* [OE-core][kirkstone 0/9] Patch review
@ 2023-01-17 14:08 Steve Sakoman
From: Steve Sakoman @ 2023-01-17 14:08 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4800

The following changes since commit 4760fac939a6204e3cb7dcd3699cd9a2508f9dee:

  devtool: process local files only for the main branch (2023-01-12 04:56:26 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bhabu Bindu (1):
  qemu: Fix CVE-2022-4144

Daniel Gomez (1):
  gtk-icon-cache: Fix GTKIC_CMD if-else condition

KARN JYE LAU (1):
  freetype:update mirror site.

Martin Jansa (1):
  ffmpeg: refresh patches to apply cleanly

Narpat Mali (3):
  python3-setuptools: fix for CVE-2022-40897
  python3-wheel: fix for CVE-2022-40898
  python3-git: fix for CVE-2022-24439

Yash Shinde (1):
  glibc: stable 2.35 branch updates.

Yogita Urade (1):
  libksba: fix CVE-2022-47629

meta/classes/gtk-icon-cache.bbclass | 2 +-
meta/recipes-core/glibc/glibc-version.inc | 2 +-
...-git-CVE-2022-24439-fix-from-PR-1518.patch | 97 ++++
...-git-CVE-2022-24439-fix-from-PR-1521.patch | 488 ++++++++++++++++++
.../python/python3-git_3.1.27.bb | 4 +
...-of-whitespace-to-search-backtrack.-.patch | 31 ++
.../python/python3-setuptools_59.5.0.bb | 1 +
...tential-DoS-attack-via-WHEEL_INFO_RE.patch | 32 ++
.../python/python3-wheel_0.37.1.bb | 4 +-
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2022-4144.patch | 99 ++++
.../freetype/freetype_2.11.1.bb | 2 +-
...c-stop-accessing-out-of-bounds-frame.patch | 19 +-
...c-stop-accessing-out-of-bounds-frame.patch | 7 +-
...-vp3-Add-missing-check-for-av_malloc.patch | 12 +-
...overflow-in-the-CRL-signature-parser.patch | 72 +++
meta/recipes-support/libksba/libksba_1.6.2.bb | 3 +-
17 files changed, 848 insertions(+), 28 deletions(-)
create mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch
create mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch
create mode 100644 meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch
create mode 100644 meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
create mode 100644 meta/recipes-support/libksba/libksba/0001-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch
--
2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread* [OE-core][kirkstone 1/9] ffmpeg: refresh patches to apply cleanly 2023-01-17 14:08 [OE-core][kirkstone 0/9] Patch review Steve Sakoman @ 2023-01-17 14:08 ` Steve Sakoman 2023-01-17 14:08 ` [OE-core][kirkstone 2/9] qemu: Fix CVE-2022-4144 Steve Sakoman ` (7 subsequent siblings) 8 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2023-01-17 14:08 UTC (permalink / raw) To: openembedded-core From: Martin Jansa <martin.jansa@gmail.com> * the last patch added in: https://git.openembedded.org/openembedded-core/commit/?h=kirkstone&id=874b72fe259cd3a23f4613fccfe2e9cc3f79cd6a doesn't apply cleanly. * fixes: ERROR: ffmpeg-5.0.1-r0 do_patch: Fuzz detected: Applying patch 0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch patching file libavcodec/vp3.c Hunk #1 succeeded at 2677 with fuzz 1 (offset -2 lines). Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- ...c-stop-accessing-out-of-bounds-frame.patch | 19 ++++++++----------- ...c-stop-accessing-out-of-bounds-frame.patch | 7 ++----- ...-vp3-Add-missing-check-for-av_malloc.patch | 12 +++++------- 3 files changed, 15 insertions(+), 23 deletions(-) diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch index 2775a81cc8..23573bb6b3 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch @@ -1,4 +1,4 @@ -From 92f9b28ed84a77138105475beba16c146bdaf984 Mon Sep 17 00:00:00 2001 +From ce25c03fb83395c0a8b5b8121182a486c4408dd4 Mon Sep 17 00:00:00 2001 
From: Paul B Mahol <onemda@gmail.com> Date: Sat, 12 Nov 2022 16:12:00 +0100 Subject: [PATCH] avcodec/rpzaenc: stop accessing out of bounds frame @@ -12,10 +12,10 @@ Signed-off-by: <narpat.mali@windriver.com> 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/rpzaenc.c b/libavcodec/rpzaenc.c -index d710eb4f82..4ced9523e2 100644 +index 337b1fa..3e97c87 100644 --- a/libavcodec/rpzaenc.c +++ b/libavcodec/rpzaenc.c -@@ -205,7 +205,7 @@ static void get_max_component_diff(const BlockInfo *bi, const uint16_t *block_pt +@@ -205,7 +205,7 @@ static void get_max_component_diff(BlockInfo *bi, uint16_t *block_ptr, // loop thru and compare pixels for (y = 0; y < bi->block_height; y++) { @@ -24,7 +24,7 @@ index d710eb4f82..4ced9523e2 100644 // TODO: optimize min_r = FFMIN(R(block_ptr[x]), min_r); min_g = FFMIN(G(block_ptr[x]), min_g); -@@ -278,7 +278,7 @@ static int leastsquares(const uint16_t *block_ptr, const BlockInfo *bi, +@@ -277,7 +277,7 @@ static int leastsquares(uint16_t *block_ptr, BlockInfo *bi, return -1; for (i = 0; i < bi->block_height; i++) { @@ -33,7 +33,7 @@ index d710eb4f82..4ced9523e2 100644 x = GET_CHAN(block_ptr[j], xchannel); y = GET_CHAN(block_ptr[j], ychannel); sumx += x; -@@ -325,7 +325,7 @@ static int calc_lsq_max_fit_error(const uint16_t *block_ptr, const BlockInfo *bi +@@ -324,7 +324,7 @@ static int calc_lsq_max_fit_error(uint16_t *block_ptr, BlockInfo *bi, int max_err = 0; for (i = 0; i < bi->block_height; i++) { @@ -42,7 +42,7 @@ index d710eb4f82..4ced9523e2 100644 int x_inc, lin_y, lin_x; x = GET_CHAN(block_ptr[j], xchannel); y = GET_CHAN(block_ptr[j], ychannel); -@@ -420,7 +420,9 @@ static void update_block_in_prev_frame(const uint16_t *src_pixels, +@@ -419,7 +419,9 @@ static void update_block_in_prev_frame(const uint16_t *src_pixels, uint16_t *dest_pixels, const BlockInfo *bi, int block_counter) { 
@@ -53,7 +53,7 @@ index d710eb4f82..4ced9523e2 100644 memcpy(dest_pixels, src_pixels, 8); dest_pixels += bi->rowstride; src_pixels += bi->rowstride; -@@ -730,14 +732,15 @@ post_skip : +@@ -729,14 +731,15 @@ post_skip : if (err > s->sixteen_color_thresh) { // DO SIXTEEN COLOR BLOCK uint16_t *row_ptr; @@ -72,7 +72,7 @@ index d710eb4f82..4ced9523e2 100644 rgb555 = row_ptr[x] & ~0x8000; put_bits(&s->pb, 16, rgb555); -@@ -745,6 +748,11 @@ post_skip : +@@ -744,6 +747,11 @@ post_skip : row_ptr += bi.rowstride; } @@ -84,6 +84,3 @@ index d710eb4f82..4ced9523e2 100644 block_counter++; } else { // FOUR COLOR BLOCK block_counter += encode_four_color_block(min_color, max_color, --- -2.34.1 - diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch index 923fc6a9c1..6e237fdd52 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch @@ -1,4 +1,4 @@ -From 13c13109759090b7f7182480d075e13b36ed8edd Mon Sep 17 00:00:00 2001 +From d2f31887df2c42948dba7446c475026fdbc69336 Mon Sep 17 00:00:00 2001 From: Paul B Mahol <onemda@gmail.com> Date: Sat, 12 Nov 2022 15:19:21 +0100 Subject: [PATCH] avcodec/smcenc: stop accessing out of bounds frame @@ -12,7 +12,7 @@ Signed-off-by: <narpat.mali@windriver.com> 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/libavcodec/smcenc.c b/libavcodec/smcenc.c -index f3d26a4e8d..33549b8ab4 100644 +index 52795ef..618dc4e 100644 --- a/libavcodec/smcenc.c +++ b/libavcodec/smcenc.c @@ -61,6 +61,7 @@ typedef struct SMCContext { @@ -103,6 +103,3 @@ index f3d26a4e8d..33549b8ab4 100644 blocks = coded_blocks; distinct = coded_distinct; --- -2.34.1 - 
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch index 94858a6cdd..dca7c827e3 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch @@ -1,4 +1,4 @@ -From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001 +From ef748a8bd8720416b673e1743e5673a801e8279f Mon Sep 17 00:00:00 2001 From: Jiasheng Jiang <jiasheng@iscas.ac.cn> Date: Tue, 15 Feb 2022 17:58:08 +0800 Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc @@ -16,16 +16,17 @@ CVE: CVE-2022-3109 Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568] Signed-off-by: Narpat Mali <narpat.mali@windriver.com> + --- libavcodec/vp3.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c -index e9ab54d736..e2418eb6fa 100644 +index 5b9ba60..f1eccfe 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c -@@ -2679,8 +2679,13 @@ static int vp3_decode_frame(AVCodecContext *avctx, - AV_GET_BUFFER_FLAG_REF)) < 0) +@@ -2677,8 +2677,13 @@ static int vp3_decode_frame(AVCodecContext *avctx, + if ((ret = ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF)) < 0) goto error; - if (!s->edge_emu_buffer) @@ -39,6 +40,3 @@ index e9ab54d736..e2418eb6fa 100644 if (s->keyframe) { if (!s->theora) { --- -2.34.1 - -- 2.25.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
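Review bot: the refresh replaces the `From <sha>` line in all three embedded patch headers with local commit ids (in the vp3 header, 656cb0450aeb73b25d7d26980af342b37ac4c568 becomes ef748a8bd8720416b673e1743e5673a801e8279f), so the upstream commit is now identifiable only through the Upstream-Status tag. The vp3 hunk shows that tag, with the upstream URL and `CVE: CVE-2022-3109`, as context, but the rpzaenc and smcenc header hunks show only `Signed-off-by: <narpat.mali@windriver.com>` (an address with no name). Please confirm those two headers carry CVE and Upstream-Status tags, and fix the nameless sign-off while the files are being regenerated. The commit message quotes the fuzz error for the vp3 patch only; a sentence saying that the rpzaenc and smcenc patches were regenerated as well (new index lines, shifted hunk offsets, dropped `-- 2.34.1` trailer) would match what the diff does. The blank `+` line added before `---` in the vp3 header is unrelated to the fuzz fix.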
* [OE-core][kirkstone 2/9] qemu: Fix CVE-2022-4144 2023-01-17 14:08 [OE-core][kirkstone 0/9] Patch review Steve Sakoman 2023-01-17 14:08 ` [OE-core][kirkstone 1/9] ffmpeg: refresh patches to apply cleanly Steve Sakoman @ 2023-01-17 14:08 ` Steve Sakoman 2023-01-17 14:08 ` [OE-core][kirkstone 3/9] python3-setuptools: fix for CVE-2022-40897 Steve Sakoman ` (6 subsequent siblings) 8 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2023-01-17 14:08 UTC (permalink / raw) To: openembedded-core From: Bhabu Bindu <bindudaniel1996@gmail.com> Add patch to fix CVE-2022-4144 Link: https://security-tracker.debian.org/tracker/CVE-2022-4144 Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2022-4144.patch | 99 +++++++++++++++++++ 2 files changed, 100 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index cc9681fb4b..b68be447f1 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -92,6 +92,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch \ file://0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch \ file://CVE-2022-3165.patch \ + file://CVE-2022-4144.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch new file mode 100644 index 0000000000..96052a19e8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch 
@@ -0,0 +1,99 @@ +From 6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org> +Date: Mon, 28 Nov 2022 21:27:40 +0100 +Subject: [PATCH] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt + (CVE-2022-4144) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Have qxl_get_check_slot_offset() return false if the requested +buffer size does not fit within the slot memory region. + +Similarly qxl_phys2virt() now returns NULL in such case, and +qxl_dirty_one_surface() aborts. + +This avoids buffer overrun in the host pointer returned by +memory_region_get_ram_ptr(). + +Fixes: CVE-2022-4144 (out-of-bounds read) +Reported-by: Wenxu Yin (@awxylitol) +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336 + +CVE: CVE-2022-4144 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622] +Comments: Deleted patch hunk in qxl.h,as it contains change +in comments which is not present in current version of qemu + +Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20221128202741.4945-5-philmd@linaro.org> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/display/qxl.c | 27 +++++++++++++++++++++++---- + 1 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index 231d733250..0b21626aad 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -1424,11 +1424,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d) + + /* can be also called from spice server thread context */ + static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, +- uint32_t *s, uint64_t *o) ++ uint32_t *s, uint64_t *o, ++ size_t size_requested) + { + uint64_t phys = le64_to_cpu(pqxl); + uint32_t slot = (phys >> (64 - 8)) & 0xff; + uint64_t offset = phys & 0xffffffffffff; ++ uint64_t 
size_available; + + if (slot >= NUM_MEMSLOTS) { + qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot, +@@ -1452,6 +1454,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, + slot, offset, qxl->guest_slots[slot].size); + return false; + } ++ size_available = memory_region_size(qxl->guest_slots[slot].mr); ++ if (qxl->guest_slots[slot].offset + offset >= size_available) { ++ qxl_set_guest_bug(qxl, ++ "slot %d offset %"PRIu64" > region size %"PRIu64"\n", ++ slot, qxl->guest_slots[slot].offset + offset, ++ size_available); ++ return false; ++ } ++ size_available -= qxl->guest_slots[slot].offset + offset; ++ if (size_requested > size_available) { ++ qxl_set_guest_bug(qxl, ++ "slot %d offset %"PRIu64" size %zu: " ++ "overrun by %"PRIu64" bytes\n", ++ slot, offset, size_requested, ++ size_requested - size_available); ++ return false; ++ } + + *s = slot; + *o = offset; +@@ -1471,7 +1490,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id, + offset = le64_to_cpu(pqxl) & 0xffffffffffff; + return (void *)(intptr_t)offset; + case MEMSLOT_GROUP_GUEST: +- if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset)) { ++ if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) { + return NULL; + } + ptr = memory_region_get_ram_ptr(qxl->guest_slots[slot].mr); +@@ -1937,9 +1956,9 @@ static void qxl_dirty_one_surface(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, + uint32_t slot; + bool rc; + +- rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset); +- assert(rc == true); + size = (uint64_t)height * abs(stride); ++ rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size); ++ assert(rc == true); + trace_qxl_surfaces_dirty(qxl->id, offset, size); + qxl_set_dirty(qxl->guest_slots[slot].mr, + qxl->guest_slots[slot].offset + offset, -- 2.25.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
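Review bot: in the `qxl_phys2virt()` hunk the new call passes `size` (`qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)`), but no visible line of this backport declares it. The only `size` assignment shown is in `qxl_dirty_one_surface()`, and the header says the qxl.h hunk was dropped. The hunk header ends at `int group_id,`, which implies a further parameter in the tree the patch was generated from, and the Message-Id suffix `-5-` suggests it is one patch of a series. Please confirm that the qemu source in kirkstone already has that parameter on `qxl_phys2virt()`; if not, the change that introduces it has to be backported first. Two smaller points in the `qxl_get_check_slot_offset()` hunk: the first new check tests `>=` while its message prints `>`, and both new format strings end in `\n` where the existing `qxl_set_guest_bug()` call shown as context does not. Separately, `qxl_dirty_one_surface()` keeps `assert(rc == true)` on the result, so a guest-supplied surface that fails the new bounds check stops the QEMU process instead of being rejected. That matches the commit message ("qxl_dirty_one_surface() aborts"), but the out-of-bounds read becomes a host-side abort on that path.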
* [OE-core][kirkstone 3/9] python3-setuptools: fix for CVE-2022-40897 2023-01-17 14:08 [OE-core][kirkstone 0/9] Patch review Steve Sakoman 2023-01-17 14:08 ` [OE-core][kirkstone 1/9] ffmpeg: refresh patches to apply cleanly Steve Sakoman 2023-01-17 14:08 ` [OE-core][kirkstone 2/9] qemu: Fix CVE-2022-4144 Steve Sakoman @ 2023-01-17 14:08 ` Steve Sakoman 2023-01-17 14:08 ` [OE-core][kirkstone 4/9] python3-wheel: fix for CVE-2022-40898 Steve Sakoman ` (5 subsequent siblings) 8 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2023-01-17 14:08 UTC (permalink / raw) To: openembedded-core From: Narpat Mali <narpat.mali@windriver.com> Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. CVE: CVE-2022-40897 Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be] Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- ...-of-whitespace-to-search-backtrack.-.patch | 31 +++++++++++++++++++ .../python/python3-setuptools_59.5.0.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch diff --git a/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch b/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch new file mode 100644 index 0000000000..20a13da7bc --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch 
@@ -0,0 +1,31 @@ +From 9e9f617a83f6593b476669030b0347d48e831c3f Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Mon, 9 Jan 2023 14:45:05 +0000 +Subject: [PATCH] Limit the amount of whitespace to search/backtrack. Fixes + #3659. + +CVE: CVE-2022-40897 + +Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + setuptools/package_index.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index 270e7f3..e93fcc6 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -197,7 +197,7 @@ def unique_values(func): + return wrapper + + +-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I) ++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I) + # this line is here to fix emacs' cruddy broken syntax highlighting + + +-- +2.34.1 + diff --git a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb index f2810e18d3..5f2676a04a 100644 --- a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb +++ b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb @@ -11,6 +11,7 @@ SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-e SRC_URI += "\ file://0001-change-shebang-to-python3.patch \ file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \ + file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \ " SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0" -- 2.25.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
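Review bot: the `REL` replacement in setuptools/package_index.py changes more than the subject line says. Besides bounding the whitespace around `=` to `\s{0,10}`, the value class goes from `[^'">]+` to `[^'" >]+`, so the captured `rel` value now stops at the first space. That second change deserves a line in the patch header, since a reader of "Limit the amount of whitespace to search/backtrack" would not expect the capture group to change. The leading `[^>]*\s` before `rel` is left unbounded. The embedded header also carries `From: Narpat Mali` and `Date: Mon, 9 Jan 2023` although Upstream-Status marks it as a backport of pypa/setuptools commit 43a9c9bfa6aa626ec2a22540bea28d2ca77964be. Keeping the upstream author and date in `From:`/`Date:` and adding the backporter only as Signed-off-by preserves attribution.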
* [OE-core][kirkstone 4/9] python3-wheel: fix for CVE-2022-40898 2023-01-17 14:08 [OE-core][kirkstone 0/9] Patch review Steve Sakoman ` (2 preceding siblings ...) 2023-01-17 14:08 ` [OE-core][kirkstone 3/9] python3-setuptools: fix for CVE-2022-40897 Steve Sakoman @ 2023-01-17 14:08 ` Steve Sakoman 2023-01-17 14:08 ` [OE-core][kirkstone 5/9] python3-git: fix for CVE-2022-24439 Steve Sakoman ` (4 subsequent siblings) 8 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2023-01-17 14:08 UTC (permalink / raw) To: openembedded-core From: Narpat Mali <narpat.mali@windriver.com> An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. CVE: CVE-2022-40898 Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0] Signed-off-by: Narpat Mali <narpat.mali@windriver.com> --- ...tential-DoS-attack-via-WHEEL_INFO_RE.patch | 32 +++++++++++++++++++ .../python/python3-wheel_0.37.1.bb | 4 ++- 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch diff --git a/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch b/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch new file mode 100644 index 0000000000..bdaae7dd10 --- /dev/null +++ b/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch 
@@ -0,0 +1,32 @@ +From a9a0d67a663f20b69903751c23851dd4cd6b49d4 Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Wed, 11 Jan 2023 07:45:57 +0000 +Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE + +CVE: CVE-2022-40898 + +Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + src/wheel/wheelfile.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py +index 21e7361..ff06edf 100644 +--- a/src/wheel/wheelfile.py ++++ b/src/wheel/wheelfile.py +@@ -27,8 +27,8 @@ else: + # Non-greedy matching of an optional build number may be too clever (more + # invalid wheel filenames will match). Separate regex for .dist-info? + WHEEL_INFO_RE = re.compile( +- r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))? +- -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""", ++ r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))? ++ -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""", + re.VERBOSE) + + +-- +2.32.0 + diff --git a/meta/recipes-devtools/python/python3-wheel_0.37.1.bb b/meta/recipes-devtools/python/python3-wheel_0.37.1.bb index 2f7dd122ba..3ee03ddd36 100644 --- a/meta/recipes-devtools/python/python3-wheel_0.37.1.bb +++ b/meta/recipes-devtools/python/python3-wheel_0.37.1.bb @@ -8,7 +8,9 @@ SRC_URI[sha256sum] = "e9a504e793efbca1b8e0e9cb979a249cf4a0a7b5b8c9e8b65a5e39d495 inherit python_flit_core pypi -SRC_URI += " file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch" +SRC_URI += "file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch \ + file://0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch \ + " BBCLASSEXTEND = "native nativesdk" -- 2.25.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
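Review bot: in the new `WHEEL_INFO_RE`, the platform group becomes `(?P<plat>[^.]+?)`, which rejects any wheel filename whose platform tag contains a dot. Compressed tag sets are written with dots (for example a platform tag of the form `manylinux_2_17_x86_64.manylinux2014_x86_64`), so filenames that matched the old `.+?` pattern will now fail to parse. Please check whether upstream followed this commit with a correction to the `plat` group and, if so, backport that together with 88f02bc335d5404991e532e7f3b0fc80437bf4e0, or use a class that only excludes `-` and whitespace. The other groups switch to `[^-]+?`, which still allows dots, so `pyver` values such as `py2.py3` are unaffected. The outer commit message also lacks the maintainer Signed-off-by that 3/9 carries.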
* [OE-core][kirkstone 5/9] python3-git: fix for CVE-2022-24439 2023-01-17 14:08 [OE-core][kirkstone 0/9] Patch review Steve Sakoman ` (3 preceding siblings ...) 2023-01-17 14:08 ` [OE-core][kirkstone 4/9] python3-wheel: fix for CVE-2022-40898 Steve Sakoman @ 2023-01-17 14:08 ` Steve Sakoman 2023-01-17 14:08 ` [OE-core][kirkstone 6/9] libksba: fix CVE-2022-47629 Steve Sakoman ` (3 subsequent siblings) 8 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2023-01-17 14:08 UTC (permalink / raw) To: openembedded-core From: Narpat Mali <narpat.mali@windriver.com> All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. CVE: CVE-2022-24439 Upstream-Status: Backport Reference: https://github.com/gitpython-developers/GitPython/discussions/1529 https://github.com/gitpython-developers/GitPython/pull/1518 https://github.com/gitpython-developers/GitPython/pull/1521 Signed-off-by: Narpat Mali <narpat.mali@windriver.com> --- ...-git-CVE-2022-24439-fix-from-PR-1518.patch | 97 ++++ ...-git-CVE-2022-24439-fix-from-PR-1521.patch | 488 ++++++++++++++++++ .../python/python3-git_3.1.27.bb | 4 + 3 files changed, 589 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch create mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch diff --git a/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch b/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch new file mode 100644 index 0000000000..16192b22c7 --- /dev/null 
+++ b/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch 
@@ -0,0 +1,97 @@ +From 6ebe9231cd34dacd32a964859bc509aaa1e3f5fd Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Fri, 6 Jan 2023 14:13:10 +0000 +Subject: [PATCH] python3-git: CVE-2022-24439 fix from PR 1518 + +Fix command injection +Add `--` in some commands that receive user input +and if interpreted as options could lead to remote +code execution (RCE). + +There may be more commands that could benefit from `--` +so the input is never interpreted as an option, +but most of those aren't dangerous. + +Fixed commands: + +- push +- pull +- fetch +- clone/clone_from and friends +- archive (not sure if this one can be exploited, but it doesn't hurt + adding `--` :)) + +For anyone using GitPython and exposing any of the GitPython methods to users, +make sure to always validate the input (like if starts with `--`). +And for anyone allowing users to pass arbitrary options, be aware +that some options may lead fo RCE, like `--exc`, `--upload-pack`, +`--receive-pack`, `--config` (#1516). + +Ref #1517 + +CVE: CVE-2022-24439 + +Upstream-Status: Backport [https://github.com/gitpython-developers/GitPython/pull/1518] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + git/remote.py | 6 +++--- + git/repo/base.py | 4 ++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/git/remote.py b/git/remote.py +index 56f3c5b..59681bc 100644 +--- a/git/remote.py ++++ b/git/remote.py +@@ -881,7 +881,7 @@ class Remote(LazyMixin, IterableObj): + else: + args = [refspec] + +- proc = self.repo.git.fetch(self, *args, as_process=True, with_stdout=False, ++ proc = self.repo.git.fetch("--", self, *args, as_process=True, with_stdout=False, + universal_newlines=True, v=verbose, **kwargs) + res = self._get_fetch_info_from_stderr(proc, progress, + kill_after_timeout=kill_after_timeout) +@@ -905,7 +905,7 @@ class Remote(LazyMixin, IterableObj): + # No argument refspec, then ensure the repo's config has a fetch refspec. 
+ self._assert_refspec() + kwargs = add_progress(kwargs, self.repo.git, progress) +- proc = self.repo.git.pull(self, refspec, with_stdout=False, as_process=True, ++ proc = self.repo.git.pull("--", self, refspec, with_stdout=False, as_process=True, + universal_newlines=True, v=True, **kwargs) + res = self._get_fetch_info_from_stderr(proc, progress, + kill_after_timeout=kill_after_timeout) +@@ -945,7 +945,7 @@ class Remote(LazyMixin, IterableObj): + If the operation fails completely, the length of the returned IterableList will + be 0.""" + kwargs = add_progress(kwargs, self.repo.git, progress) +- proc = self.repo.git.push(self, refspec, porcelain=True, as_process=True, ++ proc = self.repo.git.push("--", self, refspec, porcelain=True, as_process=True, + universal_newlines=True, + kill_after_timeout=kill_after_timeout, + **kwargs) +diff --git a/git/repo/base.py b/git/repo/base.py +index 7713c91..f14f929 100644 +--- a/git/repo/base.py ++++ b/git/repo/base.py +@@ -1072,7 +1072,7 @@ class Repo(object): + multi = None + if multi_options: + multi = shlex.split(' '.join(multi_options)) +- proc = git.clone(multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True, ++ proc = git.clone("--", multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True, + v=True, universal_newlines=True, **add_progress(kwargs, git, progress)) + if progress: + handle_process_output(proc, None, to_progress_instance(progress).new_message_handler(), +@@ -1173,7 +1173,7 @@ class Repo(object): + if not isinstance(path, (tuple, list)): + path = [path] + # end assure paths is list +- self.git.archive(treeish, *path, **kwargs) ++ self.git.archive("--", treeish, *path, **kwargs) + return self + + def has_separate_working_tree(self) -> bool: +-- +2.34.1 + 
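Review bot: in the git/repo/base.py hunk of the PR 1518 patch, `git.clone("--", multi, Git.polish_url(str(url)), clone_path, ...)` puts the `--` separator in front of `multi`, which is the list built from the caller's `multi_options`. Everything after `--` is treated by git as a positional argument, so entries in `multi_options` would no longer be parsed as options and would instead shift the URL and path positions. The separator belongs after the options and before the URL, i.e. `git.clone(multi, "--", Git.polish_url(str(url)), clone_path, ...)`. The PR 1521 patch added in this same commit also modifies git/repo/base.py (44 lines in its diffstat); please confirm that the net result after both patches has `--` in that position. The fetch, pull and push hunks in git/remote.py are fine in this respect, because the keyword options are rendered ahead of the positional arguments and only `self` and the refspec follow `--`.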
diff --git a/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch b/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch new file mode 100644 index 0000000000..e3e66ec450 --- /dev/null +++ b/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch 
@@ -0,0 +1,488 @@ +From fe9b71628767610a238e47cd46b82d411a7e871a Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Sat, 7 Jan 2023 17:16:57 +0000 +Subject: [PATCH] python3-git: CVE-2022-24439 fix from PR 1521 + +Forbid unsafe protocol URLs in Repo.clone{,_from}() +Since the URL is passed directly to git clone, and the remote-ext helper +will happily execute shell commands, so by default disallow URLs that +contain a "::" unless a new unsafe_protocols kwarg is passed. +(CVE-2022-24439) + +Fixes #1515 + +CVE: CVE-2022-24439 + +Upstream-Status: Backport [https://github.com/gitpython-developers/GitPython/pull/1521] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + git/cmd.py | 51 ++++++++++++++++++++++++-- + git/exc.py | 8 ++++ + git/objects/submodule/base.py | 19 ++++++---- + git/remote.py | 69 +++++++++++++++++++++++++++++++---- + git/repo/base.py | 44 ++++++++++++++++++---- + 5 files changed, 166 insertions(+), 25 deletions(-) + +diff --git a/git/cmd.py b/git/cmd.py +index 4f05698..77026d6 100644 +--- a/git/cmd.py ++++ b/git/cmd.py +@@ -4,6 +4,7 @@ + # This module is part of GitPython and is released under + # the BSD License: http://www.opensource.org/licenses/bsd-license.php + from __future__ import annotations ++import re + from contextlib import contextmanager + import io + import logging +@@ -31,7 +32,9 @@ from git.util import is_cygwin_git, cygpath, expand_path, remove_password_if_pre + + from .exc import ( + GitCommandError, +- GitCommandNotFound ++ GitCommandNotFound, ++ UnsafeOptionError, ++ UnsafeProtocolError + ) + from .util import ( + LazyMixin, +@@ -225,6 +228,8 @@ class Git(LazyMixin): + + _excluded_ = ('cat_file_all', 'cat_file_header', '_version_info') + ++ re_unsafe_protocol = re.compile("(.+)::.+") ++ + def __getstate__(self) -> Dict[str, Any]: + return slots_to_dict(self, exclude=self._excluded_) + +@@ -400,6 +405,44 @@ class Git(LazyMixin): + url = url.replace("\\\\", "\\").replace("\\", "/") + return 
url + ++ @classmethod ++ def check_unsafe_protocols(cls, url: str) -> None: ++ """ ++ Check for unsafe protocols. ++ Apart from the usual protocols (http, git, ssh), ++ Git allows "remote helpers" that have the form `<transport>::<address>`, ++ one of these helpers (`ext::`) can be used to invoke any arbitrary command. ++ See: ++ - https://git-scm.com/docs/gitremote-helpers ++ - https://git-scm.com/docs/git-remote-ext ++ """ ++ match = cls.re_unsafe_protocol.match(url) ++ if match: ++ protocol = match.group(1) ++ raise UnsafeProtocolError( ++ f"The `{protocol}::` protocol looks suspicious, use `allow_unsafe_protocols=True` to allow it." ++ ) ++ ++ @classmethod ++ def check_unsafe_options(cls, options: List[str], unsafe_options: List[str]) -> None: ++ """ ++ Check for unsafe options. ++ Some options that are passed to `git <command>` can be used to execute ++ arbitrary commands, this are blocked by default. ++ """ ++ # Options can be of the form `foo` or `--foo bar` `--foo=bar`, ++ # so we need to check if they start with "--foo" or if they are equal to "foo". ++ bare_unsafe_options = [ ++ option.lstrip("-") ++ for option in unsafe_options ++ ] ++ for option in options: ++ for unsafe_option, bare_option in zip(unsafe_options, bare_unsafe_options): ++ if option.startswith(unsafe_option) or option == bare_option: ++ raise UnsafeOptionError( ++ f"{unsafe_option} is not allowed, use `allow_unsafe_options=True` to allow it." ++ ) ++ + class AutoInterrupt(object): + """Kill/Interrupt the stored process instance once this instance goes out of scope. It is + used to prevent processes piling up in case iterators stop reading. 
+@@ -1068,12 +1111,12 @@ class Git(LazyMixin): + return args + + @classmethod +- def __unpack_args(cls, arg_list: Sequence[str]) -> List[str]: ++ def _unpack_args(cls, arg_list: Sequence[str]) -> List[str]: + + outlist = [] + if isinstance(arg_list, (list, tuple)): + for arg in arg_list: +- outlist.extend(cls.__unpack_args(arg)) ++ outlist.extend(cls._unpack_args(arg)) + else: + outlist.append(str(arg_list)) + +@@ -1154,7 +1197,7 @@ class Git(LazyMixin): + # Prepare the argument list + + opt_args = self.transform_kwargs(**opts_kwargs) +- ext_args = self.__unpack_args([a for a in args if a is not None]) ++ ext_args = self._unpack_args([a for a in args if a is not None]) + + if insert_after_this_arg is None: + args_list = opt_args + ext_args +diff --git a/git/exc.py b/git/exc.py +index e8ff784..5c96db2 100644 +--- a/git/exc.py ++++ b/git/exc.py +@@ -36,6 +36,14 @@ class NoSuchPathError(GitError, OSError): + """ Thrown if a path could not be access by the system. """ + + ++class UnsafeProtocolError(GitError): ++ """Thrown if unsafe protocols are passed without being explicitly allowed.""" ++ ++ ++class UnsafeOptionError(GitError): ++ """Thrown if unsafe options are passed without being explicitly allowed.""" ++ ++ + class CommandError(GitError): + """Base class for exceptions thrown at every stage of `Popen()` execution. 
+ +diff --git a/git/objects/submodule/base.py b/git/objects/submodule/base.py +index f782045..deb224e 100644 +--- a/git/objects/submodule/base.py ++++ b/git/objects/submodule/base.py +@@ -264,7 +264,8 @@ class Submodule(IndexObject, TraversableIterableObj): + # end + + @classmethod +- def _clone_repo(cls, repo: 'Repo', url: str, path: PathLike, name: str, **kwargs: Any) -> 'Repo': ++ def _clone_repo(cls, repo: 'Repo', url: str, path: PathLike, name: str, ++ allow_unsafe_options: bool = False, allow_unsafe_protocols: bool = False,**kwargs: Any) -> 'Repo': + """:return: Repo instance of newly cloned repository + :param repo: our parent repository + :param url: url to clone from +@@ -281,7 +282,8 @@ class Submodule(IndexObject, TraversableIterableObj): + module_checkout_path = osp.join(str(repo.working_tree_dir), path) + # end + +- clone = git.Repo.clone_from(url, module_checkout_path, **kwargs) ++ clone = git.Repo.clone_from(url, module_checkout_path, allow_unsafe_options=allow_unsafe_options, ++ allow_unsafe_protocols=allow_unsafe_protocols, **kwargs) + if cls._need_gitfile_submodules(repo.git): + cls._write_git_file_and_module_config(module_checkout_path, module_abspath) + # end +@@ -338,8 +340,8 @@ class Submodule(IndexObject, TraversableIterableObj): + @classmethod + def add(cls, repo: 'Repo', name: str, path: PathLike, url: Union[str, None] = None, + branch: Union[str, None] = None, no_checkout: bool = False, depth: Union[int, None] = None, +- env: Union[Mapping[str, str], None] = None, clone_multi_options: Union[Sequence[TBD], None] = None +- ) -> 'Submodule': ++ env: Union[Mapping[str, str], None] = None, clone_multi_options: Union[Sequence[TBD], None] = None, ++ allow_unsafe_options: bool = False, allow_unsafe_protocols: bool = False,) -> 'Submodule': + """Add a new submodule to the given repository. This will alter the index + as well as the .gitmodules file, but will not create a new commit. 
+ If the submodule already exists, no matter if the configuration differs +@@ -447,7 +449,8 @@ class Submodule(IndexObject, TraversableIterableObj): + kwargs['multi_options'] = clone_multi_options + + # _clone_repo(cls, repo, url, path, name, **kwargs): +- mrepo = cls._clone_repo(repo, url, path, name, env=env, **kwargs) ++ mrepo = cls._clone_repo(repo, url, path, name, env=env, allow_unsafe_options=allow_unsafe_options, ++ allow_unsafe_protocols=allow_unsafe_protocols, **kwargs) + # END verify url + + ## See #525 for ensuring git urls in config-files valid under Windows. +@@ -484,7 +487,8 @@ class Submodule(IndexObject, TraversableIterableObj): + def update(self, recursive: bool = False, init: bool = True, to_latest_revision: bool = False, + progress: Union['UpdateProgress', None] = None, dry_run: bool = False, + force: bool = False, keep_going: bool = False, env: Union[Mapping[str, str], None] = None, +- clone_multi_options: Union[Sequence[TBD], None] = None) -> 'Submodule': ++ clone_multi_options: Union[Sequence[TBD], None] = None, allow_unsafe_options: bool = False, ++ allow_unsafe_protocols: bool = False) -> 'Submodule': + """Update the repository of this submodule to point to the checkout + we point at with the binsha of this instance. 
+ +@@ -585,7 +589,8 @@ class Submodule(IndexObject, TraversableIterableObj): + (self.url, checkout_module_abspath, self.name)) + if not dry_run: + mrepo = self._clone_repo(self.repo, self.url, self.path, self.name, n=True, env=env, +- multi_options=clone_multi_options) ++ multi_options=clone_multi_options, allow_unsafe_options=allow_unsafe_options, ++ allow_unsafe_protocols=allow_unsafe_protocols) + # END handle dry-run + progress.update(END | CLONE, 0, 1, prefix + "Done cloning to %s" % checkout_module_abspath) + +diff --git a/git/remote.py b/git/remote.py +index 59681bc..cea6b99 100644 +--- a/git/remote.py ++++ b/git/remote.py +@@ -473,6 +473,23 @@ class Remote(LazyMixin, IterableObj): + __slots__ = ("repo", "name", "_config_reader") + _id_attribute_ = "name" + ++ unsafe_git_fetch_options = [ ++ # This option allows users to execute arbitrary commands. ++ # https://git-scm.com/docs/git-fetch#Documentation/git-fetch.txt---upload-packltupload-packgt ++ "--upload-pack", ++ ] ++ unsafe_git_pull_options = [ ++ # This option allows users to execute arbitrary commands. ++ # https://git-scm.com/docs/git-pull#Documentation/git-pull.txt---upload-packltupload-packgt ++ "--upload-pack" ++ ] ++ unsafe_git_push_options = [ ++ # This option allows users to execute arbitrary commands. 
++ # https://git-scm.com/docs/git-push#Documentation/git-push.txt---execltgit-receive-packgt ++ "--receive-pack", ++ "--exec", ++ ] ++ + def __init__(self, repo: 'Repo', name: str) -> None: + """Initialize a remote instance + +@@ -549,7 +566,8 @@ class Remote(LazyMixin, IterableObj): + yield Remote(repo, section[lbound + 1:rbound]) + # END for each configuration section + +- def set_url(self, new_url: str, old_url: Optional[str] = None, **kwargs: Any) -> 'Remote': ++ def set_url(self, new_url: str, old_url: Optional[str] = None, ++ allow_unsafe_protocols: bool = False, **kwargs: Any) -> 'Remote': + """Configure URLs on current remote (cf command git remote set_url) + + This command manages URLs on the remote. +@@ -558,15 +576,17 @@ class Remote(LazyMixin, IterableObj): + :param old_url: when set, replaces this URL with new_url for the remote + :return: self + """ ++ if not allow_unsafe_protocols: ++ Git.check_unsafe_protocols(new_url) + scmd = 'set-url' + kwargs['insert_kwargs_after'] = scmd + if old_url: +- self.repo.git.remote(scmd, self.name, new_url, old_url, **kwargs) ++ self.repo.git.remote(scmd, "--", self.name, new_url, old_url, **kwargs) + else: +- self.repo.git.remote(scmd, self.name, new_url, **kwargs) ++ self.repo.git.remote(scmd, "--", self.name, new_url, **kwargs) + return self + +- def add_url(self, url: str, **kwargs: Any) -> 'Remote': ++ def add_url(self, url: str, allow_unsafe_protocols: bool = False, **kwargs: Any) -> 'Remote': + """Adds a new url on current remote (special case of git remote set_url) + + This command adds new URLs to a given remote, making it possible to have +@@ -575,7 +595,7 @@ class Remote(LazyMixin, IterableObj): + :param url: string being the URL to add as an extra remote URL + :return: self + """ +- return self.set_url(url, add=True) ++ return self.set_url(url, add=True, allow_unsafe_protocols=allow_unsafe_protocols) + + def delete_url(self, url: str, **kwargs: Any) -> 'Remote': + """Deletes a new url on current remote 
(special case of git remote set_url) +@@ -667,7 +687,7 @@ class Remote(LazyMixin, IterableObj): + return out_refs + + @ classmethod +- def create(cls, repo: 'Repo', name: str, url: str, **kwargs: Any) -> 'Remote': ++ def create(cls, repo: 'Repo', name: str, url: str, allow_unsafe_protocols: bool = False, *kwargs: Any) -> 'Remote': + """Create a new remote to the given repository + :param repo: Repository instance that is to receive the new remote + :param name: Desired name of the remote +@@ -677,7 +697,10 @@ class Remote(LazyMixin, IterableObj): + :raise GitCommandError: in case an origin with that name already exists""" + scmd = 'add' + kwargs['insert_kwargs_after'] = scmd +- repo.git.remote(scmd, name, Git.polish_url(url), **kwargs) ++ url = Git.polish_url(url) ++ if not allow_unsafe_protocols: ++ Git.check_unsafe_protocols(url) ++ repo.git.remote(scmd, "--", name, url, **kwargs) + return cls(repo, name) + + # add is an alias +@@ -840,6 +863,8 @@ class Remote(LazyMixin, IterableObj): + progress: Union[RemoteProgress, None, 'UpdateProgress'] = None, + verbose: bool = True, + kill_after_timeout: Union[None, float] = None, ++ allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, + **kwargs: Any) -> IterableList[FetchInfo]: + """Fetch the latest changes for this remote + +@@ -881,6 +906,14 @@ class Remote(LazyMixin, IterableObj): + else: + args = [refspec] + ++ if not allow_unsafe_protocols: ++ for ref in args: ++ if ref: ++ Git.check_unsafe_protocols(ref) ++ ++ if not allow_unsafe_options: ++ Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=self.unsafe_git_fetch_options) ++ + proc = self.repo.git.fetch("--", self, *args, as_process=True, with_stdout=False, + universal_newlines=True, v=verbose, **kwargs) + res = self._get_fetch_info_from_stderr(proc, progress, +@@ -892,6 +925,8 @@ class Remote(LazyMixin, IterableObj): + def pull(self, refspec: Union[str, List[str], None] = None, + progress: Union[RemoteProgress, 
'UpdateProgress', None] = None, + kill_after_timeout: Union[None, float] = None, ++ allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, + **kwargs: Any) -> IterableList[FetchInfo]: + """Pull changes from the given branch, being the same as a fetch followed + by a merge of branch with your local branch. +@@ -905,6 +940,15 @@ class Remote(LazyMixin, IterableObj): + # No argument refspec, then ensure the repo's config has a fetch refspec. + self._assert_refspec() + kwargs = add_progress(kwargs, self.repo.git, progress) ++ ++ refspec = Git._unpack_args(refspec or []) ++ if not allow_unsafe_protocols: ++ for ref in refspec: ++ Git.check_unsafe_protocols(ref) ++ ++ if not allow_unsafe_options: ++ Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=self.unsafe_git_pull_options) ++ + proc = self.repo.git.pull("--", self, refspec, with_stdout=False, as_process=True, + universal_newlines=True, v=True, **kwargs) + res = self._get_fetch_info_from_stderr(proc, progress, +@@ -916,6 +960,8 @@ class Remote(LazyMixin, IterableObj): + def push(self, refspec: Union[str, List[str], None] = None, + progress: Union[RemoteProgress, 'UpdateProgress', Callable[..., RemoteProgress], None] = None, + kill_after_timeout: Union[None, float] = None, ++ allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, + **kwargs: Any) -> IterableList[PushInfo]: + """Push changes from source branch in refspec to target branch in refspec. 
+ +@@ -945,6 +991,15 @@ class Remote(LazyMixin, IterableObj): + If the operation fails completely, the length of the returned IterableList will + be 0.""" + kwargs = add_progress(kwargs, self.repo.git, progress) ++ ++ refspec = Git._unpack_args(refspec or []) ++ if not allow_unsafe_protocols: ++ for ref in refspec: ++ Git.check_unsafe_protocols(ref) ++ ++ if not allow_unsafe_options: ++ Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=self.unsafe_git_push_options) ++ + proc = self.repo.git.push("--", self, refspec, porcelain=True, as_process=True, + universal_newlines=True, + kill_after_timeout=kill_after_timeout, +diff --git a/git/repo/base.py b/git/repo/base.py +index f14f929..7b3565b 100644 +--- a/git/repo/base.py ++++ b/git/repo/base.py +@@ -24,7 +24,11 @@ from git.compat import ( + ) + from git.config import GitConfigParser + from git.db import GitCmdObjectDB +-from git.exc import InvalidGitRepositoryError, NoSuchPathError, GitCommandError ++from git.exc import ( ++ GitCommandError, ++ InvalidGitRepositoryError, ++ NoSuchPathError, ++) + from git.index import IndexFile + from git.objects import Submodule, RootModule, Commit + from git.refs import HEAD, Head, Reference, TagReference +@@ -97,6 +101,18 @@ class Repo(object): + re_author_committer_start = re.compile(r'^(author|committer)') + re_tab_full_line = re.compile(r'^\t(.*)$') + ++ unsafe_git_clone_options = [ ++ # This option allows users to execute arbitrary commands. ++ # https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---upload-packltupload-packgt ++ "--upload-pack", ++ "-u", ++ # Users can override configuration variables ++ # like `protocol.allow` or `core.gitProxy` to execute arbitrary commands. 
++ # https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---configltkeygtltvaluegt ++ "--config", ++ "-c", ++ ] ++ + # invariants + # represents the configuration level of a configuration file + config_level: ConfigLevels_Tup = ("system", "user", "global", "repository") +@@ -1049,7 +1065,8 @@ class Repo(object): + @ classmethod + def _clone(cls, git: 'Git', url: PathLike, path: PathLike, odb_default_type: Type[GitCmdObjectDB], + progress: Union['RemoteProgress', 'UpdateProgress', Callable[..., 'RemoteProgress'], None] = None, +- multi_options: Optional[List[str]] = None, **kwargs: Any ++ multi_options: Optional[List[str]] = None, allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, **kwargs: Any + ) -> 'Repo': + odbt = kwargs.pop('odbt', odb_default_type) + +@@ -1072,6 +1089,12 @@ class Repo(object): + multi = None + if multi_options: + multi = shlex.split(' '.join(multi_options)) ++ ++ if not allow_unsafe_protocols: ++ Git.check_unsafe_protocols(str(url)) ++ if not allow_unsafe_options and multi_options: ++ Git.check_unsafe_options(options=multi_options, unsafe_options=cls.unsafe_git_clone_options) ++ + proc = git.clone("--", multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True, + v=True, universal_newlines=True, **add_progress(kwargs, git, progress)) + if progress: +@@ -1107,7 +1130,9 @@ class Repo(object): + return repo + + def clone(self, path: PathLike, progress: Optional[Callable] = None, +- multi_options: Optional[List[str]] = None, **kwargs: Any) -> 'Repo': ++ multi_options: Optional[List[str]] = None, unsafe_protocols: bool = False, ++ allow_unsafe_protocols: bool = False, allow_unsafe_options: bool = False, ++ **kwargs: Any) -> 'Repo': + """Create a clone from this repository. + + :param path: is the full path of the new repo (traditionally ends with ./<name>.git). +@@ -1116,18 +1141,21 @@ class Repo(object): + option per list item which is passed exactly as specified to clone. 
+ For example ['--config core.filemode=false', '--config core.ignorecase', + '--recurse-submodule=repo1_path', '--recurse-submodule=repo2_path'] ++ :param unsafe_protocols: Allow unsafe protocols to be used, like ex + :param kwargs: + * odbt = ObjectDatabase Type, allowing to determine the object database + implementation used by the returned Repo instance + * All remaining keyword arguments are given to the git-clone command + + :return: ``git.Repo`` (the newly cloned repo)""" +- return self._clone(self.git, self.common_dir, path, type(self.odb), progress, multi_options, **kwargs) ++ return self._clone(self.git, self.common_dir, path, type(self.odb), progress, multi_options, ++ allow_unsafe_protocols=allow_unsafe_protocols, allow_unsafe_options=allow_unsafe_options, **kwargs) + + @ classmethod + def clone_from(cls, url: PathLike, to_path: PathLike, progress: Optional[Callable] = None, +- env: Optional[Mapping[str, str]] = None, +- multi_options: Optional[List[str]] = None, **kwargs: Any) -> 'Repo': ++ env: Optional[Mapping[str, str]] = None, multi_options: Optional[List[str]] = None, ++ unsafe_protocols: bool = False, allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, **kwargs: Any) -> 'Repo': + """Create a clone from the given URL + + :param url: valid git url, see http://www.kernel.org/pub/software/scm/git/docs/git-clone.html#URLS +@@ -1140,12 +1168,14 @@ class Repo(object): + If you want to unset some variable, consider providing empty string + as its value. 
+ :param multi_options: See ``clone`` method ++ :param unsafe_protocols: Allow unsafe protocols to be used, like ext + :param kwargs: see the ``clone`` method + :return: Repo instance pointing to the cloned directory""" + git = cls.GitCommandWrapperType(os.getcwd()) + if env is not None: + git.update_environment(**env) +- return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, **kwargs) ++ return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, ++ allow_unsafe_protocols=allow_unsafe_protocols, allow_unsafe_options=allow_unsafe_options, **kwargs) + + def archive(self, ostream: Union[TextIO, BinaryIO], treeish: Optional[str] = None, + prefix: Optional[str] = None, **kwargs: Any) -> Repo: +-- +2.34.1 + diff --git a/meta/recipes-devtools/python/python3-git_3.1.27.bb b/meta/recipes-devtools/python/python3-git_3.1.27.bb index fb1bae8f8e..1bd1426926 100644 --- a/meta/recipes-devtools/python/python3-git_3.1.27.bb +++ b/meta/recipes-devtools/python/python3-git_3.1.27.bb @@ -12,6 +12,10 @@ PYPI_PACKAGE = "GitPython" inherit pypi python_setuptools_build_meta +SRC_URI += "file://0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch \ + file://0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch \ + " + SRC_URI[sha256sum] = "1c885ce809e8ba2d88a29befeb385fcea06338d3640712b59ca623c220bb5704" DEPENDS += " ${PYTHON_PN}-gitdb" -- 2.25.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
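Review bot: In the git/remote.py hunk for `Remote.create`, the new signature ends in `*kwargs: Any` where the removed line had `**kwargs: Any`. With a single star `kwargs` is a tuple, so the unchanged `kwargs['insert_kwargs_after'] = scmd` below it fails and callers can no longer pass keyword options. Restore `**kwargs` here (every other method touched by this patch keeps the double star), or carry the upstream correction if one exists.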
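Review bot: In `Git.check_unsafe_options` (git/cmd.py) as called from `fetch`, `pull` and `push`, the options being checked are `list(kwargs.keys())`, which are Python keyword names such as `upload_pack` or `receive_pack`, while the comparison is against `--upload-pack` and its stripped form `upload-pack`. Neither `startswith` nor `==` matches the underscore spelling, so `fetch(upload_pack=...)` is not rejected by this check. Normalise each key (underscore to dash) before comparing, and add a test that passes the option as a keyword argument.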
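Review bot: In the `Repo._clone` hunk (git/repo/base.py), `check_unsafe_options` is applied only to `multi_options`; the `**kwargs` forwarded to `git.clone(...)` on the following line are not checked, so the options listed in `unsafe_git_clone_options` are still accepted when a caller supplies them as keyword arguments. Run the same check over the kwargs keys before the clone call.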
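Review bot: In the `Repo.clone` and `Repo.clone_from` hunks, the added `unsafe_protocols: bool = False` parameter is never read; only `allow_unsafe_protocols` and `allow_unsafe_options` are passed on to `_clone`. The docstrings document `unsafe_protocols` (the one in `clone` is cut off at "like ex") and say nothing about the two parameters that actually take effect. Drop the unused parameter or alias it, and document `allow_unsafe_protocols` and `allow_unsafe_options` instead.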
* [OE-core][kirkstone 6/9] libksba: fix CVE-2022-47629
2023-01-17 14:08 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (4 preceding siblings ...)
2023-01-17 14:08 ` [OE-core][kirkstone 5/9] python3-git: fix for CVE-2022-24439 Steve Sakoman
@ 2023-01-17 14:08 ` Steve Sakoman
2023-01-17 14:08 ` [OE-core][kirkstone 7/9] glibc: stable 2.35 branch updates Steve Sakoman
` (2 subsequent siblings)
8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-01-17 14:08 UTC (permalink / raw)
To: openembedded-core
From: Yogita Urade <yogita.urade@windriver.com>
Libksba before 1.6.3 is prone to an integer overflow vulnerability
in the CRL signature parser.
CVE: CVE-2022-47926
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-47629
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
...overflow-in-the-CRL-signature-parser.patch | 72 +++++++++++++++++++
meta/recipes-support/libksba/libksba_1.6.2.bb | 3 +-
2 files changed, 74 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/libksba/libksba/0001-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch
diff --git a/meta/recipes-support/libksba/libksba/0001-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch b/meta/recipes-support/libksba/libksba/0001-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch new file mode 100644 index 0000000000..8c0080d56b --- /dev/null +++ b/meta/recipes-support/libksba/libksba/0001-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch
@@ -0,0 +1,72 @@ +From f61a5ea4e0f6a80fd4b28ef0174bee77793cf070 Mon Sep 17 00:00:00 2001 +From: Werner Koch <wk@gnupg.org> +Date: Tue, 22 Nov 2022 16:36:46 +0100 +Subject: [PATCH] Fix an integer overflow in the CRL signature parser. + +* src/crl.c (parse_signature): N+N2 now checked for overflow. + +* src/ocsp.c (parse_response_extensions): Do not accept too large +values. +(parse_single_extensions): Ditto. +-- + +The second patch is an extra safegourd not related to the reported +bug. + +CVE: CVE-2022-47629 + +Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f61a5ea4e0f6a80fd4b28ef0174bee77793cf070] + +GnuPG-bug-id: 6284 +Reported-by: Joseph Surin, elttam +--- + src/crl.c | 2 +- + src/ocsp.c | 12 ++++++++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/crl.c b/src/crl.c +index 9f71c85..2e6ca29 100644 +--- a/src/crl.c ++++ b/src/crl.c +@@ -1349,7 +1349,7 @@ parse_signature (ksba_crl_t crl) + && !ti.is_constructed) ) + return gpg_error (GPG_ERR_INV_CRL_OBJ); + n2 = ti.nhdr + ti.length; +- if (n + n2 >= DIM(tmpbuf)) ++ if (n + n2 >= DIM(tmpbuf) || (n + n2) < n) + return gpg_error (GPG_ERR_TOO_LARGE); + memcpy (tmpbuf+n, ti.buf, ti.nhdr); + err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length); +diff --git a/src/ocsp.c b/src/ocsp.c +index d4cba04..657d15f 100644 +--- a/src/ocsp.c ++++ b/src/ocsp.c +@@ -721,6 +721,12 @@ parse_response_extensions (ksba_ocsp_t ocsp, + || memcmp (ocsp->nonce, data, ti.length)) + ocsp->bad_nonce = 1; + } ++ if (ti.length > (1<<24)) ++ { ++ /* Bail out on much too large objects. */ ++ err = gpg_error (GPG_ERR_BAD_BER); ++ goto leave; ++ } + ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length); + if (!ex) + { +@@ -788,6 +794,12 @@ parse_single_extensions (struct ocsp_reqitem_s *ri, + err = parse_octet_string (&data, &datalen, &ti); + if (err) + goto leave; ++ if (ti.length > (1<<24)) ++ { ++ /* Bail out on much too large objects. 
*/ ++ err = gpg_error (GPG_ERR_BAD_BER); ++ goto leave; ++ } + ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length); + if (!ex) + { +-- +2.32.0 + diff --git a/meta/recipes-support/libksba/libksba_1.6.2.bb b/meta/recipes-support/libksba/libksba_1.6.2.bb index f6ecb9aec4..d0ee8475f8 100644 --- a/meta/recipes-support/libksba/libksba_1.6.2.bb +++ b/meta/recipes-support/libksba/libksba_1.6.2.bb @@ -22,7 +22,8 @@ inherit autotools binconfig-disabled pkgconfig texinfo UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html" SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ - file://ksba-add-pkgconfig-support.patch" + file://ksba-add-pkgconfig-support.patch \ + file://0001-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch" SRC_URI[sha256sum] = "fce01ccac59812bddadffacff017dac2e4762bdb6ebc6ffe06f6ed4f6192c971" -- 2.25.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
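Review bot: The `CVE:` tag in the commit message reads CVE-2022-47926, but the subject line, the NVD reference and the `CVE:` tag inside the added patch file all say CVE-2022-47629. Correct the commit-message tag so the fix is found when the log is searched by CVE id.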
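Review bot: In the src/crl.c hunk, the added `(n + n2) < n` test detects wraparound of the final sum, but `n2 = ti.nhdr + ti.length` on the context line above it is itself an unchecked addition, and `ti.length` is then used as the `read_buffer` size. Confirm against the upstream tree that `ti.length` is bounded before this point, so the backport does not need a matching check on `n2`.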
* [OE-core][kirkstone 7/9] glibc: stable 2.35 branch updates.
2023-01-17 14:08 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (5 preceding siblings ...)
2023-01-17 14:08 ` [OE-core][kirkstone 6/9] libksba: fix CVE-2022-47629 Steve Sakoman
@ 2023-01-17 14:08 ` Steve Sakoman
2023-01-17 14:08 ` [OE-core][kirkstone 8/9] freetype:update mirror site Steve Sakoman
2023-01-17 14:08 ` [OE-core][kirkstone 9/9] gtk-icon-cache: Fix GTKIC_CMD if-else condition Steve Sakoman
8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-01-17 14:08 UTC (permalink / raw)
To: openembedded-core
From: Yash Shinde <yashinde145@gmail.com>
Below commits on glibc-2.35 stable branch are updated.
293211b6fd time: Use 64 bit time on tzfile
26c8278889 nscd: Use 64 bit time_t on libc nscd routines (BZ# 29402)
f75f61b659 nis: Build libnsl with 64 bit time_t
ca97201c24 Apply asm redirections in syslog.h before first use [BZ #27087]
cad7947db7 elf: Fix wrong fscanf usage on tst-pldd
e9eb987894 Allow for unpriviledged nested containers
2636fbb7ef elf: Fix wrong fscanf usage on tst-pldd
e7019eeeb5 x86: Fix wcsnlen-avx2 page cross length comparison [BZ #29591]
fb73a40981 elf: Fix rtld-audit trampoline for aarch64
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/glibc/glibc-version.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index 7d7db46c2f..d36da0ce3f 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.35/master" PV = "2.35" -SRCREV_glibc ?= "8d125a1f9145ad90c94e438858d6b5b7578686f2" +SRCREV_glibc ?= "293211b6fddf60fc407d21fcba0326dd2148f76b" SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" -- 2.25.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
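Review bot: The commit list in the message carries "elf: Fix wrong fscanf usage on tst-pldd" twice, as cad7947db7 and as 2636fbb7ef. State in the message whether these are two distinct commits on the branch, so the repeat is not read as a copy error. The new `SRCREV_glibc` in the hunk does match the first listed commit, 293211b6fd.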
* [OE-core][kirkstone 8/9] freetype:update mirror site. 2023-01-17 14:08 [OE-core][kirkstone 0/9] Patch review Steve Sakoman ` (6 preceding siblings ...) 2023-01-17 14:08 ` [OE-core][kirkstone 7/9] glibc: stable 2.35 branch updates Steve Sakoman @ 2023-01-17 14:08 ` Steve Sakoman 2023-01-17 14:08 ` [OE-core][kirkstone 9/9] gtk-icon-cache: Fix GTKIC_CMD if-else condition Steve Sakoman 8 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2023-01-17 14:08 UTC (permalink / raw) To: openembedded-core From: KARN JYE LAU <karn.jye.lau@intel.com> update SAVANNAH_NONGNU_MIRROR to SAVANNAH_GNU_MIRROR to resolve package fetching issues. Signed-off-by: KARN JYE LAU <karn.jye.lau@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-graphics/freetype/freetype_2.11.1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-graphics/freetype/freetype_2.11.1.bb b/meta/recipes-graphics/freetype/freetype_2.11.1.bb index 5b464d3d70..d425e162bc 100644 --- a/meta/recipes-graphics/freetype/freetype_2.11.1.bb +++ b/meta/recipes-graphics/freetype/freetype_2.11.1.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.TXT;md5=a5927784d823d443c6cae55701d01553 \ file://docs/FTL.TXT;md5=9f37b4e6afa3fef9dba8932b16bd3f97 \ file://docs/GPLv2.TXT;md5=8ef380476f642c20ebf40fecb0add2ec" -SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \ +SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.xz \ file://CVE-2022-27404.patch \ file://CVE-2022-27405.patch \ file://CVE-2022-27406.patch \ -- 2.25.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
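Review bot: The commit message gives "package fetching issues" as the only reason for switching `SRC_URI` from `${SAVANNAH_NONGNU_MIRROR}` to `${SAVANNAH_GNU_MIRROR}`, without naming the failing URL or the error. Record which host failed, and confirm that the tarball fetched through the new mirror still matches the checksum the recipe already pins, since the hunk changes only the download location.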
* [OE-core][kirkstone 9/9] gtk-icon-cache: Fix GTKIC_CMD if-else condition
2023-01-17 14:08 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (7 preceding siblings ...)
2023-01-17 14:08 ` [OE-core][kirkstone 8/9] freetype:update mirror site Steve Sakoman
@ 2023-01-17 14:08 ` Steve Sakoman
8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-01-17 14:08 UTC (permalink / raw)
To: openembedded-core
From: Daniel Gomez <daniel@qtec.com>
GTKIC_CMD variable gets the wrong assignation leading into a post
install script error.
Fix if-else condition in GTKIC_CMD variable to assign
gtk4-update-icon-cache when GTKIC_VERSION is 4 but
gtk-update-icon-cache when is 3.
Also, rename gtk-update-icon-cache-3.0.0 to gtk-update-icon-cache-3.0 to
match the gtk-update-icon-cache binary name deployed in
meta/recipes-gnome/gtk+/gtk+3.inc.
Signed-off-by: Daniel Gomez <daniel@qtec.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/gtk-icon-cache.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/gtk-icon-cache.bbclass b/meta/classes/gtk-icon-cache.bbclass index 6808339b90..f999b891f3 100644 --- a/meta/classes/gtk-icon-cache.bbclass +++ b/meta/classes/gtk-icon-cache.bbclass
@@ -3,7 +3,7 @@ FILES:${PN} += "${datadir}/icons/hicolor" GTKIC_VERSION ??= '3' GTKPN = "${@ 'gtk4' if d.getVar('GTKIC_VERSION') == '4' else 'gtk+3' }" -GTKIC_CMD = "${@ 'gtk-update-icon-cache-3.0.0' if d.getVar('GTKIC_VERSION') == '4' else 'gtk4-update-icon-cache' }" +GTKIC_CMD = "${@ 'gtk4-update-icon-cache' if d.getVar('GTKIC_VERSION') == '4' else 'gtk-update-icon-cache-3.0' }" #gtk+3/gtk4 require GTK3DISTROFEATURES, DEPENDS on it make all the #recipes inherit this class require GTK3DISTROFEATURES -- 2.25.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2025-11-25 20:54 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-11-25 20:54 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, November 27
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2776
The following changes since commit ff72b41a3f0bf1820405b8782f0d125cd10e3406:
oe-build-perf-report: relax metadata matching rules (2025-11-19 08:28:19 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Divya Chellam (3):
ruby: fix CVE-2024-35176
ruby: fix CVE-2024-39908
ruby: fix CVE-2024-41123
Gyorgy Sarvari (1):
flac: patch seeking bug
Peter Marko (3):
libarchive: patch 3.8.3 security issue 1
libarchive: patch 3.8.3 security issue 2
libarchive: patch CVE-2025-60753
Praveen Kumar (1):
python3: fix CVE-2025-6075
Vijay Anusuri (1):
python3-idna: Fix CVE-2024-3651
.../python/python3-idna/CVE-2024-3651.patch | 2484 +++++++++++++++++
.../python/python3-idna_3.3.bb | 2 +
.../python/python3/CVE-2025-6075.patch | 364 +++
.../python/python3_3.10.19.bb | 1 +
.../ruby/ruby/CVE-2024-35176.patch | 112 +
.../ruby/ruby/CVE-2024-39908-0001.patch | 46 +
.../ruby/ruby/CVE-2024-39908-0002.patch | 130 +
.../ruby/ruby/CVE-2024-39908-0003.patch | 46 +
.../ruby/ruby/CVE-2024-39908-0004.patch | 76 +
.../ruby/ruby/CVE-2024-39908-0005.patch | 87 +
.../ruby/ruby/CVE-2024-39908-0006.patch | 44 +
.../ruby/ruby/CVE-2024-39908-0007.patch | 44 +
.../ruby/ruby/CVE-2024-39908-0008.patch | 44 +
.../ruby/ruby/CVE-2024-39908-0009.patch | 36 +
.../ruby/ruby/CVE-2024-39908-0010.patch | 53 +
.../ruby/ruby/CVE-2024-39908-0011.patch | 35 +
.../ruby/ruby/CVE-2024-39908-0012.patch | 36 +
.../ruby/ruby/CVE-2024-41123-0001.patch | 44 +
.../ruby/ruby/CVE-2024-41123-0002.patch | 37 +
.../ruby/ruby/CVE-2024-41123-0003.patch | 55 +
.../ruby/ruby/CVE-2024-41123-0004.patch | 163 ++
.../ruby/ruby/CVE-2024-41123-0005.patch | 111 +
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 18 +
...ax-path-length-metadata-writing-2243.patch | 30 +
...request-2696-from-al3xtjames-mkstemp.patch | 28 +
...st-2749-from-KlaraSystems-des-tempdi.patch | 183 ++
...st-2753-from-KlaraSystems-des-temp-f.patch | 190 ++
...-request-2768-from-Commandoss-master.patch | 28 +
.../libarchive/CVE-2025-60753.patch | 76 +
.../libarchive/libarchive_3.6.2.bb | 6 +
.../flac/files/0001-Fix-seeking-bug.patch | 34 +
meta/recipes-multimedia/flac/flac_1.3.4.bb | 3 +-
32 files changed, 4645 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/python/python3-idna/CVE-2024-3651.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-6075.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-35176.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0001.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0002.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0003.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0004.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0005.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0006.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0007.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0008.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0009.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0010.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0011.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0012.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0001.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0002.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0003.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0004.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0005.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Fix-max-path-length-metadata-writing-2243.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2696-from-al3xtjames-mkstemp.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2768-from-Commandoss-master.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch
create mode 100644 meta/recipes-multimedia/flac/files/0001-Fix-seeking-bug.patch
--
2.43.0
* [OE-core][kirkstone 0/9] Patch review
@ 2025-09-03 16:14 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-09-03 16:14 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Friday, September 5
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2309
The following changes since commit 36cf6bb39df081b27306d27b20155995b73e1a01:
Revert "sqlite3: patch CVE-2025-7458" (2025-09-01 08:18:45 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Deepak Rathore (1):
default-distrovars.inc: Fix CONNECTIVITY_CHECK_URIS redirect issue
Kyungjik Min (1):
pulseaudio: Add audio group explicitly
Mingli Yu (1):
vim: not adjust script pathnames for native scripts either
Peter Marko (2):
vim: upgrade 9.1.1198 -> 9.1.1652
sudo: remove devtool FIXME comment
Praveen Kumar (1):
git: fix CVE-2025-48384
Yogita Urade (3):
tiff: fix CVE-2024-13978
tiff: fix CVE-2025-8534
tiff: fix CVE-2025-8851
meta-selftest/files/static-group | 1 +
.../distro/include/default-distrovars.inc | 2 +-
meta/lib/oeqa/sdk/buildtools-cases/https.py | 4 +-
.../git/git/CVE-2025-48384.patch | 85 +++++++++++++++++++
meta/recipes-devtools/git/git_2.35.7.bb | 1 +
meta/recipes-extended/sudo/sudo_1.9.17p1.bb | 52 ------------
.../libtiff/tiff/CVE-2024-13978.patch | 47 ++++++++++
.../libtiff/tiff/CVE-2025-8534.patch | 60 +++++++++++++
.../libtiff/tiff/CVE-2025-8851.patch | 71 ++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 3 +
.../pulseaudio/pulseaudio.inc | 2 +-
...src-Makefile-improve-reproducibility.patch | 10 +--
.../vim/files/disable_acl_header_check.patch | 12 +--
.../vim/files/no-path-adjust.patch | 35 +++++---
meta/recipes-support/vim/vim.inc | 7 +-
15 files changed, 308 insertions(+), 84 deletions(-)
create mode 100644 meta/recipes-devtools/git/git/CVE-2025-48384.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch
--
2.43.0
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2025-08-26 13:44 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-08-26 13:44 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, August 28
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2267
The following changes since commit e401a16d8e26d25cec95fcea98d6530036cffca1:
libubootenv: backport patch to fix unknown type name 'size_t' (2025-08-19 10:14:55 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Hitendra Prajapati (1):
gstreamer1.0-plugins-base: fix CVE-2025-47807
Jiaying Song (1):
openssl: fix CVE-2023-50781
Peter Marko (4):
qemu: ignore CVE-2024-7730
glib-2.0: patch CVE-2025-7039
dpkg: patch CVE-2025-6297
libarchive: patch regression of patch for CVE-2025-5918
Vijay Anusuri (3):
xserver-xorg: Fix for CVE-2025-49178
xserver-xorg: Fix for CVE-2025-49179
xserver-xorg: Fix for CVE-2025-49180
.../openssl/openssl/CVE-2023-50781-1.patch | 618 ++++++++++++++++++
.../openssl/openssl/CVE-2023-50781-2.patch | 358 ++++++++++
.../openssl/openssl/CVE-2023-50781-3.patch | 41 ++
.../openssl/openssl/CVE-2023-50781-4.patch | 441 +++++++++++++
.../openssl/openssl/CVE-2023-50781-5.patch | 284 ++++++++
.../openssl/openssl/CVE-2023-50781-6.patch | 57 ++
.../openssl/openssl_3.0.17.bb | 8 +-
.../glib-2.0/glib-2.0/CVE-2025-7039-01.patch | 40 ++
.../glib-2.0/glib-2.0/CVE-2025-7039-02.patch | 43 ++
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 2 +
.../dpkg/dpkg/CVE-2025-6297.patch | 125 ++++
meta/recipes-devtools/dpkg/dpkg_1.21.4.bb | 1 +
meta/recipes-devtools/qemu/qemu.inc | 3 +
...2025-5918.patch => CVE-2025-5918-01.patch} | 0
.../libarchive/CVE-2025-5918-02.patch | 51 ++
.../libarchive/libarchive_3.6.2.bb | 3 +-
.../xserver-xorg/CVE-2025-49178.patch | 49 ++
.../xserver-xorg/CVE-2025-49179.patch | 67 ++
.../xserver-xorg/CVE-2025-49180-1.patch | 44 ++
.../xserver-xorg/CVE-2025-49180-2.patch | 52 ++
.../xorg-xserver/xserver-xorg_21.1.8.bb | 4 +
.../CVE-2025-47807.patch | 49 ++
.../gstreamer1.0-plugins-base_1.20.7.bb | 1 +
23 files changed, 2339 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-4.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-5.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-6.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-7039-01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-7039-02.patch
create mode 100644 meta/recipes-devtools/dpkg/dpkg/CVE-2025-6297.patch
rename meta/recipes-extended/libarchive/libarchive/{CVE-2025-5918.patch => CVE-2025-5918-01.patch} (100%)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-02.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49179.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-1.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-2.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47807.patch
--
2.43.0
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2025-08-19 20:49 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:49 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, August 21
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2236
The following changes since commit 3d1c037a7cb7858a4e3c33a94f5d343a81aac5f7:
go-helloworld: fix license (2025-08-12 09:57:24 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Dan McGregor (1):
systemd: Fix manpage build after CVE-2025-4598
Hitendra Prajapati (3):
gstreamer1.0-plugins-base: fix CVE-2025-47806 & CVE-2025-47808
gstreamer1.0-plugins-good: fix CVE-2025-47183 & CVE-2025-47219
git: fix CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835
Peter Marko (1):
glib-2.0: ignore CVE-2025-4056
Vijay Anusuri (3):
xserver-xorg: Fix for CVE-2025-49175
xserver-xorg: Fix for CVE-2025-49176
xserver-xorg: Fix for CVE-2025-49177
Youngseok Jeong (1):
libubootenv: backport patch to fix unknown type name 'size_t'
...-Include-cstddef-in-the-header-for-C.patch | 27 +
meta/recipes-bsp/u-boot/libubootenv_0.3.2.bb | 6 +-
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 3 +
.../systemd/systemd/CVE-2025-4598-0003.patch | 7 +-
...-27613-CVE-2025-46334-CVE-2025-46835.patch | 2500 +++++++++++++++++
meta/recipes-devtools/git/git_2.35.7.bb | 1 +
.../xserver-xorg/CVE-2025-49175.patch | 91 +
.../xserver-xorg/CVE-2025-49176-1.patch | 92 +
.../xserver-xorg/CVE-2025-49176-2.patch | 37 +
.../xserver-xorg/CVE-2025-49177.patch | 54 +
.../xorg-xserver/xserver-xorg_21.1.8.bb | 4 +
.../CVE-2025-47806.patch | 50 +
.../CVE-2025-47808.patch | 36 +
.../gstreamer1.0-plugins-base_1.20.7.bb | 2 +
.../CVE-2025-47183-001.patch | 151 +
.../CVE-2025-47183-002.patch | 80 +
.../CVE-2025-47219.patch | 40 +
.../gstreamer1.0-plugins-good_1.20.7.bb | 3 +
18 files changed, 3179 insertions(+), 5 deletions(-)
create mode 100644 meta/recipes-bsp/u-boot/files/0001-Include-cstddef-in-the-header-for-C.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49175.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-1.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-2.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49177.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47806.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47808.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-001.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-002.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47219.patch
--
2.43.0
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2025-07-04 15:28 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-07-04 15:28 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, July 8
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1949
The following changes since commit 75e54301c5076eb0454aee33c870adf078f563fd:
build-appliance-image: Update to kirkstone head revision (2025-06-27 08:10:04 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (6):
xwayland: fix CVE-2025-49175
xwayland: fix CVE-2025-49176
xwayland: fix CVE-2025-49177
xwayland: fix CVE-2025-49178
xwayland: fix CVE-2025-49178
xwayland: fix CVE-2025-49180
Chen Qi (1):
systemd: backport patches to fix CVE-2025-4598
Colin Pinnell McAllister (1):
libarchive: Fix CVE-2025-5914
Yogita Urade (1):
python3-urllib3: fix CVE-2025-50181
.../systemd/systemd/CVE-2025-4598-0001.patch | 92 ++++++++
.../systemd/systemd/CVE-2025-4598-0002.patch | 106 +++++++++
.../systemd/systemd/CVE-2025-4598-0003.patch | 144 ++++++++++++
.../systemd/systemd/CVE-2025-4598-0004.patch | 36 +++
meta/recipes-core/systemd/systemd_250.14.bb | 4 +
.../python3-urllib3/CVE-2025-50181.patch | 214 ++++++++++++++++++
.../python/python3-urllib3_1.26.18.bb | 4 +
.../libarchive/libarchive/CVE-2025-5914.patch | 46 ++++
.../libarchive/libarchive_3.6.2.bb | 1 +
.../xwayland/xwayland/CVE-2025-49175.patch | 92 ++++++++
.../xwayland/CVE-2025-49176-0001.patch | 93 ++++++++
.../xwayland/CVE-2025-49176-0002.patch | 38 ++++
.../xwayland/xwayland/CVE-2025-49177.patch | 55 +++++
.../xwayland/xwayland/CVE-2025-49178.patch | 50 ++++
.../xwayland/xwayland/CVE-2025-49179.patch | 69 ++++++
.../xwayland/xwayland/CVE-2025-49180.patch | 45 ++++
.../xwayland/xwayland_22.1.8.bb | 7 +
17 files changed, 1096 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0001.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0002.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0004.patch
create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch
--
2.43.0
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2024-12-17 20:54 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-12-17 20:54 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, December 19
Passed a-full on autobuilder:
https://valkyrie.yoctoproject.org/#/builders/29/builds/663
The following changes since commit b132b817f5931b290e5348dd4a17fbfdc5c6e2c4:
dbus: disable assertions and enable only modular tests (2024-12-10 05:38:29 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alex Kiernan (1):
base-passwd: Add the sgx group
Alexandre Belloni (1):
base-passwd: fix patchreview warning
Ernst Persson (1):
package.bbclass: Use shlex instead of deprecated pipes
Jiaying Song (1):
subversion: fix CVE-2024-46901
Louis Rannou (1):
base-passwd: add the wheel group
Peter Kjellerstedt (3):
base-passwd: Regenerate the patches
base-passwd: Update to 3.5.52
base-passwd: Update the status for two patches
Yogita Urade (1):
xserver-xorg: fix CVE-2024-9632
meta/classes/package.bbclass | 4 +-
.../0001-Add-a-shutdown-group.patch | 26 +++
.../0001-base-passwd-Add-the-sgx-group.patch | 30 ++++
...nstead-of-bin-bash-for-the-root-user.patch | 23 +++
...t-since-we-do-not-have-an-etc-shadow.patch | 21 +++
...put-group-for-the-dev-input-devices.patch} | 17 +-
.../{kvm.patch => 0005-Add-kvm-group.patch} | 2 +-
...ble-to-build-without-debconf-support.patch | 129 ++++++++++++++
...-to-disable-the-generation-of-the-do.patch | 46 +++++
.../base-passwd/0008-Add-wheel-group.patch | 20 +++
.../base-passwd/add_shutdown.patch | 19 ---
.../base-passwd/disable-docs.patch | 24 ---
.../base-passwd/disable-shell.patch | 57 -------
.../base-passwd/base-passwd/nobash.patch | 15 --
.../base-passwd/base-passwd/noshadow.patch | 14 --
...passwd_3.5.29.bb => base-passwd_3.5.52.bb} | 30 ++--
.../subversion/CVE-2024-46901.patch | 161 ++++++++++++++++++
.../subversion/subversion_1.14.2.bb | 3 +-
.../xserver-xorg/CVE-2024-9632.patch | 58 +++++++
.../xorg-xserver/xserver-xorg_21.1.8.bb | 1 +
20 files changed, 547 insertions(+), 153 deletions(-)
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-Add-a-shutdown-group.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0002-Use-bin-sh-instead-of-bin-bash-for-the-root-user.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0003-Remove-for-root-since-we-do-not-have-an-etc-shadow.patch
rename meta/recipes-core/base-passwd/base-passwd/{input.patch => 0004-Add-an-input-group-for-the-dev-input-devices.patch} (42%)
rename meta/recipes-core/base-passwd/base-passwd/{kvm.patch => 0005-Add-kvm-group.patch} (88%)
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0006-Make-it-possible-to-build-without-debconf-support.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0007-Make-it-possible-to-disable-the-generation-of-the-do.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0008-Add-wheel-group.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/add_shutdown.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-docs.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/nobash.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/noshadow.patch
rename meta/recipes-core/base-passwd/{base-passwd_3.5.29.bb => base-passwd_3.5.52.bb} (79%)
create mode 100644 meta/recipes-devtools/subversion/subversion/CVE-2024-46901.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-9632.patch
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2024-06-22 11:57 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-06-22 11:57 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, June 25
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7065
The following changes since commit ab2649ef6c83f0ae7cac554a72e6bea4dcda0e99:
build-appliance-image: Update to kirkstone head revision (2024-06-01 19:12:27 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Changqing Li (1):
man-pages: remove conflict pages
Deepthi Hemraj (1):
glibc: stable 2.35 branch updates
Khem Raj (1):
gobject-introspection: Do not hardcode objdump name
Peter Marko (1):
glib-2.0: patch CVE-2024-34397
Siddharth (1):
openssl: Upgrade 3.0.13 -> 3.0.14
Siddharth Doshi (1):
libxml2: Security fix for CVE-2024-34459
Thomas Perrot (1):
man-pages: add an alternative link name for crypt_r.3
Yogita Urade (2):
acpica: fix CVE-2024-24856
ruby: fix CVE-2024-27280
.../openssl/openssl/CVE-2024-2511.patch | 122 ---
.../openssl/openssl/CVE-2024-4603.patch | 180 ----
.../{openssl_3.0.13.bb => openssl_3.0.14.bb} | 4 +-
.../glib-2.0/glib-2.0/CVE-2024-34397_01.patch | 129 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_02.patch | 62 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_03.patch | 985 ++++++++++++++++++
.../glib-2.0/glib-2.0/CVE-2024-34397_04.patch | 253 +++++
.../glib-2.0/glib-2.0/CVE-2024-34397_05.patch | 88 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_06.patch | 263 +++++
.../glib-2.0/glib-2.0/CVE-2024-34397_07.patch | 45 +
.../glib-2.0/glib-2.0/CVE-2024-34397_08.patch | 168 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_09.patch | 81 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_10.patch | 108 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_11.patch | 133 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_12.patch | 173 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_13.patch | 513 +++++++++
.../glib-2.0/glib-2.0/CVE-2024-34397_14.patch | 75 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_15.patch | 47 +
.../glib-2.0/glib-2.0/CVE-2024-34397_16.patch | 62 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_17.patch | 121 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_18.patch | 50 +
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 18 +
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../libxml/libxml2/CVE-2024-34459.patch | 30 +
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
.../ruby/ruby/CVE-2024-27280.patch | 87 ++
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 +
.../acpica/acpica/CVE-2024-24856.patch | 33 +
.../acpica/acpica_20211217.bb | 4 +-
.../man-pages/man-pages_5.13.bb | 12 +-
.../gobject-introspection_1.72.0.bb | 2 +-
31 files changed, 3536 insertions(+), 316 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
rename meta/recipes-connectivity/openssl/{openssl_3.0.13.bb => openssl_3.0.14.bb} (98%)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_02.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_03.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_04.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_05.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_06.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_07.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_08.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_09.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_10.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_11.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_12.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_13.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_14.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_15.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_16.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_17.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_18.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-34459.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-27280.patch
create mode 100644 meta/recipes-extended/acpica/acpica/CVE-2024-24856.patch
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2024-04-03 3:46 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:46 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, April 4
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6758
The following changes since commit 1b5405955c7c2579ed1f52522e2e177d0281fa33:
glibc: Fix subscript typos for get_nscd_addresses (2024-03-19 03:33:32 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Claus Stovgaard (1):
gcc: Backport sanitizer fix for 32-bit ALSR
Colin McAllister (1):
common-licenses: Backport missing license
Lee Chee Yang (2):
xwayland: fix CVE-2023-6816 CVE-2024-0408/0409
tiff: fix CVE-2023-52356 CVE-2023-6277
Meenali Gupta (1):
expat: fix CVE-2023-52425
Tan Wen Yan (1):
python3-urllib3: update to v1.26.18
Vijay Anusuri (2):
curl: backport Debian patch for CVE-2024-2398
qemu: Fix for CVE-2023-6683
aszh07 (1):
nghttp2: fix CVE-2023-44487
.../LGPL-3.0-with-zeromq-exception | 181 ++++
.../expat/expat/CVE-2023-52425-0001.patch | 40 +
.../expat/expat/CVE-2023-52425-0002.patch | 87 ++
.../expat/expat/CVE-2023-52425-0003.patch | 222 +++++
.../expat/expat/CVE-2023-52425-0004.patch | 42 +
.../expat/expat/CVE-2023-52425-0005.patch | 69 ++
.../expat/expat/CVE-2023-52425-0006.patch | 67 ++
.../expat/expat/CVE-2023-52425-0007.patch | 159 +++
.../expat/expat/CVE-2023-52425-0008.patch | 95 ++
.../expat/expat/CVE-2023-52425-0009.patch | 52 +
.../expat/expat/CVE-2023-52425-0010.patch | 111 +++
.../expat/expat/CVE-2023-52425-0011.patch | 89 ++
.../expat/expat/CVE-2023-52425-0012.patch | 87 ++
meta/recipes-core/expat/expat_2.5.0.bb | 12 +
meta/recipes-devtools/gcc/gcc-11.4.inc | 1 +
.../gcc/gcc/0031-gcc-sanitizers-fix.patch | 63 ++
..._1.26.17.bb => python3-urllib3_1.26.18.bb} | 2 +-
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2023-6683.patch | 92 ++
.../xwayland/xwayland/CVE-2023-6816.patch | 57 ++
.../xwayland/xwayland/CVE-2024-0408.patch | 65 ++
.../xwayland/xwayland/CVE-2024-0409.patch | 47 +
.../xwayland/xwayland_22.1.8.bb | 3 +
.../libtiff/tiff/CVE-2023-52356.patch | 54 +
.../libtiff/tiff/CVE-2023-6277-1.patch | 178 ++++
.../libtiff/tiff/CVE-2023-6277-2.patch | 151 +++
.../libtiff/tiff/CVE-2023-6277-3.patch | 46 +
.../libtiff/tiff/CVE-2023-6277-4.patch | 93 ++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 5 +
.../curl/curl/CVE-2024-2398.patch | 89 ++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
.../nghttp2/nghttp2/CVE-2023-44487.patch | 927 ++++++++++++++++++
.../recipes-support/nghttp2/nghttp2_1.47.0.bb | 1 +
33 files changed, 3188 insertions(+), 1 deletion(-)
create mode 100644 meta/files/common-licenses/LGPL-3.0-with-zeromq-exception
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0001.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0002.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0003.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0004.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0005.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0006.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0007.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0009.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0010.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0011.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0012.patch
create mode 100644 meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch
rename meta/recipes-devtools/python/{python3-urllib3_1.26.17.bb => python3-urllib3_1.26.18.bb} (86%)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398.patch
create mode 100644 meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2024-03-07 23:37 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-03-07 23:37 UTC (permalink / raw)
To: openembedded-core
Unfortunately this series of linux-yocto version bumps has caused a number
of issues with adding and resizing partitions.
The problem was introduced in 5.15.132 and has not been fixed in any of the
subsequent version bumps.
Bruce and I have decided to revert this series until we have an acceptable
fix.
Please have any comments back by end of day Monday, March 11.
The following changes since commit e5aae8a371717215a7d78459788ad67dfaefe37e:
golang: Fix CVE-2023-45289 & CVE-2023-45290 (2024-03-07 04:18:33 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Steve Sakoman (9):
Revert "linux-yocto/5.15: update CVE exclusions"
Revert "linux-yocto/5.15: update to v5.15.148"
Revert "linux-yocto/5.15: update CVE exclusions"
Revert "linux-yocto/5.15: update to v5.15.147"
Revert "linux-yocto/5.15: update CVE exclusions"
Revert "linux-yocto/5.15: update to v5.15.146"
Revert "linux-yocto/5.15: update to v5.15.145"
Revert "linux-yocto/5.15: update to v5.15.142"
Revert "linux-yocto/5.15: update to v5.15.141"
.../linux/cve-exclusion_5.15.inc | 372 ++----------------
.../linux/linux-yocto-rt_5.15.bb | 6 +-
.../linux/linux-yocto-tiny_5.15.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +-
4 files changed, 57 insertions(+), 353 deletions(-)
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2023-06-20 15:37 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-06-20 15:37 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5492
The following changes since commit 0e17a5a4f0e3301bf78f77bb5ca4aaf3e4dbc7af:
Revert "ipk: Decode byte data to string in manifest handling" (2023-06-17 05:18:44 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (1):
nasm: fix CVE-2022-46457
Bruce Ashfield (1):
kernel: don't force PAHOLE=false
Chen Qi (1):
staging.bbclass: do not add extend_recipe_sysroot to prefuncs of
prepare_recipe_sysroot
Lorenzo Arena (1):
conf: add nice level to the hash config ignred variables
Martin Jansa (1):
go.bbclass: don't use test to check output from ls
Pavel Zhukov (1):
lib/terminal.py: Add urxvt terminal
Ranjitsinh Rathod (1):
kmscube: Correct DEPENDS to avoid overwrite
Thomas Roos (1):
oeqa/selftest/cases/devtool.py: skip all tests require folder a git
repo
Wang Mingyu (1):
iso-codes: upgrade 4.13.0 -> 4.15.0
meta/classes/go.bbclass | 2 +-
meta/classes/kernel.bbclass | 2 +-
meta/classes/staging.bbclass | 2 +-
meta/conf/bitbake.conf | 2 +-
meta/lib/oe/terminal.py | 4 ++
meta/lib/oeqa/selftest/cases/devtool.py | 8 +++
.../nasm/nasm/CVE-2022-46457.patch | 50 +++++++++++++++++++
meta/recipes-devtools/nasm/nasm_2.15.05.bb | 1 +
meta/recipes-graphics/kmscube/kmscube_git.bb | 3 +-
...so-codes_4.13.0.bb => iso-codes_4.15.0.bb} | 2 +-
10 files changed, 69 insertions(+), 7 deletions(-)
create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2022-46457.patch
rename meta/recipes-support/iso-codes/{iso-codes_4.13.0.bb => iso-codes_4.15.0.bb} (94%)
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2022-11-13 14:12 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-11-13 14:12 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4468
The following changes since commit 0c0723757fbba9a4b88c0f98477a18d1e220da2e:
mirrors.bbclass: use shallow tarball for binutils-native (2022-11-06 06:00:05 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexander Kanavin (2):
lttng-modules: upgrade 2.13.4 -> 2.13.5
quilt: backport a patch to address grep 3.8 failures
Hitendra Prajapati (1):
QEMU: CVE-2022-3165 VNC: integer underflow in vnc_client_cut_text_ext
leads to CPU exhaustion
Michael Opdenacker (1):
create-spdx.bbclass: remove unused SPDX_INCLUDE_PACKAGED
Narpat Mali (1):
python3-mako: backport fix for CVE-2022-40023
Ross Burton (3):
pixman: backport fix for CVE-2022-44638
sanity: check for GNU tar specifically
qemu: add io_uring PACKAGECONFIG
ciarancourtney (1):
wic: swap partitions are not added to fstab
meta/classes/create-spdx.bbclass | 2 -
meta/classes/sanity.bbclass | 8 +
.../python/python3-mako/CVE-2022-40023.patch | 119 +++++++++++++++
.../python/python3-mako_1.1.6.bb | 2 +
meta/recipes-devtools/qemu/qemu.inc | 3 +-
.../qemu/qemu/CVE-2022-3165.patch | 61 ++++++++
meta/recipes-devtools/quilt/quilt.inc | 1 +
.../quilt/quilt/fix-grep-3.8.patch | 144 ++++++++++++++++++
.../xorg-lib/pixman/CVE-2022-44638.patch | 33 ++++
.../xorg-lib/pixman_0.40.0.bb | 1 +
.../lttng-modules/0001-fix-compaction.patch | 68 ---------
...c-fix-tracepoint-mm_page_alloc_zone_.patch | 106 -------------
...oduce-kfree_skb_reason-v5.15.58.v5.1.patch | 53 -------
...ags-parameter-from-aops-write_begin-.patch | 76 ---------
...Fix-type-of-cpu-in-trace-event-v5.19.patch | 124 ---------------
...ules_2.13.4.bb => lttng-modules_2.13.5.bb} | 7 +-
scripts/lib/wic/plugins/imager/direct.py | 2 +-
17 files changed, 373 insertions(+), 437 deletions(-)
create mode 100644 meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch
create mode 100644 meta/recipes-devtools/quilt/quilt/fix-grep-3.8.patch
create mode 100644 meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-compaction.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-mm-page_alloc-fix-tracepoint-mm_page_alloc_zone_.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-net-skb-introduce-kfree_skb_reason-v5.15.58.v5.1.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0002-fix-fs-Remove-flags-parameter-from-aops-write_begin-.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0003-fix-workqueue-Fix-type-of-cpu-in-trace-event-v5.19.patch
rename meta/recipes-kernel/lttng/{lttng-modules_2.13.4.bb => lttng-modules_2.13.5.bb} (78%)
--
2.25.1
* [OE-core][kirkstone 0/9] Patch review
@ 2022-05-23 13:59 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-05-23 13:59 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by end
of day Wednesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3692
The following changes since commit ec9e9497730f0a9c8ad3d696c8cdcec06267aacf:
base-passwd: Disable shell for default users (2022-05-16 13:59:44 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexander Kanavin (1):
mmc-utils: upgrade to latest revision
Claudius Heine (1):
classes: rootfs-postcommands: add skip option to overlayfs_qa_check
Marta Rybczynska (1):
cve-check: Fix report generation
Richard Purdie (2):
staging: Fix rare sysroot corruption issue
selftest/imagefeatures/overlayfs: Always append to DISTRO_FEATURES
Robert Joslyn (1):
curl: Backport CVE fixes
Samuli Piippo (1):
binutils: Bump to latest 2.38 release branch
Steve Sakoman (1):
python3: fix reproducibility issue with python3-core
wangmy (1):
librepo: upgrade 1.14.2 -> 1.14.3
meta/classes/cve-check.bbclass | 18 +-
meta/classes/rootfs-postcommands.bbclass | 10 +-
meta/classes/staging.bbclass | 24 +
meta/lib/oeqa/selftest/cases/imagefeatures.py | 2 +-
meta/lib/oeqa/selftest/cases/overlayfs.py | 36 +-
.../binutils/binutils-2.38.inc | 2 +-
.../{librepo_1.14.2.bb => librepo_1.14.3.bb} | 2 +-
meta/recipes-devtools/mmc/mmc-utils_git.bb | 2 +-
.../recipes-devtools/python/python3_3.10.4.bb | 5 +
.../curl/curl/CVE-2022-22576.patch | 145 ++++++
.../curl/curl/CVE-2022-27774-1.patch | 45 ++
.../curl/curl/CVE-2022-27774-2.patch | 80 +++
.../curl/curl/CVE-2022-27774-3.patch | 83 ++++
.../curl/curl/CVE-2022-27774-4.patch | 35 ++
.../curl/curl/CVE-2022-27775.patch | 37 ++
.../curl/curl/CVE-2022-27776.patch | 115 +++++
.../curl/curl/CVE-2022-27779.patch | 42 ++
.../curl/curl/CVE-2022-27780.patch | 33 ++
.../curl/curl/CVE-2022-27781.patch | 43 ++
.../curl/curl/CVE-2022-27782-1.patch | 458 ++++++++++++++++++
.../curl/curl/CVE-2022-27782-2.patch | 71 +++
.../curl/curl/CVE-2022-30115.patch | 82 ++++
meta/recipes-support/curl/curl_7.82.0.bb | 16 +-
23 files changed, 1362 insertions(+), 24 deletions(-)
rename meta/recipes-devtools/librepo/{librepo_1.14.2.bb => librepo_1.14.3.bb} (94%)
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-22576.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27775.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27776.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27779.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27780.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27781.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-30115.patch
--
2.25.1