYPECLASSLEN + 1)
- #define TYPECLASSFMT "%" STR(TYPECLASSLEN) "[-0-9a-z]_%d"
- #define ATTRIBUTESIZE 256
-+#ifdef PATH_MAX
-+#define DIRNAMESIZE PATH_MAX
-+#else
- #define DIRNAMESIZE 512
-+#endif
-
- static struct cc {
- struct cc *next;
diff --git a/meta/recipes-connectivity/bind/bind/0002-tcp-clients-could-still-be-exceeded-v2.patch b/meta/recipes-connectivity/bind/bind/0002-tcp-clients-could-still-be-exceeded-v2.patch
deleted file mode 100644
index ca4e8b1a66..0000000000
--- a/meta/recipes-connectivity/bind/bind/0002-tcp-clients-could-still-be-exceeded-v2.patch
+++ /dev/null
@@ -1,670 +0,0 @@
-Backport patch to fix CVE-2018-5743.
-
-Ref:
-https://security-tracker.debian.org/tracker/CVE-2018-5743
-
-CVE: CVE-2018-5743
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/719f604]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 719f604e3fad5b7479bd14e2fa0ef4413f0a8fdc Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
-Date: Fri, 4 Jan 2019 12:50:51 +0100
-Subject: [PATCH 2/6] tcp-clients could still be exceeded (v2)
-
-the TCP client quota could still be ineffective under some
-circumstances. this change:
-
-- improves quota accounting to ensure that TCP clients are
- properly limited, while still guaranteeing that at least one client
- is always available to serve TCP connections on each interface.
-- uses more descriptive names and removes one (ntcptarget) that
- was no longer needed
-- adds comments
-
-(cherry picked from commit 924651f1d5e605cd186d03f4f7340bcc54d77cc2)
-(cherry picked from commit 55a7a458e30e47874d34bdf1079eb863a0512396)
----
- bin/named/client.c | 311 ++++++++++++++++++++-----
- bin/named/include/named/client.h | 14 +-
- bin/named/include/named/interfacemgr.h | 11 +-
- bin/named/interfacemgr.c | 8 +-
- 4 files changed, 267 insertions(+), 77 deletions(-)
-
-diff --git a/bin/named/client.c b/bin/named/client.c
-index 0739dd48af..a7b49a0f71 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -246,10 +246,11 @@ static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
- static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
- dns_dispatch_t *disp, bool tcp);
- static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
-- isc_socket_t *sock);
-+ isc_socket_t *sock, ns_client_t *oldclient);
- static inline bool
--allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr,
-- uint8_t ecs_addrlen, uint8_t *ecs_scope, dns_acl_t *acl);
-+allowed(isc_netaddr_t *addr, dns_name_t *signer,
-+ isc_netaddr_t *ecs_addr, uint8_t ecs_addrlen,
-+ uint8_t *ecs_scope, dns_acl_t *acl)
- static void compute_cookie(ns_client_t *client, uint32_t when,
- uint32_t nonce, const unsigned char *secret,
- isc_buffer_t *buf);
-@@ -405,8 +406,11 @@ exit_check(ns_client_t *client) {
- */
- INSIST(client->recursionquota == NULL);
- INSIST(client->newstate <= NS_CLIENTSTATE_READY);
-- if (client->nreads > 0)
-+
-+ if (client->nreads > 0) {
- dns_tcpmsg_cancelread(&client->tcpmsg);
-+ }
-+
- if (client->nreads != 0) {
- /* Still waiting for read cancel completion. */
- return (true);
-@@ -416,25 +420,58 @@ exit_check(ns_client_t *client) {
- dns_tcpmsg_invalidate(&client->tcpmsg);
- client->tcpmsg_valid = false;
- }
-+
- if (client->tcpsocket != NULL) {
- CTRACE("closetcp");
- isc_socket_detach(&client->tcpsocket);
-+
-+ if (client->tcpactive) {
-+ LOCK(&client->interface->lock);
-+ INSIST(client->interface->ntcpactive > 0);
-+ client->interface->ntcpactive--;
-+ UNLOCK(&client->interface->lock);
-+ client->tcpactive = false;
-+ }
- }
-
- if (client->tcpquota != NULL) {
-- isc_quota_detach(&client->tcpquota);
-- } else {
- /*
-- * We went over quota with this client, we don't
-- * want to restart listening unless this is the
-- * last client on this interface, which is
-- * checked later.
-+ * If we are not in a pipeline group, or
-+ * we are the last client in the group, detach from
-+ * tcpquota; otherwise, transfer the quota to
-+ * another client in the same group.
- */
-- if (TCP_CLIENT(client)) {
-- client->mortal = true;
-+ if (!ISC_LINK_LINKED(client, glink) ||
-+ (client->glink.next == NULL &&
-+ client->glink.prev == NULL))
-+ {
-+ isc_quota_detach(&client->tcpquota);
-+ } else if (client->glink.next != NULL) {
-+ INSIST(client->glink.next->tcpquota == NULL);
-+ client->glink.next->tcpquota = client->tcpquota;
-+ client->tcpquota = NULL;
-+ } else {
-+ INSIST(client->glink.prev->tcpquota == NULL);
-+ client->glink.prev->tcpquota = client->tcpquota;
-+ client->tcpquota = NULL;
- }
- }
-
-+ /*
-+ * Unlink from pipeline group.
-+ */
-+ if (ISC_LINK_LINKED(client, glink)) {
-+ if (client->glink.next != NULL) {
-+ client->glink.next->glink.prev =
-+ client->glink.prev;
-+ }
-+ if (client->glink.prev != NULL) {
-+ client->glink.prev->glink.next =
-+ client->glink.next;
-+ }
-+ ISC_LINK_INIT(client, glink);
-+ }
-+
- if (client->timerset) {
- (void)isc_timer_reset(client->timer,
- isc_timertype_inactive,
-@@ -455,15 +492,16 @@ exit_check(ns_client_t *client) {
- * that already. Check whether this client needs to remain
- * active and force it to go inactive if not.
- *
-- * UDP clients go inactive at this point, but TCP clients
-- * may remain active if we have fewer active TCP client
-- * objects than desired due to an earlier quota exhaustion.
-+ * UDP clients go inactive at this point, but a TCP client
-+ * will needs to remain active if no other clients are
-+ * listening for TCP requests on this interface, to
-+ * prevent this interface from going nonresponsive.
- */
- if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
- LOCK(&client->interface->lock);
-- if (client->interface->ntcpcurrent <
-- client->interface->ntcptarget)
-+ if (client->interface->ntcpaccepting == 0) {
- client->mortal = false;
-+ }
- UNLOCK(&client->interface->lock);
- }
-
-@@ -472,15 +510,17 @@ exit_check(ns_client_t *client) {
- * queue for recycling.
- */
- if (client->mortal) {
-- if (client->newstate > NS_CLIENTSTATE_INACTIVE)
-+ if (client->newstate > NS_CLIENTSTATE_INACTIVE) {
- client->newstate = NS_CLIENTSTATE_INACTIVE;
-+ }
- }
-
- if (NS_CLIENTSTATE_READY == client->newstate) {
- if (TCP_CLIENT(client)) {
- client_accept(client);
-- } else
-+ } else {
- client_udprecv(client);
-+ }
- client->newstate = NS_CLIENTSTATE_MAX;
- return (true);
- }
-@@ -492,41 +532,57 @@ exit_check(ns_client_t *client) {
- /*
- * We are trying to enter the inactive state.
- */
-- if (client->naccepts > 0)
-+ if (client->naccepts > 0) {
- isc_socket_cancel(client->tcplistener, client->task,
- ISC_SOCKCANCEL_ACCEPT);
-+ }
-
- /* Still waiting for accept cancel completion. */
-- if (! (client->naccepts == 0))
-+ if (! (client->naccepts == 0)) {
- return (true);
-+ }
-
- /* Accept cancel is complete. */
-- if (client->nrecvs > 0)
-+ if (client->nrecvs > 0) {
- isc_socket_cancel(client->udpsocket, client->task,
- ISC_SOCKCANCEL_RECV);
-+ }
-
- /* Still waiting for recv cancel completion. */
-- if (! (client->nrecvs == 0))
-+ if (! (client->nrecvs == 0)) {
- return (true);
-+ }
-
- /* Still waiting for control event to be delivered */
-- if (client->nctls > 0)
-+ if (client->nctls > 0) {
- return (true);
--
-- /* Deactivate the client. */
-- if (client->interface)
-- ns_interface_detach(&client->interface);
-+ }
-
- INSIST(client->naccepts == 0);
- INSIST(client->recursionquota == NULL);
-- if (client->tcplistener != NULL)
-+ if (client->tcplistener != NULL) {
- isc_socket_detach(&client->tcplistener);
-
-- if (client->udpsocket != NULL)
-+ if (client->tcpactive) {
-+ LOCK(&client->interface->lock);
-+ INSIST(client->interface->ntcpactive > 0);
-+ client->interface->ntcpactive--;
-+ UNLOCK(&client->interface->lock);
-+ client->tcpactive = false;
-+ }
-+ }
-+ if (client->udpsocket != NULL) {
- isc_socket_detach(&client->udpsocket);
-+ }
-
-- if (client->dispatch != NULL)
-+ /* Deactivate the client. */
-+ if (client->interface != NULL) {
-+ ns_interface_detach(&client->interface);
-+ }
-+
-+ if (client->dispatch != NULL) {
- dns_dispatch_detach(&client->dispatch);
-+ }
-
- client->attributes = 0;
- client->mortal = false;
-@@ -551,10 +607,13 @@ exit_check(ns_client_t *client) {
- client->newstate = NS_CLIENTSTATE_MAX;
- if (!ns_g_clienttest && manager != NULL &&
- !manager->exiting)
-+ {
- ISC_QUEUE_PUSH(manager->inactive, client,
- ilink);
-- if (client->needshutdown)
-+ }
-+ if (client->needshutdown) {
- isc_task_shutdown(client->task);
-+ }
- return (true);
- }
- }
-@@ -675,7 +734,6 @@ client_start(isc_task_t *task, isc_event_t *event) {
- }
- }
-
--
- /*%
- * The client's task has received a shutdown event.
- */
-@@ -2507,17 +2565,12 @@ client_request(isc_task_t *task, isc_event_t *event) {
- /*
- * Pipeline TCP query processing.
- */
-- if (client->message->opcode != dns_opcode_query)
-+ if (client->message->opcode != dns_opcode_query) {
- client->pipelined = false;
-+ }
- if (TCP_CLIENT(client) && client->pipelined) {
-- result = isc_quota_reserve(&ns_g_server->tcpquota);
-- if (result == ISC_R_SUCCESS)
-- result = ns_client_replace(client);
-+ result = ns_client_replace(client);
- if (result != ISC_R_SUCCESS) {
-- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
-- "no more TCP clients(read): %s",
-- isc_result_totext(result));
- client->pipelined = false;
- }
- }
-@@ -3087,6 +3140,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
- client->filter_aaaa = dns_aaaa_ok;
- #endif
- client->needshutdown = ns_g_clienttest;
-+ client->tcpactive = false;
-
- ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
- NS_EVENT_CLIENTCONTROL, client_start, client, client,
-@@ -3100,6 +3154,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
- client->formerrcache.id = 0;
- ISC_LINK_INIT(client, link);
- ISC_LINK_INIT(client, rlink);
-+ ISC_LINK_INIT(client, glink);
- ISC_QLINK_INIT(client, ilink);
- client->keytag = NULL;
- client->keytag_len = 0;
-@@ -3193,12 +3248,19 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
-
- INSIST(client->state == NS_CLIENTSTATE_READY);
-
-+ /*
-+ * The accept() was successful and we're now establishing a new
-+ * connection. We need to make note of it in the client and
-+ * interface objects so client objects can do the right thing
-+ * when going inactive in exit_check() (see comments in
-+ * client_accept() for details).
-+ */
- INSIST(client->naccepts == 1);
- client->naccepts--;
-
- LOCK(&client->interface->lock);
-- INSIST(client->interface->ntcpcurrent > 0);
-- client->interface->ntcpcurrent--;
-+ INSIST(client->interface->ntcpaccepting > 0);
-+ client->interface->ntcpaccepting--;
- UNLOCK(&client->interface->lock);
-
- /*
-@@ -3232,6 +3294,9 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "accept failed: %s",
- isc_result_totext(nevent->result));
-+ if (client->tcpquota != NULL) {
-+ isc_quota_detach(&client->tcpquota);
-+ }
- }
-
- if (exit_check(client))
-@@ -3270,18 +3335,12 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- * deny service to legitimate TCP clients.
- */
- client->pipelined = false;
-- result = isc_quota_attach(&ns_g_server->tcpquota,
-- &client->tcpquota);
-- if (result == ISC_R_SUCCESS)
-- result = ns_client_replace(client);
-- if (result != ISC_R_SUCCESS) {
-- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
-- "no more TCP clients(accept): %s",
-- isc_result_totext(result));
-- } else if (ns_g_server->keepresporder == NULL ||
-- !allowed(&netaddr, NULL, NULL, 0, NULL,
-- ns_g_server->keepresporder)) {
-+ result = ns_client_replace(client);
-+ if (result == ISC_R_SUCCESS &&
-+ (client->sctx->keepresporder == NULL ||
-+ !allowed(&netaddr, NULL, NULL, 0, NULL,
-+ ns_g_server->keepresporder)))
-+ {
- client->pipelined = true;
- }
-
-@@ -3298,12 +3357,80 @@ client_accept(ns_client_t *client) {
-
- CTRACE("accept");
-
-+ /*
-+ * The tcpquota object can only be simultaneously referenced a
-+ * pre-defined number of times; this is configured by 'tcp-clients'
-+ * in named.conf. If we can't attach to it here, that means the TCP
-+ * client quota has been exceeded.
-+ */
-+ result = isc_quota_attach(&client->sctx->tcpquota,
-+ &client->tcpquota);
-+ if (result != ISC_R_SUCCESS) {
-+ bool exit;
-+
-+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
-+ "no more TCP clients: %s",
-+ isc_result_totext(result));
-+
-+ /*
-+ * We have exceeded the system-wide TCP client
-+ * quota. But, we can't just block this accept
-+ * in all cases, because if we did, a heavy TCP
-+ * load on other interfaces might cause this
-+ * interface to be starved, with no clients able
-+ * to accept new connections.
-+ *
-+ * So, we check here to see if any other client
-+ * is already servicing TCP queries on this
-+ * interface (whether accepting, reading, or
-+ * processing).
-+ *
-+ * If so, then it's okay *not* to call
-+ * accept - we can let this client to go inactive
-+ * and the other one handle the next connection
-+ * when it's ready.
-+ *
-+ * But if not, then we need to be a little bit
-+ * flexible about the quota. We allow *one* extra
-+ * TCP client through, to ensure we're listening on
-+ * every interface.
-+ *
-+ * (Note: In practice this means that the *real*
-+ * TCP client quota is tcp-clients plus the number
-+ * of interfaces.)
-+ */
-+ LOCK(&client->interface->lock);
-+ exit = (client->interface->ntcpactive > 0);
-+ UNLOCK(&client->interface->lock);
-+
-+ if (exit) {
-+ client->newstate = NS_CLIENTSTATE_INACTIVE;
-+ (void)exit_check(client);
-+ return;
-+ }
-+ }
-+
-+ /*
-+ * By incrementing the interface's ntcpactive counter we signal
-+ * that there is at least one client servicing TCP queries for the
-+ * interface.
-+ *
-+ * We also make note of the fact in the client itself with the
-+ * tcpactive flag. This ensures proper accounting by preventing
-+ * us from accidentally incrementing or decrementing ntcpactive
-+ * more than once per client object.
-+ */
-+ if (!client->tcpactive) {
-+ LOCK(&client->interface->lock);
-+ client->interface->ntcpactive++;
-+ UNLOCK(&client->interface->lock);
-+ client->tcpactive = true;
-+ }
-+
- result = isc_socket_accept(client->tcplistener, client->task,
- client_newconn, client);
- if (result != ISC_R_SUCCESS) {
-- UNEXPECTED_ERROR(__FILE__, __LINE__,
-- "isc_socket_accept() failed: %s",
-- isc_result_totext(result));
- /*
- * XXXRTH What should we do? We're trying to accept but
- * it didn't work. If we just give up, then TCP
-@@ -3311,12 +3438,39 @@ client_accept(ns_client_t *client) {
- *
- * For now, we just go idle.
- */
-+ UNEXPECTED_ERROR(__FILE__, __LINE__,
-+ "isc_socket_accept() failed: %s",
-+ isc_result_totext(result));
-+ if (client->tcpquota != NULL) {
-+ isc_quota_detach(&client->tcpquota);
-+ }
- return;
- }
-+
-+ /*
-+ * The client's 'naccepts' counter indicates that this client has
-+ * called accept() and is waiting for a new connection. It should
-+ * never exceed 1.
-+ */
- INSIST(client->naccepts == 0);
- client->naccepts++;
-+
-+ /*
-+ * The interface's 'ntcpaccepting' counter is incremented when
-+ * any client calls accept(), and decremented in client_newconn()
-+ * once the connection is established.
-+ *
-+ * When the client object is shutting down after handling a TCP
-+ * request (see exit_check()), it looks to see whether this value is
-+ * non-zero. If so, that means another client has already called
-+ * accept() and is waiting to establish the next connection, which
-+ * means the first client is free to go inactive. Otherwise,
-+ * the first client must come back and call accept() again; this
-+ * guarantees there will always be at least one client listening
-+ * for new TCP connections on each interface.
-+ */
- LOCK(&client->interface->lock);
-- client->interface->ntcpcurrent++;
-+ client->interface->ntcpaccepting++;
- UNLOCK(&client->interface->lock);
- }
-
-@@ -3390,13 +3544,14 @@ ns_client_replace(ns_client_t *client) {
- tcp = TCP_CLIENT(client);
- if (tcp && client->pipelined) {
- result = get_worker(client->manager, client->interface,
-- client->tcpsocket);
-+ client->tcpsocket, client);
- } else {
- result = get_client(client->manager, client->interface,
- client->dispatch, tcp);
- }
-- if (result != ISC_R_SUCCESS)
-+ if (result != ISC_R_SUCCESS) {
- return (result);
-+ }
-
- /*
- * The responsibility for listening for new requests is hereby
-@@ -3585,6 +3740,7 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
- client->attributes |= NS_CLIENTATTR_TCP;
- isc_socket_attach(ifp->tcpsocket,
- &client->tcplistener);
-+
- } else {
- isc_socket_t *sock;
-
-@@ -3602,7 +3758,8 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
- }
-
- static isc_result_t
--get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
-+get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
-+ ns_client_t *oldclient)
- {
- isc_result_t result = ISC_R_SUCCESS;
- isc_event_t *ev;
-@@ -3610,6 +3767,7 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
- MTRACE("get worker");
-
- REQUIRE(manager != NULL);
-+ REQUIRE(oldclient != NULL);
-
- if (manager->exiting)
- return (ISC_R_SHUTTINGDOWN);
-@@ -3642,7 +3800,28 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
- ns_interface_attach(ifp, &client->interface);
- client->newstate = client->state = NS_CLIENTSTATE_WORKING;
- INSIST(client->recursionquota == NULL);
-- client->tcpquota = &ns_g_server->tcpquota;
-+
-+ /*
-+ * Transfer TCP quota to the new client.
-+ */
-+ INSIST(client->tcpquota == NULL);
-+ INSIST(oldclient->tcpquota != NULL);
-+ client->tcpquota = oldclient->tcpquota;
-+ oldclient->tcpquota = NULL;
-+
-+ /*
-+ * Link to a pipeline group, creating it if needed.
-+ */
-+ if (!ISC_LINK_LINKED(oldclient, glink)) {
-+ oldclient->glink.next = NULL;
-+ oldclient->glink.prev = NULL;
-+ }
-+ client->glink.next = oldclient->glink.next;
-+ client->glink.prev = oldclient;
-+ if (oldclient->glink.next != NULL) {
-+ oldclient->glink.next->glink.prev = client;
-+ }
-+ oldclient->glink.next = client;
-
- client->dscp = ifp->dscp;
-
-@@ -3656,6 +3835,12 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
- (void)isc_socket_getpeername(client->tcpsocket, &client->peeraddr);
- client->peeraddr_valid = true;
-
-+ LOCK(&client->interface->lock);
-+ client->interface->ntcpactive++;
-+ UNLOCK(&client->interface->lock);
-+
-+ client->tcpactive = true;
-+
- INSIST(client->tcpmsg_valid == false);
- dns_tcpmsg_init(client->mctx, client->tcpsocket, &client->tcpmsg);
- client->tcpmsg_valid = true;
-diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
-index b23a7b191d..1f7973f9c5 100644
---- a/bin/named/include/named/client.h
-+++ b/bin/named/include/named/client.h
-@@ -94,7 +94,8 @@ struct ns_client {
- int nupdates;
- int nctls;
- int references;
-- bool needshutdown; /*
-+ bool tcpactive;
-+ bool needshutdown; /*
- * Used by clienttest to get
- * the client to go from
- * inactive to free state
-@@ -130,9 +131,9 @@ struct ns_client {
- isc_stdtime_t now;
- isc_time_t tnow;
- dns_name_t signername; /*%< [T]SIG key name */
-- dns_name_t * signer; /*%< NULL if not valid sig */
-- bool mortal; /*%< Die after handling request */
-- bool pipelined; /*%< TCP queries not in sequence */
-+ dns_name_t *signer; /*%< NULL if not valid sig */
-+ bool mortal; /*%< Die after handling request */
-+ bool pipelined; /*%< TCP queries not in sequence */
- isc_quota_t *tcpquota;
- isc_quota_t *recursionquota;
- ns_interface_t *interface;
-@@ -143,8 +144,8 @@ struct ns_client {
- isc_sockaddr_t destsockaddr;
-
- isc_netaddr_t ecs_addr; /*%< EDNS client subnet */
-- uint8_t ecs_addrlen;
-- uint8_t ecs_scope;
-+ uint8_t ecs_addrlen;
-+ uint8_t ecs_scope;
-
- struct in6_pktinfo pktinfo;
- isc_dscp_t dscp;
-@@ -166,6 +167,7 @@ struct ns_client {
-
- ISC_LINK(ns_client_t) link;
- ISC_LINK(ns_client_t) rlink;
-+ ISC_LINK(ns_client_t) glink;
- ISC_QLINK(ns_client_t) ilink;
- unsigned char cookie[8];
- uint32_t expire;
-diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
-index 7d1883e1e8..61b08826a6 100644
---- a/bin/named/include/named/interfacemgr.h
-+++ b/bin/named/include/named/interfacemgr.h
-@@ -77,9 +77,14 @@ struct ns_interface {
- /*%< UDP dispatchers. */
- isc_socket_t * tcpsocket; /*%< TCP socket. */
- isc_dscp_t dscp; /*%< "listen-on" DSCP value */
-- int ntcptarget; /*%< Desired number of concurrent
-- TCP accepts */
-- int ntcpcurrent; /*%< Current ditto, locked */
-+ int ntcpaccepting; /*%< Number of clients
-+ ready to accept new
-+ TCP connections on this
-+ interface */
-+ int ntcpactive; /*%< Number of clients
-+ servicing TCP queries
-+ (whether accepting or
-+ connected) */
- int nudpdispatch; /*%< Number of UDP dispatches */
- ns_clientmgr_t * clientmgr; /*%< Client manager. */
- ISC_LINK(ns_interface_t) link;
-diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
-index 419927bf54..955096ef47 100644
---- a/bin/named/interfacemgr.c
-+++ b/bin/named/interfacemgr.c
-@@ -386,8 +386,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
- * connections will be handled in parallel even though there is
- * only one client initially.
- */
-- ifp->ntcptarget = 1;
-- ifp->ntcpcurrent = 0;
-+ ifp->ntcpaccepting = 0;
-+ ifp->ntcpactive = 0;
- ifp->nudpdispatch = 0;
-
- ifp->dscp = -1;
-@@ -522,9 +522,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
- */
- (void)isc_socket_filter(ifp->tcpsocket, "dataready");
-
-- result = ns_clientmgr_createclients(ifp->clientmgr,
-- ifp->ntcptarget, ifp,
-- true);
-+ result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, true);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "TCP ns_clientmgr_createclients(): %s",
---
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/0003-use-reference-counter-for-pipeline-groups-v3.patch b/meta/recipes-connectivity/bind/bind/0003-use-reference-counter-for-pipeline-groups-v3.patch
deleted file mode 100644
index 032cfb8c44..0000000000
--- a/meta/recipes-connectivity/bind/bind/0003-use-reference-counter-for-pipeline-groups-v3.patch
+++ /dev/null
@@ -1,278 +0,0 @@
-Backport patch to fix CVE-2018-5743.
-
-Ref:
-https://security-tracker.debian.org/tracker/CVE-2018-5743
-
-CVE: CVE-2018-5743
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/366b4e1]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 366b4e1ede8aed690e981e07137cb1cb77879c36 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
-Date: Thu, 17 Jan 2019 15:53:38 +0100
-Subject: [PATCH 3/6] use reference counter for pipeline groups (v3)
-
-Track pipeline groups using a shared reference counter
-instead of a linked list.
-
-(cherry picked from commit 513afd33eb17d5dc41a3f0d2d38204ef8c5f6f91)
-(cherry picked from commit 9446629b730c59c4215f08d37fbaf810282fbccb)
----
- bin/named/client.c | 171 ++++++++++++++++++++-----------
- bin/named/include/named/client.h | 2 +-
- 2 files changed, 110 insertions(+), 63 deletions(-)
-
-diff --git a/bin/named/client.c b/bin/named/client.c
-index a7b49a0f71..277656cef0 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -299,6 +299,75 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
- }
- }
-
-+/*%
-+ * Allocate a reference counter that will track the number of client structures
-+ * using the TCP connection that 'client' called accept() for. This counter
-+ * will be shared between all client structures associated with this TCP
-+ * connection.
-+ */
-+static void
-+pipeline_init(ns_client_t *client) {
-+ isc_refcount_t *refs;
-+
-+ REQUIRE(client->pipeline_refs == NULL);
-+
-+ /*
-+ * A global memory context is used for the allocation as different
-+ * client structures may have different memory contexts assigned and a
-+ * reference counter allocated here might need to be freed by a
-+ * different client. The performance impact caused by memory context
-+ * contention here is expected to be negligible, given that this code
-+ * is only executed for TCP connections.
-+ */
-+ refs = isc_mem_allocate(client->sctx->mctx, sizeof(*refs));
-+ isc_refcount_init(refs, 1);
-+ client->pipeline_refs = refs;
-+}
-+
-+/*%
-+ * Increase the count of client structures using the TCP connection that
-+ * 'source' is associated with and put a pointer to that count in 'target',
-+ * thus associating it with the same TCP connection.
-+ */
-+static void
-+pipeline_attach(ns_client_t *source, ns_client_t *target) {
-+ int old_refs;
-+
-+ REQUIRE(source->pipeline_refs != NULL);
-+ REQUIRE(target->pipeline_refs == NULL);
-+
-+ old_refs = isc_refcount_increment(source->pipeline_refs);
-+ INSIST(old_refs > 0);
-+ target->pipeline_refs = source->pipeline_refs;
-+}
-+
-+/*%
-+ * Decrease the count of client structures using the TCP connection that
-+ * 'client' is associated with. If this is the last client using this TCP
-+ * connection, free the reference counter and return true; otherwise, return
-+ * false.
-+ */
-+static bool
-+pipeline_detach(ns_client_t *client) {
-+ isc_refcount_t *refs;
-+ int old_refs;
-+
-+ REQUIRE(client->pipeline_refs != NULL);
-+
-+ refs = client->pipeline_refs;
-+ client->pipeline_refs = NULL;
-+
-+ old_refs = isc_refcount_decrement(refs);
-+ INSIST(old_refs > 0);
-+
-+ if (old_refs == 1) {
-+ isc_mem_free(client->sctx->mctx, refs);
-+ return (true);
-+ }
-+
-+ return (false);
-+}
-+
- /*%
- * Check for a deactivation or shutdown request and take appropriate
- * action. Returns true if either is in progress; in this case
-@@ -421,6 +490,40 @@ exit_check(ns_client_t *client) {
- client->tcpmsg_valid = false;
- }
-
-+ if (client->tcpquota != NULL) {
-+ if (client->pipeline_refs == NULL ||
-+ pipeline_detach(client))
-+ {
-+ /*
-+ * Only detach from the TCP client quota if
-+ * there are no more client structures using
-+ * this TCP connection.
-+ *
-+ * Note that we check 'pipeline_refs' and not
-+ * 'pipelined' because in some cases (e.g.
-+ * after receiving a request with an opcode
-+ * different than QUERY) 'pipelined' is set to
-+ * false after the reference counter gets
-+ * allocated in pipeline_init() and we must
-+ * still drop our reference as failing to do so
-+ * would prevent the reference counter itself
-+ * from being freed.
-+ */
-+ isc_quota_detach(&client->tcpquota);
-+ } else {
-+ /*
-+ * There are other client structures using this
-+ * TCP connection, so we cannot detach from the
-+ * TCP client quota to prevent excess TCP
-+ * connections from being accepted. However,
-+ * this client structure might later be reused
-+ * for accepting new connections and thus must
-+ * have its 'tcpquota' field set to NULL.
-+ */
-+ client->tcpquota = NULL;
-+ }
-+ }
-+
- if (client->tcpsocket != NULL) {
- CTRACE("closetcp");
- isc_socket_detach(&client->tcpsocket);
-@@ -434,44 +537,6 @@ exit_check(ns_client_t *client) {
- }
- }
-
-- if (client->tcpquota != NULL) {
-- /*
-- * If we are not in a pipeline group, or
-- * we are the last client in the group, detach from
-- * tcpquota; otherwise, transfer the quota to
-- * another client in the same group.
-- */
-- if (!ISC_LINK_LINKED(client, glink) ||
-- (client->glink.next == NULL &&
-- client->glink.prev == NULL))
-- {
-- isc_quota_detach(&client->tcpquota);
-- } else if (client->glink.next != NULL) {
-- INSIST(client->glink.next->tcpquota == NULL);
-- client->glink.next->tcpquota = client->tcpquota;
-- client->tcpquota = NULL;
-- } else {
-- INSIST(client->glink.prev->tcpquota == NULL);
-- client->glink.prev->tcpquota = client->tcpquota;
-- client->tcpquota = NULL;
-- }
-- }
--
-- /*
-- * Unlink from pipeline group.
-- */
-- if (ISC_LINK_LINKED(client, glink)) {
-- if (client->glink.next != NULL) {
-- client->glink.next->glink.prev =
-- client->glink.prev;
-- }
-- if (client->glink.prev != NULL) {
-- client->glink.prev->glink.next =
-- client->glink.next;
-- }
-- ISC_LINK_INIT(client, glink);
-- }
--
- if (client->timerset) {
- (void)isc_timer_reset(client->timer,
- isc_timertype_inactive,
-@@ -3130,6 +3195,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
- dns_name_init(&client->signername, NULL);
- client->mortal = false;
- client->pipelined = false;
-+ client->pipeline_refs = NULL;
- client->tcpquota = NULL;
- client->recursionquota = NULL;
- client->interface = NULL;
-@@ -3154,7 +3220,6 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
- client->formerrcache.id = 0;
- ISC_LINK_INIT(client, link);
- ISC_LINK_INIT(client, rlink);
-- ISC_LINK_INIT(client, glink);
- ISC_QLINK_INIT(client, ilink);
- client->keytag = NULL;
- client->keytag_len = 0;
-@@ -3341,6 +3406,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- !allowed(&netaddr, NULL, NULL, 0, NULL,
- ns_g_server->keepresporder)))
- {
-+ pipeline_init(client);
- client->pipelined = true;
- }
-
-@@ -3800,35 +3866,16 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
- ns_interface_attach(ifp, &client->interface);
- client->newstate = client->state = NS_CLIENTSTATE_WORKING;
- INSIST(client->recursionquota == NULL);
--
-- /*
-- * Transfer TCP quota to the new client.
-- */
-- INSIST(client->tcpquota == NULL);
-- INSIST(oldclient->tcpquota != NULL);
-- client->tcpquota = oldclient->tcpquota;
-- oldclient->tcpquota = NULL;
--
-- /*
-- * Link to a pipeline group, creating it if needed.
-- */
-- if (!ISC_LINK_LINKED(oldclient, glink)) {
-- oldclient->glink.next = NULL;
-- oldclient->glink.prev = NULL;
-- }
-- client->glink.next = oldclient->glink.next;
-- client->glink.prev = oldclient;
-- if (oldclient->glink.next != NULL) {
-- oldclient->glink.next->glink.prev = client;
-- }
-- oldclient->glink.next = client;
-+ client->tcpquota = &client->sctx->tcpquota;
-
- client->dscp = ifp->dscp;
-
- client->attributes |= NS_CLIENTATTR_TCP;
-- client->pipelined = true;
- client->mortal = true;
-
-+ pipeline_attach(oldclient, client);
-+ client->pipelined = true;
-+
- isc_socket_attach(ifp->tcpsocket, &client->tcplistener);
- isc_socket_attach(sock, &client->tcpsocket);
- isc_socket_setname(client->tcpsocket, "worker-tcp", NULL);
-diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
-index 1f7973f9c5..aeed9ccdda 100644
---- a/bin/named/include/named/client.h
-+++ b/bin/named/include/named/client.h
-@@ -134,6 +134,7 @@ struct ns_client {
- dns_name_t *signer; /*%< NULL if not valid sig */
- bool mortal; /*%< Die after handling request */
- bool pipelined; /*%< TCP queries not in sequence */
-+ isc_refcount_t *pipeline_refs;
- isc_quota_t *tcpquota;
- isc_quota_t *recursionquota;
- ns_interface_t *interface;
-@@ -167,7 +168,6 @@ struct ns_client {
-
- ISC_LINK(ns_client_t) link;
- ISC_LINK(ns_client_t) rlink;
-- ISC_LINK(ns_client_t) glink;
- ISC_QLINK(ns_client_t) ilink;
- unsigned char cookie[8];
- uint32_t expire;
---
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/0004-better-tcpquota-accounting-and-client-mortality-chec.patch b/meta/recipes-connectivity/bind/bind/0004-better-tcpquota-accounting-and-client-mortality-chec.patch
deleted file mode 100644
index 034ab13303..0000000000
--- a/meta/recipes-connectivity/bind/bind/0004-better-tcpquota-accounting-and-client-mortality-chec.patch
+++ /dev/null
@@ -1,512 +0,0 @@
-Backport patch to fix CVE-2018-5743.
-
-Ref:
-https://security-tracker.debian.org/tracker/CVE-2018-5743
-
-CVE: CVE-2018-5743
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/2ab8a08]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 2ab8a085b3c666f28f1f9229bd6ecb59915b26c3 Mon Sep 17 00:00:00 2001
-From: Evan Hunt <each@isc.org>
-Date: Fri, 5 Apr 2019 16:12:18 -0700
-Subject: [PATCH 4/6] better tcpquota accounting and client mortality checks
-
-- ensure that tcpactive is cleaned up correctly when accept() fails.
-- set 'client->tcpattached' when the client is attached to the tcpquota.
- carry this value on to new clients sharing the same pipeline group.
- don't call isc_quota_detach() on the tcpquota unless tcpattached is
- set. this way clients that were allowed to accept TCP connections
- despite being over quota (and therefore, were never attached to the
- quota) will not inadvertently detach from it and mess up the
- accounting.
-- simplify the code for tcpquota disconnection by using a new function
- tcpquota_disconnect().
-- before deciding whether to reject a new connection due to quota
- exhaustion, check to see whether there are at least two active
- clients. previously, this was "at least one", but that could be
- insufficient if there was one other client in READING state (waiting
- for messages on an open connection) but none in READY (listening
- for new connections).
-- before deciding whether a TCP client object can to go inactive, we
- must ensure there are enough other clients to maintain service
- afterward -- both accepting new connections and reading/processing new
- queries. A TCP client can't shut down unless at least one
- client is accepting new connections and (in the case of pipelined
- clients) at least one additional client is waiting to read.
-
-(cherry picked from commit c7394738b2445c16f728a88394864dd61baad900)
-(cherry picked from commit e965d5f11d3d0f6d59704e614fceca2093cb1856)
-(cherry picked from commit 87d431161450777ea093821212abfb52d51b36e3)
----
- bin/named/client.c | 244 +++++++++++++++++++------------
- bin/named/include/named/client.h | 3 +-
- 2 files changed, 152 insertions(+), 95 deletions(-)
-
-diff --git a/bin/named/client.c b/bin/named/client.c
-index 277656cef0..61e96dd28c 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -244,13 +244,14 @@ static void client_start(isc_task_t *task, isc_event_t *event);
- static void client_request(isc_task_t *task, isc_event_t *event);
- static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
- static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
-- dns_dispatch_t *disp, bool tcp);
-+ dns_dispatch_t *disp, ns_client_t *oldclient,
-+ bool tcp);
- static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
- isc_socket_t *sock, ns_client_t *oldclient);
- static inline bool
- allowed(isc_netaddr_t *addr, dns_name_t *signer,
- isc_netaddr_t *ecs_addr, uint8_t ecs_addrlen,
-- uint8_t *ecs_scope, dns_acl_t *acl)
-+ uint8_t *ecs_scope, dns_acl_t *acl);
- static void compute_cookie(ns_client_t *client, uint32_t when,
- uint32_t nonce, const unsigned char *secret,
- isc_buffer_t *buf);
-@@ -319,7 +320,7 @@ pipeline_init(ns_client_t *client) {
- * contention here is expected to be negligible, given that this code
- * is only executed for TCP connections.
- */
-- refs = isc_mem_allocate(client->sctx->mctx, sizeof(*refs));
-+ refs = isc_mem_allocate(ns_g_mctx, sizeof(*refs));
- isc_refcount_init(refs, 1);
- client->pipeline_refs = refs;
- }
-@@ -331,13 +332,13 @@ pipeline_init(ns_client_t *client) {
- */
- static void
- pipeline_attach(ns_client_t *source, ns_client_t *target) {
-- int old_refs;
-+ int refs;
-
- REQUIRE(source->pipeline_refs != NULL);
- REQUIRE(target->pipeline_refs == NULL);
-
-- old_refs = isc_refcount_increment(source->pipeline_refs);
-- INSIST(old_refs > 0);
-+ isc_refcount_increment(source->pipeline_refs, &refs);
-+ INSIST(refs > 1);
- target->pipeline_refs = source->pipeline_refs;
- }
-
-@@ -349,25 +350,51 @@ pipeline_attach(ns_client_t *source, ns_client_t *target) {
- */
- static bool
- pipeline_detach(ns_client_t *client) {
-- isc_refcount_t *refs;
-- int old_refs;
-+ isc_refcount_t *refcount;
-+ int refs;
-
- REQUIRE(client->pipeline_refs != NULL);
-
-- refs = client->pipeline_refs;
-+ refcount = client->pipeline_refs;
- client->pipeline_refs = NULL;
-
-- old_refs = isc_refcount_decrement(refs);
-- INSIST(old_refs > 0);
-+ isc_refcount_decrement(refcount, refs);
-
-- if (old_refs == 1) {
-- isc_mem_free(client->sctx->mctx, refs);
-+ if (refs == 0) {
-+ isc_mem_free(ns_g_mctx, refs);
- return (true);
- }
-
- return (false);
- }
-
-+/*
-+ * Detach a client from the TCP client quota if appropriate, and set
-+ * the quota pointer to NULL.
-+ *
-+ * Sometimes when the TCP client quota is exhausted but there are no other
-+ * clients servicing the interface, a client will be allowed to continue
-+ * running despite not having been attached to the quota. In this event,
-+ * the TCP quota was never attached to the client, so when the client (or
-+ * associated pipeline group) shuts down, the quota must NOT be detached.
-+ *
-+ * Otherwise, if the quota pointer is set, it should be detached. If not
-+ * set at all, we just return without doing anything.
-+ */
-+static void
-+tcpquota_disconnect(ns_client_t *client) {
-+ if (client->tcpquota == NULL) {
-+ return;
-+ }
-+
-+ if (client->tcpattached) {
-+ isc_quota_detach(&client->tcpquota);
-+ client->tcpattached = false;
-+ } else {
-+ client->tcpquota = NULL;
-+ }
-+}
-+
- /*%
- * Check for a deactivation or shutdown request and take appropriate
- * action. Returns true if either is in progress; in this case
-@@ -490,38 +517,31 @@ exit_check(ns_client_t *client) {
- client->tcpmsg_valid = false;
- }
-
-- if (client->tcpquota != NULL) {
-- if (client->pipeline_refs == NULL ||
-- pipeline_detach(client))
-- {
-- /*
-- * Only detach from the TCP client quota if
-- * there are no more client structures using
-- * this TCP connection.
-- *
-- * Note that we check 'pipeline_refs' and not
-- * 'pipelined' because in some cases (e.g.
-- * after receiving a request with an opcode
-- * different than QUERY) 'pipelined' is set to
-- * false after the reference counter gets
-- * allocated in pipeline_init() and we must
-- * still drop our reference as failing to do so
-- * would prevent the reference counter itself
-- * from being freed.
-- */
-- isc_quota_detach(&client->tcpquota);
-- } else {
-- /*
-- * There are other client structures using this
-- * TCP connection, so we cannot detach from the
-- * TCP client quota to prevent excess TCP
-- * connections from being accepted. However,
-- * this client structure might later be reused
-- * for accepting new connections and thus must
-- * have its 'tcpquota' field set to NULL.
-- */
-- client->tcpquota = NULL;
-- }
-+ /*
-+ * Detach from pipeline group and from TCP client quota,
-+ * if appropriate.
-+ *
-+ * - If no pipeline group is active, attempt to
-+ * detach from the TCP client quota.
-+ *
-+ * - If a pipeline group is active, detach from it;
-+ * if the return code indicates that there no more
-+ * clients left if this pipeline group, we also detach
-+ * from the TCP client quota.
-+ *
-+ * - Otherwise we don't try to detach, we just set the
-+ * TCP quota pointer to NULL if it wasn't NULL already.
-+ *
-+ * tcpquota_disconnect() will set tcpquota to NULL, either
-+ * by detaching it or by assignment, depending on the
-+ * needs of the client. See the comments on that function
-+ * for further information.
-+ */
-+ if (client->pipeline_refs == NULL || pipeline_detach(client)) {
-+ tcpquota_disconnect(client);
-+ } else {
-+ client->tcpquota = NULL;
-+ client->tcpattached = false;
- }
-
- if (client->tcpsocket != NULL) {
-@@ -544,8 +564,6 @@ exit_check(ns_client_t *client) {
- client->timerset = false;
- }
-
-- client->pipelined = false;
--
- client->peeraddr_valid = false;
-
- client->state = NS_CLIENTSTATE_READY;
-@@ -558,18 +576,27 @@ exit_check(ns_client_t *client) {
- * active and force it to go inactive if not.
- *
- * UDP clients go inactive at this point, but a TCP client
-- * will needs to remain active if no other clients are
-- * listening for TCP requests on this interface, to
-- * prevent this interface from going nonresponsive.
-+ * may need to remain active and go into ready state if
-+ * no other clients are available to listen for TCP
-+ * requests on this interface or (in the case of pipelined
-+ * clients) to read for additional messages on the current
-+ * connection.
- */
- if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
- LOCK(&client->interface->lock);
-- if (client->interface->ntcpaccepting == 0) {
-+ if ((client->interface->ntcpaccepting == 0 ||
-+ (client->pipelined &&
-+ client->interface->ntcpactive < 2)) &&
-+ client->newstate != NS_CLIENTSTATE_FREED)
-+ {
- client->mortal = false;
-+ client->newstate = NS_CLIENTSTATE_READY;
- }
- UNLOCK(&client->interface->lock);
- }
-
-+ client->pipelined = false;
-+
- /*
- * We don't need the client; send it to the inactive
- * queue for recycling.
-@@ -2634,6 +2661,18 @@ client_request(isc_task_t *task, isc_event_t *event) {
- client->pipelined = false;
- }
- if (TCP_CLIENT(client) && client->pipelined) {
-+ /*
-+ * We're pipelining. Replace the client; the
-+ * the replacement can read the TCP socket looking
-+ * for new messages and this client can process the
-+ * current message asynchronously.
-+ *
-+ * There are now at least three clients using this
-+ * TCP socket - one accepting new connections,
-+ * one reading an existing connection to get new
-+ * messages, and one answering the message already
-+ * received.
-+ */
- result = ns_client_replace(client);
- if (result != ISC_R_SUCCESS) {
- client->pipelined = false;
-@@ -3197,6 +3236,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
- client->pipelined = false;
- client->pipeline_refs = NULL;
- client->tcpquota = NULL;
-+ client->tcpattached = false;
- client->recursionquota = NULL;
- client->interface = NULL;
- client->peeraddr_valid = false;
-@@ -3359,9 +3399,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "accept failed: %s",
- isc_result_totext(nevent->result));
-- if (client->tcpquota != NULL) {
-- isc_quota_detach(&client->tcpquota);
-- }
-+ tcpquota_disconnect(client);
- }
-
- if (exit_check(client))
-@@ -3402,7 +3440,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- client->pipelined = false;
- result = ns_client_replace(client);
- if (result == ISC_R_SUCCESS &&
-- (client->sctx->keepresporder == NULL ||
-+ (ns_g_server->keepresporder == NULL ||
- !allowed(&netaddr, NULL, NULL, 0, NULL,
- ns_g_server->keepresporder)))
- {
-@@ -3429,7 +3467,7 @@ client_accept(ns_client_t *client) {
- * in named.conf. If we can't attach to it here, that means the TCP
- * client quota has been exceeded.
- */
-- result = isc_quota_attach(&client->sctx->tcpquota,
-+ result = isc_quota_attach(&ns_g_server->tcpquota,
- &client->tcpquota);
- if (result != ISC_R_SUCCESS) {
- bool exit;
-@@ -3447,27 +3485,27 @@ client_accept(ns_client_t *client) {
- * interface to be starved, with no clients able
- * to accept new connections.
- *
-- * So, we check here to see if any other client
-- * is already servicing TCP queries on this
-+ * So, we check here to see if any other clients
-+ * are already servicing TCP queries on this
- * interface (whether accepting, reading, or
-- * processing).
-- *
-- * If so, then it's okay *not* to call
-- * accept - we can let this client to go inactive
-- * and the other one handle the next connection
-- * when it's ready.
-+ * processing). If there are at least two
-+ * (one reading and one processing a request)
-+ * then it's okay *not* to call accept - we
-+ * can let this client go inactive and another
-+ * one will resume accepting when it's done.
- *
-- * But if not, then we need to be a little bit
-- * flexible about the quota. We allow *one* extra
-- * TCP client through, to ensure we're listening on
-- * every interface.
-+ * If there aren't enough active clients on the
-+ * interface, then we can be a little bit
-+ * flexible about the quota. We'll allow *one*
-+ * extra client through to ensure we're listening
-+ * on every interface.
- *
-- * (Note: In practice this means that the *real*
-- * TCP client quota is tcp-clients plus the number
-- * of interfaces.)
-+ * (Note: In practice this means that the real
-+ * TCP client quota is tcp-clients plus the
-+ * number of listening interfaces plus 2.)
- */
- LOCK(&client->interface->lock);
-- exit = (client->interface->ntcpactive > 0);
-+ exit = (client->interface->ntcpactive > 1);
- UNLOCK(&client->interface->lock);
-
- if (exit) {
-@@ -3475,6 +3513,9 @@ client_accept(ns_client_t *client) {
- (void)exit_check(client);
- return;
- }
-+
-+ } else {
-+ client->tcpattached = true;
- }
-
- /*
-@@ -3507,9 +3548,16 @@ client_accept(ns_client_t *client) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socket_accept() failed: %s",
- isc_result_totext(result));
-- if (client->tcpquota != NULL) {
-- isc_quota_detach(&client->tcpquota);
-+
-+ tcpquota_disconnect(client);
-+
-+ if (client->tcpactive) {
-+ LOCK(&client->interface->lock);
-+ client->interface->ntcpactive--;
-+ UNLOCK(&client->interface->lock);
-+ client->tcpactive = false;
- }
-+
- return;
- }
-
-@@ -3527,13 +3575,12 @@ client_accept(ns_client_t *client) {
- * once the connection is established.
- *
- * When the client object is shutting down after handling a TCP
-- * request (see exit_check()), it looks to see whether this value is
-- * non-zero. If so, that means another client has already called
-- * accept() and is waiting to establish the next connection, which
-- * means the first client is free to go inactive. Otherwise,
-- * the first client must come back and call accept() again; this
-- * guarantees there will always be at least one client listening
-- * for new TCP connections on each interface.
-+ * request (see exit_check()), if this value is at least one, that
-+ * means another client has called accept() and is waiting to
-+ * establish the next connection. That means the client may be
-+ * be free to become inactive; otherwise it may need to start
-+ * listening for connections itself to prevent the interface
-+ * going dead.
- */
- LOCK(&client->interface->lock);
- client->interface->ntcpaccepting++;
-@@ -3613,19 +3660,19 @@ ns_client_replace(ns_client_t *client) {
- client->tcpsocket, client);
- } else {
- result = get_client(client->manager, client->interface,
-- client->dispatch, tcp);
-+ client->dispatch, client, tcp);
-+
-+ /*
-+ * The responsibility for listening for new requests is hereby
-+ * transferred to the new client. Therefore, the old client
-+ * should refrain from listening for any more requests.
-+ */
-+ client->mortal = true;
- }
- if (result != ISC_R_SUCCESS) {
- return (result);
- }
-
-- /*
-- * The responsibility for listening for new requests is hereby
-- * transferred to the new client. Therefore, the old client
-- * should refrain from listening for any more requests.
-- */
-- client->mortal = true;
--
- return (ISC_R_SUCCESS);
- }
-
-@@ -3759,7 +3806,7 @@ ns_clientmgr_destroy(ns_clientmgr_t **managerp) {
-
- static isc_result_t
- get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
-- dns_dispatch_t *disp, bool tcp)
-+ dns_dispatch_t *disp, ns_client_t *oldclient, bool tcp)
- {
- isc_result_t result = ISC_R_SUCCESS;
- isc_event_t *ev;
-@@ -3803,6 +3850,16 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
- client->dscp = ifp->dscp;
-
- if (tcp) {
-+ client->tcpattached = false;
-+ if (oldclient != NULL) {
-+ client->tcpattached = oldclient->tcpattached;
-+ }
-+
-+ LOCK(&client->interface->lock);
-+ client->interface->ntcpactive++;
-+ UNLOCK(&client->interface->lock);
-+ client->tcpactive = true;
-+
- client->attributes |= NS_CLIENTATTR_TCP;
- isc_socket_attach(ifp->tcpsocket,
- &client->tcplistener);
-@@ -3866,7 +3923,8 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
- ns_interface_attach(ifp, &client->interface);
- client->newstate = client->state = NS_CLIENTSTATE_WORKING;
- INSIST(client->recursionquota == NULL);
-- client->tcpquota = &client->sctx->tcpquota;
-+ client->tcpquota = &ns_g_server->tcpquota;
-+ client->tcpattached = oldclient->tcpattached;
-
- client->dscp = ifp->dscp;
-
-@@ -3885,7 +3943,6 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
- LOCK(&client->interface->lock);
- client->interface->ntcpactive++;
- UNLOCK(&client->interface->lock);
--
- client->tcpactive = true;
-
- INSIST(client->tcpmsg_valid == false);
-@@ -3913,7 +3970,8 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
- MTRACE("createclients");
-
- for (disp = 0; disp < n; disp++) {
-- result = get_client(manager, ifp, ifp->udpdispatch[disp], tcp);
-+ result = get_client(manager, ifp, ifp->udpdispatch[disp],
-+ NULL, tcp);
- if (result != ISC_R_SUCCESS)
- break;
- }
-diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
-index aeed9ccdda..e2c40acd28 100644
---- a/bin/named/include/named/client.h
-+++ b/bin/named/include/named/client.h
-@@ -9,8 +9,6 @@
- * information regarding copyright ownership.
- */
-
--/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */
--
- #ifndef NAMED_CLIENT_H
- #define NAMED_CLIENT_H 1
-
-@@ -136,6 +134,7 @@ struct ns_client {
- bool pipelined; /*%< TCP queries not in sequence */
- isc_refcount_t *pipeline_refs;
- isc_quota_t *tcpquota;
-+ bool tcpattached;
- isc_quota_t *recursionquota;
- ns_interface_t *interface;
-
---
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch b/meta/recipes-connectivity/bind/bind/0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch
deleted file mode 100644
index 987e75bc0e..0000000000
--- a/meta/recipes-connectivity/bind/bind/0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch
+++ /dev/null
@@ -1,911 +0,0 @@
-Backport patch to fix CVE-2018-5743.
-
-Ref:
-https://security-tracker.debian.org/tracker/CVE-2018-5743
-
-CVE: CVE-2018-5743
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/c47ccf6]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From c47ccf630f147378568b33e8fdb7b754f228c346 Mon Sep 17 00:00:00 2001
-From: Evan Hunt <each@isc.org>
-Date: Fri, 5 Apr 2019 16:26:05 -0700
-Subject: [PATCH 5/6] refactor tcpquota and pipeline refs; allow special-case
- overrun in isc_quota
-
-- if the TCP quota has been exceeded but there are no clients listening
- for new connections on the interface, we can now force attachment to the
- quota using isc_quota_force(), instead of carrying on with the quota not
- attached.
-- the TCP client quota is now referenced via a reference-counted
- 'ns_tcpconn' object, one of which is created whenever a client begins
- listening for new connections, and attached to by members of that
- client's pipeline group. when the last reference to the tcpconn
- object is detached, it is freed and the TCP quota slot is released.
-- reduce code duplication by adding mark_tcp_active() function.
-- convert counters to atomic.
-
-(cherry picked from commit 7e8222378ca24f1302a0c1c638565050ab04681b)
-(cherry picked from commit 4939451275722bfda490ea86ca13e84f6bc71e46)
-(cherry picked from commit 13f7c918b8720d890408f678bd73c20e634539d9)
----
- bin/named/client.c | 444 +++++++++++--------------
- bin/named/include/named/client.h | 12 +-
- bin/named/include/named/interfacemgr.h | 6 +-
- bin/named/interfacemgr.c | 1 +
- lib/isc/include/isc/quota.h | 7 +
- lib/isc/quota.c | 33 +-
- lib/isc/win32/libisc.def.in | 1 +
- 7 files changed, 236 insertions(+), 268 deletions(-)
-
-diff --git a/bin/named/client.c b/bin/named/client.c
-index 61e96dd28c..d826ab32bf 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -244,8 +244,7 @@ static void client_start(isc_task_t *task, isc_event_t *event);
- static void client_request(isc_task_t *task, isc_event_t *event);
- static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
- static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
-- dns_dispatch_t *disp, ns_client_t *oldclient,
-- bool tcp);
-+ dns_dispatch_t *disp, bool tcp);
- static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
- isc_socket_t *sock, ns_client_t *oldclient);
- static inline bool
-@@ -301,16 +300,32 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
- }
-
- /*%
-- * Allocate a reference counter that will track the number of client structures
-- * using the TCP connection that 'client' called accept() for. This counter
-- * will be shared between all client structures associated with this TCP
-- * connection.
-+ * Allocate a reference-counted object that will maintain a single pointer to
-+ * the (also reference-counted) TCP client quota, shared between all the
-+ * clients processing queries on a single TCP connection, so that all
-+ * clients sharing the one socket will together consume only one slot in
-+ * the 'tcp-clients' quota.
- */
--static void
--pipeline_init(ns_client_t *client) {
-- isc_refcount_t *refs;
-+static isc_result_t
-+tcpconn_init(ns_client_t *client, bool force) {
-+ isc_result_t result;
-+ isc_quota_t *quota = NULL;
-+ ns_tcpconn_t *tconn = NULL;
-
-- REQUIRE(client->pipeline_refs == NULL);
-+ REQUIRE(client->tcpconn == NULL);
-+
-+ /*
-+ * Try to attach to the quota first, so we won't pointlessly
-+ * allocate memory for a tcpconn object if we can't get one.
-+ */
-+ if (force) {
-+ result = isc_quota_force(&ns_g_server->tcpquota, "a);
-+ } else {
-+ result = isc_quota_attach(&ns_g_server->tcpquota, "a);
-+ }
-+ if (result != ISC_R_SUCCESS) {
-+ return (result);
-+ }
-
- /*
- * A global memory context is used for the allocation as different
-@@ -320,78 +335,80 @@ pipeline_init(ns_client_t *client) {
- * contention here is expected to be negligible, given that this code
- * is only executed for TCP connections.
- */
-- refs = isc_mem_allocate(ns_g_mctx, sizeof(*refs));
-- isc_refcount_init(refs, 1);
-- client->pipeline_refs = refs;
-+ tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn));
-+
-+ isc_refcount_init(&tconn->refs, 1);
-+ tconn->tcpquota = quota;
-+ quota = NULL;
-+ tconn->pipelined = false;
-+
-+ client->tcpconn = tconn;
-+
-+ return (ISC_R_SUCCESS);
- }
-
- /*%
-- * Increase the count of client structures using the TCP connection that
-- * 'source' is associated with and put a pointer to that count in 'target',
-- * thus associating it with the same TCP connection.
-+ * Increase the count of client structures sharing the TCP connection
-+ * that 'source' is associated with; add a pointer to the same tcpconn
-+ * to 'target', thus associating it with the same TCP connection.
- */
- static void
--pipeline_attach(ns_client_t *source, ns_client_t *target) {
-+tcpconn_attach(ns_client_t *source, ns_client_t *target) {
- int refs;
-
-- REQUIRE(source->pipeline_refs != NULL);
-- REQUIRE(target->pipeline_refs == NULL);
-+ REQUIRE(source->tcpconn != NULL);
-+ REQUIRE(target->tcpconn == NULL);
-+ REQUIRE(source->tcpconn->pipelined);
-
-- isc_refcount_increment(source->pipeline_refs, &refs);
-+ isc_refcount_increment(&source->tcpconn->refs, &refs);
- INSIST(refs > 1);
-- target->pipeline_refs = source->pipeline_refs;
-+ target->tcpconn = source->tcpconn;
- }
-
- /*%
-- * Decrease the count of client structures using the TCP connection that
-+ * Decrease the count of client structures sharing the TCP connection that
- * 'client' is associated with. If this is the last client using this TCP
-- * connection, free the reference counter and return true; otherwise, return
-- * false.
-+ * connection, we detach from the TCP quota and free the tcpconn
-+ * object. Either way, client->tcpconn is set to NULL.
- */
--static bool
--pipeline_detach(ns_client_t *client) {
-- isc_refcount_t *refcount;
-+static void
-+tcpconn_detach(ns_client_t *client) {
-+ ns_tcpconn_t *tconn = NULL;
- int refs;
-
-- REQUIRE(client->pipeline_refs != NULL);
--
-- refcount = client->pipeline_refs;
-- client->pipeline_refs = NULL;
-+ REQUIRE(client->tcpconn != NULL);
-
-- isc_refcount_decrement(refcount, refs);
-+ tconn = client->tcpconn;
-+ client->tcpconn = NULL;
-
-+ isc_refcount_decrement(&tconn->refs, &refs);
- if (refs == 0) {
-- isc_mem_free(ns_g_mctx, refs);
-- return (true);
-+ isc_quota_detach(&tconn->tcpquota);
-+ isc_mem_free(ns_g_mctx, tconn);
- }
--
-- return (false);
- }
-
--/*
-- * Detach a client from the TCP client quota if appropriate, and set
-- * the quota pointer to NULL.
-- *
-- * Sometimes when the TCP client quota is exhausted but there are no other
-- * clients servicing the interface, a client will be allowed to continue
-- * running despite not having been attached to the quota. In this event,
-- * the TCP quota was never attached to the client, so when the client (or
-- * associated pipeline group) shuts down, the quota must NOT be detached.
-+/*%
-+ * Mark a client as active and increment the interface's 'ntcpactive'
-+ * counter, as a signal that there is at least one client servicing
-+ * TCP queries for the interface. If we reach the TCP client quota at
-+ * some point, this will be used to determine whether a quota overrun
-+ * should be permitted.
- *
-- * Otherwise, if the quota pointer is set, it should be detached. If not
-- * set at all, we just return without doing anything.
-+ * Marking the client active with the 'tcpactive' flag ensures proper
-+ * accounting, by preventing us from incrementing or decrementing
-+ * 'ntcpactive' more than once per client.
- */
- static void
--tcpquota_disconnect(ns_client_t *client) {
-- if (client->tcpquota == NULL) {
-- return;
-- }
--
-- if (client->tcpattached) {
-- isc_quota_detach(&client->tcpquota);
-- client->tcpattached = false;
-- } else {
-- client->tcpquota = NULL;
-+mark_tcp_active(ns_client_t *client, bool active) {
-+ if (active && !client->tcpactive) {
-+ isc_atomic_xadd(&client->interface->ntcpactive, 1);
-+ client->tcpactive = active;
-+ } else if (!active && client->tcpactive) {
-+ uint32_t old =
-+ isc_atomic_xadd(&client->interface->ntcpactive, -1);
-+ INSIST(old > 0);
-+ client->tcpactive = active;
- }
- }
-
-@@ -484,7 +501,8 @@ exit_check(ns_client_t *client) {
- INSIST(client->recursionquota == NULL);
-
- if (NS_CLIENTSTATE_READING == client->newstate) {
-- if (!client->pipelined) {
-+ INSIST(client->tcpconn != NULL);
-+ if (!client->tcpconn->pipelined) {
- client_read(client);
- client->newstate = NS_CLIENTSTATE_MAX;
- return (true); /* We're done. */
-@@ -507,8 +525,8 @@ exit_check(ns_client_t *client) {
- dns_tcpmsg_cancelread(&client->tcpmsg);
- }
-
-- if (client->nreads != 0) {
-- /* Still waiting for read cancel completion. */
-+ /* Still waiting for read cancel completion. */
-+ if (client->nreads > 0) {
- return (true);
- }
-
-@@ -518,43 +536,45 @@ exit_check(ns_client_t *client) {
- }
-
- /*
-- * Detach from pipeline group and from TCP client quota,
-- * if appropriate.
-+ * Soon the client will be ready to accept a new TCP
-+ * connection or UDP request, but we may have enough
-+ * clients doing that already. Check whether this client
-+ * needs to remain active and allow it go inactive if
-+ * not.
- *
-- * - If no pipeline group is active, attempt to
-- * detach from the TCP client quota.
-+ * UDP clients always go inactive at this point, but a TCP
-+ * client may need to stay active and return to READY
-+ * state if no other clients are available to listen
-+ * for TCP requests on this interface.
- *
-- * - If a pipeline group is active, detach from it;
-- * if the return code indicates that there no more
-- * clients left if this pipeline group, we also detach
-- * from the TCP client quota.
-- *
-- * - Otherwise we don't try to detach, we just set the
-- * TCP quota pointer to NULL if it wasn't NULL already.
-- *
-- * tcpquota_disconnect() will set tcpquota to NULL, either
-- * by detaching it or by assignment, depending on the
-- * needs of the client. See the comments on that function
-- * for further information.
-+ * Regardless, if we're going to FREED state, that means
-+ * the system is shutting down and we don't need to
-+ * retain clients.
- */
-- if (client->pipeline_refs == NULL || pipeline_detach(client)) {
-- tcpquota_disconnect(client);
-- } else {
-- client->tcpquota = NULL;
-- client->tcpattached = false;
-+ if (client->mortal && TCP_CLIENT(client) &&
-+ client->newstate != NS_CLIENTSTATE_FREED &&
-+ !ns_g_clienttest &&
-+ isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
-+ {
-+ /* Nobody else is accepting */
-+ client->mortal = false;
-+ client->newstate = NS_CLIENTSTATE_READY;
-+ }
-+
-+ /*
-+ * Detach from TCP connection and TCP client quota,
-+ * if appropriate. If this is the last reference to
-+ * the TCP connection in our pipeline group, the
-+ * TCP quota slot will be released.
-+ */
-+ if (client->tcpconn) {
-+ tcpconn_detach(client);
- }
-
- if (client->tcpsocket != NULL) {
- CTRACE("closetcp");
- isc_socket_detach(&client->tcpsocket);
--
-- if (client->tcpactive) {
-- LOCK(&client->interface->lock);
-- INSIST(client->interface->ntcpactive > 0);
-- client->interface->ntcpactive--;
-- UNLOCK(&client->interface->lock);
-- client->tcpactive = false;
-- }
-+ mark_tcp_active(client, false);
- }
-
- if (client->timerset) {
-@@ -567,35 +587,6 @@ exit_check(ns_client_t *client) {
- client->peeraddr_valid = false;
-
- client->state = NS_CLIENTSTATE_READY;
-- INSIST(client->recursionquota == NULL);
--
-- /*
-- * Now the client is ready to accept a new TCP connection
-- * or UDP request, but we may have enough clients doing
-- * that already. Check whether this client needs to remain
-- * active and force it to go inactive if not.
-- *
-- * UDP clients go inactive at this point, but a TCP client
-- * may need to remain active and go into ready state if
-- * no other clients are available to listen for TCP
-- * requests on this interface or (in the case of pipelined
-- * clients) to read for additional messages on the current
-- * connection.
-- */
-- if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
-- LOCK(&client->interface->lock);
-- if ((client->interface->ntcpaccepting == 0 ||
-- (client->pipelined &&
-- client->interface->ntcpactive < 2)) &&
-- client->newstate != NS_CLIENTSTATE_FREED)
-- {
-- client->mortal = false;
-- client->newstate = NS_CLIENTSTATE_READY;
-- }
-- UNLOCK(&client->interface->lock);
-- }
--
-- client->pipelined = false;
-
- /*
- * We don't need the client; send it to the inactive
-@@ -630,7 +621,7 @@ exit_check(ns_client_t *client) {
- }
-
- /* Still waiting for accept cancel completion. */
-- if (! (client->naccepts == 0)) {
-+ if (client->naccepts > 0) {
- return (true);
- }
-
-@@ -641,7 +632,7 @@ exit_check(ns_client_t *client) {
- }
-
- /* Still waiting for recv cancel completion. */
-- if (! (client->nrecvs == 0)) {
-+ if (client->nrecvs > 0) {
- return (true);
- }
-
-@@ -654,14 +645,7 @@ exit_check(ns_client_t *client) {
- INSIST(client->recursionquota == NULL);
- if (client->tcplistener != NULL) {
- isc_socket_detach(&client->tcplistener);
--
-- if (client->tcpactive) {
-- LOCK(&client->interface->lock);
-- INSIST(client->interface->ntcpactive > 0);
-- client->interface->ntcpactive--;
-- UNLOCK(&client->interface->lock);
-- client->tcpactive = false;
-- }
-+ mark_tcp_active(client, false);
- }
- if (client->udpsocket != NULL) {
- isc_socket_detach(&client->udpsocket);
-@@ -816,7 +800,7 @@ client_start(isc_task_t *task, isc_event_t *event) {
- return;
-
- if (TCP_CLIENT(client)) {
-- if (client->pipelined) {
-+ if (client->tcpconn != NULL) {
- client_read(client);
- } else {
- client_accept(client);
-@@ -2470,6 +2454,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
- client->nrecvs--;
- } else {
- INSIST(TCP_CLIENT(client));
-+ INSIST(client->tcpconn != NULL);
- REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
- REQUIRE(event->ev_sender == &client->tcpmsg);
- buffer = &client->tcpmsg.buffer;
-@@ -2657,17 +2642,19 @@ client_request(isc_task_t *task, isc_event_t *event) {
- /*
- * Pipeline TCP query processing.
- */
-- if (client->message->opcode != dns_opcode_query) {
-- client->pipelined = false;
-+ if (TCP_CLIENT(client) &&
-+ client->message->opcode != dns_opcode_query)
-+ {
-+ client->tcpconn->pipelined = false;
- }
-- if (TCP_CLIENT(client) && client->pipelined) {
-+ if (TCP_CLIENT(client) && client->tcpconn->pipelined) {
- /*
- * We're pipelining. Replace the client; the
-- * the replacement can read the TCP socket looking
-- * for new messages and this client can process the
-+ * replacement can read the TCP socket looking
-+ * for new messages and this one can process the
- * current message asynchronously.
- *
-- * There are now at least three clients using this
-+ * There will now be at least three clients using this
- * TCP socket - one accepting new connections,
- * one reading an existing connection to get new
- * messages, and one answering the message already
-@@ -2675,7 +2662,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
- */
- result = ns_client_replace(client);
- if (result != ISC_R_SUCCESS) {
-- client->pipelined = false;
-+ client->tcpconn->pipelined = false;
- }
- }
-
-@@ -3233,10 +3220,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
- client->signer = NULL;
- dns_name_init(&client->signername, NULL);
- client->mortal = false;
-- client->pipelined = false;
-- client->pipeline_refs = NULL;
-- client->tcpquota = NULL;
-- client->tcpattached = false;
-+ client->tcpconn = NULL;
- client->recursionquota = NULL;
- client->interface = NULL;
- client->peeraddr_valid = false;
-@@ -3341,9 +3325,10 @@ client_read(ns_client_t *client) {
-
- static void
- client_newconn(isc_task_t *task, isc_event_t *event) {
-+ isc_result_t result;
- ns_client_t *client = event->ev_arg;
- isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
-- isc_result_t result;
-+ uint32_t old;
-
- REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
- REQUIRE(NS_CLIENT_VALID(client));
-@@ -3363,10 +3348,8 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- INSIST(client->naccepts == 1);
- client->naccepts--;
-
-- LOCK(&client->interface->lock);
-- INSIST(client->interface->ntcpaccepting > 0);
-- client->interface->ntcpaccepting--;
-- UNLOCK(&client->interface->lock);
-+ old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
-+ INSIST(old > 0);
-
- /*
- * We must take ownership of the new socket before the exit
-@@ -3399,7 +3382,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "accept failed: %s",
- isc_result_totext(nevent->result));
-- tcpquota_disconnect(client);
-+ tcpconn_detach(client);
- }
-
- if (exit_check(client))
-@@ -3437,15 +3420,13 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- * telnetting to port 53 (once per CPU) will
- * deny service to legitimate TCP clients.
- */
-- client->pipelined = false;
- result = ns_client_replace(client);
- if (result == ISC_R_SUCCESS &&
- (ns_g_server->keepresporder == NULL ||
- !allowed(&netaddr, NULL, NULL, 0, NULL,
- ns_g_server->keepresporder)))
- {
-- pipeline_init(client);
-- client->pipelined = true;
-+ client->tcpconn->pipelined = true;
- }
-
- client_read(client);
-@@ -3462,78 +3443,59 @@ client_accept(ns_client_t *client) {
- CTRACE("accept");
-
- /*
-- * The tcpquota object can only be simultaneously referenced a
-- * pre-defined number of times; this is configured by 'tcp-clients'
-- * in named.conf. If we can't attach to it here, that means the TCP
-- * client quota has been exceeded.
-+ * Set up a new TCP connection. This means try to attach to the
-+ * TCP client quota (tcp-clients), but fail if we're over quota.
- */
-- result = isc_quota_attach(&ns_g_server->tcpquota,
-- &client->tcpquota);
-+ result = tcpconn_init(client, false);
- if (result != ISC_R_SUCCESS) {
-- bool exit;
-+ bool exit;
-
-- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
-- "no more TCP clients: %s",
-- isc_result_totext(result));
--
-- /*
-- * We have exceeded the system-wide TCP client
-- * quota. But, we can't just block this accept
-- * in all cases, because if we did, a heavy TCP
-- * load on other interfaces might cause this
-- * interface to be starved, with no clients able
-- * to accept new connections.
-- *
-- * So, we check here to see if any other clients
-- * are already servicing TCP queries on this
-- * interface (whether accepting, reading, or
-- * processing). If there are at least two
-- * (one reading and one processing a request)
-- * then it's okay *not* to call accept - we
-- * can let this client go inactive and another
-- * one will resume accepting when it's done.
-- *
-- * If there aren't enough active clients on the
-- * interface, then we can be a little bit
-- * flexible about the quota. We'll allow *one*
-- * extra client through to ensure we're listening
-- * on every interface.
-- *
-- * (Note: In practice this means that the real
-- * TCP client quota is tcp-clients plus the
-- * number of listening interfaces plus 2.)
-- */
-- LOCK(&client->interface->lock);
-- exit = (client->interface->ntcpactive > 1);
-- UNLOCK(&client->interface->lock);
-+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-+ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
-+ "TCP client quota reached: %s",
-+ isc_result_totext(result));
-
-- if (exit) {
-- client->newstate = NS_CLIENTSTATE_INACTIVE;
-- (void)exit_check(client);
-- return;
-- }
-+ /*
-+ * We have exceeded the system-wide TCP client quota. But,
-+ * we can't just block this accept in all cases, because if
-+ * we did, a heavy TCP load on other interfaces might cause
-+ * this interface to be starved, with no clients able to
-+ * accept new connections.
-+ *
-+ * So, we check here to see if any other clients are
-+ * already servicing TCP queries on this interface (whether
-+ * accepting, reading, or processing). If we find at least
-+ * one, then it's okay *not* to call accept - we can let this
-+ * client go inactive and another will take over when it's
-+ * done.
-+ *
-+ * If there aren't enough active clients on the interface,
-+ * then we can be a little bit flexible about the quota.
-+ * We'll allow *one* extra client through to ensure we're
-+ * listening on every interface; we do this by setting the
-+ * 'force' option to tcpconn_init().
-+ *
-+ * (Note: In practice this means that the real TCP client
-+ * quota is tcp-clients plus the number of listening
-+ * interfaces plus 1.)
-+ */
-+ exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > 0);
-+ if (exit) {
-+ client->newstate = NS_CLIENTSTATE_INACTIVE;
-+ (void)exit_check(client);
-+ return;
-+ }
-
-- } else {
-- client->tcpattached = true;
-+ result = tcpconn_init(client, true);
-+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
- }
-
- /*
-- * By incrementing the interface's ntcpactive counter we signal
-- * that there is at least one client servicing TCP queries for the
-- * interface.
-- *
-- * We also make note of the fact in the client itself with the
-- * tcpactive flag. This ensures proper accounting by preventing
-- * us from accidentally incrementing or decrementing ntcpactive
-- * more than once per client object.
-+ * If this client was set up using get_client() or get_worker(),
-+ * then TCP is already marked active. However, if it was restarted
-+ * from exit_check(), it might not be, so we take care of it now.
- */
-- if (!client->tcpactive) {
-- LOCK(&client->interface->lock);
-- client->interface->ntcpactive++;
-- UNLOCK(&client->interface->lock);
-- client->tcpactive = true;
-- }
-+ mark_tcp_active(client, true);
-
- result = isc_socket_accept(client->tcplistener, client->task,
- client_newconn, client);
-@@ -3549,15 +3511,8 @@ client_accept(ns_client_t *client) {
- "isc_socket_accept() failed: %s",
- isc_result_totext(result));
-
-- tcpquota_disconnect(client);
--
-- if (client->tcpactive) {
-- LOCK(&client->interface->lock);
-- client->interface->ntcpactive--;
-- UNLOCK(&client->interface->lock);
-- client->tcpactive = false;
-- }
--
-+ tcpconn_detach(client);
-+ mark_tcp_active(client, false);
- return;
- }
-
-@@ -3582,9 +3537,7 @@ client_accept(ns_client_t *client) {
- * listening for connections itself to prevent the interface
- * going dead.
- */
-- LOCK(&client->interface->lock);
-- client->interface->ntcpaccepting++;
-- UNLOCK(&client->interface->lock);
-+ isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
- }
-
- static void
-@@ -3655,24 +3608,25 @@ ns_client_replace(ns_client_t *client) {
- REQUIRE(client->manager != NULL);
-
- tcp = TCP_CLIENT(client);
-- if (tcp && client->pipelined) {
-+ if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) {
- result = get_worker(client->manager, client->interface,
- client->tcpsocket, client);
- } else {
- result = get_client(client->manager, client->interface,
-- client->dispatch, client, tcp);
-+ client->dispatch, tcp);
-
-- /*
-- * The responsibility for listening for new requests is hereby
-- * transferred to the new client. Therefore, the old client
-- * should refrain from listening for any more requests.
-- */
-- client->mortal = true;
- }
- if (result != ISC_R_SUCCESS) {
- return (result);
- }
-
-+ /*
-+ * The responsibility for listening for new requests is hereby
-+ * transferred to the new client. Therefore, the old client
-+ * should refrain from listening for any more requests.
-+ */
-+ client->mortal = true;
-+
- return (ISC_R_SUCCESS);
- }
-
-@@ -3806,7 +3760,7 @@ ns_clientmgr_destroy(ns_clientmgr_t **managerp) {
-
- static isc_result_t
- get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
-- dns_dispatch_t *disp, ns_client_t *oldclient, bool tcp)
-+ dns_dispatch_t *disp, bool tcp)
- {
- isc_result_t result = ISC_R_SUCCESS;
- isc_event_t *ev;
-@@ -3850,15 +3804,7 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
- client->dscp = ifp->dscp;
-
- if (tcp) {
-- client->tcpattached = false;
-- if (oldclient != NULL) {
-- client->tcpattached = oldclient->tcpattached;
-- }
--
-- LOCK(&client->interface->lock);
-- client->interface->ntcpactive++;
-- UNLOCK(&client->interface->lock);
-- client->tcpactive = true;
-+ mark_tcp_active(client, true);
-
- client->attributes |= NS_CLIENTATTR_TCP;
- isc_socket_attach(ifp->tcpsocket,
-@@ -3923,16 +3869,14 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
- ns_interface_attach(ifp, &client->interface);
- client->newstate = client->state = NS_CLIENTSTATE_WORKING;
- INSIST(client->recursionquota == NULL);
-- client->tcpquota = &ns_g_server->tcpquota;
-- client->tcpattached = oldclient->tcpattached;
-
- client->dscp = ifp->dscp;
-
- client->attributes |= NS_CLIENTATTR_TCP;
- client->mortal = true;
-
-- pipeline_attach(oldclient, client);
-- client->pipelined = true;
-+ tcpconn_attach(oldclient, client);
-+ mark_tcp_active(client, true);
-
- isc_socket_attach(ifp->tcpsocket, &client->tcplistener);
- isc_socket_attach(sock, &client->tcpsocket);
-@@ -3940,11 +3884,6 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
- (void)isc_socket_getpeername(client->tcpsocket, &client->peeraddr);
- client->peeraddr_valid = true;
-
-- LOCK(&client->interface->lock);
-- client->interface->ntcpactive++;
-- UNLOCK(&client->interface->lock);
-- client->tcpactive = true;
--
- INSIST(client->tcpmsg_valid == false);
- dns_tcpmsg_init(client->mctx, client->tcpsocket, &client->tcpmsg);
- client->tcpmsg_valid = true;
-@@ -3970,8 +3909,7 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
- MTRACE("createclients");
-
- for (disp = 0; disp < n; disp++) {
-- result = get_client(manager, ifp, ifp->udpdispatch[disp],
-- NULL, tcp);
-+ result = get_client(manager, ifp, ifp->udpdispatch[disp], tcp);
- if (result != ISC_R_SUCCESS)
- break;
- }
-diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
-index e2c40acd28..969ee4c08f 100644
---- a/bin/named/include/named/client.h
-+++ b/bin/named/include/named/client.h
-@@ -78,6 +78,13 @@
- *** Types
- ***/
-
-+/*% reference-counted TCP connection object */
-+typedef struct ns_tcpconn {
-+ isc_refcount_t refs;
-+ isc_quota_t *tcpquota;
-+ bool pipelined;
-+} ns_tcpconn_t;
-+
- /*% nameserver client structure */
- struct ns_client {
- unsigned int magic;
-@@ -131,10 +138,7 @@ struct ns_client {
- dns_name_t signername; /*%< [T]SIG key name */
- dns_name_t *signer; /*%< NULL if not valid sig */
- bool mortal; /*%< Die after handling request */
-- bool pipelined; /*%< TCP queries not in sequence */
-- isc_refcount_t *pipeline_refs;
-- isc_quota_t *tcpquota;
-- bool tcpattached;
-+ ns_tcpconn_t *tcpconn;
- isc_quota_t *recursionquota;
- ns_interface_t *interface;
-
-diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
-index 61b08826a6..3535ef22a8 100644
---- a/bin/named/include/named/interfacemgr.h
-+++ b/bin/named/include/named/interfacemgr.h
-@@ -9,8 +9,6 @@
- * information regarding copyright ownership.
- */
-
--/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */
--
- #ifndef NAMED_INTERFACEMGR_H
- #define NAMED_INTERFACEMGR_H 1
-
-@@ -77,11 +75,11 @@ struct ns_interface {
- /*%< UDP dispatchers. */
- isc_socket_t * tcpsocket; /*%< TCP socket. */
- isc_dscp_t dscp; /*%< "listen-on" DSCP value */
-- int ntcpaccepting; /*%< Number of clients
-+ int32_t ntcpaccepting; /*%< Number of clients
- ready to accept new
- TCP connections on this
- interface */
-- int ntcpactive; /*%< Number of clients
-+ int32_t ntcpactive; /*%< Number of clients
- servicing TCP queries
- (whether accepting or
- connected) */
-diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
-index 955096ef47..d9f6df5802 100644
---- a/bin/named/interfacemgr.c
-+++ b/bin/named/interfacemgr.c
-@@ -388,6 +388,7 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
- */
- ifp->ntcpaccepting = 0;
- ifp->ntcpactive = 0;
-+
- ifp->nudpdispatch = 0;
-
- ifp->dscp = -1;
-diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h
-index b9bf59877a..36c5830242 100644
---- a/lib/isc/include/isc/quota.h
-+++ b/lib/isc/include/isc/quota.h
-@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
- * quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
- */
-
-+isc_result_t
-+isc_quota_force(isc_quota_t *quota, isc_quota_t **p);
-+/*%<
-+ * Like isc_quota_attach, but will attach '*p' to the quota
-+ * even if the hard quota has been exceeded.
-+ */
-+
- void
- isc_quota_detach(isc_quota_t **p);
- /*%<
-diff --git a/lib/isc/quota.c b/lib/isc/quota.c
-index 3ddff0d875..556a61f21d 100644
---- a/lib/isc/quota.c
-+++ b/lib/isc/quota.c
-@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) {
- UNLOCK("a->lock);
- }
-
--isc_result_t
--isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
--{
-+static isc_result_t
-+doattach(isc_quota_t *quota, isc_quota_t **p, bool force) {
- isc_result_t result;
-- INSIST(p != NULL && *p == NULL);
-+ REQUIRE(p != NULL && *p == NULL);
-+
- result = isc_quota_reserve(quota);
-- if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
-+ if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) {
-+ *p = quota;
-+ } else if (result == ISC_R_QUOTA && force) {
-+ /* attach anyway */
-+ LOCK("a->lock);
-+ quota->used++;
-+ UNLOCK("a->lock);
-+
- *p = quota;
-+ result = ISC_R_SUCCESS;
-+ }
-+
- return (result);
- }
-
-+isc_result_t
-+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) {
-+ return (doattach(quota, p, false));
-+}
-+
-+isc_result_t
-+isc_quota_force(isc_quota_t *quota, isc_quota_t **p) {
-+ return (doattach(quota, p, true));
-+}
-+
- void
--isc_quota_detach(isc_quota_t **p)
--{
-+isc_quota_detach(isc_quota_t **p) {
- INSIST(p != NULL && *p != NULL);
- isc_quota_release(*p);
- *p = NULL;
-diff --git a/lib/isc/win32/libisc.def.in b/lib/isc/win32/libisc.def.in
-index a82facec0f..7b9f23d776 100644
---- a/lib/isc/win32/libisc.def.in
-+++ b/lib/isc/win32/libisc.def.in
-@@ -519,6 +519,7 @@ isc_portset_removerange
- isc_quota_attach
- isc_quota_destroy
- isc_quota_detach
-+isc_quota_force
- isc_quota_init
- isc_quota_max
- isc_quota_release
---
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/0006-restore-allowance-for-tcp-clients-interfaces.patch b/meta/recipes-connectivity/bind/bind/0006-restore-allowance-for-tcp-clients-interfaces.patch
deleted file mode 100644
index 3821d18501..0000000000
--- a/meta/recipes-connectivity/bind/bind/0006-restore-allowance-for-tcp-clients-interfaces.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-Backport patch to fix CVE-2018-5743.
-
-Ref:
-https://security-tracker.debian.org/tracker/CVE-2018-5743
-
-CVE: CVE-2018-5743
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/59434b9]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 59434b987e8eb436b08c24e559ee094c4e939daa Mon Sep 17 00:00:00 2001
-From: Evan Hunt <each@isc.org>
-Date: Fri, 5 Apr 2019 16:26:19 -0700
-Subject: [PATCH 6/6] restore allowance for tcp-clients < interfaces
-
-in the "refactor tcpquota and pipeline refs" commit, the counting
-of active interfaces was tightened in such a way that named could
-fail to listen on an interface if there were more interfaces than
-tcp-clients. when checking the quota to start accepting on an
-interface, if the number of active clients was above zero, then
-it was presumed that some other client was able to handle accepting
-new connections. this, however, ignored the fact that the current client
-could be included in that count, so if the quota was already exceeded
-before all the interfaces were listening, some interfaces would never
-listen.
-
-we now check whether the current client has been marked active; if so,
-then the number of active clients on the interface must be greater
-than 1, not 0.
-
-(cherry picked from commit 0b4e2cd4c3192ba88569dd344f542a8cc43742b5)
-(cherry picked from commit d01023aaac35543daffbdf48464e320150235d41)
----
- bin/named/client.c | 8 +++++---
- doc/arm/Bv9ARM-book.xml | 3 ++-
- 2 files changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/bin/named/client.c b/bin/named/client.c
-index d826ab32bf..845326abc0 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -3464,8 +3464,9 @@ client_accept(ns_client_t *client) {
- *
- * So, we check here to see if any other clients are
- * already servicing TCP queries on this interface (whether
-- * accepting, reading, or processing). If we find at least
-- * one, then it's okay *not* to call accept - we can let this
-+ * accepting, reading, or processing). If we find that at
-+ * least one client other than this one is active, then
-+ * it's okay *not* to call accept - we can let this
- * client go inactive and another will take over when it's
- * done.
- *
-@@ -3479,7 +3480,8 @@ client_accept(ns_client_t *client) {
- * quota is tcp-clients plus the number of listening
- * interfaces plus 1.)
- */
-- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > 0);
-+ exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
-+ (client->tcpactive ? 1 : 0));
- if (exit) {
- client->newstate = NS_CLIENTSTATE_INACTIVE;
- (void)exit_check(client);
-diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
-index 381768d540..9c76d3cd6f 100644
---- a/doc/arm/Bv9ARM-book.xml
-+++ b/doc/arm/Bv9ARM-book.xml
-@@ -8493,7 +8493,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
- <para>
- The number of file descriptors reserved for TCP, stdio,
- etc. This needs to be big enough to cover the number of
-- interfaces <command>named</command> listens on, <command>tcp-clients</command> as well as
-+ interfaces <command>named</command> listens on plus
-+ <command>tcp-clients</command>, as well as
- to provide room for outgoing TCP queries and incoming zone
- transfers. The default is <literal>512</literal>.
- The minimum value is <literal>128</literal> and the
---
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/0007-Replace-atomic-operations-in-bin-named-client.c-with.patch b/meta/recipes-connectivity/bind/bind/0007-Replace-atomic-operations-in-bin-named-client.c-with.patch
deleted file mode 100644
index 1a84eca58a..0000000000
--- a/meta/recipes-connectivity/bind/bind/0007-Replace-atomic-operations-in-bin-named-client.c-with.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-Backport commit to fix compile error on arm caused by commits which are
-to fix CVE-2018-5743.
-
-CVE: CVE-2018-5743
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/ef49780]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From ef49780d30d3ddc5735cfc32561b678a634fa72f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
-Date: Wed, 17 Apr 2019 15:22:27 +0200
-Subject: [PATCH] Replace atomic operations in bin/named/client.c with
- isc_refcount reference counting
-
----
- bin/named/client.c | 18 +++++++-----------
- bin/named/include/named/interfacemgr.h | 5 +++--
- bin/named/interfacemgr.c | 7 +++++--
- 3 files changed, 15 insertions(+), 15 deletions(-)
-
-diff --git a/bin/named/client.c b/bin/named/client.c
-index 845326abc0..29fecadca8 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -402,12 +402,10 @@ tcpconn_detach(ns_client_t *client) {
- static void
- mark_tcp_active(ns_client_t *client, bool active) {
- if (active && !client->tcpactive) {
-- isc_atomic_xadd(&client->interface->ntcpactive, 1);
-+ isc_refcount_increment0(&client->interface->ntcpactive, NULL);
- client->tcpactive = active;
- } else if (!active && client->tcpactive) {
-- uint32_t old =
-- isc_atomic_xadd(&client->interface->ntcpactive, -1);
-- INSIST(old > 0);
-+ isc_refcount_decrement(&client->interface->ntcpactive, NULL);
- client->tcpactive = active;
- }
- }
-@@ -554,7 +552,7 @@ exit_check(ns_client_t *client) {
- if (client->mortal && TCP_CLIENT(client) &&
- client->newstate != NS_CLIENTSTATE_FREED &&
- !ns_g_clienttest &&
-- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
-+ isc_refcount_current(&client->interface->ntcpaccepting) == 0)
- {
- /* Nobody else is accepting */
- client->mortal = false;
-@@ -3328,7 +3326,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- isc_result_t result;
- ns_client_t *client = event->ev_arg;
- isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
-- uint32_t old;
-
- REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
- REQUIRE(NS_CLIENT_VALID(client));
-@@ -3348,8 +3345,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- INSIST(client->naccepts == 1);
- client->naccepts--;
-
-- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
-- INSIST(old > 0);
-+ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
-
- /*
- * We must take ownership of the new socket before the exit
-@@ -3480,8 +3476,8 @@ client_accept(ns_client_t *client) {
- * quota is tcp-clients plus the number of listening
- * interfaces plus 1.)
- */
-- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
-- (client->tcpactive ? 1 : 0));
-+ exit = (isc_refcount_current(&client->interface->ntcpactive) >
-+ (client->tcpactive ? 1U : 0U));
- if (exit) {
- client->newstate = NS_CLIENTSTATE_INACTIVE;
- (void)exit_check(client);
-@@ -3539,7 +3535,7 @@ client_accept(ns_client_t *client) {
- * listening for connections itself to prevent the interface
- * going dead.
- */
-- isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
-+ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
- }
-
- static void
-diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
-index 3535ef22a8..6e10f210fd 100644
---- a/bin/named/include/named/interfacemgr.h
-+++ b/bin/named/include/named/interfacemgr.h
-@@ -45,6 +45,7 @@
- #include <isc/magic.h>
- #include <isc/mem.h>
- #include <isc/socket.h>
-+#include <isc/refcount.h>
-
- #include <dns/result.h>
-
-@@ -75,11 +76,11 @@ struct ns_interface {
- /*%< UDP dispatchers. */
- isc_socket_t * tcpsocket; /*%< TCP socket. */
- isc_dscp_t dscp; /*%< "listen-on" DSCP value */
-- int32_t ntcpaccepting; /*%< Number of clients
-+ isc_refcount_t ntcpaccepting; /*%< Number of clients
- ready to accept new
- TCP connections on this
- interface */
-- int32_t ntcpactive; /*%< Number of clients
-+ isc_refcount_t ntcpactive; /*%< Number of clients
- servicing TCP queries
- (whether accepting or
- connected) */
-diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
-index d9f6df5802..135533be6b 100644
---- a/bin/named/interfacemgr.c
-+++ b/bin/named/interfacemgr.c
-@@ -386,8 +386,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
- * connections will be handled in parallel even though there is
- * only one client initially.
- */
-- ifp->ntcpaccepting = 0;
-- ifp->ntcpactive = 0;
-+ isc_refcount_init(&ifp->ntcpaccepting, 0);
-+ isc_refcount_init(&ifp->ntcpactive, 0);
-
- ifp->nudpdispatch = 0;
-
-@@ -618,6 +618,9 @@ ns_interface_destroy(ns_interface_t *ifp) {
-
- ns_interfacemgr_detach(&ifp->mgr);
-
-+ isc_refcount_destroy(&ifp->ntcpactive);
-+ isc_refcount_destroy(&ifp->ntcpaccepting);
-+
- ifp->magic = 0;
- isc_mem_put(mctx, ifp, sizeof(*ifp));
- }
---
-2.20.1
-
--git a/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
index 37e210e6da..84559e5f37 100644
--- a/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
+++ b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
@@ -1,4 +1,4 @@
-From 9473d29843579802e96b0293a3e953fed93de82c Mon Sep 17 00:00:00 2001
+From edda20fb5a6e88548f85e39d34d6c074306e15bc Mon Sep 17 00:00:00 2001
From: Paul Gortmaker <paul.gortmaker@windriver.com>
Date: Tue, 9 Jun 2015 11:22:00 -0400
Subject: [PATCH] bind: ensure searching for json headers searches sysroot
@@ -27,15 +27,16 @@ to make use of the combination some day.
Upstream-Status: Inappropriate [OE Specific]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
---
- configure.in | 2 +-
+ configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-Index: bind-9.11.3/configure.in
-===================================================================
---- bind-9.11.3.orig/configure.in
-+++ bind-9.11.3/configure.in
-@@ -2574,7 +2574,7 @@ case "$use_libjson" in
+diff --git a/configure.ac b/configure.ac
+index 17392fd..e85a5c6 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2449,7 +2449,7 @@ case "$use_libjson" in
libjson_libs=""
;;
auto|yes)
diff --git a/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb b/meta/recipes-connectivity/bind/bind_9.11.13.bb
similarity index 85%
rename from meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
rename to meta/recipes-connectivity/bind/bind_9.11.13.bb
index 68316e26ee..79275bb1ca 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.13.bb
@@ -15,25 +15,13 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://make-etc-initd-bind-stop-work.patch \
file://init.d-add-support-for-read-only-rootfs.patch \
file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
- file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \
- file://0001-lib-dns-gen.c-fix-too-long-error.patch \
file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
file://0001-avoid-start-failure-with-bind-user.patch \
- file://0001-bind-fix-CVE-2019-6471.patch \
- file://0001-fix-enforcement-of-tcp-clients-v1.patch \
- file://0002-tcp-clients-could-still-be-exceeded-v2.patch \
- file://0003-use-reference-counter-for-pipeline-groups-v3.patch \
- file://0004-better-tcpquota-accounting-and-client-mortality-chec.patch \
- file://0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch \
- file://0006-restore-allowance-for-tcp-clients-interfaces.patch \
- file://0007-Replace-atomic-operations-in-bin-named-client.c-with.patch \
- file://CVE-2020-8616.patch \
- file://CVE-2020-8617.patch \
-"
-
-SRC_URI[md5sum] = "8ddab4b61fa4516fe404679c74e37960"
-SRC_URI[sha256sum] = "7e8c08192bcbaeb6e9f2391a70e67583b027b90e8c4bc1605da6eb126edde434"
+ "
+
+SRC_URI[md5sum] = "17de0d024ab1eac377f1c2854dc25057"
+SRC_URI[sha256sum] = "fd3f3cc9fcfcdaa752db35eb24598afa1fdcc2509d3227fc90a8631b7b400f7d"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
# stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 14/32] bind: update to 9.11.19
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (12 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 13/32] bind: update 9.11.5-P4 -> 9.11.13 Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 15/32] perl: Fix host specific modules problems Anuj Mittal
` (18 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: akuster <akuster808@gmail.com>
Bug fix only updates.
suitable for Stable branch updates where applicable.
Drop CVE patches included in update
LIC_FILES_CHKSUM update copyright year to 2020
Full changes found at : https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_11/CHANGES
(From OE-Core rev: c672d2b6c98607f1fda917f4a3189a53712e8fc2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit a6ba66cf5e754cdcd41f01d233fbef7b94a10225)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../bind/bind/CVE-2020-8616.patch | 206 ------------------
.../bind/bind/CVE-2020-8617.patch | 29 ---
.../bind/{bind_9.11.13.bb => bind_9.11.19.bb} | 5 +-
3 files changed, 2 insertions(+), 238 deletions(-)
delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
rename meta/recipes-connectivity/bind/{bind_9.11.13.bb => bind_9.11.19.bb} (96%)
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
deleted file mode 100644
index 8f00231919..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8616.patch]
-CVE: CVE-2020-8616
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
----
-diff --git a/lib/dns/adb.c b/lib/dns/adb.c
-index 058495f6a5..6b8a9537f0 100644
---- a/lib/dns/adb.c
-+++ b/lib/dns/adb.c
-@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
- */
- #define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
- #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
--#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
-- != 0)
--#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \
-- != 0)
--#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
--#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
--#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
--#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
-+#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
-+#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
-+#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
-+#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
-+#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
-+#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
-+#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
-
- /*
- * These are currently used on simple unsigned ints, so they are
-@@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
- * Listen to negative cache hints, and don't start
- * another query.
- */
-- if (NCACHE_RESULT(result) || AUTH_NX(result))
-+ if (NCACHE_RESULT(result) || AUTH_NX(result)) {
- goto fetch;
-+ }
-
-- if (!NAME_FETCH_V6(adbname))
-+ if (!NAME_FETCH_V6(adbname)) {
- wanted_fetches |= DNS_ADBFIND_INET6;
-+ }
- }
-
- fetch:
- if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
- (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
-+ {
- have_address = true;
-- else
-+ } else {
- have_address = false;
-- if (wanted_fetches != 0 &&
-- ! (FIND_AVOIDFETCHES(find) && have_address)) {
-+ }
-+ if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
-+ !FIND_NOFETCH(find))
-+ {
- /*
- * We're missing at least one address family. Either the
- * caller hasn't instructed us to avoid fetches, or we don't
-@@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
- * be acceptable so we have to launch fetches.
- */
-
-- if (FIND_STARTATZONE(find))
-+ if (FIND_STARTATZONE(find)) {
- start_at_zone = true;
-+ }
-
- /*
- * Start V4.
-diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
-index 63a13c4e41..edf6e54935 100644
---- a/lib/dns/include/dns/adb.h
-+++ b/lib/dns/include/dns/adb.h
-@@ -207,6 +207,10 @@ struct dns_adbfind {
- * lame for this query.
- */
- #define DNS_ADBFIND_OVERQUOTA 0x00000400
-+/*%
-+ * Don't perform a fetch even if there are no address records available.
-+ */
-+#define DNS_ADBFIND_NOFETCH 0x00000800
-
- /*%
- * The answers to queries come back as a list of these.
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index 7c44478a26..0a40859d08 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -172,6 +172,14 @@
- #define DEFAULT_MAX_QUERIES 75
- #endif
-
-+/*
-+ * After NS_FAIL_LIMIT attempts to fetch a name server address,
-+ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
-+ * stop trying to fetch, in order to avoid wasting resources.
-+ */
-+#define NS_FAIL_LIMIT 4
-+#define NS_RR_LIMIT 5
-+
- /* Number of hash buckets for zone counters */
- #ifndef RES_DOMAIN_BUCKETS
- #define RES_DOMAIN_BUCKETS 523
-@@ -3130,8 +3138,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
- static void
- findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
- unsigned int options, unsigned int flags, isc_stdtime_t now,
-- bool *overquota, bool *need_alternate)
--{
-+ bool *overquota, bool *need_alternate, unsigned int *no_addresses) {
- dns_adbaddrinfo_t *ai;
- dns_adbfind_t *find;
- dns_resolver_t *res;
-@@ -3219,7 +3226,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
- find->result_v6 != DNS_R_NXDOMAIN) ||
- (res->dispatches6 == NULL &&
- find->result_v4 != DNS_R_NXDOMAIN)))
-+ {
- *need_alternate = true;
-+ }
-+ if (no_addresses != NULL) {
-+ (*no_addresses)++;
-+ }
- } else {
- if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
- if (overquota != NULL)
-@@ -3270,6 +3282,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
- dns_rdata_ns_t ns;
- bool need_alternate = false;
- bool all_spilled = true;
-+ unsigned int no_addresses = 0;
-
- FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
-
-@@ -3437,20 +3450,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
- * Extract the name from the NS record.
- */
- result = dns_rdata_tostruct(&rdata, &ns, NULL);
-- if (result != ISC_R_SUCCESS)
-+ if (result != ISC_R_SUCCESS) {
- continue;
-+ }
-
-- findname(fctx, &ns.name, 0, stdoptions, 0, now,
-- &overquota, &need_alternate);
-+ if (no_addresses > NS_FAIL_LIMIT &&
-+ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
-+ {
-+ stdoptions |= DNS_ADBFIND_NOFETCH;
-+ }
-+ findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
-+ &need_alternate, &no_addresses);
-
-- if (!overquota)
-+ if (!overquota) {
- all_spilled = false;
-+ }
-
- dns_rdata_reset(&rdata);
- dns_rdata_freestruct(&ns);
- }
-- if (result != ISC_R_NOMORE)
-+ if (result != ISC_R_NOMORE) {
- return (result);
-+ }
-
- /*
- * Do we need to use 6 to 4?
-@@ -3465,7 +3486,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
- if (!a->isaddress) {
- findname(fctx, &a->_u._n.name, a->_u._n.port,
- stdoptions, FCTX_ADDRINFO_FORWARDER,
-- now, NULL, NULL);
-+ now, NULL, NULL, NULL);
- continue;
- }
- if (isc_sockaddr_pf(&a->_u.addr) != family)
-@@ -3827,16 +3827,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
- }
- }
-
-- if (dns_name_countlabels(&fctx->domain) > 2) {
-- result = isc_counter_increment(fctx->qc);
-- if (result != ISC_R_SUCCESS) {
-- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-- DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
-- "exceeded max queries resolving '%s'",
-- fctx->info);
-- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-- return;
-- }
-+ result = isc_counter_increment(fctx->qc);
-+ if (result != ISC_R_SUCCESS) {
-+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
-+ "exceeded max queries resolving '%s'",
-+ fctx->info);
-+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-+ return;
- }
-
- bucketnum = fctx->bucketnum;
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
deleted file mode 100644
index d8769c45cc..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch]
-CVE: CVE-2020-8617
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
----
-diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
-index b597a18d49..6357a3a486 100644
---- a/lib/dns/tsig.c
-+++ b/lib/dns/tsig.c
-@@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
- goto cleanup_context;
- }
- msg->verified_sig = 1;
-- } else if (tsig.error != dns_tsigerror_badsig &&
-- tsig.error != dns_tsigerror_badkey) {
-+ } else if (!response || (tsig.error != dns_tsigerror_badsig &&
-+ tsig.error != dns_tsigerror_badkey))
-+ {
- tsig_log(msg->tsigkey, 2, "signature was empty");
- return (DNS_R_TSIGVERIFYFAILURE);
- }
-@@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
- }
- }
-
-- if (tsig.error != dns_rcode_noerror) {
-+ if (response && tsig.error != dns_rcode_noerror) {
- msg->tsigstatus = tsig.error;
- if (tsig.error == dns_tsigerror_badtime)
- ret = DNS_R_CLOCKSKEW;
diff --git a/meta/recipes-connectivity/bind/bind_9.11.13.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb
similarity index 96%
rename from meta/recipes-connectivity/bind/bind_9.11.13.bb
rename to meta/recipes-connectivity/bind/bind_9.11.19.bb
index 79275bb1ca..a77be8678f 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.13.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.isc.org/sw/bind/"
SECTION = "console/network"
LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=8f17f64e47e83b60cd920a1e4b54419e"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45"
DEPENDS = "openssl libcap zlib"
@@ -20,8 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://0001-avoid-start-failure-with-bind-user.patch \
"
-SRC_URI[md5sum] = "17de0d024ab1eac377f1c2854dc25057"
-SRC_URI[sha256sum] = "fd3f3cc9fcfcdaa752db35eb24598afa1fdcc2509d3227fc90a8631b7b400f7d"
+SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
# stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 15/32] perl: Fix host specific modules problems
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (13 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 14/32] bind: update to 9.11.19 Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 16/32] dbus: fix CVE-2020-12049 Anuj Mittal
` (17 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
We were seeing a ton of empty perl modules being created such as
"perl-module-x86-64-linux-encoding" where the name would include
${TARGET_ARCH}-linux. These files were already being filtered in an
earlier do_split_packages() expression so exclude them from the latter
one to remove the pointless empty modules in PACKAGES.
This doesn't explain why some were not deterministic but will recude
the do_package execution time and clean up the build directories
at the very least.
(From OE-Core rev: 5aaf9d3a748cbad17a4a3e5d9715ac2f289b007d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9f1a959d9831f43dda656e3b0c4d059db3363877)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-devtools/perl/perl_5.30.1.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/perl/perl_5.30.1.bb b/meta/recipes-devtools/perl/perl_5.30.1.bb
index 32746c7095..149885f692 100644
--- a/meta/recipes-devtools/perl/perl_5.30.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.30.1.bb
@@ -271,7 +271,7 @@ python split_perl_packages () {
do_split_packages(d, libdir, r'Module/([^\/]*)\.pm', '${PN}-module-%s', 'perl module %s', recursive=True, allow_dirs=False, match_path=True, prepend=False)
do_split_packages(d, libdir, r'Module/([^\/]*)/.*', '${PN}-module-%s', 'perl module %s', recursive=True, allow_dirs=False, match_path=True, prepend=False)
do_split_packages(d, libdir, r'.*linux/([^\/].*)\.(pm|pl|e2x)', '${PN}-module-%s', 'perl module %s', recursive=True, allow_dirs=False, match_path=True, prepend=False)
- do_split_packages(d, libdir, r'(^(?!(CPAN\/|CPANPLUS\/|Module\/|unicore\/)[^\/]).*)\.(pm|pl|e2x)', '${PN}-module-%s', 'perl module %s', recursive=True, allow_dirs=False, match_path=True, prepend=False)
+ do_split_packages(d, libdir, r'(^(?!(CPAN\/|CPANPLUS\/|Module\/|unicore\/|.*linux\/)[^\/]).*)\.(pm|pl|e2x)', '${PN}-module-%s', 'perl module %s', recursive=True, allow_dirs=False, match_path=True, prepend=False)
# perl-modules should recommend every perl module, and only the
# modules. Don't attempt to use the result of do_split_packages() as some
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 16/32] dbus: fix CVE-2020-12049
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (14 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 15/32] perl: Fix host specific modules problems Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 17/32] perl: fix CVE-2020-10543 & CVE-2020-10878 Anuj Mittal
` (16 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
(From OE-Core rev: 3f69946c6159fa359bc5800ee72ef6151d9ecd36)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../dbus/dbus/CVE-2020-12049.patch | 78 +++++++++++++++++++
meta/recipes-core/dbus/dbus_1.12.16.bb | 1 +
2 files changed, 79 insertions(+)
create mode 100644 meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
diff --git a/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch b/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
new file mode 100644
index 0000000000..ac7a4b7a71
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
@@ -0,0 +1,78 @@
+From 872b085f12f56da25a2dbd9bd0b2dff31d5aea63 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Thu, 16 Apr 2020 14:45:11 +0100
+Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
+
+MSG_CTRUNC indicates that we have received fewer fds that we should
+have done because the buffer was too small, but we were treating it
+as though it indicated that we received *no* fds. If we received any,
+we still have to make sure we close them, otherwise they will be leaked.
+
+On the system bus, if an attacker can induce us to leak fds in this
+way, that's a local denial of service via resource exhaustion.
+
+Reported-by: Kevin Backhouse, GitHub Security Lab
+Fixes: dbus#294
+Fixes: CVE-2020-12049
+Fixes: GHSL-2020-057
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/872b085f12f56da25a2dbd9bd0b2dff31d5aea63]
+CVE: CVE-2020-12049
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+index b5fc2466..b176dae1 100644
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
+ struct cmsghdr *cm;
+ dbus_bool_t found = FALSE;
+
+- if (m.msg_flags & MSG_CTRUNC)
+- {
+- /* Hmm, apparently the control data was truncated. The bad
+- thing is that we might have completely lost a couple of fds
+- without chance to recover them. Hence let's treat this as a
+- serious error. */
+-
+- errno = ENOSPC;
+- _dbus_string_set_length (buffer, start);
+- return -1;
+- }
+-
+ for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
+ if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
+ {
+@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
+ if (!found)
+ *n_fds = 0;
+
++ if (m.msg_flags & MSG_CTRUNC)
++ {
++ unsigned int i;
++
++ /* Hmm, apparently the control data was truncated. The bad
++ thing is that we might have completely lost a couple of fds
++ without chance to recover them. Hence let's treat this as a
++ serious error. */
++
++ /* We still need to close whatever fds we *did* receive,
++ * otherwise they'll never get closed. (CVE-2020-12049) */
++ for (i = 0; i < *n_fds; i++)
++ close (fds[i]);
++
++ *n_fds = 0;
++ errno = ENOSPC;
++ _dbus_string_set_length (buffer, start);
++ return -1;
++ }
++
+ /* put length back (doesn't actually realloc) */
+ _dbus_string_set_length (buffer, start + bytes_read);
+
+--
+2.25.1
+
diff --git a/meta/recipes-core/dbus/dbus_1.12.16.bb b/meta/recipes-core/dbus/dbus_1.12.16.bb
index cfdbec09d0..92508cbeb8 100644
--- a/meta/recipes-core/dbus/dbus_1.12.16.bb
+++ b/meta/recipes-core/dbus/dbus_1.12.16.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
file://tmpdir.patch \
file://dbus-1.init \
file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+ file://CVE-2020-12049.patch \
"
SRC_URI[md5sum] = "2dbeae80dfc9e3632320c6a53d5e8890"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 17/32] perl: fix CVE-2020-10543 & CVE-2020-10878
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (15 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 16/32] dbus: fix CVE-2020-12049 Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 18/32] wpa-supplicant: Security fix CVE-2020-12695 Anuj Mittal
` (15 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
(From OE-Core rev: d9c5d9c52eb1f03ff9c907a76dda31042fb26edb)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../perl/files/CVE-2020-10543.patch | 36 +++++
.../perl/files/CVE-2020-10878_1.patch | 152 ++++++++++++++++++
.../perl/files/CVE-2020-10878_2.patch | 36 +++++
meta/recipes-devtools/perl/perl_5.30.1.bb | 3 +
4 files changed, 227 insertions(+)
create mode 100644 meta/recipes-devtools/perl/files/CVE-2020-10543.patch
create mode 100644 meta/recipes-devtools/perl/files/CVE-2020-10878_1.patch
create mode 100644 meta/recipes-devtools/perl/files/CVE-2020-10878_2.patch
diff --git a/meta/recipes-devtools/perl/files/CVE-2020-10543.patch b/meta/recipes-devtools/perl/files/CVE-2020-10543.patch
new file mode 100644
index 0000000000..36dff0aac9
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2020-10543.patch
@@ -0,0 +1,36 @@
+From 897d1f7fd515b828e4b198d8b8bef76c6faf03ed Mon Sep 17 00:00:00 2001
+From: John Lightsey <jd@cpanel.net>
+Date: Wed, 20 Nov 2019 20:02:45 -0600
+Subject: [PATCH] regcomp.c: Prevent integer overflow from nested regex
+ quantifiers.
+
+(CVE-2020-10543) On 32bit systems the size calculations for nested regular
+expression quantifiers could overflow causing heap memory corruption.
+
+Fixes: Perl/perl5-security#125
+(cherry picked from commit bfd31397db5dc1a5c5d3e0a1f753a4f89a736e71)
+
+Upstream-Status: Backport [https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed]
+CVE: CVE-2020-10543
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ regcomp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/regcomp.c b/regcomp.c
+index 93c8d98fbb0..5f86be8086d 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -5489,6 +5489,12 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ RExC_precomp)));
+ }
+
++ if ( ( minnext > 0 && mincount >= SSize_t_MAX / minnext )
++ || min >= SSize_t_MAX - minnext * mincount )
++ {
++ FAIL("Regexp out of space");
++ }
++
+ min += minnext * mincount;
+ is_inf_internal |= deltanext == SSize_t_MAX
+ || (maxcount == REG_INFTY && minnext + deltanext > 0);
diff --git a/meta/recipes-devtools/perl/files/CVE-2020-10878_1.patch b/meta/recipes-devtools/perl/files/CVE-2020-10878_1.patch
new file mode 100644
index 0000000000..b86085a551
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2020-10878_1.patch
@@ -0,0 +1,152 @@
+From 0a320d753fe7fca03df259a4dfd8e641e51edaa8 Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden <hv@crypt.org>
+Date: Tue, 18 Feb 2020 13:51:16 +0000
+Subject: [PATCH] study_chunk: extract rck_elide_nothing
+
+(CVE-2020-10878)
+
+(cherry picked from commit 93dee06613d4e1428fb10905ce1c3c96f53113dc)
+
+Upstream-Status: Backport [https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8]
+CVE: CVE-2020-10878
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ embed.fnc | 1 +
+ embed.h | 1 +
+ proto.h | 3 +++
+ regcomp.c | 70 ++++++++++++++++++++++++++++++++++---------------------
+ 4 files changed, 48 insertions(+), 27 deletions(-)
+
+diff --git a/embed.fnc b/embed.fnc
+index aedb4baef19..d7cd04d3fc3 100644
+--- a/embed.fnc
++++ b/embed.fnc
+@@ -2481,6 +2481,7 @@ Es |SSize_t|study_chunk |NN RExC_state_t *pRExC_state \
+ |I32 stopparen|U32 recursed_depth \
+ |NULLOK regnode_ssc *and_withp \
+ |U32 flags|U32 depth
++Es |void |rck_elide_nothing|NN regnode *node
+ EsR |SV * |get_ANYOFM_contents|NN const regnode * n
+ EsRn |U32 |add_data |NN RExC_state_t* const pRExC_state \
+ |NN const char* const s|const U32 n
+diff --git a/embed.h b/embed.h
+index 75c91f77f45..356a8b98d96 100644
+--- a/embed.h
++++ b/embed.h
+@@ -1208,6 +1208,7 @@
+ #define parse_lparen_question_flags(a) S_parse_lparen_question_flags(aTHX_ a)
+ #define parse_uniprop_string(a,b,c,d,e,f,g,h,i) Perl_parse_uniprop_string(aTHX_ a,b,c,d,e,f,g,h,i)
+ #define populate_ANYOF_from_invlist(a,b) S_populate_ANYOF_from_invlist(aTHX_ a,b)
++#define rck_elide_nothing(a) S_rck_elide_nothing(aTHX_ a)
+ #define reg(a,b,c,d) S_reg(aTHX_ a,b,c,d)
+ #define reg2Lanode(a,b,c,d) S_reg2Lanode(aTHX_ a,b,c,d)
+ #define reg_node(a,b) S_reg_node(aTHX_ a,b)
+diff --git a/proto.h b/proto.h
+index 141ddbaee6d..f316fe134e1 100644
+--- a/proto.h
++++ b/proto.h
+@@ -5543,6 +5543,9 @@ PERL_CALLCONV SV * Perl_parse_uniprop_string(pTHX_ const char * const name, cons
+ STATIC void S_populate_ANYOF_from_invlist(pTHX_ regnode *node, SV** invlist_ptr);
+ #define PERL_ARGS_ASSERT_POPULATE_ANYOF_FROM_INVLIST \
+ assert(node); assert(invlist_ptr)
++STATIC void S_rck_elide_nothing(pTHX_ regnode *node);
++#define PERL_ARGS_ASSERT_RCK_ELIDE_NOTHING \
++ assert(node)
+ PERL_STATIC_NO_RET void S_re_croak2(pTHX_ bool utf8, const char* pat1, const char* pat2, ...)
+ __attribute__noreturn__;
+ #define PERL_ARGS_ASSERT_RE_CROAK2 \
+diff --git a/regcomp.c b/regcomp.c
+index 5f86be8086d..4ba2980db66 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -4450,6 +4450,44 @@ S_unwind_scan_frames(pTHX_ const void *p)
+ } while (f);
+ }
+
++/* Follow the next-chain of the current node and optimize away
++ all the NOTHINGs from it.
++ */
++STATIC void
++S_rck_elide_nothing(pTHX_ regnode *node)
++{
++ dVAR;
++
++ PERL_ARGS_ASSERT_RCK_ELIDE_NOTHING;
++
++ if (OP(node) != CURLYX) {
++ const int max = (reg_off_by_arg[OP(node)]
++ ? I32_MAX
++ /* I32 may be smaller than U16 on CRAYs! */
++ : (I32_MAX < U16_MAX ? I32_MAX : U16_MAX));
++ int off = (reg_off_by_arg[OP(node)] ? ARG(node) : NEXT_OFF(node));
++ int noff;
++ regnode *n = node;
++
++ /* Skip NOTHING and LONGJMP. */
++ while (
++ (n = regnext(n))
++ && (
++ (PL_regkind[OP(n)] == NOTHING && (noff = NEXT_OFF(n)))
++ || ((OP(n) == LONGJMP) && (noff = ARG(n)))
++ )
++ && off + noff < max
++ ) {
++ off += noff;
++ }
++ if (reg_off_by_arg[OP(node)])
++ ARG(node) = off;
++ else
++ NEXT_OFF(node) = off;
++ }
++ return;
++}
++
+ /* the return from this sub is the minimum length that could possibly match */
+ STATIC SSize_t
+ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+@@ -4550,28 +4588,10 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+ */
+ JOIN_EXACT(scan,&min_subtract, &unfolded_multi_char, 0);
+
+- /* Follow the next-chain of the current node and optimize
+- away all the NOTHINGs from it. */
+- if (OP(scan) != CURLYX) {
+- const int max = (reg_off_by_arg[OP(scan)]
+- ? I32_MAX
+- /* I32 may be smaller than U16 on CRAYs! */
+- : (I32_MAX < U16_MAX ? I32_MAX : U16_MAX));
+- int off = (reg_off_by_arg[OP(scan)] ? ARG(scan) : NEXT_OFF(scan));
+- int noff;
+- regnode *n = scan;
+-
+- /* Skip NOTHING and LONGJMP. */
+- while ((n = regnext(n))
+- && ((PL_regkind[OP(n)] == NOTHING && (noff = NEXT_OFF(n)))
+- || ((OP(n) == LONGJMP) && (noff = ARG(n))))
+- && off + noff < max)
+- off += noff;
+- if (reg_off_by_arg[OP(scan)])
+- ARG(scan) = off;
+- else
+- NEXT_OFF(scan) = off;
+- }
++ /* Follow the next-chain of the current node and optimize
++ away all the NOTHINGs from it.
++ */
++ rck_elide_nothing(scan);
+
+ /* The principal pseudo-switch. Cannot be a switch, since we
+ look into several different things. */
+@@ -5745,11 +5765,7 @@ Perl_re_printf( aTHX_ "LHS=%" UVuf " RHS=%" UVuf "\n",
+ if (data && (fl & SF_HAS_EVAL))
+ data->flags |= SF_HAS_EVAL;
+ optimize_curly_tail:
+- if (OP(oscan) != CURLYX) {
+- while (PL_regkind[OP(next = regnext(oscan))] == NOTHING
+- && NEXT_OFF(next))
+- NEXT_OFF(oscan) += NEXT_OFF(next);
+- }
++ rck_elide_nothing(oscan);
+ continue;
+
+ default:
diff --git a/meta/recipes-devtools/perl/files/CVE-2020-10878_2.patch b/meta/recipes-devtools/perl/files/CVE-2020-10878_2.patch
new file mode 100644
index 0000000000..0bacd6b192
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2020-10878_2.patch
@@ -0,0 +1,36 @@
+From 3295b48defa0f8570114877b063fe546dd348b3c Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Thu, 20 Feb 2020 17:49:36 +0000
+Subject: [PATCH] regcomp: use long jumps if there is any possibility of
+ overflow
+
+(CVE-2020-10878) Be conservative for backporting, we'll aim to do
+something more aggressive for bleadperl.
+
+(cherry picked from commit 9d7759db46f3b31b1d3f79c44266b6ba42a47fc6)
+
+Upstream-Status: Backport [https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c]
+CVE: CVE-2020-10878
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ regcomp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/regcomp.c b/regcomp.c
+index 4ba2980db66..73c35a67020 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -7762,6 +7762,13 @@ Perl_re_op_compile(pTHX_ SV ** const patternp, int pat_count,
+
+ /* We have that number in RExC_npar */
+ RExC_total_parens = RExC_npar;
++
++ /* XXX For backporting, use long jumps if there is any possibility of
++ * overflow */
++ if (RExC_size > U16_MAX && ! RExC_use_BRANCHJ) {
++ RExC_use_BRANCHJ = TRUE;
++ flags |= RESTART_PARSE;
++ }
+ }
+ else if (! MUST_RESTART(flags)) {
+ ReREFCNT_dec(Rx);
diff --git a/meta/recipes-devtools/perl/perl_5.30.1.bb b/meta/recipes-devtools/perl/perl_5.30.1.bb
index 149885f692..b633acfcea 100644
--- a/meta/recipes-devtools/perl/perl_5.30.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.30.1.bb
@@ -23,6 +23,9 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
file://0001-tests-adjust-to-correctly-exclude-unbuilt-extensions.patch \
file://determinism.patch \
file://racefix.patch \
+ file://CVE-2020-10543.patch \
+ file://CVE-2020-10878_1.patch \
+ file://CVE-2020-10878_2.patch \
"
SRC_URI_append_class-native = " \
file://perl-configpm-switch.patch \
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 18/32] wpa-supplicant: Security fix CVE-2020-12695
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (16 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 17/32] perl: fix CVE-2020-10543 & CVE-2020-10878 Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 19/32] systemd: fix CVE-2020-13776 Anuj Mittal
` (14 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: http://w1.fi/security/
Disposition: Backport from http://w1.fi/security/2020-1/
Affects <= 2.9 wpa-supplicant
(From OE-Core rev: 720d29cbfce34375402c6a4c17e440ffbb2659bf)
Signed-off-by: Armin Kuster <akuster@mvista.com>
(cherry picked from commit e9c696397ae1b4344b8329a13076f265980ee74d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
...allow-event-subscriptions-with-URLs-.patch | 151 ++++++++++++++++++
...nt-message-generation-using-a-long-U.patch | 62 +++++++
...HTTP-initiation-failures-for-events-.patch | 50 ++++++
.../wpa-supplicant/wpa-supplicant_2.9.bb | 5 +-
4 files changed, 267 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
new file mode 100644
index 0000000000..53ad5d028a
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
@@ -0,0 +1,151 @@
+From 5b78c8f961f25f4dc22d6f2b77ddd06d712cec63 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 3 Jun 2020 23:17:35 +0300
+Subject: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to
+ other networks
+
+The UPnP Device Architecture 2.0 specification errata ("UDA errata
+16-04-2020.docx") addresses a problem with notifications being allowed
+to go out to other domains by disallowing such cases. Do such filtering
+for the notification callback URLs to avoid undesired connections to
+external networks based on subscriptions that any device in the local
+network could request when WPS support for external registrars is
+enabled (the upnp_iface parameter in hostapd configuration).
+
+Upstream-Status: Backport
+CVE: CVE-2020-12695 patch #1
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/wps/wps_er.c | 2 +-
+ src/wps/wps_upnp.c | 38 ++++++++++++++++++++++++++++++++++++--
+ src/wps/wps_upnp_i.h | 3 ++-
+ 3 files changed, 39 insertions(+), 4 deletions(-)
+
+Index: wpa_supplicant-2.9/src/wps/wps_er.c
+===================================================================
+--- wpa_supplicant-2.9.orig/src/wps/wps_er.c
++++ wpa_supplicant-2.9/src/wps/wps_er.c
+@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, con
+ "with %s", filter);
+ }
+ if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text,
+- er->mac_addr)) {
++ NULL, er->mac_addr)) {
+ wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
+ "for %s. Does it have IP address?", er->ifname);
+ wps_er_deinit(er, NULL, NULL);
+Index: wpa_supplicant-2.9/src/wps/wps_upnp.c
+===================================================================
+--- wpa_supplicant-2.9.orig/src/wps/wps_upnp.c
++++ wpa_supplicant-2.9/src/wps/wps_upnp.c
+@@ -303,6 +303,14 @@ static void subscr_addr_free_all(struct
+ }
+
+
++static int local_network_addr(struct upnp_wps_device_sm *sm,
++ struct sockaddr_in *addr)
++{
++ return (addr->sin_addr.s_addr & sm->netmask.s_addr) ==
++ (sm->ip_addr & sm->netmask.s_addr);
++}
++
++
+ /* subscr_addr_add_url -- add address(es) for one url to subscription */
+ static void subscr_addr_add_url(struct subscription *s, const char *url,
+ size_t url_len)
+@@ -381,6 +389,7 @@ static void subscr_addr_add_url(struct s
+
+ for (rp = result; rp; rp = rp->ai_next) {
+ struct subscr_addr *a;
++ struct sockaddr_in *addr = (struct sockaddr_in *) rp->ai_addr;
+
+ /* Limit no. of address to avoid denial of service attack */
+ if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) {
+@@ -389,6 +398,13 @@ static void subscr_addr_add_url(struct s
+ break;
+ }
+
++ if (!local_network_addr(s->sm, addr)) {
++ wpa_printf(MSG_INFO,
++ "WPS UPnP: Ignore a delivery URL that points to another network %s",
++ inet_ntoa(addr->sin_addr));
++ continue;
++ }
++
+ a = os_zalloc(sizeof(*a) + alloc_len);
+ if (a == NULL)
+ break;
+@@ -889,11 +905,12 @@ static int eth_get(const char *device, u
+ * @net_if: Selected network interface name
+ * @ip_addr: Buffer for returning IP address in network byte order
+ * @ip_addr_text: Buffer for returning a pointer to allocated IP address text
++ * @netmask: Buffer for returning netmask or %NULL if not needed
+ * @mac: Buffer for returning MAC address
+ * Returns: 0 on success, -1 on failure
+ */
+ int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
+- u8 mac[ETH_ALEN])
++ struct in_addr *netmask, u8 mac[ETH_ALEN])
+ {
+ struct ifreq req;
+ int sock = -1;
+@@ -919,6 +936,19 @@ int get_netif_info(const char *net_if, u
+ in_addr.s_addr = *ip_addr;
+ os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr));
+
++ if (netmask) {
++ os_memset(&req, 0, sizeof(req));
++ os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
++ if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) {
++ wpa_printf(MSG_ERROR,
++ "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)",
++ errno, strerror(errno));
++ goto fail;
++ }
++ addr = (struct sockaddr_in *) &req.ifr_netmask;
++ netmask->s_addr = addr->sin_addr.s_addr;
++ }
++
+ #ifdef __linux__
+ os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
+ if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) {
+@@ -1025,11 +1055,15 @@ static int upnp_wps_device_start(struct
+
+ /* Determine which IP and mac address we're using */
+ if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text,
+- sm->mac_addr)) {
++ &sm->netmask, sm->mac_addr)) {
+ wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
+ "for %s. Does it have IP address?", net_if);
+ goto fail;
+ }
++ wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr "
++ MACSTR,
++ sm->ip_addr_text, inet_ntoa(sm->netmask),
++ MAC2STR(sm->mac_addr));
+
+ /* Listen for incoming TCP connections so that others
+ * can fetch our "xml files" from us.
+Index: wpa_supplicant-2.9/src/wps/wps_upnp_i.h
+===================================================================
+--- wpa_supplicant-2.9.orig/src/wps/wps_upnp_i.h
++++ wpa_supplicant-2.9/src/wps/wps_upnp_i.h
+@@ -128,6 +128,7 @@ struct upnp_wps_device_sm {
+ u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */
+ char *ip_addr_text; /* IP address of network i.f. we use */
+ unsigned ip_addr; /* IP address of network i.f. we use (host order) */
++ struct in_addr netmask;
+ int multicast_sd; /* send multicast messages over this socket */
+ int ssdp_sd; /* receive discovery UPD packets on socket */
+ int ssdp_sd_registered; /* nonzero if we must unregister */
+@@ -158,7 +159,7 @@ struct subscription * subscription_find(
+ const u8 uuid[UUID_LEN]);
+ void subscr_addr_delete(struct subscr_addr *a);
+ int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
+- u8 mac[ETH_ALEN]);
++ struct in_addr *netmask, u8 mac[ETH_ALEN]);
+
+ /* wps_upnp_ssdp.c */
+ void msearchreply_state_machine_stop(struct advertisement_state_machine *a);
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
new file mode 100644
index 0000000000..59640859dd
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
@@ -0,0 +1,62 @@
+From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 3 Jun 2020 22:41:02 +0300
+Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
+ path
+
+More than about 700 character URL ended up overflowing the wpabuf used
+for building the event notification and this resulted in the wpabuf
+buffer overflow checks terminating the hostapd process. Fix this by
+allocating the buffer to be large enough to contain the full URL path.
+However, since that around 700 character limit has been the practical
+limit for more than ten years, start explicitly enforcing that as the
+limit or the callback URLs since any longer ones had not worked before
+and there is no need to enable them now either.
+
+Upstream-Status: Backport
+CVE: CVE-2020-12695 patch #2
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/wps/wps_upnp.c | 9 +++++++--
+ src/wps/wps_upnp_event.c | 3 ++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
+index 7d4b7439940e..ab685d52ecab 100644
+--- a/src/wps/wps_upnp.c
++++ b/src/wps/wps_upnp.c
+@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
+ int rerr;
+ size_t host_len, path_len;
+
+- /* url MUST begin with http: */
+- if (url_len < 7 || os_strncasecmp(url, "http://", 7))
++ /* URL MUST begin with HTTP scheme. In addition, limit the length of
++ * the URL to 700 characters which is around the limit that was
++ * implicitly enforced for more than 10 years due to a bug in
++ * generating the event messages. */
++ if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
++ wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
+ goto fail;
++ }
+ url += 7;
+ url_len -= 7;
+
+diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
+index d7e6edcc6503..08a23612f338 100644
+--- a/src/wps/wps_upnp_event.c
++++ b/src/wps/wps_upnp_event.c
+@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
+ struct wpabuf *buf;
+ char *b;
+
+- buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
++ buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
++ wpabuf_len(e->data));
+ if (buf == NULL)
+ return NULL;
+ wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
+--
+2.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
new file mode 100644
index 0000000000..8a014ef28a
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
@@ -0,0 +1,50 @@
+From 85aac526af8612c21b3117dadc8ef5944985b476 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 4 Jun 2020 21:24:04 +0300
+Subject: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more
+ properly
+
+While it is appropriate to try to retransmit the event to another
+callback URL on a failure to initiate the HTTP client connection, there
+is no point in trying the exact same operation multiple times in a row.
+Replve the event_retry() calls with event_addr_failure() for these cases
+to avoid busy loops trying to repeat the same failing operation.
+
+These potential busy loops would go through eloop callbacks, so the
+process is not completely stuck on handling them, but unnecessary CPU
+would be used to process the continues retries that will keep failing
+for the same reason.
+
+Upstream-Status: Backport
+CVE: CVE-2020-12695 patch #2
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/wps/wps_upnp_event.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
+index 08a23612f338..c0d9e41d9a38 100644
+--- a/src/wps/wps_upnp_event.c
++++ b/src/wps/wps_upnp_event.c
+@@ -294,7 +294,7 @@ static int event_send_start(struct subscription *s)
+
+ buf = event_build_message(e);
+ if (buf == NULL) {
+- event_retry(e, 0);
++ event_addr_failure(e);
+ return -1;
+ }
+
+@@ -302,7 +302,7 @@ static int event_send_start(struct subscription *s)
+ event_http_cb, e);
+ if (e->http_event == NULL) {
+ wpabuf_free(buf);
+- event_retry(e, 0);
++ event_addr_failure(e);
+ return -1;
+ }
+
+--
+2.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 0e74d21a76..de882fad55 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -25,7 +25,10 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://wpa_supplicant.conf-sane \
file://99_wpa_supplicant \
file://0001-replace-systemd-install-Alias-with-WantedBy.patch \
- file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \
+ file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \
+ file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
+ file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
+ file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
"
SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 19/32] systemd: fix CVE-2020-13776
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (17 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 18/32] wpa-supplicant: Security fix CVE-2020-12695 Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 20/32] python3: fix CVE-2020-14422 Anuj Mittal
` (13 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: "wenlin.kang@windriver.com" <wenlin.kang@windriver.com>
Backport from systemd.git.
(OE-Core master rev: a1b22b2263da6d11a4e0cbfa792d2bd1e56f5346)
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../systemd/systemd/CVE-2020-13776.patch | 96 +++++++++++++++++++
meta/recipes-core/systemd/systemd_243.2.bb | 1 +
2 files changed, 97 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2020-13776.patch
diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch
new file mode 100644
index 0000000000..7b5e3e7f7a
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch
@@ -0,0 +1,96 @@
+From 156a5fd297b61bce31630d7a52c15614bf784843 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sun, 31 May 2020 18:21:09 +0200
+Subject: [PATCH 1/1] basic/user-util: always use base 10 for user/group
+ numbers
+
+We would parse numbers with base prefixes as user identifiers. For example,
+"0x2b3bfa0" would be interpreted as UID==45334432 and "01750" would be
+interpreted as UID==1000. This parsing was used also in cases where either a
+user/group name or number may be specified. This means that names like
+0x2b3bfa0 would be ambiguous: they are a valid user name according to our
+documented relaxed rules, but they would also be parsed as numeric uids.
+
+This behaviour is definitely not expected by users, since tools generally only
+accept decimal numbers (e.g. id, getent passwd), while other tools only accept
+user names and thus will interpret such strings as user names without even
+attempting to convert them to numbers (su, ssh). So let's follow suit and only
+accept numbers in decimal notation. Effectively this means that we will reject
+such strings as a username/uid/groupname/gid where strict mode is used, and try
+to look up a user/group with such a name in relaxed mode.
+
+Since the function changed is fairly low-level and fairly widely used, this
+affects multiple tools: loginctl show-user/enable-linger/disable-linger foo',
+the third argument in sysusers.d, fourth and fifth arguments in tmpfiles.d,
+etc.
+
+Fixes #15985.
+---
+ src/basic/user-util.c | 2 +-
+ src/test/test-user-util.c | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+--- end of commit 156a5fd297b61bce31630d7a52c15614bf784843 ---
+
+
+Add definition of safe_atou32_full() from commit b934ac3d6e7dcad114776ef30ee9098693e7ab7e
+
+CVE: CVE-2020-13776
+
+Upstream-Status: Backport [https://github.com/systemd/systemd.git]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+
+
+--- git.orig/src/basic/user-util.c
++++ git/src/basic/user-util.c
+@@ -49,7 +49,7 @@ int parse_uid(const char *s, uid_t *ret)
+ assert(s);
+
+ assert_cc(sizeof(uid_t) == sizeof(uint32_t));
+- r = safe_atou32(s, &uid);
++ r = safe_atou32_full(s, 10, &uid);
+ if (r < 0)
+ return r;
+
+--- git.orig/src/test/test-user-util.c
++++ git/src/test/test-user-util.c
+@@ -48,9 +48,19 @@ static void test_parse_uid(void) {
+
+ r = parse_uid("65535", &uid);
+ assert_se(r == -ENXIO);
++ assert_se(uid == 100);
++
++ r = parse_uid("0x1234", &uid);
++ assert_se(r == -EINVAL);
++ assert_se(uid == 100);
++
++ r = parse_uid("01234", &uid);
++ assert_se(r == 0);
++ assert_se(uid == 1234);
+
+ r = parse_uid("asdsdas", &uid);
+ assert_se(r == -EINVAL);
++ assert_se(uid == 1234);
+ }
+
+ static void test_uid_ptr(void) {
+--- git.orig/src/basic/parse-util.h
++++ git/src/basic/parse-util.h
+@@ -45,9 +45,13 @@ static inline int safe_atoux16(const cha
+
+ int safe_atoi16(const char *s, int16_t *ret);
+
+-static inline int safe_atou32(const char *s, uint32_t *ret_u) {
++static inline int safe_atou32_full(const char *s, unsigned base, uint32_t *ret_u) {
+ assert_cc(sizeof(uint32_t) == sizeof(unsigned));
+- return safe_atou(s, (unsigned*) ret_u);
++ return safe_atou_full(s, base, (unsigned*) ret_u);
++}
++
++static inline int safe_atou32(const char *s, uint32_t *ret_u) {
++ return safe_atou32_full(s, 0, (unsigned*) ret_u);
+ }
+
+ static inline int safe_atoi32(const char *s, int32_t *ret_i) {
diff --git a/meta/recipes-core/systemd/systemd_243.2.bb b/meta/recipes-core/systemd/systemd_243.2.bb
index 082eb4c384..905348176c 100644
--- a/meta/recipes-core/systemd/systemd_243.2.bb
+++ b/meta/recipes-core/systemd/systemd_243.2.bb
@@ -25,6 +25,7 @@ SRC_URI += "file://touchscreen.rules \
file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \
file://99-default.preset \
file://0001-Merge-branch-polkit-ref-count.patch \
+ file://CVE-2020-13776.patch \
"
# patches needed by musl
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 20/32] python3: fix CVE-2020-14422
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (18 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 19/32] systemd: fix CVE-2020-13776 Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 21/32] iso-codes: switch upstream branch master -> main Anuj Mittal
` (12 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
[Rebased for v3.7.8]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../python/python3/CVE-2020-14422.patch | 79 +++++++++++++++++++
meta/recipes-devtools/python/python3_3.7.8.bb | 1 +
2 files changed, 80 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2020-14422.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-14422.patch b/meta/recipes-devtools/python/python3/CVE-2020-14422.patch
new file mode 100644
index 0000000000..31ad82d7c5
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2020-14422.patch
@@ -0,0 +1,79 @@
+From b98e7790c77a4378ec4b1c71b84138cb930b69b7 Mon Sep 17 00:00:00 2001
+From: Tapas Kundu <39723251+tapakund@users.noreply.github.com>
+Date: Wed, 1 Jul 2020 00:50:21 +0530
+Subject: [PATCH] [3.7] bpo-41004: Resolve hash collisions for IPv4Interface
+ and IPv6Interface (GH-21033) (GH-21231)
+
+CVE-2020-14422
+The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
+of generating constant hash values of 32 and 128 respectively causing hash collisions.
+The fix uses the hash() function to generate hash values for the objects
+instead of XOR operation
+(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
+
+Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
+
+Signed-off-by: Tapas Kundu <tkundu@vmware.com>
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/b98e7790c77a4378ec4b1c71b84138cb930b69b7]
+CVE: CVE-2020-14422
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ Lib/ipaddress.py | 4 ++--
+ Lib/test/test_ipaddress.py | 11 +++++++++++
+ .../Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst | 1 +
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
+
+diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
+index 80249288d73ab..54882934c3dc1 100644
+--- a/Lib/ipaddress.py
++++ b/Lib/ipaddress.py
+@@ -1442,7 +1442,7 @@ def __lt__(self, other):
+ return False
+
+ def __hash__(self):
+- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+
+ __reduce__ = _IPAddressBase.__reduce__
+
+@@ -2088,7 +2088,7 @@ def __lt__(self, other):
+ return False
+
+ def __hash__(self):
+- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+
+ __reduce__ = _IPAddressBase.__reduce__
+
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index 455b893fb126f..1fb6a929dc2d9 100644
+--- a/Lib/test/test_ipaddress.py
++++ b/Lib/test/test_ipaddress.py
+@@ -2091,6 +2091,17 @@ def testsixtofour(self):
+ sixtofouraddr.sixtofour)
+ self.assertFalse(bad_addr.sixtofour)
+
++ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++ def testV4HashIsNotConstant(self):
++ ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
++ ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
++ self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
++
++ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++ def testV6HashIsNotConstant(self):
++ ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
++ ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
++ self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
+
+ if __name__ == '__main__':
+ unittest.main()
+diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
+new file mode 100644
+index 0000000000000..f5a9db52fff52
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
+@@ -0,0 +1 @@
++CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
diff --git a/meta/recipes-devtools/python/python3_3.7.8.bb b/meta/recipes-devtools/python/python3_3.7.8.bb
index 5230fe0ee6..b18b3cd47d 100644
--- a/meta/recipes-devtools/python/python3_3.7.8.bb
+++ b/meta/recipes-devtools/python/python3_3.7.8.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-Use-FLAG_REF-always-for-interned-strings.patch \
file://0001-test_locale.py-correct-the-test-output-format.patch \
file://0017-setup.py-do-not-report-missing-dependencies-for-disa.patch \
+ file://CVE-2020-14422.patch \
"
SRC_URI_append_class-native = " \
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 21/32] iso-codes: switch upstream branch master -> main
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (19 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 20/32] python3: fix CVE-2020-14422 Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 22/32] utils: fix gcc 10 version detection Anuj Mittal
` (11 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Hongxu Jia <hongxu.jia@windriver.com>
(From OE-Core rev: 6e16ef0c2e0ec2bbb862231cd84e7650bd5789af)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 75e91b8e52ec77398e6b0fc09456e971662d9d7e)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-support/iso-codes/iso-codes_4.3.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-support/iso-codes/iso-codes_4.3.bb b/meta/recipes-support/iso-codes/iso-codes_4.3.bb
index 5651a96c66..566c147690 100644
--- a/meta/recipes-support/iso-codes/iso-codes_4.3.bb
+++ b/meta/recipes-support/iso-codes/iso-codes_4.3.bb
@@ -5,7 +5,7 @@ BUGTRACKER = "https://salsa.debian.org/iso-codes-team/iso-codes/issues"
LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
-SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http"
+SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http;branch=main;"
SRCREV = "43398a317371e309361ce43072603863cb2f57e1"
# inherit gettext cannot be used, because it adds gettext-native to BASEDEPENDS which
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 22/32] utils: fix gcc 10 version detection
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (20 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 21/32] iso-codes: switch upstream branch master -> main Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 23/32] perf: fix build for v5.5+ Anuj Mittal
` (10 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Charles-Antoine Couret <charles-antoine.couret@mind.be>
Utils can not detect GCC 10 correctly due to wrong regex.
It generates this error "ERROR: Can't get compiler version from gcc --version output"
Sub-version numbers should be 1 or more digits instead of 1 only.
Signed-off-by: Charles-Antoine Couret <charles-antoine.couret@mind.be>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 186fe4a3d390a52b87282c3e694ce3251e45ee78)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/lib/oe/utils.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/lib/oe/utils.py b/meta/lib/oe/utils.py
index 652b2be145..144c123a0e 100644
--- a/meta/lib/oe/utils.py
+++ b/meta/lib/oe/utils.py
@@ -387,7 +387,7 @@ def host_gcc_version(d, taskcontextonly=False):
except subprocess.CalledProcessError as e:
bb.fatal("Error running %s --version: %s" % (compiler, e.output.decode("utf-8")))
- match = re.match(r".* (\d\.\d)\.\d.*", output.split('\n')[0])
+ match = re.match(r".* (\d+\.\d+)\.\d+.*", output.split('\n')[0])
if not match:
bb.fatal("Can't get compiler version from %s --version output" % compiler)
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 23/32] perf: fix build for v5.5+
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (21 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 22/32] utils: fix gcc 10 version detection Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 24/32] perf: Correct the substitution of python shebangs Anuj Mittal
` (9 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
In kernel 5.5+ there are python3 scripts that explicitly use
/usr/bin/python3 as the interpreter. That will find the host
python and produce undefined results.
We add that interpreter path to our substitutions to ensure
that our sysroot variant is used.
(From OE-Core rev: 103316d50d4947b3c3500eb5cbc4845702a62d22)
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e5c4f3127521607742f7cdf62481b64cf4d3e828)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-kernel/perf/perf.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-kernel/perf/perf.bb b/meta/recipes-kernel/perf/perf.bb
index 90f05c0e62..d707b580e2 100644
--- a/meta/recipes-kernel/perf/perf.bb
+++ b/meta/recipes-kernel/perf/perf.bb
@@ -237,6 +237,7 @@ do_configure_prepend () {
sed -i 's,/usr/bin/python,/usr/bin/env python3,' "${s}"
sed -i 's,/usr/bin/python2,/usr/bin/env python3,' "${s}"
sed -i 's,/usr/bin/env python2,/usr/bin/env python3,' "${s}"
+ sed -i 's,/usr/bin/python3,/usr/bin/env python3,' "${s}"
done
# unistd.h can be out of sync between libc-headers and the captured version in the perf source
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 24/32] perf: Correct the substitution of python shebangs
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (22 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 23/32] perf: fix build for v5.5+ Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 25/32] sqlite: backport CVE fix Anuj Mittal
` (8 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: He Zhe <zhe.he@windriver.com>
To make the native python3 always used,
- Use sed one-liner instead
- Add substitution for ${S}/scripts/bpf_helpers_doc.py to fix the
following warning.
File "/usr/lib/python3.6/sysconfig.py", line 421, in _init_posix
_temp = __import__(name, globals(), locals(), ['build_time_vars'], 0)
ModuleNotFoundError: No module named '_sysconfigdata'
This issue is first reported by Joel Stanley <joel@jms.id.au>
The sed one-liner is credited to Anuj Mittal <anuj.mittal@intel.com>
(From OE-Core rev: 3f93173130a94310255389cfc62c67102a4fb21b)
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3a1a18ba9d28adb5562eabe9ec354f6d93154f5c)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-kernel/perf/perf.bb | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/meta/recipes-kernel/perf/perf.bb b/meta/recipes-kernel/perf/perf.bb
index d707b580e2..904aca95de 100644
--- a/meta/recipes-kernel/perf/perf.bb
+++ b/meta/recipes-kernel/perf/perf.bb
@@ -233,11 +233,8 @@ do_configure_prepend () {
fi
# use /usr/bin/env instead of version specific python
- for s in `find ${S}/tools/perf/ -name '*.py'`; do
- sed -i 's,/usr/bin/python,/usr/bin/env python3,' "${s}"
- sed -i 's,/usr/bin/python2,/usr/bin/env python3,' "${s}"
- sed -i 's,/usr/bin/env python2,/usr/bin/env python3,' "${s}"
- sed -i 's,/usr/bin/python3,/usr/bin/env python3,' "${s}"
+ for s in `find ${S}/tools/perf/ -name '*.py'` `find ${S}/scripts/ -name 'bpf_helpers_doc.py'`; do
+ sed -i -e "s,#!.*python.*,#!${USRBINPATH}/env python3," ${s}
done
# unistd.h can be out of sync between libc-headers and the captured version in the perf source
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 25/32] sqlite: backport CVE fix
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (23 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 24/32] perf: Correct the substitution of python shebangs Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 26/32] selftest/context: Avoid tracebacks from tests using multiprocessing Anuj Mittal
` (7 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Sakib Sajal <sakib.sajal@windriver.com>
Fixes CVE-2020-11655
(From OE-Core rev: 3b06a6c73f4e49c6d00f758423c2e8865ec2de00)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[ without the CVE-2020-11656 fix that did not apply cleanly ]
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../sqlite/files/CVE-2020-11655.patch | 32 +++++++++++++++++++
meta/recipes-support/sqlite/sqlite3_3.29.0.bb | 1 +
2 files changed, 33 insertions(+)
create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-11655.patch
diff --git a/meta/recipes-support/sqlite/files/CVE-2020-11655.patch b/meta/recipes-support/sqlite/files/CVE-2020-11655.patch
new file mode 100644
index 0000000000..c2360cb867
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-11655.patch
@@ -0,0 +1,32 @@
+From a4601326d61bf1a11151ac6b78b50804bfd03b4d Mon Sep 17 00:00:00 2001
+From: Sakib Sajal <sakib.sajal@windriver.com>
+Date: Thu, 30 Apr 2020 10:46:16 -0700
+Subject: [PATCH 2/2] In the event of a semantic error in an aggregate query,
+ early-out the resetAccumulator() function to prevent problems due to
+ incomplete or incorrect initialization of the AggInfo object. Fix for ticket
+ [af4556bb5c285c08].
+
+FossilOrigin-Name: 4a302b42c7bf5e11ddb5522ca999f74aba397d3a7eb91b1844bb02852f772441
+Upstream-Status: Backport [c415d91007e1680e4eb17def583b202c3c83c718]
+
+CVE: CVE-2020-11655
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ sqlite3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 1df6633..726adf7 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -133242,6 +133242,7 @@ static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){
+ struct AggInfo_func *pFunc;
+ int nReg = pAggInfo->nFunc + pAggInfo->nColumn;
+ if( nReg==0 ) return;
++ if( pParse->nErr ) return;
+ #ifdef SQLITE_DEBUG
+ /* Verify that all AggInfo registers are within the range specified by
+ ** AggInfo.mnReg..AggInfo.mxReg */
+--
+2.17.1
+
diff --git a/meta/recipes-support/sqlite/sqlite3_3.29.0.bb b/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
index cf3b179845..95e1174b07 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://www.sqlite.org/2019/sqlite-autoconf-${SQLITE_PV}.tar.gz \
file://CVE-2019-19926.patch \
file://CVE-2019-19959.patch \
file://CVE-2019-20218.patch \
+ file://CVE-2020-11655.patch \
"
SRC_URI[md5sum] = "8f3dfe83387e62ecb91c7c5c09c688dc"
SRC_URI[sha256sum] = "8e7c1e2950b5b04c5944a981cb31fffbf9d2ddda939d536838ebc854481afd5b"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 26/32] selftest/context: Avoid tracebacks from tests using multiprocessing
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (24 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 25/32] sqlite: backport CVE fix Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 27/32] python3-numpy: Stop shipping manual config files Anuj Mittal
` (6 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
We can see tracebacks where the SIGTERM handler catches things
it shouldn't. Avoid exit(1) unless we're the process that
it was intended for.
[YOCTO #13664]
(From OE-Core rev: d9c62ffac611310efd47ed6397d31dccb72fe868)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dba8c1d5ef0b574b7772d59e5992bfad8b7cca13)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/lib/oeqa/selftest/context.py | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/meta/lib/oeqa/selftest/context.py b/meta/lib/oeqa/selftest/context.py
index c4eb5d614e..3d3b19c6e8 100644
--- a/meta/lib/oeqa/selftest/context.py
+++ b/meta/lib/oeqa/selftest/context.py
@@ -280,11 +280,15 @@ class OESelftestTestContextExecutor(OETestContextExecutor):
return rc
def _signal_clean_handler(self, signum, frame):
- sys.exit(1)
+ if self.ourpid == os.getpid():
+ sys.exit(1)
def run(self, logger, args):
self._process_args(logger, args)
+ # Setup a SIGTERM handler to allow restoration of files like local.conf and bblayers.conf
+ # but don't interfer with other processes
+ self.ourpid = os.getpid()
signal.signal(signal.SIGTERM, self._signal_clean_handler)
rc = None
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 27/32] python3-numpy: Stop shipping manual config files
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (25 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 26/32] selftest/context: Avoid tracebacks from tests using multiprocessing Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 28/32] cve-update: handle baseMetricV2 as optional Anuj Mittal
` (5 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Adrian Bunk <bunk@stusta.de>
Automatic generation seems to work fine,
and does not become outdated.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8993270f8bc65e152418d84fde03f8ead83c054b)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../python-numpy/files/aarch64/_numpyconfig.h | 32 ----
.../python-numpy/files/aarch64/config.h | 139 ------------------
.../python-numpy/files/arm/config.h | 21 ---
.../python-numpy/files/arm/numpyconfig.h | 17 ---
.../python-numpy/files/armeb/config.h | 21 ---
.../python-numpy/files/armeb/numpyconfig.h | 17 ---
.../files/mipsarchn32eb/_numpyconfig.h | 32 ----
.../python-numpy/files/mipsarchn32eb/config.h | 139 ------------------
.../files/mipsarchn32el/_numpyconfig.h | 31 ----
.../python-numpy/files/mipsarchn32el/config.h | 138 -----------------
.../files/mipsarchn64eb/_numpyconfig.h | 32 ----
.../python-numpy/files/mipsarchn64eb/config.h | 139 ------------------
.../files/mipsarchn64el/_numpyconfig.h | 32 ----
.../python-numpy/files/mipsarchn64el/config.h | 138 -----------------
.../files/mipsarcho32eb/_numpyconfig.h | 32 ----
.../python-numpy/files/mipsarcho32eb/config.h | 139 ------------------
.../python-numpy/files/mipsarcho32el/config.h | 21 ---
.../files/mipsarcho32el/numpyconfig.h | 18 ---
.../python-numpy/files/powerpc/_numpyconfig.h | 32 ----
.../python-numpy/files/powerpc/config.h | 139 ------------------
.../files/powerpc64/_numpyconfig.h | 32 ----
.../python-numpy/files/powerpc64/config.h | 139 ------------------
.../python-numpy/files/riscv64/_numpyconfig.h | 32 ----
.../python-numpy/files/riscv64/config.h | 139 ------------------
.../python-numpy/files/x86-64/_numpyconfig.h | 32 ----
.../python-numpy/files/x86-64/config.h | 139 ------------------
.../python-numpy/files/x86/config.h | 108 --------------
.../python-numpy/files/x86/numpyconfig.h | 24 ---
.../python-numpy/python-numpy.inc | 68 ---------
29 files changed, 2022 deletions(-)
delete mode 100644 meta/recipes-devtools/python-numpy/files/aarch64/_numpyconfig.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/aarch64/config.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/arm/config.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/arm/numpyconfig.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/armeb/config.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/armeb/numpyconfig.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/mipsarchn32eb/_numpyconfig.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/mipsarchn32eb/config.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/mipsarchn32el/_numpyconfig.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/mipsarchn32el/config.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/mipsarchn64eb/_numpyconfig.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/mipsarchn64eb/config.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/mipsarchn64el/_numpyconfig.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/mipsarchn64el/config.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/mipsarcho32eb/_numpyconfig.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/mipsarcho32eb/config.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/mipsarcho32el/config.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/mipsarcho32el/numpyconfig.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/powerpc/_numpyconfig.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/powerpc/config.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/powerpc64/_numpyconfig.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/powerpc64/config.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/riscv64/_numpyconfig.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/riscv64/config.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/x86-64/_numpyconfig.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/x86-64/config.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/x86/config.h
delete mode 100644 meta/recipes-devtools/python-numpy/files/x86/numpyconfig.h
diff --git a/meta/recipes-devtools/python-numpy/files/aarch64/_numpyconfig.h b/meta/recipes-devtools/python-numpy/files/aarch64/_numpyconfig.h
deleted file mode 100644
index 109deb0435..0000000000
--- a/meta/recipes-devtools/python-numpy/files/aarch64/_numpyconfig.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#define NPY_HAVE_ENDIAN_H 1
-#define NPY_SIZEOF_SHORT SIZEOF_SHORT
-#define NPY_SIZEOF_INT SIZEOF_INT
-#define NPY_SIZEOF_LONG SIZEOF_LONG
-#define NPY_SIZEOF_FLOAT 4
-#define NPY_SIZEOF_COMPLEX_FLOAT 8
-#define NPY_SIZEOF_DOUBLE 8
-#define NPY_SIZEOF_COMPLEX_DOUBLE 16
-#define NPY_SIZEOF_LONGDOUBLE 16
-#define NPY_SIZEOF_COMPLEX_LONGDOUBLE 32
-#define NPY_SIZEOF_PY_INTPTR_T 8
-#define NPY_SIZEOF_PY_LONG_LONG 8
-#define NPY_SIZEOF_LONGLONG 8
-#define NPY_SIZEOF_OFF_T 8
-#define NPY_NO_SMP 0
-#define NPY_HAVE_DECL_ISNAN
-#define NPY_HAVE_DECL_ISINF
-#define NPY_HAVE_DECL_ISFINITE
-#define NPY_HAVE_DECL_SIGNBIT
-#define NPY_USE_C99_COMPLEX 1
-#define NPY_HAVE_COMPLEX_DOUBLE 1
-#define NPY_HAVE_COMPLEX_FLOAT 1
-#define NPY_HAVE_COMPLEX_LONG_DOUBLE 1
-#define NPY_ENABLE_SEPARATE_COMPILATION 1
-#define NPY_USE_C99_FORMATS 1
-#define NPY_VISIBILITY_HIDDEN __attribute__((visibility("hidden")))
-#define NPY_ABI_VERSION 0x01000009
-#define NPY_API_VERSION 0x0000000A
-
-#ifndef __STDC_FORMAT_MACROS
-#define __STDC_FORMAT_MACROS 1
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/aarch64/config.h b/meta/recipes-devtools/python-numpy/files/aarch64/config.h
deleted file mode 100644
index c30b868f2f..0000000000
--- a/meta/recipes-devtools/python-numpy/files/aarch64/config.h
+++ /dev/null
@@ -1,139 +0,0 @@
-#define HAVE_ENDIAN_H 1
-#define SIZEOF_PY_INTPTR_T 8
-#define SIZEOF_PY_LONG_LONG 8
-#define MATHLIB m
-#define HAVE_SIN 1
-#define HAVE_COS 1
-#define HAVE_TAN 1
-#define HAVE_SINH 1
-#define HAVE_COSH 1
-#define HAVE_TANH 1
-#define HAVE_FABS 1
-#define HAVE_FLOOR 1
-#define HAVE_CEIL 1
-#define HAVE_SQRT 1
-#define HAVE_LOG10 1
-#define HAVE_LOG 1
-#define HAVE_EXP 1
-#define HAVE_ASIN 1
-#define HAVE_ACOS 1
-#define HAVE_ATAN 1
-#define HAVE_FMOD 1
-#define HAVE_MODF 1
-#define HAVE_FREXP 1
-#define HAVE_LDEXP 1
-#define HAVE_RINT 1
-#define HAVE_TRUNC 1
-#define HAVE_EXP2 1
-#define HAVE_LOG2 1
-#define HAVE_ATAN2 1
-#define HAVE_POW 1
-#define HAVE_NEXTAFTER 1
-#define HAVE_SINF 1
-#define HAVE_COSF 1
-#define HAVE_TANF 1
-#define HAVE_SINHF 1
-#define HAVE_COSHF 1
-#define HAVE_TANHF 1
-#define HAVE_FABSF 1
-#define HAVE_FLOORF 1
-#define HAVE_CEILF 1
-#define HAVE_RINTF 1
-#define HAVE_TRUNCF 1
-#define HAVE_SQRTF 1
-#define HAVE_LOG10F 1
-#define HAVE_LOGF 1
-#define HAVE_LOG1PF 1
-#define HAVE_EXPF 1
-#define HAVE_EXPM1F 1
-#define HAVE_ASINF 1
-#define HAVE_ACOSF 1
-#define HAVE_ATANF 1
-#define HAVE_ASINHF 1
-#define HAVE_ACOSHF 1
-#define HAVE_ATANHF 1
-#define HAVE_HYPOTF 1
-#define HAVE_ATAN2F 1
-#define HAVE_POWF 1
-#define HAVE_FMODF 1
-#define HAVE_MODFF 1
-#define HAVE_FREXPF 1
-#define HAVE_LDEXPF 1
-#define HAVE_EXP2F 1
-#define HAVE_LOG2F 1
-#define HAVE_COPYSIGNF 1
-#define HAVE_NEXTAFTERF 1
-#define HAVE_SINL 1
-#define HAVE_COSL 1
-#define HAVE_TANL 1
-#define HAVE_SINHL 1
-#define HAVE_COSHL 1
-#define HAVE_TANHL 1
-#define HAVE_FABSL 1
-#define HAVE_FLOORL 1
-#define HAVE_CEILL 1
-#define HAVE_RINTL 1
-#define HAVE_TRUNCL 1
-#define HAVE_SQRTL 1
-#define HAVE_LOG10L 1
-#define HAVE_LOGL 1
-#define HAVE_LOG1PL 1
-#define HAVE_EXPL 1
-#define HAVE_EXPM1L 1
-#define HAVE_ASINL 1
-#define HAVE_ACOSL 1
-#define HAVE_ATANL 1
-#define HAVE_ASINHL 1
-#define HAVE_ACOSHL 1
-#define HAVE_ATANHL 1
-#define HAVE_HYPOTL 1
-#define HAVE_ATAN2L 1
-#define HAVE_POWL 1
-#define HAVE_FMODL 1
-#define HAVE_MODFL 1
-#define HAVE_FREXPL 1
-#define HAVE_LDEXPL 1
-#define HAVE_EXP2L 1
-#define HAVE_LOG2L 1
-#define HAVE_COPYSIGNL 1
-#define HAVE_NEXTAFTERL 1
-#define HAVE_DECL_SIGNBIT
-#define HAVE_COMPLEX_H 1
-#define HAVE_CREAL 1
-#define HAVE_CIMAG 1
-#define HAVE_CABS 1
-#define HAVE_CARG 1
-#define HAVE_CEXP 1
-#define HAVE_CSQRT 1
-#define HAVE_CLOG 1
-#define HAVE_CCOS 1
-#define HAVE_CSIN 1
-#define HAVE_CPOW 1
-#define HAVE_CREALF 1
-#define HAVE_CIMAGF 1
-#define HAVE_CABSF 1
-#define HAVE_CARGF 1
-#define HAVE_CEXPF 1
-#define HAVE_CSQRTF 1
-#define HAVE_CLOGF 1
-#define HAVE_CCOSF 1
-#define HAVE_CSINF 1
-#define HAVE_CPOWF 1
-#define HAVE_CREALL 1
-#define HAVE_CIMAGL 1
-#define HAVE_CABSL 1
-#define HAVE_CARGL 1
-#define HAVE_CEXPL 1
-#define HAVE_CSQRTL 1
-#define HAVE_CLOGL 1
-#define HAVE_CCOSL 1
-#define HAVE_CSINL 1
-#define HAVE_CPOWL 1
-#define HAVE_LDOUBLE_IEEE_QUAD_LE 1
-#ifndef __cplusplus
-/* #undef inline */
-#endif
-
-#ifndef _NPY_NPY_CONFIG_H_
-#error config.h should never be included directly, include npy_config.h instead
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/arm/config.h b/meta/recipes-devtools/python-numpy/files/arm/config.h
deleted file mode 100644
index 17ef186d56..0000000000
--- a/meta/recipes-devtools/python-numpy/files/arm/config.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/* ./src.linux-i686-2.5/numpy/core/include/numpy/config.h */
-/* #define SIZEOF_SHORT 2 */
-/* #define SIZEOF_INT 4 */
-/* #define SIZEOF_LONG 4 */
-/* #define SIZEOF_FLOAT 4 */
-/* #define SIZEOF_DOUBLE 8 */
-#define SIZEOF_LONG_DOUBLE 12
-#define SIZEOF_PY_INTPTR_T 4
-/* #define SIZEOF_LONG_LONG 8 */
-#define SIZEOF_PY_LONG_LONG 8
-/* #define CHAR_BIT 8 */
-#define MATHLIB m
-#define HAVE_FLOAT_FUNCS
-#define HAVE_LOG1P
-#define HAVE_EXPM1
-#define HAVE_INVERSE_HYPERBOLIC
-#define HAVE_INVERSE_HYPERBOLIC_FLOAT
-#define HAVE_ISNAN
-#define HAVE_ISINF
-#define HAVE_RINT
-
diff --git a/meta/recipes-devtools/python-numpy/files/arm/numpyconfig.h b/meta/recipes-devtools/python-numpy/files/arm/numpyconfig.h
deleted file mode 100644
index c4bf6547f0..0000000000
--- a/meta/recipes-devtools/python-numpy/files/arm/numpyconfig.h
+++ /dev/null
@@ -1,17 +0,0 @@
-/* cat ./src.linux-i686-2.5/numpy/core/include/numpy/numpyconfig.h */
-/*
- * * This file is generated by numpy/core/setup.pyc. DO NOT EDIT
- * */
-#define NPY_SIZEOF_SHORT 2
-#define NPY_SIZEOF_INT 4
-#define NPY_SIZEOF_LONG 4
-#define NPY_SIZEOF_FLOAT 4
-#define NPY_SIZEOF_DOUBLE 8
-#define NPY_SIZEOF_LONGDOUBLE 12
-#define NPY_SIZEOF_PY_INTPTR_T 4
-#define NPY_NO_SMP 0
-
-#define NPY_SIZEOF_LONGLONG 8
-#define NPY_SIZEOF_PY_LONG_LONG 8
-/* #define CHAR_BIT 8 */
-
diff --git a/meta/recipes-devtools/python-numpy/files/armeb/config.h b/meta/recipes-devtools/python-numpy/files/armeb/config.h
deleted file mode 100644
index 17ef186d56..0000000000
--- a/meta/recipes-devtools/python-numpy/files/armeb/config.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/* ./src.linux-i686-2.5/numpy/core/include/numpy/config.h */
-/* #define SIZEOF_SHORT 2 */
-/* #define SIZEOF_INT 4 */
-/* #define SIZEOF_LONG 4 */
-/* #define SIZEOF_FLOAT 4 */
-/* #define SIZEOF_DOUBLE 8 */
-#define SIZEOF_LONG_DOUBLE 12
-#define SIZEOF_PY_INTPTR_T 4
-/* #define SIZEOF_LONG_LONG 8 */
-#define SIZEOF_PY_LONG_LONG 8
-/* #define CHAR_BIT 8 */
-#define MATHLIB m
-#define HAVE_FLOAT_FUNCS
-#define HAVE_LOG1P
-#define HAVE_EXPM1
-#define HAVE_INVERSE_HYPERBOLIC
-#define HAVE_INVERSE_HYPERBOLIC_FLOAT
-#define HAVE_ISNAN
-#define HAVE_ISINF
-#define HAVE_RINT
-
diff --git a/meta/recipes-devtools/python-numpy/files/armeb/numpyconfig.h b/meta/recipes-devtools/python-numpy/files/armeb/numpyconfig.h
deleted file mode 100644
index c4bf6547f0..0000000000
--- a/meta/recipes-devtools/python-numpy/files/armeb/numpyconfig.h
+++ /dev/null
@@ -1,17 +0,0 @@
-/* cat ./src.linux-i686-2.5/numpy/core/include/numpy/numpyconfig.h */
-/*
- * * This file is generated by numpy/core/setup.pyc. DO NOT EDIT
- * */
-#define NPY_SIZEOF_SHORT 2
-#define NPY_SIZEOF_INT 4
-#define NPY_SIZEOF_LONG 4
-#define NPY_SIZEOF_FLOAT 4
-#define NPY_SIZEOF_DOUBLE 8
-#define NPY_SIZEOF_LONGDOUBLE 12
-#define NPY_SIZEOF_PY_INTPTR_T 4
-#define NPY_NO_SMP 0
-
-#define NPY_SIZEOF_LONGLONG 8
-#define NPY_SIZEOF_PY_LONG_LONG 8
-/* #define CHAR_BIT 8 */
-
diff --git a/meta/recipes-devtools/python-numpy/files/mipsarchn32eb/_numpyconfig.h b/meta/recipes-devtools/python-numpy/files/mipsarchn32eb/_numpyconfig.h
deleted file mode 100644
index debb390094..0000000000
--- a/meta/recipes-devtools/python-numpy/files/mipsarchn32eb/_numpyconfig.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#define NPY_HAVE_ENDIAN_H 1
-#define NPY_SIZEOF_SHORT SIZEOF_SHORT
-#define NPY_SIZEOF_INT SIZEOF_INT
-#define NPY_SIZEOF_LONG SIZEOF_LONG
-#define NPY_SIZEOF_FLOAT 4
-#define NPY_SIZEOF_COMPLEX_FLOAT 8
-#define NPY_SIZEOF_DOUBLE 8
-#define NPY_SIZEOF_COMPLEX_DOUBLE 16
-#define NPY_SIZEOF_LONGDOUBLE 16
-#define NPY_SIZEOF_COMPLEX_LONGDOUBLE 32
-#define NPY_ENABLE_SEPARATE_COMPILATION 1
-#define NPY_SIZEOF_PY_INTPTR_T 8
-#define NPY_SIZEOF_PY_LONG_LONG 8
-#define NPY_SIZEOF_LONGLONG 8
-#define NPY_SIZEOF_OFF_T 8
-#define NPY_NO_SMP 0
-#define NPY_HAVE_DECL_ISNAN
-#define NPY_HAVE_DECL_ISINF
-#define NPY_HAVE_DECL_ISFINITE
-#define NPY_HAVE_DECL_SIGNBIT
-#define NPY_USE_C99_COMPLEX 1
-#define NPY_HAVE_COMPLEX_DOUBLE 1
-#define NPY_HAVE_COMPLEX_FLOAT 1
-#define NPY_HAVE_COMPLEX_LONG_DOUBLE 1
-#define NPY_USE_C99_FORMATS 1
-#define NPY_VISIBILITY_HIDDEN __attribute__((visibility("hidden")))
-#define NPY_ABI_VERSION 0x01000009
-#define NPY_API_VERSION 0x0000000A
-
-#ifndef __STDC_FORMAT_MACROS
-#define __STDC_FORMAT_MACROS 1
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/mipsarchn32eb/config.h b/meta/recipes-devtools/python-numpy/files/mipsarchn32eb/config.h
deleted file mode 100644
index c30b868f2f..0000000000
--- a/meta/recipes-devtools/python-numpy/files/mipsarchn32eb/config.h
+++ /dev/null
@@ -1,139 +0,0 @@
-#define HAVE_ENDIAN_H 1
-#define SIZEOF_PY_INTPTR_T 8
-#define SIZEOF_PY_LONG_LONG 8
-#define MATHLIB m
-#define HAVE_SIN 1
-#define HAVE_COS 1
-#define HAVE_TAN 1
-#define HAVE_SINH 1
-#define HAVE_COSH 1
-#define HAVE_TANH 1
-#define HAVE_FABS 1
-#define HAVE_FLOOR 1
-#define HAVE_CEIL 1
-#define HAVE_SQRT 1
-#define HAVE_LOG10 1
-#define HAVE_LOG 1
-#define HAVE_EXP 1
-#define HAVE_ASIN 1
-#define HAVE_ACOS 1
-#define HAVE_ATAN 1
-#define HAVE_FMOD 1
-#define HAVE_MODF 1
-#define HAVE_FREXP 1
-#define HAVE_LDEXP 1
-#define HAVE_RINT 1
-#define HAVE_TRUNC 1
-#define HAVE_EXP2 1
-#define HAVE_LOG2 1
-#define HAVE_ATAN2 1
-#define HAVE_POW 1
-#define HAVE_NEXTAFTER 1
-#define HAVE_SINF 1
-#define HAVE_COSF 1
-#define HAVE_TANF 1
-#define HAVE_SINHF 1
-#define HAVE_COSHF 1
-#define HAVE_TANHF 1
-#define HAVE_FABSF 1
-#define HAVE_FLOORF 1
-#define HAVE_CEILF 1
-#define HAVE_RINTF 1
-#define HAVE_TRUNCF 1
-#define HAVE_SQRTF 1
-#define HAVE_LOG10F 1
-#define HAVE_LOGF 1
-#define HAVE_LOG1PF 1
-#define HAVE_EXPF 1
-#define HAVE_EXPM1F 1
-#define HAVE_ASINF 1
-#define HAVE_ACOSF 1
-#define HAVE_ATANF 1
-#define HAVE_ASINHF 1
-#define HAVE_ACOSHF 1
-#define HAVE_ATANHF 1
-#define HAVE_HYPOTF 1
-#define HAVE_ATAN2F 1
-#define HAVE_POWF 1
-#define HAVE_FMODF 1
-#define HAVE_MODFF 1
-#define HAVE_FREXPF 1
-#define HAVE_LDEXPF 1
-#define HAVE_EXP2F 1
-#define HAVE_LOG2F 1
-#define HAVE_COPYSIGNF 1
-#define HAVE_NEXTAFTERF 1
-#define HAVE_SINL 1
-#define HAVE_COSL 1
-#define HAVE_TANL 1
-#define HAVE_SINHL 1
-#define HAVE_COSHL 1
-#define HAVE_TANHL 1
-#define HAVE_FABSL 1
-#define HAVE_FLOORL 1
-#define HAVE_CEILL 1
-#define HAVE_RINTL 1
-#define HAVE_TRUNCL 1
-#define HAVE_SQRTL 1
-#define HAVE_LOG10L 1
-#define HAVE_LOGL 1
-#define HAVE_LOG1PL 1
-#define HAVE_EXPL 1
-#define HAVE_EXPM1L 1
-#define HAVE_ASINL 1
-#define HAVE_ACOSL 1
-#define HAVE_ATANL 1
-#define HAVE_ASINHL 1
-#define HAVE_ACOSHL 1
-#define HAVE_ATANHL 1
-#define HAVE_HYPOTL 1
-#define HAVE_ATAN2L 1
-#define HAVE_POWL 1
-#define HAVE_FMODL 1
-#define HAVE_MODFL 1
-#define HAVE_FREXPL 1
-#define HAVE_LDEXPL 1
-#define HAVE_EXP2L 1
-#define HAVE_LOG2L 1
-#define HAVE_COPYSIGNL 1
-#define HAVE_NEXTAFTERL 1
-#define HAVE_DECL_SIGNBIT
-#define HAVE_COMPLEX_H 1
-#define HAVE_CREAL 1
-#define HAVE_CIMAG 1
-#define HAVE_CABS 1
-#define HAVE_CARG 1
-#define HAVE_CEXP 1
-#define HAVE_CSQRT 1
-#define HAVE_CLOG 1
-#define HAVE_CCOS 1
-#define HAVE_CSIN 1
-#define HAVE_CPOW 1
-#define HAVE_CREALF 1
-#define HAVE_CIMAGF 1
-#define HAVE_CABSF 1
-#define HAVE_CARGF 1
-#define HAVE_CEXPF 1
-#define HAVE_CSQRTF 1
-#define HAVE_CLOGF 1
-#define HAVE_CCOSF 1
-#define HAVE_CSINF 1
-#define HAVE_CPOWF 1
-#define HAVE_CREALL 1
-#define HAVE_CIMAGL 1
-#define HAVE_CABSL 1
-#define HAVE_CARGL 1
-#define HAVE_CEXPL 1
-#define HAVE_CSQRTL 1
-#define HAVE_CLOGL 1
-#define HAVE_CCOSL 1
-#define HAVE_CSINL 1
-#define HAVE_CPOWL 1
-#define HAVE_LDOUBLE_IEEE_QUAD_LE 1
-#ifndef __cplusplus
-/* #undef inline */
-#endif
-
-#ifndef _NPY_NPY_CONFIG_H_
-#error config.h should never be included directly, include npy_config.h instead
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/mipsarchn32el/_numpyconfig.h b/meta/recipes-devtools/python-numpy/files/mipsarchn32el/_numpyconfig.h
deleted file mode 100644
index 8e2b5d0940..0000000000
--- a/meta/recipes-devtools/python-numpy/files/mipsarchn32el/_numpyconfig.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#define NPY_HAVE_ENDIAN_H 1
-#define NPY_SIZEOF_SHORT SIZEOF_SHORT
-#define NPY_SIZEOF_INT SIZEOF_INT
-#define NPY_SIZEOF_LONG SIZEOF_LONG
-#define NPY_SIZEOF_FLOAT 4
-#define NPY_SIZEOF_COMPLEX_FLOAT 8
-#define NPY_SIZEOF_DOUBLE 8
-#define NPY_SIZEOF_COMPLEX_DOUBLE 16
-#define NPY_SIZEOF_LONGDOUBLE 16
-#define NPY_SIZEOF_COMPLEX_LONGDOUBLE 32
-#define NPY_ENABLE_SEPARATE_COMPILATION 1
-#define NPY_SIZEOF_PY_INTPTR_T 8
-#define NPY_SIZEOF_PY_LONG_LONG 8
-#define NPY_SIZEOF_LONGLONG 8
-#define NPY_NO_SMP 0
-#define NPY_HAVE_DECL_ISNAN
-#define NPY_HAVE_DECL_ISINF
-#define NPY_HAVE_DECL_ISFINITE
-#define NPY_HAVE_DECL_SIGNBIT
-#define NPY_USE_C99_COMPLEX 1
-#define NPY_HAVE_COMPLEX_DOUBLE 1
-#define NPY_HAVE_COMPLEX_FLOAT 1
-#define NPY_HAVE_COMPLEX_LONG_DOUBLE 1
-#define NPY_USE_C99_FORMATS 1
-#define NPY_VISIBILITY_HIDDEN __attribute__((visibility("hidden")))
-#define NPY_ABI_VERSION 0x01000009
-#define NPY_API_VERSION 0x0000000A
-
-#ifndef __STDC_FORMAT_MACROS
-#define __STDC_FORMAT_MACROS 1
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/mipsarchn32el/config.h b/meta/recipes-devtools/python-numpy/files/mipsarchn32el/config.h
deleted file mode 100644
index 48727039ae..0000000000
--- a/meta/recipes-devtools/python-numpy/files/mipsarchn32el/config.h
+++ /dev/null
@@ -1,138 +0,0 @@
-#define SIZEOF_PY_INTPTR_T 8
-#define SIZEOF_PY_LONG_LONG 8
-#define MATHLIB m
-#define HAVE_SIN 1
-#define HAVE_COS 1
-#define HAVE_TAN 1
-#define HAVE_SINH 1
-#define HAVE_COSH 1
-#define HAVE_TANH 1
-#define HAVE_FABS 1
-#define HAVE_FLOOR 1
-#define HAVE_CEIL 1
-#define HAVE_SQRT 1
-#define HAVE_LOG10 1
-#define HAVE_LOG 1
-#define HAVE_EXP 1
-#define HAVE_ASIN 1
-#define HAVE_ACOS 1
-#define HAVE_ATAN 1
-#define HAVE_FMOD 1
-#define HAVE_MODF 1
-#define HAVE_FREXP 1
-#define HAVE_LDEXP 1
-#define HAVE_RINT 1
-#define HAVE_TRUNC 1
-#define HAVE_EXP2 1
-#define HAVE_LOG2 1
-#define HAVE_ATAN2 1
-#define HAVE_POW 1
-#define HAVE_NEXTAFTER 1
-#define HAVE_SINF 1
-#define HAVE_COSF 1
-#define HAVE_TANF 1
-#define HAVE_SINHF 1
-#define HAVE_COSHF 1
-#define HAVE_TANHF 1
-#define HAVE_FABSF 1
-#define HAVE_FLOORF 1
-#define HAVE_CEILF 1
-#define HAVE_RINTF 1
-#define HAVE_TRUNCF 1
-#define HAVE_SQRTF 1
-#define HAVE_LOG10F 1
-#define HAVE_LOGF 1
-#define HAVE_LOG1PF 1
-#define HAVE_EXPF 1
-#define HAVE_EXPM1F 1
-#define HAVE_ASINF 1
-#define HAVE_ACOSF 1
-#define HAVE_ATANF 1
-#define HAVE_ASINHF 1
-#define HAVE_ACOSHF 1
-#define HAVE_ATANHF 1
-#define HAVE_HYPOTF 1
-#define HAVE_ATAN2F 1
-#define HAVE_POWF 1
-#define HAVE_FMODF 1
-#define HAVE_MODFF 1
-#define HAVE_FREXPF 1
-#define HAVE_LDEXPF 1
-#define HAVE_EXP2F 1
-#define HAVE_LOG2F 1
-#define HAVE_COPYSIGNF 1
-#define HAVE_NEXTAFTERF 1
-#define HAVE_SINL 1
-#define HAVE_COSL 1
-#define HAVE_TANL 1
-#define HAVE_SINHL 1
-#define HAVE_COSHL 1
-#define HAVE_TANHL 1
-#define HAVE_FABSL 1
-#define HAVE_FLOORL 1
-#define HAVE_CEILL 1
-#define HAVE_RINTL 1
-#define HAVE_TRUNCL 1
-#define HAVE_SQRTL 1
-#define HAVE_LOG10L 1
-#define HAVE_LOGL 1
-#define HAVE_LOG1PL 1
-#define HAVE_EXPL 1
-#define HAVE_EXPM1L 1
-#define HAVE_ASINL 1
-#define HAVE_ACOSL 1
-#define HAVE_ATANL 1
-#define HAVE_ASINHL 1
-#define HAVE_ACOSHL 1
-#define HAVE_ATANHL 1
-#define HAVE_HYPOTL 1
-#define HAVE_ATAN2L 1
-#define HAVE_POWL 1
-#define HAVE_FMODL 1
-#define HAVE_MODFL 1
-#define HAVE_FREXPL 1
-#define HAVE_LDEXPL 1
-#define HAVE_EXP2L 1
-#define HAVE_LOG2L 1
-#define HAVE_COPYSIGNL 1
-#define HAVE_NEXTAFTERL 1
-#define HAVE_DECL_SIGNBIT
-#define HAVE_COMPLEX_H 1
-#define HAVE_CREAL 1
-#define HAVE_CIMAG 1
-#define HAVE_CABS 1
-#define HAVE_CARG 1
-#define HAVE_CEXP 1
-#define HAVE_CSQRT 1
-#define HAVE_CLOG 1
-#define HAVE_CCOS 1
-#define HAVE_CSIN 1
-#define HAVE_CPOW 1
-#define HAVE_CREALF 1
-#define HAVE_CIMAGF 1
-#define HAVE_CABSF 1
-#define HAVE_CARGF 1
-#define HAVE_CEXPF 1
-#define HAVE_CSQRTF 1
-#define HAVE_CLOGF 1
-#define HAVE_CCOSF 1
-#define HAVE_CSINF 1
-#define HAVE_CPOWF 1
-#define HAVE_CREALL 1
-#define HAVE_CIMAGL 1
-#define HAVE_CABSL 1
-#define HAVE_CARGL 1
-#define HAVE_CEXPL 1
-#define HAVE_CSQRTL 1
-#define HAVE_CLOGL 1
-#define HAVE_CCOSL 1
-#define HAVE_CSINL 1
-#define HAVE_CPOWL 1
-#define HAVE_LDOUBLE_IEEE_QUAD_LE 1
-#ifndef __cplusplus
-/* #undef inline */
-#endif
-
-#ifndef _NPY_NPY_CONFIG_H_
-#error config.h should never be included directly, include npy_config.h instead
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/mipsarchn64eb/_numpyconfig.h b/meta/recipes-devtools/python-numpy/files/mipsarchn64eb/_numpyconfig.h
deleted file mode 100644
index debb390094..0000000000
--- a/meta/recipes-devtools/python-numpy/files/mipsarchn64eb/_numpyconfig.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#define NPY_HAVE_ENDIAN_H 1
-#define NPY_SIZEOF_SHORT SIZEOF_SHORT
-#define NPY_SIZEOF_INT SIZEOF_INT
-#define NPY_SIZEOF_LONG SIZEOF_LONG
-#define NPY_SIZEOF_FLOAT 4
-#define NPY_SIZEOF_COMPLEX_FLOAT 8
-#define NPY_SIZEOF_DOUBLE 8
-#define NPY_SIZEOF_COMPLEX_DOUBLE 16
-#define NPY_SIZEOF_LONGDOUBLE 16
-#define NPY_SIZEOF_COMPLEX_LONGDOUBLE 32
-#define NPY_ENABLE_SEPARATE_COMPILATION 1
-#define NPY_SIZEOF_PY_INTPTR_T 8
-#define NPY_SIZEOF_PY_LONG_LONG 8
-#define NPY_SIZEOF_LONGLONG 8
-#define NPY_SIZEOF_OFF_T 8
-#define NPY_NO_SMP 0
-#define NPY_HAVE_DECL_ISNAN
-#define NPY_HAVE_DECL_ISINF
-#define NPY_HAVE_DECL_ISFINITE
-#define NPY_HAVE_DECL_SIGNBIT
-#define NPY_USE_C99_COMPLEX 1
-#define NPY_HAVE_COMPLEX_DOUBLE 1
-#define NPY_HAVE_COMPLEX_FLOAT 1
-#define NPY_HAVE_COMPLEX_LONG_DOUBLE 1
-#define NPY_USE_C99_FORMATS 1
-#define NPY_VISIBILITY_HIDDEN __attribute__((visibility("hidden")))
-#define NPY_ABI_VERSION 0x01000009
-#define NPY_API_VERSION 0x0000000A
-
-#ifndef __STDC_FORMAT_MACROS
-#define __STDC_FORMAT_MACROS 1
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/mipsarchn64eb/config.h b/meta/recipes-devtools/python-numpy/files/mipsarchn64eb/config.h
deleted file mode 100644
index c30b868f2f..0000000000
--- a/meta/recipes-devtools/python-numpy/files/mipsarchn64eb/config.h
+++ /dev/null
@@ -1,139 +0,0 @@
-#define HAVE_ENDIAN_H 1
-#define SIZEOF_PY_INTPTR_T 8
-#define SIZEOF_PY_LONG_LONG 8
-#define MATHLIB m
-#define HAVE_SIN 1
-#define HAVE_COS 1
-#define HAVE_TAN 1
-#define HAVE_SINH 1
-#define HAVE_COSH 1
-#define HAVE_TANH 1
-#define HAVE_FABS 1
-#define HAVE_FLOOR 1
-#define HAVE_CEIL 1
-#define HAVE_SQRT 1
-#define HAVE_LOG10 1
-#define HAVE_LOG 1
-#define HAVE_EXP 1
-#define HAVE_ASIN 1
-#define HAVE_ACOS 1
-#define HAVE_ATAN 1
-#define HAVE_FMOD 1
-#define HAVE_MODF 1
-#define HAVE_FREXP 1
-#define HAVE_LDEXP 1
-#define HAVE_RINT 1
-#define HAVE_TRUNC 1
-#define HAVE_EXP2 1
-#define HAVE_LOG2 1
-#define HAVE_ATAN2 1
-#define HAVE_POW 1
-#define HAVE_NEXTAFTER 1
-#define HAVE_SINF 1
-#define HAVE_COSF 1
-#define HAVE_TANF 1
-#define HAVE_SINHF 1
-#define HAVE_COSHF 1
-#define HAVE_TANHF 1
-#define HAVE_FABSF 1
-#define HAVE_FLOORF 1
-#define HAVE_CEILF 1
-#define HAVE_RINTF 1
-#define HAVE_TRUNCF 1
-#define HAVE_SQRTF 1
-#define HAVE_LOG10F 1
-#define HAVE_LOGF 1
-#define HAVE_LOG1PF 1
-#define HAVE_EXPF 1
-#define HAVE_EXPM1F 1
-#define HAVE_ASINF 1
-#define HAVE_ACOSF 1
-#define HAVE_ATANF 1
-#define HAVE_ASINHF 1
-#define HAVE_ACOSHF 1
-#define HAVE_ATANHF 1
-#define HAVE_HYPOTF 1
-#define HAVE_ATAN2F 1
-#define HAVE_POWF 1
-#define HAVE_FMODF 1
-#define HAVE_MODFF 1
-#define HAVE_FREXPF 1
-#define HAVE_LDEXPF 1
-#define HAVE_EXP2F 1
-#define HAVE_LOG2F 1
-#define HAVE_COPYSIGNF 1
-#define HAVE_NEXTAFTERF 1
-#define HAVE_SINL 1
-#define HAVE_COSL 1
-#define HAVE_TANL 1
-#define HAVE_SINHL 1
-#define HAVE_COSHL 1
-#define HAVE_TANHL 1
-#define HAVE_FABSL 1
-#define HAVE_FLOORL 1
-#define HAVE_CEILL 1
-#define HAVE_RINTL 1
-#define HAVE_TRUNCL 1
-#define HAVE_SQRTL 1
-#define HAVE_LOG10L 1
-#define HAVE_LOGL 1
-#define HAVE_LOG1PL 1
-#define HAVE_EXPL 1
-#define HAVE_EXPM1L 1
-#define HAVE_ASINL 1
-#define HAVE_ACOSL 1
-#define HAVE_ATANL 1
-#define HAVE_ASINHL 1
-#define HAVE_ACOSHL 1
-#define HAVE_ATANHL 1
-#define HAVE_HYPOTL 1
-#define HAVE_ATAN2L 1
-#define HAVE_POWL 1
-#define HAVE_FMODL 1
-#define HAVE_MODFL 1
-#define HAVE_FREXPL 1
-#define HAVE_LDEXPL 1
-#define HAVE_EXP2L 1
-#define HAVE_LOG2L 1
-#define HAVE_COPYSIGNL 1
-#define HAVE_NEXTAFTERL 1
-#define HAVE_DECL_SIGNBIT
-#define HAVE_COMPLEX_H 1
-#define HAVE_CREAL 1
-#define HAVE_CIMAG 1
-#define HAVE_CABS 1
-#define HAVE_CARG 1
-#define HAVE_CEXP 1
-#define HAVE_CSQRT 1
-#define HAVE_CLOG 1
-#define HAVE_CCOS 1
-#define HAVE_CSIN 1
-#define HAVE_CPOW 1
-#define HAVE_CREALF 1
-#define HAVE_CIMAGF 1
-#define HAVE_CABSF 1
-#define HAVE_CARGF 1
-#define HAVE_CEXPF 1
-#define HAVE_CSQRTF 1
-#define HAVE_CLOGF 1
-#define HAVE_CCOSF 1
-#define HAVE_CSINF 1
-#define HAVE_CPOWF 1
-#define HAVE_CREALL 1
-#define HAVE_CIMAGL 1
-#define HAVE_CABSL 1
-#define HAVE_CARGL 1
-#define HAVE_CEXPL 1
-#define HAVE_CSQRTL 1
-#define HAVE_CLOGL 1
-#define HAVE_CCOSL 1
-#define HAVE_CSINL 1
-#define HAVE_CPOWL 1
-#define HAVE_LDOUBLE_IEEE_QUAD_LE 1
-#ifndef __cplusplus
-/* #undef inline */
-#endif
-
-#ifndef _NPY_NPY_CONFIG_H_
-#error config.h should never be included directly, include npy_config.h instead
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/mipsarchn64el/_numpyconfig.h b/meta/recipes-devtools/python-numpy/files/mipsarchn64el/_numpyconfig.h
deleted file mode 100644
index debb390094..0000000000
--- a/meta/recipes-devtools/python-numpy/files/mipsarchn64el/_numpyconfig.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#define NPY_HAVE_ENDIAN_H 1
-#define NPY_SIZEOF_SHORT SIZEOF_SHORT
-#define NPY_SIZEOF_INT SIZEOF_INT
-#define NPY_SIZEOF_LONG SIZEOF_LONG
-#define NPY_SIZEOF_FLOAT 4
-#define NPY_SIZEOF_COMPLEX_FLOAT 8
-#define NPY_SIZEOF_DOUBLE 8
-#define NPY_SIZEOF_COMPLEX_DOUBLE 16
-#define NPY_SIZEOF_LONGDOUBLE 16
-#define NPY_SIZEOF_COMPLEX_LONGDOUBLE 32
-#define NPY_ENABLE_SEPARATE_COMPILATION 1
-#define NPY_SIZEOF_PY_INTPTR_T 8
-#define NPY_SIZEOF_PY_LONG_LONG 8
-#define NPY_SIZEOF_LONGLONG 8
-#define NPY_SIZEOF_OFF_T 8
-#define NPY_NO_SMP 0
-#define NPY_HAVE_DECL_ISNAN
-#define NPY_HAVE_DECL_ISINF
-#define NPY_HAVE_DECL_ISFINITE
-#define NPY_HAVE_DECL_SIGNBIT
-#define NPY_USE_C99_COMPLEX 1
-#define NPY_HAVE_COMPLEX_DOUBLE 1
-#define NPY_HAVE_COMPLEX_FLOAT 1
-#define NPY_HAVE_COMPLEX_LONG_DOUBLE 1
-#define NPY_USE_C99_FORMATS 1
-#define NPY_VISIBILITY_HIDDEN __attribute__((visibility("hidden")))
-#define NPY_ABI_VERSION 0x01000009
-#define NPY_API_VERSION 0x0000000A
-
-#ifndef __STDC_FORMAT_MACROS
-#define __STDC_FORMAT_MACROS 1
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/mipsarchn64el/config.h b/meta/recipes-devtools/python-numpy/files/mipsarchn64el/config.h
deleted file mode 100644
index 48727039ae..0000000000
--- a/meta/recipes-devtools/python-numpy/files/mipsarchn64el/config.h
+++ /dev/null
@@ -1,138 +0,0 @@
-#define SIZEOF_PY_INTPTR_T 8
-#define SIZEOF_PY_LONG_LONG 8
-#define MATHLIB m
-#define HAVE_SIN 1
-#define HAVE_COS 1
-#define HAVE_TAN 1
-#define HAVE_SINH 1
-#define HAVE_COSH 1
-#define HAVE_TANH 1
-#define HAVE_FABS 1
-#define HAVE_FLOOR 1
-#define HAVE_CEIL 1
-#define HAVE_SQRT 1
-#define HAVE_LOG10 1
-#define HAVE_LOG 1
-#define HAVE_EXP 1
-#define HAVE_ASIN 1
-#define HAVE_ACOS 1
-#define HAVE_ATAN 1
-#define HAVE_FMOD 1
-#define HAVE_MODF 1
-#define HAVE_FREXP 1
-#define HAVE_LDEXP 1
-#define HAVE_RINT 1
-#define HAVE_TRUNC 1
-#define HAVE_EXP2 1
-#define HAVE_LOG2 1
-#define HAVE_ATAN2 1
-#define HAVE_POW 1
-#define HAVE_NEXTAFTER 1
-#define HAVE_SINF 1
-#define HAVE_COSF 1
-#define HAVE_TANF 1
-#define HAVE_SINHF 1
-#define HAVE_COSHF 1
-#define HAVE_TANHF 1
-#define HAVE_FABSF 1
-#define HAVE_FLOORF 1
-#define HAVE_CEILF 1
-#define HAVE_RINTF 1
-#define HAVE_TRUNCF 1
-#define HAVE_SQRTF 1
-#define HAVE_LOG10F 1
-#define HAVE_LOGF 1
-#define HAVE_LOG1PF 1
-#define HAVE_EXPF 1
-#define HAVE_EXPM1F 1
-#define HAVE_ASINF 1
-#define HAVE_ACOSF 1
-#define HAVE_ATANF 1
-#define HAVE_ASINHF 1
-#define HAVE_ACOSHF 1
-#define HAVE_ATANHF 1
-#define HAVE_HYPOTF 1
-#define HAVE_ATAN2F 1
-#define HAVE_POWF 1
-#define HAVE_FMODF 1
-#define HAVE_MODFF 1
-#define HAVE_FREXPF 1
-#define HAVE_LDEXPF 1
-#define HAVE_EXP2F 1
-#define HAVE_LOG2F 1
-#define HAVE_COPYSIGNF 1
-#define HAVE_NEXTAFTERF 1
-#define HAVE_SINL 1
-#define HAVE_COSL 1
-#define HAVE_TANL 1
-#define HAVE_SINHL 1
-#define HAVE_COSHL 1
-#define HAVE_TANHL 1
-#define HAVE_FABSL 1
-#define HAVE_FLOORL 1
-#define HAVE_CEILL 1
-#define HAVE_RINTL 1
-#define HAVE_TRUNCL 1
-#define HAVE_SQRTL 1
-#define HAVE_LOG10L 1
-#define HAVE_LOGL 1
-#define HAVE_LOG1PL 1
-#define HAVE_EXPL 1
-#define HAVE_EXPM1L 1
-#define HAVE_ASINL 1
-#define HAVE_ACOSL 1
-#define HAVE_ATANL 1
-#define HAVE_ASINHL 1
-#define HAVE_ACOSHL 1
-#define HAVE_ATANHL 1
-#define HAVE_HYPOTL 1
-#define HAVE_ATAN2L 1
-#define HAVE_POWL 1
-#define HAVE_FMODL 1
-#define HAVE_MODFL 1
-#define HAVE_FREXPL 1
-#define HAVE_LDEXPL 1
-#define HAVE_EXP2L 1
-#define HAVE_LOG2L 1
-#define HAVE_COPYSIGNL 1
-#define HAVE_NEXTAFTERL 1
-#define HAVE_DECL_SIGNBIT
-#define HAVE_COMPLEX_H 1
-#define HAVE_CREAL 1
-#define HAVE_CIMAG 1
-#define HAVE_CABS 1
-#define HAVE_CARG 1
-#define HAVE_CEXP 1
-#define HAVE_CSQRT 1
-#define HAVE_CLOG 1
-#define HAVE_CCOS 1
-#define HAVE_CSIN 1
-#define HAVE_CPOW 1
-#define HAVE_CREALF 1
-#define HAVE_CIMAGF 1
-#define HAVE_CABSF 1
-#define HAVE_CARGF 1
-#define HAVE_CEXPF 1
-#define HAVE_CSQRTF 1
-#define HAVE_CLOGF 1
-#define HAVE_CCOSF 1
-#define HAVE_CSINF 1
-#define HAVE_CPOWF 1
-#define HAVE_CREALL 1
-#define HAVE_CIMAGL 1
-#define HAVE_CABSL 1
-#define HAVE_CARGL 1
-#define HAVE_CEXPL 1
-#define HAVE_CSQRTL 1
-#define HAVE_CLOGL 1
-#define HAVE_CCOSL 1
-#define HAVE_CSINL 1
-#define HAVE_CPOWL 1
-#define HAVE_LDOUBLE_IEEE_QUAD_LE 1
-#ifndef __cplusplus
-/* #undef inline */
-#endif
-
-#ifndef _NPY_NPY_CONFIG_H_
-#error config.h should never be included directly, include npy_config.h instead
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/mipsarcho32eb/_numpyconfig.h b/meta/recipes-devtools/python-numpy/files/mipsarcho32eb/_numpyconfig.h
deleted file mode 100644
index 4c465c216c..0000000000
--- a/meta/recipes-devtools/python-numpy/files/mipsarcho32eb/_numpyconfig.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#define NPY_HAVE_ENDIAN_H 1
-#define NPY_SIZEOF_SHORT SIZEOF_SHORT
-#define NPY_SIZEOF_INT SIZEOF_INT
-#define NPY_SIZEOF_LONG SIZEOF_LONG
-#define NPY_SIZEOF_FLOAT 4
-#define NPY_SIZEOF_COMPLEX_FLOAT 8
-#define NPY_SIZEOF_DOUBLE 8
-#define NPY_SIZEOF_COMPLEX_DOUBLE 16
-#define NPY_SIZEOF_LONGDOUBLE 8
-#define NPY_SIZEOF_COMPLEX_LONGDOUBLE 16
-#define NPY_ENABLE_SEPARATE_COMPILATION 1
-#define NPY_SIZEOF_PY_INTPTR_T 4
-#define NPY_SIZEOF_PY_LONG_LONG 8
-#define NPY_SIZEOF_LONGLONG 8
-#define NPY_SIZEOF_OFF_T 8
-#define NPY_NO_SMP 0
-#define NPY_HAVE_DECL_ISNAN
-#define NPY_HAVE_DECL_ISINF
-#define NPY_HAVE_DECL_ISFINITE
-#define NPY_HAVE_DECL_SIGNBIT
-#define NPY_USE_C99_COMPLEX 1
-#define NPY_HAVE_COMPLEX_DOUBLE 1
-#define NPY_HAVE_COMPLEX_FLOAT 1
-#define NPY_HAVE_COMPLEX_LONG_DOUBLE 1
-#define NPY_USE_C99_FORMATS 1
-#define NPY_VISIBILITY_HIDDEN __attribute__((visibility("hidden")))
-#define NPY_ABI_VERSION 0x01000009
-#define NPY_API_VERSION 0x0000000A
-
-#ifndef __STDC_FORMAT_MACROS
-#define __STDC_FORMAT_MACROS 1
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/mipsarcho32eb/config.h b/meta/recipes-devtools/python-numpy/files/mipsarcho32eb/config.h
deleted file mode 100644
index 2f6135adce..0000000000
--- a/meta/recipes-devtools/python-numpy/files/mipsarcho32eb/config.h
+++ /dev/null
@@ -1,139 +0,0 @@
-#define HAVE_ENDIAN_H 1
-#define SIZEOF_PY_INTPTR_T 4
-#define SIZEOF_PY_LONG_LONG 8
-#define MATHLIB m
-#define HAVE_SIN 1
-#define HAVE_COS 1
-#define HAVE_TAN 1
-#define HAVE_SINH 1
-#define HAVE_COSH 1
-#define HAVE_TANH 1
-#define HAVE_FABS 1
-#define HAVE_FLOOR 1
-#define HAVE_CEIL 1
-#define HAVE_SQRT 1
-#define HAVE_LOG10 1
-#define HAVE_LOG 1
-#define HAVE_EXP 1
-#define HAVE_ASIN 1
-#define HAVE_ACOS 1
-#define HAVE_ATAN 1
-#define HAVE_FMOD 1
-#define HAVE_MODF 1
-#define HAVE_FREXP 1
-#define HAVE_LDEXP 1
-#define HAVE_RINT 1
-#define HAVE_TRUNC 1
-#define HAVE_EXP2 1
-#define HAVE_LOG2 1
-#define HAVE_ATAN2 1
-#define HAVE_POW 1
-#define HAVE_NEXTAFTER 1
-#define HAVE_SINF 1
-#define HAVE_COSF 1
-#define HAVE_TANF 1
-#define HAVE_SINHF 1
-#define HAVE_COSHF 1
-#define HAVE_TANHF 1
-#define HAVE_FABSF 1
-#define HAVE_FLOORF 1
-#define HAVE_CEILF 1
-#define HAVE_RINTF 1
-#define HAVE_TRUNCF 1
-#define HAVE_SQRTF 1
-#define HAVE_LOG10F 1
-#define HAVE_LOGF 1
-#define HAVE_LOG1PF 1
-#define HAVE_EXPF 1
-#define HAVE_EXPM1F 1
-#define HAVE_ASINF 1
-#define HAVE_ACOSF 1
-#define HAVE_ATANF 1
-#define HAVE_ASINHF 1
-#define HAVE_ACOSHF 1
-#define HAVE_ATANHF 1
-#define HAVE_HYPOTF 1
-#define HAVE_ATAN2F 1
-#define HAVE_POWF 1
-#define HAVE_FMODF 1
-#define HAVE_MODFF 1
-#define HAVE_FREXPF 1
-#define HAVE_LDEXPF 1
-#define HAVE_EXP2F 1
-#define HAVE_LOG2F 1
-#define HAVE_COPYSIGNF 1
-#define HAVE_NEXTAFTERF 1
-#define HAVE_SINL 1
-#define HAVE_COSL 1
-#define HAVE_TANL 1
-#define HAVE_SINHL 1
-#define HAVE_COSHL 1
-#define HAVE_TANHL 1
-#define HAVE_FABSL 1
-#define HAVE_FLOORL 1
-#define HAVE_CEILL 1
-#define HAVE_RINTL 1
-#define HAVE_TRUNCL 1
-#define HAVE_SQRTL 1
-#define HAVE_LOG10L 1
-#define HAVE_LOGL 1
-#define HAVE_LOG1PL 1
-#define HAVE_EXPL 1
-#define HAVE_EXPM1L 1
-#define HAVE_ASINL 1
-#define HAVE_ACOSL 1
-#define HAVE_ATANL 1
-#define HAVE_ASINHL 1
-#define HAVE_ACOSHL 1
-#define HAVE_ATANHL 1
-#define HAVE_HYPOTL 1
-#define HAVE_ATAN2L 1
-#define HAVE_POWL 1
-#define HAVE_FMODL 1
-#define HAVE_MODFL 1
-#define HAVE_FREXPL 1
-#define HAVE_LDEXPL 1
-#define HAVE_EXP2L 1
-#define HAVE_LOG2L 1
-#define HAVE_COPYSIGNL 1
-#define HAVE_NEXTAFTERL 1
-#define HAVE_DECL_SIGNBIT
-#define HAVE_COMPLEX_H 1
-#define HAVE_CREAL 1
-#define HAVE_CIMAG 1
-#define HAVE_CABS 1
-#define HAVE_CARG 1
-#define HAVE_CEXP 1
-#define HAVE_CSQRT 1
-#define HAVE_CLOG 1
-#define HAVE_CCOS 1
-#define HAVE_CSIN 1
-#define HAVE_CPOW 1
-#define HAVE_CREALF 1
-#define HAVE_CIMAGF 1
-#define HAVE_CABSF 1
-#define HAVE_CARGF 1
-#define HAVE_CEXPF 1
-#define HAVE_CSQRTF 1
-#define HAVE_CLOGF 1
-#define HAVE_CCOSF 1
-#define HAVE_CSINF 1
-#define HAVE_CPOWF 1
-#define HAVE_CREALL 1
-#define HAVE_CIMAGL 1
-#define HAVE_CABSL 1
-#define HAVE_CARGL 1
-#define HAVE_CEXPL 1
-#define HAVE_CSQRTL 1
-#define HAVE_CLOGL 1
-#define HAVE_CCOSL 1
-#define HAVE_CSINL 1
-#define HAVE_CPOWL 1
-#define HAVE_LDOUBLE_IEEE_DOUBLE_BE 1
-#ifndef __cplusplus
-/* #undef inline */
-#endif
-
-#ifndef _NPY_NPY_CONFIG_H_
-#error config.h should never be included directly, include npy_config.h instead
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/mipsarcho32el/config.h b/meta/recipes-devtools/python-numpy/files/mipsarcho32el/config.h
deleted file mode 100644
index 17ef186d56..0000000000
--- a/meta/recipes-devtools/python-numpy/files/mipsarcho32el/config.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/* ./src.linux-i686-2.5/numpy/core/include/numpy/config.h */
-/* #define SIZEOF_SHORT 2 */
-/* #define SIZEOF_INT 4 */
-/* #define SIZEOF_LONG 4 */
-/* #define SIZEOF_FLOAT 4 */
-/* #define SIZEOF_DOUBLE 8 */
-#define SIZEOF_LONG_DOUBLE 12
-#define SIZEOF_PY_INTPTR_T 4
-/* #define SIZEOF_LONG_LONG 8 */
-#define SIZEOF_PY_LONG_LONG 8
-/* #define CHAR_BIT 8 */
-#define MATHLIB m
-#define HAVE_FLOAT_FUNCS
-#define HAVE_LOG1P
-#define HAVE_EXPM1
-#define HAVE_INVERSE_HYPERBOLIC
-#define HAVE_INVERSE_HYPERBOLIC_FLOAT
-#define HAVE_ISNAN
-#define HAVE_ISINF
-#define HAVE_RINT
-
diff --git a/meta/recipes-devtools/python-numpy/files/mipsarcho32el/numpyconfig.h b/meta/recipes-devtools/python-numpy/files/mipsarcho32el/numpyconfig.h
deleted file mode 100644
index 0b7cd51af4..0000000000
--- a/meta/recipes-devtools/python-numpy/files/mipsarcho32el/numpyconfig.h
+++ /dev/null
@@ -1,18 +0,0 @@
-/* cat ./src.linux-i686-2.5/numpy/core/include/numpy/numpyconfig.h */
-/*
- * * This file is generated by numpy/core/setup.pyc. DO NOT EDIT
- * */
-#define NPY_SIZEOF_SHORT 2
-#define NPY_SIZEOF_INT 4
-#define NPY_SIZEOF_LONG 4
-#define NPY_SIZEOF_FLOAT 4
-#define NPY_SIZEOF_DOUBLE 8
-#define NPY_SIZEOF_LONGDOUBLE 12
-#define NPY_SIZEOF_PY_INTPTR_T 4
-#define NPY_NO_SMP 0
-
-#define NPY_SIZEOF_LONGLONG 8
-#define NPY_SIZEOF_PY_LONG_LONG 8
-#define NPY_SIZEOF_OFF_T 8
-/* #define CHAR_BIT 8 */
-
diff --git a/meta/recipes-devtools/python-numpy/files/powerpc/_numpyconfig.h b/meta/recipes-devtools/python-numpy/files/powerpc/_numpyconfig.h
deleted file mode 100644
index 6e7262ad91..0000000000
--- a/meta/recipes-devtools/python-numpy/files/powerpc/_numpyconfig.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#define NPY_HAVE_ENDIAN_H 1
-#define NPY_SIZEOF_SHORT SIZEOF_SHORT
-#define NPY_SIZEOF_INT SIZEOF_INT
-#define NPY_SIZEOF_LONG SIZEOF_LONG
-#define NPY_SIZEOF_FLOAT 4
-#define NPY_SIZEOF_COMPLEX_FLOAT 8
-#define NPY_SIZEOF_DOUBLE 8
-#define NPY_SIZEOF_COMPLEX_DOUBLE 16
-#define NPY_SIZEOF_LONGDOUBLE 16
-#define NPY_SIZEOF_COMPLEX_LONGDOUBLE 32
-#define NPY_ENABLE_SEPARATE_COMPILATION 1
-#define NPY_SIZEOF_PY_INTPTR_T 4
-#define NPY_SIZEOF_PY_LONG_LONG 8
-#define NPY_SIZEOF_LONGLONG 8
-#define NPY_SIZEOF_OFF_T 8
-#define NPY_NO_SMP 0
-#define NPY_HAVE_DECL_ISNAN
-#define NPY_HAVE_DECL_ISINF
-#define NPY_HAVE_DECL_ISFINITE
-#define NPY_HAVE_DECL_SIGNBIT
-#define NPY_USE_C99_COMPLEX 1
-#define NPY_HAVE_COMPLEX_DOUBLE 1
-#define NPY_HAVE_COMPLEX_FLOAT 1
-#define NPY_HAVE_COMPLEX_LONG_DOUBLE 1
-#define NPY_USE_C99_FORMATS 1
-#define NPY_VISIBILITY_HIDDEN __attribute__((visibility("hidden")))
-#define NPY_ABI_VERSION 0x01000009
-#define NPY_API_VERSION 0x0000000A
-
-#ifndef __STDC_FORMAT_MACROS
-#define __STDC_FORMAT_MACROS 1
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/powerpc/config.h b/meta/recipes-devtools/python-numpy/files/powerpc/config.h
deleted file mode 100644
index f65d39d5de..0000000000
--- a/meta/recipes-devtools/python-numpy/files/powerpc/config.h
+++ /dev/null
@@ -1,139 +0,0 @@
-#define HAVE_ENDIAN_H 1
-#define SIZEOF_PY_INTPTR_T 4
-#define SIZEOF_PY_LONG_LONG 8
-#define MATHLIB m
-#define HAVE_SIN 1
-#define HAVE_COS 1
-#define HAVE_TAN 1
-#define HAVE_SINH 1
-#define HAVE_COSH 1
-#define HAVE_TANH 1
-#define HAVE_FABS 1
-#define HAVE_FLOOR 1
-#define HAVE_CEIL 1
-#define HAVE_SQRT 1
-#define HAVE_LOG10 1
-#define HAVE_LOG 1
-#define HAVE_EXP 1
-#define HAVE_ASIN 1
-#define HAVE_ACOS 1
-#define HAVE_ATAN 1
-#define HAVE_FMOD 1
-#define HAVE_MODF 1
-#define HAVE_FREXP 1
-#define HAVE_LDEXP 1
-#define HAVE_RINT 1
-#define HAVE_TRUNC 1
-#define HAVE_EXP2 1
-#define HAVE_LOG2 1
-#define HAVE_ATAN2 1
-#define HAVE_POW 1
-#define HAVE_NEXTAFTER 1
-#define HAVE_SINF 1
-#define HAVE_COSF 1
-#define HAVE_TANF 1
-#define HAVE_SINHF 1
-#define HAVE_COSHF 1
-#define HAVE_TANHF 1
-#define HAVE_FABSF 1
-#define HAVE_FLOORF 1
-#define HAVE_CEILF 1
-#define HAVE_RINTF 1
-#define HAVE_TRUNCF 1
-#define HAVE_SQRTF 1
-#define HAVE_LOG10F 1
-#define HAVE_LOGF 1
-#define HAVE_LOG1PF 1
-#define HAVE_EXPF 1
-#define HAVE_EXPM1F 1
-#define HAVE_ASINF 1
-#define HAVE_ACOSF 1
-#define HAVE_ATANF 1
-#define HAVE_ASINHF 1
-#define HAVE_ACOSHF 1
-#define HAVE_ATANHF 1
-#define HAVE_HYPOTF 1
-#define HAVE_ATAN2F 1
-#define HAVE_POWF 1
-#define HAVE_FMODF 1
-#define HAVE_MODFF 1
-#define HAVE_FREXPF 1
-#define HAVE_LDEXPF 1
-#define HAVE_EXP2F 1
-#define HAVE_LOG2F 1
-#define HAVE_COPYSIGNF 1
-#define HAVE_NEXTAFTERF 1
-#define HAVE_SINL 1
-#define HAVE_COSL 1
-#define HAVE_TANL 1
-#define HAVE_SINHL 1
-#define HAVE_COSHL 1
-#define HAVE_TANHL 1
-#define HAVE_FABSL 1
-#define HAVE_FLOORL 1
-#define HAVE_CEILL 1
-#define HAVE_RINTL 1
-#define HAVE_TRUNCL 1
-#define HAVE_SQRTL 1
-#define HAVE_LOG10L 1
-#define HAVE_LOGL 1
-#define HAVE_LOG1PL 1
-#define HAVE_EXPL 1
-#define HAVE_EXPM1L 1
-#define HAVE_ASINL 1
-#define HAVE_ACOSL 1
-#define HAVE_ATANL 1
-#define HAVE_ASINHL 1
-#define HAVE_ACOSHL 1
-#define HAVE_ATANHL 1
-#define HAVE_HYPOTL 1
-#define HAVE_ATAN2L 1
-#define HAVE_POWL 1
-#define HAVE_FMODL 1
-#define HAVE_MODFL 1
-#define HAVE_FREXPL 1
-#define HAVE_LDEXPL 1
-#define HAVE_EXP2L 1
-#define HAVE_LOG2L 1
-#define HAVE_COPYSIGNL 1
-#define HAVE_NEXTAFTERL 1
-#define HAVE_DECL_SIGNBIT
-#define HAVE_COMPLEX_H 1
-#define HAVE_CREAL 1
-#define HAVE_CIMAG 1
-#define HAVE_CABS 1
-#define HAVE_CARG 1
-#define HAVE_CEXP 1
-#define HAVE_CSQRT 1
-#define HAVE_CLOG 1
-#define HAVE_CCOS 1
-#define HAVE_CSIN 1
-#define HAVE_CPOW 1
-#define HAVE_CREALF 1
-#define HAVE_CIMAGF 1
-#define HAVE_CABSF 1
-#define HAVE_CARGF 1
-#define HAVE_CEXPF 1
-#define HAVE_CSQRTF 1
-#define HAVE_CLOGF 1
-#define HAVE_CCOSF 1
-#define HAVE_CSINF 1
-#define HAVE_CPOWF 1
-#define HAVE_CREALL 1
-#define HAVE_CIMAGL 1
-#define HAVE_CABSL 1
-#define HAVE_CARGL 1
-#define HAVE_CEXPL 1
-#define HAVE_CSQRTL 1
-#define HAVE_CLOGL 1
-#define HAVE_CCOSL 1
-#define HAVE_CSINL 1
-#define HAVE_CPOWL 1
-#define HAVE_LDOUBLE_DOUBLE_DOUBLE_BE 1
-#ifndef __cplusplus
-/* #undef inline */
-#endif
-
-#ifndef _NPY_NPY_CONFIG_H_
-#error config.h should never be included directly, include npy_config.h instead
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/powerpc64/_numpyconfig.h b/meta/recipes-devtools/python-numpy/files/powerpc64/_numpyconfig.h
deleted file mode 100644
index debb390094..0000000000
--- a/meta/recipes-devtools/python-numpy/files/powerpc64/_numpyconfig.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#define NPY_HAVE_ENDIAN_H 1
-#define NPY_SIZEOF_SHORT SIZEOF_SHORT
-#define NPY_SIZEOF_INT SIZEOF_INT
-#define NPY_SIZEOF_LONG SIZEOF_LONG
-#define NPY_SIZEOF_FLOAT 4
-#define NPY_SIZEOF_COMPLEX_FLOAT 8
-#define NPY_SIZEOF_DOUBLE 8
-#define NPY_SIZEOF_COMPLEX_DOUBLE 16
-#define NPY_SIZEOF_LONGDOUBLE 16
-#define NPY_SIZEOF_COMPLEX_LONGDOUBLE 32
-#define NPY_ENABLE_SEPARATE_COMPILATION 1
-#define NPY_SIZEOF_PY_INTPTR_T 8
-#define NPY_SIZEOF_PY_LONG_LONG 8
-#define NPY_SIZEOF_LONGLONG 8
-#define NPY_SIZEOF_OFF_T 8
-#define NPY_NO_SMP 0
-#define NPY_HAVE_DECL_ISNAN
-#define NPY_HAVE_DECL_ISINF
-#define NPY_HAVE_DECL_ISFINITE
-#define NPY_HAVE_DECL_SIGNBIT
-#define NPY_USE_C99_COMPLEX 1
-#define NPY_HAVE_COMPLEX_DOUBLE 1
-#define NPY_HAVE_COMPLEX_FLOAT 1
-#define NPY_HAVE_COMPLEX_LONG_DOUBLE 1
-#define NPY_USE_C99_FORMATS 1
-#define NPY_VISIBILITY_HIDDEN __attribute__((visibility("hidden")))
-#define NPY_ABI_VERSION 0x01000009
-#define NPY_API_VERSION 0x0000000A
-
-#ifndef __STDC_FORMAT_MACROS
-#define __STDC_FORMAT_MACROS 1
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/powerpc64/config.h b/meta/recipes-devtools/python-numpy/files/powerpc64/config.h
deleted file mode 100644
index c30b868f2f..0000000000
--- a/meta/recipes-devtools/python-numpy/files/powerpc64/config.h
+++ /dev/null
@@ -1,139 +0,0 @@
-#define HAVE_ENDIAN_H 1
-#define SIZEOF_PY_INTPTR_T 8
-#define SIZEOF_PY_LONG_LONG 8
-#define MATHLIB m
-#define HAVE_SIN 1
-#define HAVE_COS 1
-#define HAVE_TAN 1
-#define HAVE_SINH 1
-#define HAVE_COSH 1
-#define HAVE_TANH 1
-#define HAVE_FABS 1
-#define HAVE_FLOOR 1
-#define HAVE_CEIL 1
-#define HAVE_SQRT 1
-#define HAVE_LOG10 1
-#define HAVE_LOG 1
-#define HAVE_EXP 1
-#define HAVE_ASIN 1
-#define HAVE_ACOS 1
-#define HAVE_ATAN 1
-#define HAVE_FMOD 1
-#define HAVE_MODF 1
-#define HAVE_FREXP 1
-#define HAVE_LDEXP 1
-#define HAVE_RINT 1
-#define HAVE_TRUNC 1
-#define HAVE_EXP2 1
-#define HAVE_LOG2 1
-#define HAVE_ATAN2 1
-#define HAVE_POW 1
-#define HAVE_NEXTAFTER 1
-#define HAVE_SINF 1
-#define HAVE_COSF 1
-#define HAVE_TANF 1
-#define HAVE_SINHF 1
-#define HAVE_COSHF 1
-#define HAVE_TANHF 1
-#define HAVE_FABSF 1
-#define HAVE_FLOORF 1
-#define HAVE_CEILF 1
-#define HAVE_RINTF 1
-#define HAVE_TRUNCF 1
-#define HAVE_SQRTF 1
-#define HAVE_LOG10F 1
-#define HAVE_LOGF 1
-#define HAVE_LOG1PF 1
-#define HAVE_EXPF 1
-#define HAVE_EXPM1F 1
-#define HAVE_ASINF 1
-#define HAVE_ACOSF 1
-#define HAVE_ATANF 1
-#define HAVE_ASINHF 1
-#define HAVE_ACOSHF 1
-#define HAVE_ATANHF 1
-#define HAVE_HYPOTF 1
-#define HAVE_ATAN2F 1
-#define HAVE_POWF 1
-#define HAVE_FMODF 1
-#define HAVE_MODFF 1
-#define HAVE_FREXPF 1
-#define HAVE_LDEXPF 1
-#define HAVE_EXP2F 1
-#define HAVE_LOG2F 1
-#define HAVE_COPYSIGNF 1
-#define HAVE_NEXTAFTERF 1
-#define HAVE_SINL 1
-#define HAVE_COSL 1
-#define HAVE_TANL 1
-#define HAVE_SINHL 1
-#define HAVE_COSHL 1
-#define HAVE_TANHL 1
-#define HAVE_FABSL 1
-#define HAVE_FLOORL 1
-#define HAVE_CEILL 1
-#define HAVE_RINTL 1
-#define HAVE_TRUNCL 1
-#define HAVE_SQRTL 1
-#define HAVE_LOG10L 1
-#define HAVE_LOGL 1
-#define HAVE_LOG1PL 1
-#define HAVE_EXPL 1
-#define HAVE_EXPM1L 1
-#define HAVE_ASINL 1
-#define HAVE_ACOSL 1
-#define HAVE_ATANL 1
-#define HAVE_ASINHL 1
-#define HAVE_ACOSHL 1
-#define HAVE_ATANHL 1
-#define HAVE_HYPOTL 1
-#define HAVE_ATAN2L 1
-#define HAVE_POWL 1
-#define HAVE_FMODL 1
-#define HAVE_MODFL 1
-#define HAVE_FREXPL 1
-#define HAVE_LDEXPL 1
-#define HAVE_EXP2L 1
-#define HAVE_LOG2L 1
-#define HAVE_COPYSIGNL 1
-#define HAVE_NEXTAFTERL 1
-#define HAVE_DECL_SIGNBIT
-#define HAVE_COMPLEX_H 1
-#define HAVE_CREAL 1
-#define HAVE_CIMAG 1
-#define HAVE_CABS 1
-#define HAVE_CARG 1
-#define HAVE_CEXP 1
-#define HAVE_CSQRT 1
-#define HAVE_CLOG 1
-#define HAVE_CCOS 1
-#define HAVE_CSIN 1
-#define HAVE_CPOW 1
-#define HAVE_CREALF 1
-#define HAVE_CIMAGF 1
-#define HAVE_CABSF 1
-#define HAVE_CARGF 1
-#define HAVE_CEXPF 1
-#define HAVE_CSQRTF 1
-#define HAVE_CLOGF 1
-#define HAVE_CCOSF 1
-#define HAVE_CSINF 1
-#define HAVE_CPOWF 1
-#define HAVE_CREALL 1
-#define HAVE_CIMAGL 1
-#define HAVE_CABSL 1
-#define HAVE_CARGL 1
-#define HAVE_CEXPL 1
-#define HAVE_CSQRTL 1
-#define HAVE_CLOGL 1
-#define HAVE_CCOSL 1
-#define HAVE_CSINL 1
-#define HAVE_CPOWL 1
-#define HAVE_LDOUBLE_IEEE_QUAD_LE 1
-#ifndef __cplusplus
-/* #undef inline */
-#endif
-
-#ifndef _NPY_NPY_CONFIG_H_
-#error config.h should never be included directly, include npy_config.h instead
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/riscv64/_numpyconfig.h b/meta/recipes-devtools/python-numpy/files/riscv64/_numpyconfig.h
deleted file mode 100644
index 109deb0435..0000000000
--- a/meta/recipes-devtools/python-numpy/files/riscv64/_numpyconfig.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#define NPY_HAVE_ENDIAN_H 1
-#define NPY_SIZEOF_SHORT SIZEOF_SHORT
-#define NPY_SIZEOF_INT SIZEOF_INT
-#define NPY_SIZEOF_LONG SIZEOF_LONG
-#define NPY_SIZEOF_FLOAT 4
-#define NPY_SIZEOF_COMPLEX_FLOAT 8
-#define NPY_SIZEOF_DOUBLE 8
-#define NPY_SIZEOF_COMPLEX_DOUBLE 16
-#define NPY_SIZEOF_LONGDOUBLE 16
-#define NPY_SIZEOF_COMPLEX_LONGDOUBLE 32
-#define NPY_SIZEOF_PY_INTPTR_T 8
-#define NPY_SIZEOF_PY_LONG_LONG 8
-#define NPY_SIZEOF_LONGLONG 8
-#define NPY_SIZEOF_OFF_T 8
-#define NPY_NO_SMP 0
-#define NPY_HAVE_DECL_ISNAN
-#define NPY_HAVE_DECL_ISINF
-#define NPY_HAVE_DECL_ISFINITE
-#define NPY_HAVE_DECL_SIGNBIT
-#define NPY_USE_C99_COMPLEX 1
-#define NPY_HAVE_COMPLEX_DOUBLE 1
-#define NPY_HAVE_COMPLEX_FLOAT 1
-#define NPY_HAVE_COMPLEX_LONG_DOUBLE 1
-#define NPY_ENABLE_SEPARATE_COMPILATION 1
-#define NPY_USE_C99_FORMATS 1
-#define NPY_VISIBILITY_HIDDEN __attribute__((visibility("hidden")))
-#define NPY_ABI_VERSION 0x01000009
-#define NPY_API_VERSION 0x0000000A
-
-#ifndef __STDC_FORMAT_MACROS
-#define __STDC_FORMAT_MACROS 1
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/riscv64/config.h b/meta/recipes-devtools/python-numpy/files/riscv64/config.h
deleted file mode 100644
index c30b868f2f..0000000000
--- a/meta/recipes-devtools/python-numpy/files/riscv64/config.h
+++ /dev/null
@@ -1,139 +0,0 @@
-#define HAVE_ENDIAN_H 1
-#define SIZEOF_PY_INTPTR_T 8
-#define SIZEOF_PY_LONG_LONG 8
-#define MATHLIB m
-#define HAVE_SIN 1
-#define HAVE_COS 1
-#define HAVE_TAN 1
-#define HAVE_SINH 1
-#define HAVE_COSH 1
-#define HAVE_TANH 1
-#define HAVE_FABS 1
-#define HAVE_FLOOR 1
-#define HAVE_CEIL 1
-#define HAVE_SQRT 1
-#define HAVE_LOG10 1
-#define HAVE_LOG 1
-#define HAVE_EXP 1
-#define HAVE_ASIN 1
-#define HAVE_ACOS 1
-#define HAVE_ATAN 1
-#define HAVE_FMOD 1
-#define HAVE_MODF 1
-#define HAVE_FREXP 1
-#define HAVE_LDEXP 1
-#define HAVE_RINT 1
-#define HAVE_TRUNC 1
-#define HAVE_EXP2 1
-#define HAVE_LOG2 1
-#define HAVE_ATAN2 1
-#define HAVE_POW 1
-#define HAVE_NEXTAFTER 1
-#define HAVE_SINF 1
-#define HAVE_COSF 1
-#define HAVE_TANF 1
-#define HAVE_SINHF 1
-#define HAVE_COSHF 1
-#define HAVE_TANHF 1
-#define HAVE_FABSF 1
-#define HAVE_FLOORF 1
-#define HAVE_CEILF 1
-#define HAVE_RINTF 1
-#define HAVE_TRUNCF 1
-#define HAVE_SQRTF 1
-#define HAVE_LOG10F 1
-#define HAVE_LOGF 1
-#define HAVE_LOG1PF 1
-#define HAVE_EXPF 1
-#define HAVE_EXPM1F 1
-#define HAVE_ASINF 1
-#define HAVE_ACOSF 1
-#define HAVE_ATANF 1
-#define HAVE_ASINHF 1
-#define HAVE_ACOSHF 1
-#define HAVE_ATANHF 1
-#define HAVE_HYPOTF 1
-#define HAVE_ATAN2F 1
-#define HAVE_POWF 1
-#define HAVE_FMODF 1
-#define HAVE_MODFF 1
-#define HAVE_FREXPF 1
-#define HAVE_LDEXPF 1
-#define HAVE_EXP2F 1
-#define HAVE_LOG2F 1
-#define HAVE_COPYSIGNF 1
-#define HAVE_NEXTAFTERF 1
-#define HAVE_SINL 1
-#define HAVE_COSL 1
-#define HAVE_TANL 1
-#define HAVE_SINHL 1
-#define HAVE_COSHL 1
-#define HAVE_TANHL 1
-#define HAVE_FABSL 1
-#define HAVE_FLOORL 1
-#define HAVE_CEILL 1
-#define HAVE_RINTL 1
-#define HAVE_TRUNCL 1
-#define HAVE_SQRTL 1
-#define HAVE_LOG10L 1
-#define HAVE_LOGL 1
-#define HAVE_LOG1PL 1
-#define HAVE_EXPL 1
-#define HAVE_EXPM1L 1
-#define HAVE_ASINL 1
-#define HAVE_ACOSL 1
-#define HAVE_ATANL 1
-#define HAVE_ASINHL 1
-#define HAVE_ACOSHL 1
-#define HAVE_ATANHL 1
-#define HAVE_HYPOTL 1
-#define HAVE_ATAN2L 1
-#define HAVE_POWL 1
-#define HAVE_FMODL 1
-#define HAVE_MODFL 1
-#define HAVE_FREXPL 1
-#define HAVE_LDEXPL 1
-#define HAVE_EXP2L 1
-#define HAVE_LOG2L 1
-#define HAVE_COPYSIGNL 1
-#define HAVE_NEXTAFTERL 1
-#define HAVE_DECL_SIGNBIT
-#define HAVE_COMPLEX_H 1
-#define HAVE_CREAL 1
-#define HAVE_CIMAG 1
-#define HAVE_CABS 1
-#define HAVE_CARG 1
-#define HAVE_CEXP 1
-#define HAVE_CSQRT 1
-#define HAVE_CLOG 1
-#define HAVE_CCOS 1
-#define HAVE_CSIN 1
-#define HAVE_CPOW 1
-#define HAVE_CREALF 1
-#define HAVE_CIMAGF 1
-#define HAVE_CABSF 1
-#define HAVE_CARGF 1
-#define HAVE_CEXPF 1
-#define HAVE_CSQRTF 1
-#define HAVE_CLOGF 1
-#define HAVE_CCOSF 1
-#define HAVE_CSINF 1
-#define HAVE_CPOWF 1
-#define HAVE_CREALL 1
-#define HAVE_CIMAGL 1
-#define HAVE_CABSL 1
-#define HAVE_CARGL 1
-#define HAVE_CEXPL 1
-#define HAVE_CSQRTL 1
-#define HAVE_CLOGL 1
-#define HAVE_CCOSL 1
-#define HAVE_CSINL 1
-#define HAVE_CPOWL 1
-#define HAVE_LDOUBLE_IEEE_QUAD_LE 1
-#ifndef __cplusplus
-/* #undef inline */
-#endif
-
-#ifndef _NPY_NPY_CONFIG_H_
-#error config.h should never be included directly, include npy_config.h instead
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/x86-64/_numpyconfig.h b/meta/recipes-devtools/python-numpy/files/x86-64/_numpyconfig.h
deleted file mode 100644
index b330361649..0000000000
--- a/meta/recipes-devtools/python-numpy/files/x86-64/_numpyconfig.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#define NPY_HAVE_ENDIAN_H 1
-#define NPY_SIZEOF_SHORT SIZEOF_SHORT
-#define NPY_SIZEOF_INT SIZEOF_INT
-#define NPY_SIZEOF_LONG SIZEOF_LONG
-#define NPY_SIZEOF_FLOAT 4
-#define NPY_SIZEOF_COMPLEX_FLOAT 8
-#define NPY_SIZEOF_DOUBLE 8
-#define NPY_SIZEOF_OFF_T 8
-#define NPY_SIZEOF_COMPLEX_DOUBLE 16
-#define NPY_SIZEOF_LONGDOUBLE 16
-#define NPY_SIZEOF_COMPLEX_LONGDOUBLE 32
-#define NPY_ENABLE_SEPARATE_COMPILATION 1
-#define NPY_SIZEOF_PY_INTPTR_T 8
-#define NPY_SIZEOF_PY_LONG_LONG 8
-#define NPY_SIZEOF_LONGLONG 8
-#define NPY_NO_SMP 0
-#define NPY_HAVE_DECL_ISNAN
-#define NPY_HAVE_DECL_ISINF
-#define NPY_HAVE_DECL_ISFINITE
-#define NPY_HAVE_DECL_SIGNBIT
-#define NPY_USE_C99_COMPLEX 1
-#define NPY_HAVE_COMPLEX_DOUBLE 1
-#define NPY_HAVE_COMPLEX_FLOAT 1
-#define NPY_HAVE_COMPLEX_LONG_DOUBLE 1
-#define NPY_USE_C99_FORMATS 1
-#define NPY_VISIBILITY_HIDDEN __attribute__((visibility("hidden")))
-#define NPY_ABI_VERSION 0x01000009
-#define NPY_API_VERSION 0x0000000A
-
-#ifndef __STDC_FORMAT_MACROS
-#define __STDC_FORMAT_MACROS 1
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/x86-64/config.h b/meta/recipes-devtools/python-numpy/files/x86-64/config.h
deleted file mode 100644
index 0ce63b7d22..0000000000
--- a/meta/recipes-devtools/python-numpy/files/x86-64/config.h
+++ /dev/null
@@ -1,139 +0,0 @@
-#define HAVE_ENDIAN_H 1
-#define SIZEOF_PY_INTPTR_T 8
-#define SIZEOF_PY_LONG_LONG 8
-#define MATHLIB m
-#define HAVE_SIN 1
-#define HAVE_COS 1
-#define HAVE_TAN 1
-#define HAVE_SINH 1
-#define HAVE_COSH 1
-#define HAVE_TANH 1
-#define HAVE_FABS 1
-#define HAVE_FLOOR 1
-#define HAVE_CEIL 1
-#define HAVE_SQRT 1
-#define HAVE_LOG10 1
-#define HAVE_LOG 1
-#define HAVE_EXP 1
-#define HAVE_ASIN 1
-#define HAVE_ACOS 1
-#define HAVE_ATAN 1
-#define HAVE_FMOD 1
-#define HAVE_MODF 1
-#define HAVE_FREXP 1
-#define HAVE_LDEXP 1
-#define HAVE_RINT 1
-#define HAVE_TRUNC 1
-#define HAVE_EXP2 1
-#define HAVE_LOG2 1
-#define HAVE_ATAN2 1
-#define HAVE_POW 1
-#define HAVE_NEXTAFTER 1
-#define HAVE_SINF 1
-#define HAVE_COSF 1
-#define HAVE_TANF 1
-#define HAVE_SINHF 1
-#define HAVE_COSHF 1
-#define HAVE_TANHF 1
-#define HAVE_FABSF 1
-#define HAVE_FLOORF 1
-#define HAVE_CEILF 1
-#define HAVE_RINTF 1
-#define HAVE_TRUNCF 1
-#define HAVE_SQRTF 1
-#define HAVE_LOG10F 1
-#define HAVE_LOGF 1
-#define HAVE_LOG1PF 1
-#define HAVE_EXPF 1
-#define HAVE_EXPM1F 1
-#define HAVE_ASINF 1
-#define HAVE_ACOSF 1
-#define HAVE_ATANF 1
-#define HAVE_ASINHF 1
-#define HAVE_ACOSHF 1
-#define HAVE_ATANHF 1
-#define HAVE_HYPOTF 1
-#define HAVE_ATAN2F 1
-#define HAVE_POWF 1
-#define HAVE_FMODF 1
-#define HAVE_MODFF 1
-#define HAVE_FREXPF 1
-#define HAVE_LDEXPF 1
-#define HAVE_EXP2F 1
-#define HAVE_LOG2F 1
-#define HAVE_COPYSIGNF 1
-#define HAVE_NEXTAFTERF 1
-#define HAVE_SINL 1
-#define HAVE_COSL 1
-#define HAVE_TANL 1
-#define HAVE_SINHL 1
-#define HAVE_COSHL 1
-#define HAVE_TANHL 1
-#define HAVE_FABSL 1
-#define HAVE_FLOORL 1
-#define HAVE_CEILL 1
-#define HAVE_RINTL 1
-#define HAVE_TRUNCL 1
-#define HAVE_SQRTL 1
-#define HAVE_LOG10L 1
-#define HAVE_LOGL 1
-#define HAVE_LOG1PL 1
-#define HAVE_EXPL 1
-#define HAVE_EXPM1L 1
-#define HAVE_ASINL 1
-#define HAVE_ACOSL 1
-#define HAVE_ATANL 1
-#define HAVE_ASINHL 1
-#define HAVE_ACOSHL 1
-#define HAVE_ATANHL 1
-#define HAVE_HYPOTL 1
-#define HAVE_ATAN2L 1
-#define HAVE_POWL 1
-#define HAVE_FMODL 1
-#define HAVE_MODFL 1
-#define HAVE_FREXPL 1
-#define HAVE_LDEXPL 1
-#define HAVE_EXP2L 1
-#define HAVE_LOG2L 1
-#define HAVE_COPYSIGNL 1
-#define HAVE_NEXTAFTERL 1
-#define HAVE_DECL_SIGNBIT
-#define HAVE_COMPLEX_H 1
-#define HAVE_CREAL 1
-#define HAVE_CIMAG 1
-#define HAVE_CABS 1
-#define HAVE_CARG 1
-#define HAVE_CEXP 1
-#define HAVE_CSQRT 1
-#define HAVE_CLOG 1
-#define HAVE_CCOS 1
-#define HAVE_CSIN 1
-#define HAVE_CPOW 1
-#define HAVE_CREALF 1
-#define HAVE_CIMAGF 1
-#define HAVE_CABSF 1
-#define HAVE_CARGF 1
-#define HAVE_CEXPF 1
-#define HAVE_CSQRTF 1
-#define HAVE_CLOGF 1
-#define HAVE_CCOSF 1
-#define HAVE_CSINF 1
-#define HAVE_CPOWF 1
-#define HAVE_CREALL 1
-#define HAVE_CIMAGL 1
-#define HAVE_CABSL 1
-#define HAVE_CARGL 1
-#define HAVE_CEXPL 1
-#define HAVE_CSQRTL 1
-#define HAVE_CLOGL 1
-#define HAVE_CCOSL 1
-#define HAVE_CSINL 1
-#define HAVE_CPOWL 1
-#define HAVE_LDOUBLE_INTEL_EXTENDED_16_BYTES_LE 1
-#ifndef __cplusplus
-/* #undef inline */
-#endif
-
-#ifndef _NPY_NPY_CONFIG_H_
-#error config.h should never be included directly, include npy_config.h instead
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/x86/config.h b/meta/recipes-devtools/python-numpy/files/x86/config.h
deleted file mode 100644
index 08e41e3d99..0000000000
--- a/meta/recipes-devtools/python-numpy/files/x86/config.h
+++ /dev/null
@@ -1,108 +0,0 @@
-#define SIZEOF_PY_INTPTR_T 4
-#define SIZEOF_PY_LONG_LONG 8
-#define MATHLIB m
-#define HAVE_SIN
-#define HAVE_COS
-#define HAVE_TAN
-#define HAVE_SINH
-#define HAVE_COSH
-#define HAVE_TANH
-#define HAVE_FABS
-#define HAVE_FLOOR
-#define HAVE_CEIL
-#define HAVE_SQRT
-#define HAVE_LOG10
-#define HAVE_LOG
-#define HAVE_EXP
-#define HAVE_ASIN
-#define HAVE_ACOS
-#define HAVE_ATAN
-#define HAVE_FMOD
-#define HAVE_MODF
-#define HAVE_FREXP
-#define HAVE_LDEXP
-#define HAVE_RINT
-#define HAVE_TRUNC
-#define HAVE_EXP2
-#define HAVE_LOG2
-#define HAVE_ATAN2
-#define HAVE_POW
-#define HAVE_NEXTAFTER
-#define HAVE_SINF
-#define HAVE_COSF
-#define HAVE_TANF
-#define HAVE_SINHF
-#define HAVE_COSHF
-#define HAVE_TANHF
-#define HAVE_FABSF
-#define HAVE_FLOORF
-#define HAVE_CEILF
-#define HAVE_RINTF
-#define HAVE_TRUNCF
-#define HAVE_SQRTF
-#define HAVE_LOG10F
-#define HAVE_LOGF
-#define HAVE_LOG1PF
-#define HAVE_EXPF
-#define HAVE_EXPM1F
-#define HAVE_ASINF
-#define HAVE_ACOSF
-#define HAVE_ATANF
-#define HAVE_ASINHF
-#define HAVE_ACOSHF
-#define HAVE_ATANHF
-#define HAVE_HYPOTF
-#define HAVE_ATAN2F
-#define HAVE_POWF
-#define HAVE_FMODF
-#define HAVE_MODFF
-#define HAVE_FREXPF
-#define HAVE_LDEXPF
-#define HAVE_EXP2F
-#define HAVE_LOG2F
-#define HAVE_COPYSIGNF
-#define HAVE_NEXTAFTERF
-#define HAVE_SINL
-#define HAVE_COSL
-#define HAVE_TANL
-#define HAVE_SINHL
-#define HAVE_COSHL
-#define HAVE_TANHL
-#define HAVE_FABSL
-#define HAVE_FLOORL
-#define HAVE_CEILL
-#define HAVE_RINTL
-#define HAVE_TRUNCL
-#define HAVE_SQRTL
-#define HAVE_LOG10L
-#define HAVE_LOGL
-#define HAVE_LOG1PL
-#define HAVE_EXPL
-#define HAVE_EXPM1L
-#define HAVE_ASINL
-#define HAVE_ACOSL
-#define HAVE_ATANL
-#define HAVE_ASINHL
-#define HAVE_ACOSHL
-#define HAVE_ATANHL
-#define HAVE_HYPOTL
-#define HAVE_ATAN2L
-#define HAVE_POWL
-#define HAVE_FMODL
-#define HAVE_MODFL
-#define HAVE_FREXPL
-#define HAVE_LDEXPL
-#define HAVE_EXP2L
-#define HAVE_LOG2L
-#define HAVE_COPYSIGNL
-#define HAVE_NEXTAFTERL
-#define HAVE_DECL_SIGNBIT
-#define HAVE_COMPLEX_H
-#define HAVE_LDOUBLE_INTEL_EXTENDED_12_BYTES_LE 1
-#ifndef __cplusplus
-/* #undef inline */
-#endif
-
-#ifndef _NPY_NPY_CONFIG_H_
-#error config.h should never be included directly, include npy_config.h instead
-#endif
diff --git a/meta/recipes-devtools/python-numpy/files/x86/numpyconfig.h b/meta/recipes-devtools/python-numpy/files/x86/numpyconfig.h
deleted file mode 100644
index ff7938cd96..0000000000
--- a/meta/recipes-devtools/python-numpy/files/x86/numpyconfig.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef _NPY_NUMPYCONFIG_H_
-#define _NPY_NUMPYCONFIG_H_
-
-#include "_numpyconfig.h"
-
-/*
- * On Mac OS X, because there is only one configuration stage for all the archs
- * in universal builds, any macro which depends on the arch needs to be
- * harcoded
- */
-#ifdef __APPLE__
- #undef NPY_SIZEOF_LONG
- #undef NPY_SIZEOF_PY_INTPTR_T
-
- #ifdef __LP64__
- #define NPY_SIZEOF_LONG 8
- #define NPY_SIZEOF_PY_INTPTR_T 8
- #else
- #define NPY_SIZEOF_LONG 4
- #define NPY_SIZEOF_PY_INTPTR_T 4
- #endif
-#endif
-
-#endif
diff --git a/meta/recipes-devtools/python-numpy/python-numpy.inc b/meta/recipes-devtools/python-numpy/python-numpy.inc
index a12e72f964..f68b90e6b9 100644
--- a/meta/recipes-devtools/python-numpy/python-numpy.inc
+++ b/meta/recipes-devtools/python-numpy/python-numpy.inc
@@ -8,7 +8,6 @@ SRCNAME = "numpy"
SRC_URI = "https://github.com/${SRCNAME}/${SRCNAME}/releases/download/v${PV}/${SRCNAME}-${PV}.tar.gz \
file://0001-Don-t-search-usr-and-so-on-for-libraries-by-default-.patch \
file://0001-npy_cpu-Add-riscv-support.patch \
- ${CONFIGFILESURI} \
file://0001-numpy-random-setup.py-remove-the-detection-of-x86-ta.patch \
"
SRC_URI[md5sum] = "c48b2ad785f82cdfe28c907ce35e2a71"
@@ -20,77 +19,10 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
# Needed for building with gcc 4.x from centos 7
CFLAGS_append_class-native = " -std=c99"
-CONFIGFILESURI ?= ""
-
-CONFIGFILESURI_aarch64 = " \
- file://config.h \
- file://_numpyconfig.h \
-"
-CONFIGFILESURI_arm = " \
- file://config.h \
- file://numpyconfig.h \
-"
-CONFIGFILESURI_armeb = " \
- file://config.h \
- file://numpyconfig.h \
-"
-CONFIGFILESURI_mipsarcho32el = " \
- file://config.h \
- file://numpyconfig.h \
-"
-CONFIGFILESURI_x86 = " \
- file://config.h \
- file://numpyconfig.h \
-"
-CONFIGFILESURI_x86-64 = " \
- file://config.h \
- file://_numpyconfig.h \
-"
-CONFIGFILESURI_mipsarcho32eb = " \
- file://config.h \
- file://_numpyconfig.h \
-"
-CONFIGFILESURI_powerpc = " \
- file://config.h \
- file://_numpyconfig.h \
-"
-CONFIGFILESURI_powerpc64 = " \
- file://config.h \
- file://_numpyconfig.h \
-"
-CONFIGFILESURI_mipsarchn64eb = " \
- file://config.h \
- file://_numpyconfig.h \
-"
-CONFIGFILESURI_mipsarchn64el = " \
- file://config.h \
- file://_numpyconfig.h \
-"
-CONFIGFILESURI_mipsarchn32eb = " \
- file://config.h \
- file://_numpyconfig.h \
-"
-CONFIGFILESURI_mipsarchn32el = " \
- file://config.h \
- file://_numpyconfig.h \
-"
-CONFIGFILESURI_riscv64 = " \
- file://config.h \
- file://_numpyconfig.h \
-"
-
S = "${WORKDIR}/numpy-${PV}"
CLEANBROKEN = "1"
-# Make the build fail and replace *config.h with proper one
-# This is a ugly, ugly hack - Koen
-do_compile_prepend_class-target() {
- ${STAGING_BINDIR_NATIVE}/${PYTHON_PN}-native/${PYTHON_PN} setup.py build ${DISTUTILS_BUILD_ARGS} || \
- true
- cp ${WORKDIR}/*config.h ${S}/build/$(ls ${S}/build | grep src)/numpy/core/include/numpy/
-}
-
FILES_${PN}-staticdev += "${PYTHON_SITEPACKAGES_DIR}/numpy/core/lib/*.a"
# install what is needed for numpy.test()
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 28/32] cve-update: handle baseMetricV2 as optional
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (26 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 27/32] python3-numpy: Stop shipping manual config files Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 29/32] nss: Fix CVE-2020-12399 Anuj Mittal
` (4 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Konrad Weihmann <kweihmann@outlook.com>
Currently in NVD DB an item popped up, which hasn't set baseMetricV2.
Let the parser handle it as an optional item.
In case use baseMetricV2 before baseMetricV3
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fdcbf3f28289188c5a97664d1421d4a5c4991eda)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-core/meta/cve-update-db-native.bb | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index d69d79cb31..0577a5ccac 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -167,15 +167,20 @@ def update_db(c, jsondata):
if not elt['impact']:
continue
+ accessVector = None
cveId = elt['cve']['CVE_data_meta']['ID']
cveDesc = elt['cve']['description']['description_data'][0]['value']
date = elt['lastModifiedDate']
- accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
- cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
-
try:
+ accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
+ cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
+ except KeyError:
+ cvssv2 = 0.0
+ try:
+ accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector']
cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
- except:
+ except KeyError:
+ accessVector = accessVector or "UNKNOWN"
cvssv3 = 0.0
c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 29/32] nss: Fix CVE-2020-12399
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (27 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 28/32] cve-update: handle baseMetricV2 as optional Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 30/32] glibc: CVE-2020-6096 Anuj Mittal
` (3 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Ovidiu Panait <ovidiu.panait@windriver.com>
Master (nss version 3.54) is not affected by this issue. This is a backport
from nss version 3.54.
NSS has shown timing differences when performing DSA signatures, which was
exploitable and could eventually leak private keys. This vulnerability affects
Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
Upstream patch:
https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
...e-a-fixed-length-for-DSA-exponentiat.patch | 110 ++++++++++++++++++
meta/recipes-support/nss/nss_3.45.bb | 1 +
2 files changed, 111 insertions(+)
create mode 100644 meta/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch
diff --git a/meta/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch b/meta/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch
new file mode 100644
index 0000000000..517c277ae0
--- /dev/null
+++ b/meta/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch
@@ -0,0 +1,110 @@
+From 5942c26888ba12ad5e0d92fb62f23d7cde6dc159 Mon Sep 17 00:00:00 2001
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+Date: Mon, 13 Jul 2020 06:25:56 +0000
+Subject: [PATCH] Bug 1631576 - Force a fixed length for DSA exponentiation
+ r=pereida,bbrumley
+
+Differential Revision: https://phabricator.services.mozilla.com/D72011
+
+Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e]
+
+Authored-by: Robert Relyea <rrelyea@redhat.com>
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ nss/lib/freebl/dsa.c | 45 ++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 35 insertions(+), 10 deletions(-)
+
+diff --git a/nss/lib/freebl/dsa.c b/nss/lib/freebl/dsa.c
+index aef3539..389c9de 100644
+--- a/nss/lib/freebl/dsa.c
++++ b/nss/lib/freebl/dsa.c
+@@ -313,13 +313,14 @@ DSA_NewKeyFromSeed(const PQGParams *params,
+
+ static SECStatus
+ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+- const unsigned char *kb)
++ const unsigned char *kbytes)
+ {
+ mp_int p, q, g; /* PQG parameters */
+ mp_int x, k; /* private key & pseudo-random integer */
+ mp_int r, s; /* tuple (r, s) is signature) */
+ mp_int t; /* holding tmp values */
+ mp_int ar; /* holding blinding values */
++ mp_digit fuzz; /* blinding multiplier for q */
+ mp_err err = MP_OKAY;
+ SECStatus rv = SECSuccess;
+ unsigned int dsa_subprime_len, dsa_signature_len, offset;
+@@ -373,6 +374,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+ CHECK_MPI_OK(mp_init(&s));
+ CHECK_MPI_OK(mp_init(&t));
+ CHECK_MPI_OK(mp_init(&ar));
++
+ /*
+ ** Convert stored PQG and private key into MPI integers.
+ */
+@@ -380,14 +382,28 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+ SECITEM_TO_MPINT(key->params.subPrime, &q);
+ SECITEM_TO_MPINT(key->params.base, &g);
+ SECITEM_TO_MPINT(key->privateValue, &x);
+- OCTETS_TO_MPINT(kb, &k, dsa_subprime_len);
++ OCTETS_TO_MPINT(kbytes, &k, dsa_subprime_len);
++
++ /* k blinding create a single value that has the high bit set in
++ * the mp_digit*/
++ if (RNG_GenerateGlobalRandomBytes(&fuzz, sizeof(mp_digit)) != SECSuccess) {
++ PORT_SetError(SEC_ERROR_NEED_RANDOM);
++ rv = SECFailure;
++ goto cleanup;
++ }
++ fuzz |= 1ULL << ((sizeof(mp_digit) * PR_BITS_PER_BYTE - 1));
+ /*
+ ** FIPS 186-1, Section 5, Step 1
+ **
+ ** r = (g**k mod p) mod q
+ */
+- CHECK_MPI_OK(mp_exptmod(&g, &k, &p, &r)); /* r = g**k mod p */
+- CHECK_MPI_OK(mp_mod(&r, &q, &r)); /* r = r mod q */
++ CHECK_MPI_OK(mp_mul_d(&q, fuzz, &t)); /* t = q*fuzz */
++ CHECK_MPI_OK(mp_add(&k, &t, &t)); /* t = k+q*fuzz */
++ /* length of t is now fixed, bits in k have been blinded */
++ CHECK_MPI_OK(mp_exptmod(&g, &t, &p, &r)); /* r = g**t mod p */
++ /* r is now g**(k+q*fuzz) == g**k mod p */
++ CHECK_MPI_OK(mp_mod(&r, &q, &r)); /* r = r mod q */
++
+ /*
+ ** FIPS 186-1, Section 5, Step 2
+ **
+@@ -411,15 +427,24 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+ /* Using mp_invmod on k directly would leak bits from k. */
+ CHECK_MPI_OK(mp_mul(&k, &ar, &k)); /* k = k * ar */
+ CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
+- CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */
++ /* k is now k*t*ar */
++ CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */
++ /* k is now (k*t*ar)**-1 */
+ CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
+- SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */
++ /* k is now (k*ar)**-1 */
++ SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */
+ /* To avoid leaking secret bits here the addition is blinded. */
+- CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */
+- CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */
++ CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */
++ /* x is now x*ar */
++ CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */
++ /* x is now x*r*ar */
+ CHECK_MPI_OK(mp_mulmod(&s, &ar, &q, &t)); /* t = s * ar mod q */
+- CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */
+- CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */
++ /* t is now hash(M)*ar */
++ CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */
++ /* s is now (HASH(M)+x*r)*ar */
++ CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */
++ /* s is now (HASH(M)+x*r)*ar*(k*ar)**-1 = (k**-1)*(HASH(M)+x*r) */
++
+ /*
+ ** verify r != 0 and s != 0
+ ** mentioned as optional in FIPS 186-1.
+--
+2.18.1
+
diff --git a/meta/recipes-support/nss/nss_3.45.bb b/meta/recipes-support/nss/nss_3.45.bb
index c8005a5b3a..9fe27af5db 100644
--- a/meta/recipes-support/nss/nss_3.45.bb
+++ b/meta/recipes-support/nss/nss_3.45.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
file://blank-cert9.db \
file://blank-key4.db \
file://system-pkcs11.txt \
+ file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \
"
SRC_URI[md5sum] = "f1752d7223ee9d910d551e57264bafa8"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 30/32] glibc: CVE-2020-6096
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (28 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 29/32] nss: Fix CVE-2020-12399 Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 31/32] core: glib-2.0: fix requested libmount/mkostemp/selinux not being linked in Anuj Mittal
` (2 subsequent siblings)
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Zhixiong Chi <zhixiong.chi@windriver.com>
Backport the CVE patch from the upstream:
git://sourceware.org/git/glibc.git
commit 79a4fa341b8a89cb03f84564fd72abaa1a2db394
commit beea361050728138b82c57dda0c4810402d342b9
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../glibc/glibc/CVE-2020-6096-1.patch | 193 ++++++++++++++++++
.../glibc/glibc/CVE-2020-6096-2.patch | 111 ++++++++++
meta/recipes-core/glibc/glibc_2.30.bb | 2 +
3 files changed, 306 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch
new file mode 100644
index 0000000000..01c0328362
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch
@@ -0,0 +1,193 @@
+From 79a4fa341b8a89cb03f84564fd72abaa1a2db394 Mon Sep 17 00:00:00 2001
+From: Evgeny Eremin <e.eremin@omprussia.ru>
+Date: Wed, 8 Jul 2020 14:18:19 +0200
+Subject: [PATCH 1/2] arm: CVE-2020-6096: fix memcpy and memmove for negative
+ length [BZ #25620]
+
+Unsigned branch instructions could be used for r2 to fix the wrong
+behavior when a negative length is passed to memcpy and memmove.
+This commit fixes the generic arm implementation of memcpy amd memmove.
+
+CVE: CVE-2020-6096
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ sysdeps/arm/memcpy.S | 24 ++++++++++--------------
+ sysdeps/arm/memmove.S | 24 ++++++++++--------------
+ 2 files changed, 20 insertions(+), 28 deletions(-)
+
+diff --git a/sysdeps/arm/memcpy.S b/sysdeps/arm/memcpy.S
+index 510e8adaf2..bcfbc51d99 100644
+--- a/sysdeps/arm/memcpy.S
++++ b/sysdeps/arm/memcpy.S
+@@ -68,7 +68,7 @@ ENTRY(memcpy)
+ cfi_remember_state
+
+ subs r2, r2, #4
+- blt 8f
++ blo 8f
+ ands ip, r0, #3
+ PLD( pld [r1, #0] )
+ bne 9f
+@@ -82,7 +82,7 @@ ENTRY(memcpy)
+ cfi_rel_offset (r6, 4)
+ cfi_rel_offset (r7, 8)
+ cfi_rel_offset (r8, 12)
+- blt 5f
++ blo 5f
+
+ CALGN( ands ip, r1, #31 )
+ CALGN( rsb r3, ip, #32 )
+@@ -98,9 +98,9 @@ ENTRY(memcpy)
+ #endif
+
+ PLD( pld [r1, #0] )
+-2: PLD( subs r2, r2, #96 )
++2: PLD( cmp r2, #96 )
+ PLD( pld [r1, #28] )
+- PLD( blt 4f )
++ PLD( blo 4f )
+ PLD( pld [r1, #60] )
+ PLD( pld [r1, #92] )
+
+@@ -108,9 +108,7 @@ ENTRY(memcpy)
+ 4: ldmia r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
+ subs r2, r2, #32
+ stmia r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
+- bge 3b
+- PLD( cmn r2, #96 )
+- PLD( bge 4b )
++ bhs 3b
+
+ 5: ands ip, r2, #28
+ rsb ip, ip, #32
+@@ -222,7 +220,7 @@ ENTRY(memcpy)
+ strbge r4, [r0], #1
+ subs r2, r2, ip
+ strb lr, [r0], #1
+- blt 8b
++ blo 8b
+ ands ip, r1, #3
+ beq 1b
+
+@@ -236,7 +234,7 @@ ENTRY(memcpy)
+ .macro forward_copy_shift pull push
+
+ subs r2, r2, #28
+- blt 14f
++ blo 14f
+
+ CALGN( ands ip, r1, #31 )
+ CALGN( rsb ip, ip, #32 )
+@@ -253,9 +251,9 @@ ENTRY(memcpy)
+ cfi_rel_offset (r10, 16)
+
+ PLD( pld [r1, #0] )
+- PLD( subs r2, r2, #96 )
++ PLD( cmp r2, #96 )
+ PLD( pld [r1, #28] )
+- PLD( blt 13f )
++ PLD( blo 13f )
+ PLD( pld [r1, #60] )
+ PLD( pld [r1, #92] )
+
+@@ -280,9 +278,7 @@ ENTRY(memcpy)
+ mov ip, ip, PULL #\pull
+ orr ip, ip, lr, PUSH #\push
+ stmia r0!, {r3, r4, r5, r6, r7, r8, r10, ip}
+- bge 12b
+- PLD( cmn r2, #96 )
+- PLD( bge 13b )
++ bhs 12b
+
+ pop {r5 - r8, r10}
+ cfi_adjust_cfa_offset (-20)
+diff --git a/sysdeps/arm/memmove.S b/sysdeps/arm/memmove.S
+index 954037ef3a..0d07b76ee6 100644
+--- a/sysdeps/arm/memmove.S
++++ b/sysdeps/arm/memmove.S
+@@ -85,7 +85,7 @@ ENTRY(memmove)
+ add r1, r1, r2
+ add r0, r0, r2
+ subs r2, r2, #4
+- blt 8f
++ blo 8f
+ ands ip, r0, #3
+ PLD( pld [r1, #-4] )
+ bne 9f
+@@ -99,7 +99,7 @@ ENTRY(memmove)
+ cfi_rel_offset (r6, 4)
+ cfi_rel_offset (r7, 8)
+ cfi_rel_offset (r8, 12)
+- blt 5f
++ blo 5f
+
+ CALGN( ands ip, r1, #31 )
+ CALGN( sbcsne r4, ip, r2 ) @ C is always set here
+@@ -114,9 +114,9 @@ ENTRY(memmove)
+ #endif
+
+ PLD( pld [r1, #-4] )
+-2: PLD( subs r2, r2, #96 )
++2: PLD( cmp r2, #96 )
+ PLD( pld [r1, #-32] )
+- PLD( blt 4f )
++ PLD( blo 4f )
+ PLD( pld [r1, #-64] )
+ PLD( pld [r1, #-96] )
+
+@@ -124,9 +124,7 @@ ENTRY(memmove)
+ 4: ldmdb r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
+ subs r2, r2, #32
+ stmdb r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
+- bge 3b
+- PLD( cmn r2, #96 )
+- PLD( bge 4b )
++ bhs 3b
+
+ 5: ands ip, r2, #28
+ rsb ip, ip, #32
+@@ -237,7 +235,7 @@ ENTRY(memmove)
+ strbge r4, [r0, #-1]!
+ subs r2, r2, ip
+ strb lr, [r0, #-1]!
+- blt 8b
++ blo 8b
+ ands ip, r1, #3
+ beq 1b
+
+@@ -251,7 +249,7 @@ ENTRY(memmove)
+ .macro backward_copy_shift push pull
+
+ subs r2, r2, #28
+- blt 14f
++ blo 14f
+
+ CALGN( ands ip, r1, #31 )
+ CALGN( rsb ip, ip, #32 )
+@@ -268,9 +266,9 @@ ENTRY(memmove)
+ cfi_rel_offset (r10, 16)
+
+ PLD( pld [r1, #-4] )
+- PLD( subs r2, r2, #96 )
++ PLD( cmp r2, #96 )
+ PLD( pld [r1, #-32] )
+- PLD( blt 13f )
++ PLD( blo 13f )
+ PLD( pld [r1, #-64] )
+ PLD( pld [r1, #-96] )
+
+@@ -295,9 +293,7 @@ ENTRY(memmove)
+ mov r4, r4, PUSH #\push
+ orr r4, r4, r3, PULL #\pull
+ stmdb r0!, {r4 - r8, r10, ip, lr}
+- bge 12b
+- PLD( cmn r2, #96 )
+- PLD( bge 13b )
++ bhs 12b
+
+ pop {r5 - r8, r10}
+ cfi_adjust_cfa_offset (-20)
+--
+2.17.0
+
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch
new file mode 100644
index 0000000000..bfb2d7e7f5
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch
@@ -0,0 +1,111 @@
+From beea361050728138b82c57dda0c4810402d342b9 Mon Sep 17 00:00:00 2001
+From: Alexander Anisimov <a.anisimov@omprussia.ru>
+Date: Wed, 8 Jul 2020 14:18:31 +0200
+Subject: [PATCH 2/2] arm: CVE-2020-6096: Fix multiarch memcpy for negative
+ length [BZ #25620]
+
+Unsigned branch instructions could be used for r2 to fix the wrong
+behavior when a negative length is passed to memcpy.
+This commit fixes the armv7 version.
+
+CVE: CVE-2020-6096
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ sysdeps/arm/armv7/multiarch/memcpy_impl.S | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
+index bf4ac7077f..379bb56fc9 100644
+--- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S
++++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
+@@ -268,7 +268,7 @@ ENTRY(memcpy)
+
+ mov dst, dstin /* Preserve dstin, we need to return it. */
+ cmp count, #64
+- bge .Lcpy_not_short
++ bhs .Lcpy_not_short
+ /* Deal with small copies quickly by dropping straight into the
+ exit block. */
+
+@@ -351,10 +351,10 @@ ENTRY(memcpy)
+
+ 1:
+ subs tmp2, count, #64 /* Use tmp2 for count. */
+- blt .Ltail63aligned
++ blo .Ltail63aligned
+
+ cmp tmp2, #512
+- bge .Lcpy_body_long
++ bhs .Lcpy_body_long
+
+ .Lcpy_body_medium: /* Count in tmp2. */
+ #ifdef USE_VFP
+@@ -378,7 +378,7 @@ ENTRY(memcpy)
+ add src, src, #64
+ vstr d1, [dst, #56]
+ add dst, dst, #64
+- bge 1b
++ bhs 1b
+ tst tmp2, #0x3f
+ beq .Ldone
+
+@@ -412,7 +412,7 @@ ENTRY(memcpy)
+ ldrd A_l, A_h, [src, #64]!
+ strd A_l, A_h, [dst, #64]!
+ subs tmp2, tmp2, #64
+- bge 1b
++ bhs 1b
+ tst tmp2, #0x3f
+ bne 1f
+ ldr tmp2,[sp], #FRAME_SIZE
+@@ -482,7 +482,7 @@ ENTRY(memcpy)
+ add src, src, #32
+
+ subs tmp2, tmp2, #prefetch_lines * 64 * 2
+- blt 2f
++ blo 2f
+ 1:
+ cpy_line_vfp d3, 0
+ cpy_line_vfp d4, 64
+@@ -494,7 +494,7 @@ ENTRY(memcpy)
+ add dst, dst, #2 * 64
+ add src, src, #2 * 64
+ subs tmp2, tmp2, #prefetch_lines * 64
+- bge 1b
++ bhs 1b
+
+ 2:
+ cpy_tail_vfp d3, 0
+@@ -615,8 +615,8 @@ ENTRY(memcpy)
+ 1:
+ pld [src, #(3 * 64)]
+ subs count, count, #64
+- ldrmi tmp2, [sp], #FRAME_SIZE
+- bmi .Ltail63unaligned
++ ldrlo tmp2, [sp], #FRAME_SIZE
++ blo .Ltail63unaligned
+ pld [src, #(4 * 64)]
+
+ #ifdef USE_NEON
+@@ -633,7 +633,7 @@ ENTRY(memcpy)
+ neon_load_multi d0-d3, src
+ neon_load_multi d4-d7, src
+ subs count, count, #64
+- bmi 2f
++ blo 2f
+ 1:
+ pld [src, #(4 * 64)]
+ neon_store_multi d0-d3, dst
+@@ -641,7 +641,7 @@ ENTRY(memcpy)
+ neon_store_multi d4-d7, dst
+ neon_load_multi d4-d7, src
+ subs count, count, #64
+- bpl 1b
++ bhs 1b
+ 2:
+ neon_store_multi d0-d3, dst
+ neon_store_multi d4-d7, dst
+--
+2.17.0
+
diff --git a/meta/recipes-core/glibc/glibc_2.30.bb b/meta/recipes-core/glibc/glibc_2.30.bb
index e9286b6b49..b674b02706 100644
--- a/meta/recipes-core/glibc/glibc_2.30.bb
+++ b/meta/recipes-core/glibc/glibc_2.30.bb
@@ -45,6 +45,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://CVE-2020-10029.patch \
file://CVE-2020-1751.patch \
file://CVE-2020-1752.patch \
+ file://CVE-2020-6096-1.patch \
+ file://CVE-2020-6096-2.patch \
"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build-${TARGET_SYS}"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 31/32] core: glib-2.0: fix requested libmount/mkostemp/selinux not being linked in
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (29 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 30/32] glibc: CVE-2020-6096 Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 8:51 ` [zeus][PATCH 32/32] gstreamer1.0: fix builds with make 4.3 Anuj Mittal
2020-07-28 9:02 ` ✗ patchtest: failure for zeus review request (rev4) Patchwork
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
From: Ahmad Fatoum <a.fatoum@pengutronix.de>
Since 010202076760 ("meson.bbclass: avoid unexpected operating-system
names"), meson is no longer used with a cross file that appends the used
libc to the operating system name, e.g. linux-gnueabi.
Prior to that commit, the host_system == 'linux' checks in glib's meson
failed, which led to glib being compiled without libmount, mkostemp and
selinux even if explicitly requested.
As the aforementioned commit affects all recipes built by glib, it might
not be a candidate for backporting to current stable branches. To fix
just the glib issue, instances of host_system == 'linux' are patched
locally.
The patch is marked as Upstream-Status: Inappropriate as it is rendered
unnecessary for OE releases newer than Dunfell.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
...ot-hardcode-linux-as-the-host-system.patch | 49 +++++++++++++++++++
meta/recipes-core/glib-2.0/glib-2.0_2.60.7.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/0020-meson.build-do-not-hardcode-linux-as-the-host-system.patch
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/0020-meson.build-do-not-hardcode-linux-as-the-host-system.patch b/meta/recipes-core/glib-2.0/glib-2.0/0020-meson.build-do-not-hardcode-linux-as-the-host-system.patch
new file mode 100644
index 0000000000..9c311f1c90
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/0020-meson.build-do-not-hardcode-linux-as-the-host-system.patch
@@ -0,0 +1,49 @@
+From d5e82cd0b6076f33b86e0285ef1c0dba8a14112e Mon Sep 17 00:00:00 2001
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Date: Thu, 9 Jul 2020 13:00:16 +0200
+Subject: [PATCH] meson.build: do not hardcode 'linux' as the host system
+
+OE build system can set this to other values that include 'linux',
+e.g. 'linux-gnueabi'. This led to glib always being built without
+libmount, mkostemp and selinux support.
+
+Upstream-Status: Inappropriate [other]
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+---
+ meson.build | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index dd95c750b5ea..8bcacaf3c7e1 100644
+--- a/meson.build
++++ b/meson.build
+@@ -604,7 +604,7 @@ else
+ endif
+ message('Checking whether to use statfs or statvfs .. ' + stat_func_to_use)
+
+-if host_system == 'linux'
++if host_system.contains('linux')
+ if cc.has_function('mkostemp',
+ prefix: '''#define _GNU_SOURCE
+ #include <stdlib.h>''')
+@@ -1810,7 +1810,7 @@ glib_conf.set_quoted('GLIB_LOCALE_DIR', join_paths(glib_datadir, 'locale'))
+ # libmount is only used by gio, but we need to fetch the libs to generate the
+ # pkg-config file below
+ libmount_dep = []
+-if host_system == 'linux' and get_option('libmount')
++if host_system.contains('linux') and get_option('libmount')
+ libmount_dep = [dependency('mount', version : '>=2.23', required : true)]
+ glib_conf.set('HAVE_LIBMOUNT', 1)
+ endif
+@@ -1820,7 +1820,7 @@ if host_system == 'windows'
+ endif
+
+ selinux_dep = []
+-if host_system == 'linux'
++if host_system.contains('linux')
+ selinux_dep = dependency('libselinux', required: get_option('selinux'))
+
+ glib_conf.set('HAVE_SELINUX', selinux_dep.found())
+--
+2.27.0
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.60.7.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.60.7.bb
index 5be81a8f31..af8ded76d5 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.60.7.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.60.7.bb
@@ -17,6 +17,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://0001-meson.build-do-not-hardcode-linux-as-the-host-system.patch \
file://0001-meson-do-a-build-time-check-for-strlcpy-before-attem.patch \
file://CVE-2020-6750.patch \
+ file://0020-meson.build-do-not-hardcode-linux-as-the-host-system.patch \
"
SRC_URI_append_class-native = " file://relocate-modules.patch"
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* [zeus][PATCH 32/32] gstreamer1.0: fix builds with make 4.3
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (30 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 31/32] core: glib-2.0: fix requested libmount/mkostemp/selinux not being linked in Anuj Mittal
@ 2020-07-28 8:51 ` Anuj Mittal
2020-07-28 9:02 ` ✗ patchtest: failure for zeus review request (rev4) Patchwork
32 siblings, 0 replies; 34+ messages in thread
From: Anuj Mittal @ 2020-07-28 8:51 UTC (permalink / raw)
To: openembedded-core
Depend on make-native instead of using host make to avoid errors like:
| controller-enumtypes.c:10:1: error: stray '\' in program
| 10 | \#include "gstinterpolationcontrolsource.h"
| | ^
| controller-enumtypes.c:10:2: error: stray '#' in program
| 10 | \#include "gstinterpolationcontrolsource.h"
| | ^
| controller-enumtypes.c:10:11: error: expected '=', ',', ';', 'asm' or '__attribute__' before string constant
| 10 | \#include "gstinterpolationcontrolsource.h"
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| controller-enumtypes.c:11:1: error: stray '\' in program
| 11 | \#include "gstlfocontrolsource.h"
| | ^
| controller-enumtypes.c:11:2: error: stray '#' in program
| 11 | \#include "gstlfocontrolsource.h"
This helps building on autobuilder where some workers have buildtools
with make 4.3 installed.
Building using meson works fine so later branches are not affected and
upstream has rejected patches to fix this:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/515
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc | 2 +-
.../gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb | 2 +-
meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc
index bc24b05fec..92b473add6 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc
@@ -3,7 +3,7 @@ HOMEPAGE = "http://gstreamer.freedesktop.org/"
BUGTRACKER = "https://bugzilla.gnome.org/enter_bug.cgi?product=Gstreamer"
SECTION = "multimedia"
-DEPENDS = "gstreamer1.0 glib-2.0-native"
+DEPENDS = "gstreamer1.0 glib-2.0-native make-native"
SRC_URI_append = " file://gtk-doc-tweaks.patch"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb
index 15ef5d1b28..b7470b0047 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb
@@ -4,7 +4,7 @@ SECTION = "multimedia"
LICENSE = "LGPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=6762ed442b3822387a51c92d928ead0d"
-DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base"
+DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base make-native"
PNREAL = "gst-rtsp-server"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb
index cf7c1bca12..96a6ade22b 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb
@@ -6,7 +6,7 @@ BUGTRACKER = "https://bugzilla.gnome.org/enter_bug.cgi?product=Gstreamer"
SECTION = "multimedia"
LICENSE = "LGPLv2+"
-DEPENDS = "glib-2.0 glib-2.0-native libcap libxml2 bison-native flex-native"
+DEPENDS = "glib-2.0 glib-2.0-native libcap libxml2 bison-native flex-native make-native"
inherit autotools pkgconfig gettext upstream-version-is-even gobject-introspection gtk-doc ptest
--
2.25.4
^ permalink raw reply related [flat|nested] 34+ messages in thread* ✗ patchtest: failure for zeus review request (rev4)
2020-07-28 8:51 [zeus][PATCH 00/32] zeus review request Anuj Mittal
` (31 preceding siblings ...)
2020-07-28 8:51 ` [zeus][PATCH 32/32] gstreamer1.0: fix builds with make 4.3 Anuj Mittal
@ 2020-07-28 9:02 ` Patchwork
32 siblings, 0 replies; 34+ messages in thread
From: Patchwork @ 2020-07-28 9:02 UTC (permalink / raw)
To: Anuj Mittal; +Cc: openembedded-core
== Series Details ==
Series: zeus review request (rev4)
Revision: 4
URL : https://patchwork.openembedded.org/series/23013/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Patch [zeus,29/32] nss: Fix CVE-2020-12399
Issue Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format]
Suggested fix Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
^ permalink raw reply [flat|nested] 34+ messages in thread