* [OE-core][nanbield 01/21] tiff: fix CVE-2023-6228
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 02/21] tiff: fix CVE-2023-52355 and CVE-2023-52356 Steve Sakoman
` (19 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Yogita Urade <yogita.urade@windriver.com>
CVE-2023-6228:
An issue was found in the tiffcp utility distributed by the
libtiff package where a crafted TIFF file on processing may
cause a heap-based buffer overflow leads to an application
crash.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-6228
https://gitlab.com/libtiff/libtiff/-/issues/606
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 55735e0d75820d59e569a630679f9ac403c7fdbe)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libtiff/tiff/CVE-2023-6228.patch | 31 +++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 1 +
2 files changed, 32 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch
new file mode 100644
index 0000000000..2020508fdf
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch
@@ -0,0 +1,31 @@
+From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Wed, 17 Jan 2024 06:57:08 +0000
+Subject: [PATCH] codec of input image is available, independently from codec
+ check of output image and return with error if not.
+
+Fixes #606.
+
+CVE: CVE-2023-6228
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/tiffcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index aff0626..a4f7f6b 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -846,6 +846,8 @@ static int tiffcp(TIFF *in, TIFF *out)
+ if (!TIFFIsCODECConfigured(compression))
+ return FALSE;
+ TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
++ if (!TIFFIsCODECConfigured(input_compression))
++ return FALSE;
+ TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
+ if (input_compression == COMPRESSION_JPEG)
+ {
+--
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
index 4c472f8ef6..eb8a096f19 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch \
file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \
file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \
+ file://CVE-2023-6228.patch \
"
SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 02/21] tiff: fix CVE-2023-52355 and CVE-2023-52356
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 01/21] tiff: fix CVE-2023-6228 Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 03/21] zlib: ignore CVE-2023-6992 Steve Sakoman
` (18 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Yogita Urade <yogita.urade@windriver.com>
CVE-2023-52355:
An out-of-memory flaw was found in libtiff that could be
triggered by passing a crafted tiff file to the
TIFFRasterScanlineSize64() API. This flaw allows a remote
attacker to cause a denial of service via a crafted input
with a size smaller than 379 KB.
Issue fixed by providing a documentation update.
CVE-2023-52356:
A segment fault (SEGV) flaw was found in libtiff that could
be triggered by passing a crafted tiff file to the
TIFFReadRGBATileExt() API. This flaw allows a remote attacker
to cause a heap-buffer overflow, leading to a denial of service.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-52355
https://security-tracker.debian.org/tracker/CVE-2023-52355
https://gitlab.com/libtiff/libtiff/-/issues/621
https://gitlab.com/libtiff/libtiff/-/merge_requests/553
https://nvd.nist.gov/vuln/detail/CVE-2023-52356
https://gitlab.com/libtiff/libtiff/-/issues/622
https://gitlab.com/libtiff/libtiff/-/merge_requests/546
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 831d7a2fffb3dec94571289292f0940bc7ecd70a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libtiff/tiff/CVE-2023-52355-0001.patch | 238 ++++++++++++++++++
.../libtiff/tiff/CVE-2023-52355-0002.patch | 28 +++
.../libtiff/tiff/CVE-2023-52356.patch | 49 ++++
meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 3 +
4 files changed, 318 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch
new file mode 100644
index 0000000000..f5520fcafd
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch
@@ -0,0 +1,238 @@
+From 335947359ce2dd3862cd9f7c49f92eba065dfed4 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Thu, 1 Feb 2024 13:06:08 +0000
+Subject: [PATCH] manpage: Update TIFF documentation about TIFFOpenOptions.rst
+ and TIFFOpenOptionsSetMaxSingleMemAlloc() usage and some other small fixes.
+
+CVE: CVE-2023-52355
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ doc/functions/TIFFDeferStrileArrayWriting.rst | 5 +++
+ doc/functions/TIFFError.rst | 3 ++
+ doc/functions/TIFFOpen.rst | 13 +++---
+ doc/functions/TIFFOpenOptions.rst | 44 ++++++++++++++++++-
+ doc/functions/TIFFStrileQuery.rst | 5 +++
+ doc/libtiff.rst | 31 ++++++++++++-
+ 6 files changed, 91 insertions(+), 10 deletions(-)
+
+diff --git a/doc/functions/TIFFDeferStrileArrayWriting.rst b/doc/functions/TIFFDeferStrileArrayWriting.rst
+index 60ee746..705aebc 100644
+--- a/doc/functions/TIFFDeferStrileArrayWriting.rst
++++ b/doc/functions/TIFFDeferStrileArrayWriting.rst
+@@ -61,6 +61,11 @@ Diagnostics
+ All error messages are directed to the :c:func:`TIFFErrorExtR` routine.
+ Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine.
+
++Note
++----
++
++This functionality was introduced with libtiff 4.1.
++
+ See also
+ --------
+
+diff --git a/doc/functions/TIFFError.rst b/doc/functions/TIFFError.rst
+index 99924ad..cf4b37c 100644
+--- a/doc/functions/TIFFError.rst
++++ b/doc/functions/TIFFError.rst
+@@ -65,6 +65,9 @@ or :c:func:`TIFFClientOpenExt`.
+ Furthermore, a **custom defined data structure** *user_data* for the
+ error handler can be given along.
+
++Please refer to :doc:`/functions/TIFFOpenOptions` for how to setup the
++application-specific handler introduced with libtiff 4.5.
++
+ Note
+ ----
+
+diff --git a/doc/functions/TIFFOpen.rst b/doc/functions/TIFFOpen.rst
+index db79d7b..adc474f 100644
+--- a/doc/functions/TIFFOpen.rst
++++ b/doc/functions/TIFFOpen.rst
+@@ -94,8 +94,9 @@ TIFF structure without closing the file handle and afterwards the
+ file should be closed using its file descriptor *fd*.
+
+ :c:func:`TIFFOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFOpen`,
+-but options, such as re-entrant error and warning handlers may be passed
+-with the *opts* argument. The *opts* argument may be NULL.
++but options, such as re-entrant error and warning handlers and a limit in byte
++that libtiff internal memory allocation functions are allowed to request per call
++may be passed with the *opts* argument. The *opts* argument may be NULL.
+ Refer to :doc:`TIFFOpenOptions` for allocating and filling the *opts* argument
+ parameters. The allocated memory for :c:type:`TIFFOpenOptions`
+ can be released straight after successful execution of the related
+@@ -105,9 +106,7 @@ can be released straight after successful execution of the related
+ but opens a TIFF file with a Unicode filename.
+
+ :c:func:`TIFFFdOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFFdOpen`,
+-but options, such as re-entrant error and warning handlers may be passed
+-with the *opts* argument. The *opts* argument may be NULL.
+-Refer to :doc:`TIFFOpenOptions` for filling the *opts* argument.
++but options argument *opts* like for :c:func:`TIFFOpenExt` can be passed.
+
+ :c:func:`TIFFSetFileName` sets the file name in the tif-structure
+ and returns the old file name.
+@@ -326,5 +325,5 @@ See also
+
+ :doc:`libtiff` (3tiff),
+ :doc:`TIFFClose` (3tiff),
+-:doc:`TIFFStrileQuery`,
+-:doc:`TIFFOpenOptions`
+\ No newline at end of file
++:doc:`TIFFStrileQuery` (3tiff),
++:doc:`TIFFOpenOptions`
+diff --git a/doc/functions/TIFFOpenOptions.rst b/doc/functions/TIFFOpenOptions.rst
+index 5c67566..23f2975 100644
+--- a/doc/functions/TIFFOpenOptions.rst
++++ b/doc/functions/TIFFOpenOptions.rst
+@@ -38,12 +38,17 @@ opaque structure and returns a :c:type:`TIFFOpenOptions` pointer.
+ :c:func:`TIFFOpenOptionsFree` releases the allocated memory for
+ :c:type:`TIFFOpenOptions`. The allocated memory for :c:type:`TIFFOpenOptions`
+ can be released straight after successful execution of the related
+-TIFF open"Ext" functions like :c:func:`TIFFOpenExt`.
++TIFFOpen"Ext" functions like :c:func:`TIFFOpenExt`.
+
+ :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` sets parameter for the
+ maximum single memory limit in byte that ``libtiff`` internal memory allocation
+ functions are allowed to request per call.
+
++.. note::
++ However, the ``libtiff`` external functions :c:func:`_TIFFmalloc`
++ and :c:func:`_TIFFrealloc` **do not apply** this internal memory
++ allocation limit set by :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`!
++
+ :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` sets the function pointer to
+ an application-specific and per-TIFF handle (re-entrant) error handler.
+ Furthermore, a pointer to a **custom defined data structure** *errorhandler_user_data*
+@@ -55,6 +60,43 @@ The *errorhandler_user_data* argument may be NULL.
+ :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` but for the warning handler,
+ which is invoked through :c:func:`TIFFWarningExtR`
+
++Example
++-------
++
++::
++
++ #include "tiffio.h"
++
++ typedef struct MyErrorHandlerUserDataStruct
++ {
++ /* ... any user data structure ... */
++ } MyErrorHandlerUserDataStruct;
++
++ static int myErrorHandler(TIFF *tiff, void *user_data, const char *module,
++ const char *fmt, va_list ap)
++ {
++ MyErrorHandlerUserDataStruct *errorhandler_user_data =
++ (MyErrorHandlerUserDataStruct *)user_data;
++ /*... code of myErrorHandler ...*/
++ return 1;
++ }
++
++
++ main()
++ {
++ tmsize_t limit = (256 * 1024 * 1024);
++ MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */};
++
++ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
++ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
++ TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data);
++ TIFF *tif = TIFFOpenExt("foo.tif", "r", opts);
++ TIFFOpenOptionsFree(opts);
++ /* ... go on here ... */
++
++ TIFFClose(tif);
++ }
++
+ Note
+ ----
+
+diff --git a/doc/functions/TIFFStrileQuery.rst b/doc/functions/TIFFStrileQuery.rst
+index f8631af..7931fe4 100644
+--- a/doc/functions/TIFFStrileQuery.rst
++++ b/doc/functions/TIFFStrileQuery.rst
+@@ -66,6 +66,11 @@ Diagnostics
+ All error messages are directed to the :c:func:`TIFFErrorExtR` routine.
+ Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine.
+
++Note
++----
++
++This functionality was introduced with libtiff 4.1.
++
+ See also
+ --------
+
+diff --git a/doc/libtiff.rst b/doc/libtiff.rst
+index 6a0054c..d96a860 100644
+--- a/doc/libtiff.rst
++++ b/doc/libtiff.rst
+@@ -90,11 +90,15 @@ compatibility on machines with a segmented architecture.
+ :c:func:`realloc`, and :c:func:`free` routines in the C library.)
+
+ To deal with segmented pointer issues ``libtiff`` also provides
+-:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemmove`
++:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemcmp`
+ routines that mimic the equivalent ANSI C routines, but that are
+ intended for use with memory allocated through :c:func:`_TIFFmalloc`
+ and :c:func:`_TIFFrealloc`.
+
++With ``libtiff`` 4.5 a method was introduced to limit the internal
++memory allocation that functions are allowed to request per call
++(see :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` and :c:func:`TIFFOpenExt`).
++
+ Error Handling
+ --------------
+
+@@ -106,6 +110,10 @@ routine that can be specified with a call to :c:func:`TIFFSetErrorHandler`.
+ Likewise warning messages are directed to a single handler routine
+ that can be specified with a call to :c:func:`TIFFSetWarningHandler`
+
++Further application-specific and per-TIFF handle (re-entrant) error handler
++and warning handler can be set. Please refer to :doc:`/functions/TIFFError`
++and :doc:`/functions/TIFFOpenOptions`.
++
+ Basic File Handling
+ -------------------
+
+@@ -139,7 +147,7 @@ a ``"w"`` argument:
+ main()
+ {
+ TIFF* tif = TIFFOpen("foo.tif", "w");
+- ... do stuff ...
++ /* ... do stuff ... */
+ TIFFClose(tif);
+ }
+
+@@ -157,6 +165,25 @@ to always call :c:func:`TIFFClose` or :c:func:`TIFFFlush` to flush any
+ buffered information to a file. Note that if you call :c:func:`TIFFClose`
+ you do not need to call :c:func:`TIFFFlush`.
+
++.. warning::
++
++ In order to prevent out-of-memory issues when opening a TIFF file
++ :c:func:`TIFFOpenExt` can be used and then the maximum single memory
++ limit in byte that ``libtiff`` internal memory allocation functions
++ are allowed to request per call can be set with
++ :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`.
++
++Example
++
++::
++
++ tmsize_t limit = (256 * 1024 * 1024);
++ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
++ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
++ TIFF *tif = TIFFOpenExt("foo.tif", "w", opts);
++ TIFFOpenOptionsFree(opts);
++ /* ... go on here ... */
++
+ TIFF Directories
+ ----------------
+
+--
+2.40.0
+
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch
new file mode 100644
index 0000000000..19a1ef727a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch
@@ -0,0 +1,28 @@
+From 16ab4a205cfc938c32686e8d697d048fabf97ed4 Mon Sep 17 00:00:00 2001
+From: Timothy Lyanguzov <theta682@gmail.com>
+Date: Thu, 1 Feb 2024 11:19:06 +0000
+Subject: [PATCH] Fix typo.
+
+CVE: CVE-2023-52355
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/16ab4a205cfc938c32686e8d697d048fabf97ed4]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ doc/libtiff.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/libtiff.rst b/doc/libtiff.rst
+index d96a860..4fedc3e 100644
+--- a/doc/libtiff.rst
++++ b/doc/libtiff.rst
+@@ -169,7 +169,7 @@ you do not need to call :c:func:`TIFFFlush`.
+
+ In order to prevent out-of-memory issues when opening a TIFF file
+ :c:func:`TIFFOpenExt` can be used and then the maximum single memory
+- limit in byte that ``libtiff`` internal memory allocation functions
++ limit in bytes that ``libtiff`` internal memory allocation functions
+ are allowed to request per call can be set with
+ :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`.
+
+--
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
new file mode 100644
index 0000000000..75f5d8946a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
@@ -0,0 +1,49 @@
+From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 1 Feb 2024 11:38:14 +0000
+Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
+ col/row (fixes #622)
+
+CVE: CVE-2023-52356
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ libtiff/tif_getimage.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 41f7dfd..9cd6eee 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster,
+ if (TIFFRGBAImageOK(tif, emsg) &&
+ TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg))
+ {
++ if (row >= img.height)
++ {
++ TIFFErrorExtR(tif, TIFFFileName(tif),
++ "Invalid row passed to TIFFReadRGBAStrip().");
++ TIFFRGBAImageEnd(&img);
++ return (0);
++ }
+
+ img.row_offset = row;
+ img.col_offset = 0;
+@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster,
+ return (0);
+ }
+
++ if (col >= img.width || row >= img.height)
++ {
++ TIFFErrorExtR(tif, TIFFFileName(tif),
++ "Invalid row/col passed to TIFFReadRGBATile().");
++ TIFFRGBAImageEnd(&img);
++ return (0);
++ }
++
+ /*
+ * The TIFFRGBAImageGet() function doesn't allow us to get off the
+ * edge of the image, even to fill an otherwise valid tile. So we
+--
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
index eb8a096f19..a26e4694f6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -13,6 +13,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \
file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \
file://CVE-2023-6228.patch \
+ file://CVE-2023-52355-0001.patch \
+ file://CVE-2023-52355-0002.patch \
+ file://CVE-2023-52356.patch \
"
SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 03/21] zlib: ignore CVE-2023-6992
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 01/21] tiff: fix CVE-2023-6228 Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 02/21] tiff: fix CVE-2023-52355 and CVE-2023-52356 Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 04/21] libssh2: backport fix for CVE-2023-48795 Steve Sakoman
` (17 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
This CVE is for iCPE cloudflare:zlib.
Alternative to ignoring would be to limit CVE_PRODUCT, but
historic CVEs already have two - gnu:zlib and zlib:zlib.
So limiting it could miss future CVEs.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9f953a1cd832f03f0b3666168addf45fd4fc8d14)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/zlib/zlib_1.3.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-core/zlib/zlib_1.3.bb b/meta/recipes-core/zlib/zlib_1.3.bb
index 1ed18172fa..ede75f90bd 100644
--- a/meta/recipes-core/zlib/zlib_1.3.bb
+++ b/meta/recipes-core/zlib/zlib_1.3.bb
@@ -47,3 +47,4 @@ do_install_ptest() {
BBCLASSEXTEND = "native nativesdk"
CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
+CVE_STATUS[CVE-2023-6992] = "cpe-incorrect: this CVE is for cloudflare zlib"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 04/21] libssh2: backport fix for CVE-2023-48795
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (2 preceding siblings ...)
2024-02-15 16:17 ` [OE-core][nanbield 03/21] zlib: ignore CVE-2023-6992 Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 05/21] gcc: Update status of CVE-2023-4039 Steve Sakoman
` (16 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@arm.com>
Backport the upstream fix for CVE-2023-48795.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 314fa19c5e07fa632ff0434a6adbb97de1319a02)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libssh2/libssh2/CVE-2023-48795.patch | 466 ++++++++++++++++++
.../recipes-support/libssh2/libssh2_1.11.0.bb | 1 +
2 files changed, 467 insertions(+)
create mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch
diff --git a/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch b/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch
new file mode 100644
index 0000000000..ab0f419ac5
--- /dev/null
+++ b/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch
@@ -0,0 +1,466 @@
+From d4634630432594b139b3af6b9f254b890c0f275d Mon Sep 17 00:00:00 2001
+From: Michael Buckley <michael@buckleyisms.com>
+Date: Thu, 30 Nov 2023 15:08:02 -0800
+Subject: [PATCH] src: add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack"
+
+Refs:
+https://terrapin-attack.com/
+https://seclists.org/oss-sec/2023/q4/292
+https://osv.dev/list?ecosystem=&q=CVE-2023-48795
+https://github.com/advisories/GHSA-45x7-px36-x8w8
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795
+
+Fixes #1290
+Closes #1291
+
+CVE: CVE-2023-48795
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ src/kex.c | 63 +++++++++++++++++++++++------------
+ src/libssh2_priv.h | 18 +++++++---
+ src/packet.c | 83 +++++++++++++++++++++++++++++++++++++++++++---
+ src/packet.h | 2 +-
+ src/session.c | 3 ++
+ src/transport.c | 12 ++++++-
+ 6 files changed, 149 insertions(+), 32 deletions(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index d4034a0a..b4b748ca 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -3037,6 +3037,13 @@ kex_method_extension_negotiation = {
+ 0,
+ };
+
++static const LIBSSH2_KEX_METHOD
++kex_method_strict_client_extension = {
++ "kex-strict-c-v00@openssh.com",
++ NULL,
++ 0,
++};
++
+ static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = {
+ #if LIBSSH2_ED25519
+ &kex_method_ssh_curve25519_sha256,
+@@ -3055,6 +3062,7 @@ static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = {
+ &kex_method_diffie_helman_group1_sha1,
+ &kex_method_diffie_helman_group_exchange_sha1,
+ &kex_method_extension_negotiation,
++ &kex_method_strict_client_extension,
+ NULL
+ };
+
+@@ -3307,13 +3315,13 @@ static int kexinit(LIBSSH2_SESSION * session)
+ return 0;
+ }
+
+-/* kex_agree_instr
++/* _libssh2_kex_agree_instr
+ * Kex specific variant of strstr()
+ * Needle must be preceded by BOL or ',', and followed by ',' or EOL
+ */
+-static unsigned char *
+-kex_agree_instr(unsigned char *haystack, size_t haystack_len,
+- const unsigned char *needle, size_t needle_len)
++unsigned char *
++_libssh2_kex_agree_instr(unsigned char *haystack, size_t haystack_len,
++ const unsigned char *needle, size_t needle_len)
+ {
+ unsigned char *s;
+ unsigned char *end_haystack;
+@@ -3398,7 +3406,7 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session,
+ while(s && *s) {
+ unsigned char *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+- if(kex_agree_instr(hostkey, hostkey_len, s, method_len)) {
++ if(_libssh2_kex_agree_instr(hostkey, hostkey_len, s, method_len)) {
+ const LIBSSH2_HOSTKEY_METHOD *method =
+ (const LIBSSH2_HOSTKEY_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+@@ -3432,9 +3440,9 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session,
+ }
+
+ while(hostkeyp && (*hostkeyp) && (*hostkeyp)->name) {
+- s = kex_agree_instr(hostkey, hostkey_len,
+- (unsigned char *) (*hostkeyp)->name,
+- strlen((*hostkeyp)->name));
++ s = _libssh2_kex_agree_instr(hostkey, hostkey_len,
++ (unsigned char *) (*hostkeyp)->name,
++ strlen((*hostkeyp)->name));
+ if(s) {
+ /* So far so good, but does it suit our purposes? (Encrypting vs
+ Signing) */
+@@ -3468,6 +3476,12 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
+ {
+ const LIBSSH2_KEX_METHOD **kexp = libssh2_kex_methods;
+ unsigned char *s;
++ const unsigned char *strict =
++ (unsigned char *)"kex-strict-s-v00@openssh.com";
++
++ if(_libssh2_kex_agree_instr(kex, kex_len, strict, 28)) {
++ session->kex_strict = 1;
++ }
+
+ if(session->kex_prefs) {
+ s = (unsigned char *) session->kex_prefs;
+@@ -3475,7 +3489,7 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
+ while(s && *s) {
+ unsigned char *q, *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+- q = kex_agree_instr(kex, kex_len, s, method_len);
++ q = _libssh2_kex_agree_instr(kex, kex_len, s, method_len);
+ if(q) {
+ const LIBSSH2_KEX_METHOD *method = (const LIBSSH2_KEX_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+@@ -3509,9 +3523,9 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
+ }
+
+ while(*kexp && (*kexp)->name) {
+- s = kex_agree_instr(kex, kex_len,
+- (unsigned char *) (*kexp)->name,
+- strlen((*kexp)->name));
++ s = _libssh2_kex_agree_instr(kex, kex_len,
++ (unsigned char *) (*kexp)->name,
++ strlen((*kexp)->name));
+ if(s) {
+ /* We've agreed on a key exchange method,
+ * Can we agree on a hostkey that works with this kex?
+@@ -3555,7 +3569,7 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session,
+ unsigned char *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+
+- if(kex_agree_instr(crypt, crypt_len, s, method_len)) {
++ if(_libssh2_kex_agree_instr(crypt, crypt_len, s, method_len)) {
+ const LIBSSH2_CRYPT_METHOD *method =
+ (const LIBSSH2_CRYPT_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+@@ -3577,9 +3591,9 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session,
+ }
+
+ while(*cryptp && (*cryptp)->name) {
+- s = kex_agree_instr(crypt, crypt_len,
+- (unsigned char *) (*cryptp)->name,
+- strlen((*cryptp)->name));
++ s = _libssh2_kex_agree_instr(crypt, crypt_len,
++ (unsigned char *) (*cryptp)->name,
++ strlen((*cryptp)->name));
+ if(s) {
+ endpoint->crypt = *cryptp;
+ return 0;
+@@ -3619,7 +3633,7 @@ static int kex_agree_mac(LIBSSH2_SESSION * session,
+ unsigned char *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+
+- if(kex_agree_instr(mac, mac_len, s, method_len)) {
++ if(_libssh2_kex_agree_instr(mac, mac_len, s, method_len)) {
+ const LIBSSH2_MAC_METHOD *method = (const LIBSSH2_MAC_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+ (const LIBSSH2_COMMON_METHOD **)
+@@ -3640,8 +3654,9 @@ static int kex_agree_mac(LIBSSH2_SESSION * session,
+ }
+
+ while(*macp && (*macp)->name) {
+- s = kex_agree_instr(mac, mac_len, (unsigned char *) (*macp)->name,
+- strlen((*macp)->name));
++ s = _libssh2_kex_agree_instr(mac, mac_len,
++ (unsigned char *) (*macp)->name,
++ strlen((*macp)->name));
+ if(s) {
+ endpoint->mac = *macp;
+ return 0;
+@@ -3672,7 +3687,7 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
+ unsigned char *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+
+- if(kex_agree_instr(comp, comp_len, s, method_len)) {
++ if(_libssh2_kex_agree_instr(comp, comp_len, s, method_len)) {
+ const LIBSSH2_COMP_METHOD *method =
+ (const LIBSSH2_COMP_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+@@ -3694,8 +3709,9 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
+ }
+
+ while(*compp && (*compp)->name) {
+- s = kex_agree_instr(comp, comp_len, (unsigned char *) (*compp)->name,
+- strlen((*compp)->name));
++ s = _libssh2_kex_agree_instr(comp, comp_len,
++ (unsigned char *) (*compp)->name,
++ strlen((*compp)->name));
+ if(s) {
+ endpoint->comp = *compp;
+ return 0;
+@@ -3876,6 +3892,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
+ session->local.kexinit = key_state->oldlocal;
+ session->local.kexinit_len = key_state->oldlocal_len;
+ key_state->state = libssh2_NB_state_idle;
++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
+ session->state &= ~LIBSSH2_STATE_KEX_ACTIVE;
+ session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
+ return -1;
+@@ -3901,6 +3918,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
+ session->local.kexinit = key_state->oldlocal;
+ session->local.kexinit_len = key_state->oldlocal_len;
+ key_state->state = libssh2_NB_state_idle;
++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
+ session->state &= ~LIBSSH2_STATE_KEX_ACTIVE;
+ session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
+ return -1;
+@@ -3949,6 +3967,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
+ session->remote.kexinit = NULL;
+ }
+
++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
+ session->state &= ~LIBSSH2_STATE_KEX_ACTIVE;
+ session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
+
+diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
+index 82c3afe2..ee1d8b5c 100644
+--- a/src/libssh2_priv.h
++++ b/src/libssh2_priv.h
+@@ -699,6 +699,9 @@ struct _LIBSSH2_SESSION
+ /* key signing algorithm preferences -- NULL yields server order */
+ char *sign_algo_prefs;
+
++ /* Whether to use the OpenSSH Strict KEX extension */
++ int kex_strict;
++
+ /* (remote as source of data -- packet_read ) */
+ libssh2_endpoint_data remote;
+
+@@ -870,6 +873,7 @@ struct _LIBSSH2_SESSION
+ int fullpacket_macstate;
+ size_t fullpacket_payload_len;
+ int fullpacket_packet_type;
++ uint32_t fullpacket_required_type;
+
+ /* State variables used in libssh2_sftp_init() */
+ libssh2_nonblocking_states sftpInit_state;
+@@ -910,10 +914,11 @@ struct _LIBSSH2_SESSION
+ };
+
+ /* session.state bits */
+-#define LIBSSH2_STATE_EXCHANGING_KEYS 0x00000001
+-#define LIBSSH2_STATE_NEWKEYS 0x00000002
+-#define LIBSSH2_STATE_AUTHENTICATED 0x00000004
+-#define LIBSSH2_STATE_KEX_ACTIVE 0x00000008
++#define LIBSSH2_STATE_INITIAL_KEX 0x00000001
++#define LIBSSH2_STATE_EXCHANGING_KEYS 0x00000002
++#define LIBSSH2_STATE_NEWKEYS 0x00000004
++#define LIBSSH2_STATE_AUTHENTICATED 0x00000008
++#define LIBSSH2_STATE_KEX_ACTIVE 0x00000010
+
+ /* session.flag helpers */
+ #ifdef MSG_NOSIGNAL
+@@ -1144,6 +1149,11 @@ ssize_t _libssh2_send(libssh2_socket_t socket, const void *buffer,
+ int _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
+ key_exchange_state_t * state);
+
++unsigned char *_libssh2_kex_agree_instr(unsigned char *haystack,
++ size_t haystack_len,
++ const unsigned char *needle,
++ size_t needle_len);
++
+ /* Let crypt.c/hostkey.c expose their method structs */
+ const LIBSSH2_CRYPT_METHOD **libssh2_crypt_methods(void);
+ const LIBSSH2_HOSTKEY_METHOD **libssh2_hostkey_methods(void);
+diff --git a/src/packet.c b/src/packet.c
+index b5b41981..35d4d39e 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -605,14 +605,13 @@ authagent_exit:
+ * layer when it has received a packet.
+ *
+ * The input pointer 'data' is pointing to allocated data that this function
+- * is asked to deal with so on failure OR success, it must be freed fine.
+- * The only exception is when the return code is LIBSSH2_ERROR_EAGAIN.
++ * will be freed unless return the code is LIBSSH2_ERROR_EAGAIN.
+ *
+ * This function will always be called with 'datalen' greater than zero.
+ */
+ int
+ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+- size_t datalen, int macstate)
++ size_t datalen, int macstate, uint32_t seq)
+ {
+ int rc = 0;
+ unsigned char *message = NULL;
+@@ -657,6 +656,70 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ break;
+ }
+
++ if(session->state & LIBSSH2_STATE_INITIAL_KEX) {
++ if(msg == SSH_MSG_KEXINIT) {
++ if(!session->kex_strict) {
++ if(datalen < 17) {
++ LIBSSH2_FREE(session, data);
++ session->packAdd_state = libssh2_NB_state_idle;
++ return _libssh2_error(session,
++ LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++ "Data too short extracting kex");
++ }
++ else {
++ const unsigned char *strict =
++ (unsigned char *)"kex-strict-s-v00@openssh.com";
++ struct string_buf buf;
++ unsigned char *algs = NULL;
++ size_t algs_len = 0;
++
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr += 17; /* advance past type and cookie */
++
++ if(_libssh2_get_string(&buf, &algs, &algs_len)) {
++ LIBSSH2_FREE(session, data);
++ session->packAdd_state = libssh2_NB_state_idle;
++ return _libssh2_error(session,
++ LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++ "Algs too short");
++ }
++
++ if(algs_len == 0 ||
++ _libssh2_kex_agree_instr(algs, algs_len, strict, 28)) {
++ session->kex_strict = 1;
++ }
++ }
++ }
++
++ if(session->kex_strict && seq) {
++ LIBSSH2_FREE(session, data);
++ session->socket_state = LIBSSH2_SOCKET_DISCONNECTED;
++ session->packAdd_state = libssh2_NB_state_idle;
++ libssh2_session_disconnect(session, "strict KEX violation: "
++ "KEXINIT was not the first packet");
++
++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT,
++ "strict KEX violation: "
++ "KEXINIT was not the first packet");
++ }
++ }
++
++ if(session->kex_strict && session->fullpacket_required_type &&
++ session->fullpacket_required_type != msg) {
++ LIBSSH2_FREE(session, data);
++ session->socket_state = LIBSSH2_SOCKET_DISCONNECTED;
++ session->packAdd_state = libssh2_NB_state_idle;
++ libssh2_session_disconnect(session, "strict KEX violation: "
++ "unexpected packet type");
++
++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT,
++ "strict KEX violation: "
++ "unexpected packet type");
++ }
++ }
++
+ if(session->packAdd_state == libssh2_NB_state_allocated) {
+ /* A couple exceptions to the packet adding rule: */
+ switch(msg) {
+@@ -1341,6 +1404,15 @@ _libssh2_packet_ask(LIBSSH2_SESSION * session, unsigned char packet_type,
+
+ return 0;
+ }
++ else if(session->kex_strict &&
++ (session->state & LIBSSH2_STATE_INITIAL_KEX)) {
++ libssh2_session_disconnect(session, "strict KEX violation: "
++ "unexpected packet type");
++
++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT,
++ "strict KEX violation: "
++ "unexpected packet type");
++ }
+ packet = _libssh2_list_next(&packet->node);
+ }
+ return -1;
+@@ -1402,7 +1474,10 @@ _libssh2_packet_require(LIBSSH2_SESSION * session, unsigned char packet_type,
+ }
+
+ while(session->socket_state == LIBSSH2_SOCKET_CONNECTED) {
+- int ret = _libssh2_transport_read(session);
++ int ret;
++ session->fullpacket_required_type = packet_type;
++ ret = _libssh2_transport_read(session);
++ session->fullpacket_required_type = 0;
+ if(ret == LIBSSH2_ERROR_EAGAIN)
+ return ret;
+ else if(ret < 0) {
+diff --git a/src/packet.h b/src/packet.h
+index 79018bcf..6ea100a5 100644
+--- a/src/packet.h
++++ b/src/packet.h
+@@ -71,6 +71,6 @@ int _libssh2_packet_burn(LIBSSH2_SESSION * session,
+ int _libssh2_packet_write(LIBSSH2_SESSION * session, unsigned char *data,
+ unsigned long data_len);
+ int _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+- size_t datalen, int macstate);
++ size_t datalen, int macstate, uint32_t seq);
+
+ #endif /* __LIBSSH2_PACKET_H */
+diff --git a/src/session.c b/src/session.c
+index a4d602ba..f4bafb57 100644
+--- a/src/session.c
++++ b/src/session.c
+@@ -464,6 +464,8 @@ libssh2_session_init_ex(LIBSSH2_ALLOC_FUNC((*my_alloc)),
+ session->abstract = abstract;
+ session->api_timeout = 0; /* timeout-free API by default */
+ session->api_block_mode = 1; /* blocking API by default */
++ session->state = LIBSSH2_STATE_INITIAL_KEX;
++ session->fullpacket_required_type = 0;
+ session->packet_read_timeout = LIBSSH2_DEFAULT_READ_TIMEOUT;
+ session->flag.quote_paths = 1; /* default behavior is to quote paths
+ for the scp subsystem */
+@@ -1186,6 +1188,7 @@ libssh2_session_disconnect_ex(LIBSSH2_SESSION *session, int reason,
+ const char *desc, const char *lang)
+ {
+ int rc;
++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
+ session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
+ BLOCK_ADJUST(rc, session,
+ session_disconnect(session, reason, desc, lang));
+diff --git a/src/transport.c b/src/transport.c
+index 6d902d33..3b30ff84 100644
+--- a/src/transport.c
++++ b/src/transport.c
+@@ -187,6 +187,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
+ struct transportpacket *p = &session->packet;
+ int rc;
+ int compressed;
++ uint32_t seq = session->remote.seqno;
+
+ if(session->fullpacket_state == libssh2_NB_state_idle) {
+ session->fullpacket_macstate = LIBSSH2_MAC_CONFIRMED;
+@@ -318,7 +319,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
+ if(session->fullpacket_state == libssh2_NB_state_created) {
+ rc = _libssh2_packet_add(session, p->payload,
+ session->fullpacket_payload_len,
+- session->fullpacket_macstate);
++ session->fullpacket_macstate, seq);
+ if(rc == LIBSSH2_ERROR_EAGAIN)
+ return rc;
+ if(rc) {
+@@ -329,6 +330,11 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
+
+ session->fullpacket_state = libssh2_NB_state_idle;
+
++ if(session->kex_strict &&
++ session->fullpacket_packet_type == SSH_MSG_NEWKEYS) {
++ session->remote.seqno = 0;
++ }
++
+ return session->fullpacket_packet_type;
+ }
+
+@@ -1091,6 +1097,10 @@ int _libssh2_transport_send(LIBSSH2_SESSION *session,
+
+ session->local.seqno++;
+
++ if(session->kex_strict && data[0] == SSH_MSG_NEWKEYS) {
++ session->local.seqno = 0;
++ }
++
+ ret = LIBSSH2_SEND(session, p->outbuf, total_length,
+ LIBSSH2_SOCKET_SEND_FLAGS(session));
+ if(ret < 0)
+--
+2.34.1
+
diff --git a/meta/recipes-support/libssh2/libssh2_1.11.0.bb b/meta/recipes-support/libssh2/libssh2_1.11.0.bb
index edc25db1b1..5100e6f7f9 100644
--- a/meta/recipes-support/libssh2/libssh2_1.11.0.bb
+++ b/meta/recipes-support/libssh2/libssh2_1.11.0.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=24a33237426720395ebb1dd1349ca225"
SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
file://run-ptest \
+ file://CVE-2023-48795.patch \
"
SRC_URI[sha256sum] = "3736161e41e2693324deb38c26cfdc3efe6209d634ba4258db1cecff6a5ad461"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 05/21] gcc: Update status of CVE-2023-4039
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (3 preceding siblings ...)
2024-02-15 16:17 ` [OE-core][nanbield 04/21] libssh2: backport fix for CVE-2023-48795 Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 06/21] cve_check: handle CVE_STATUS being set to the empty string Steve Sakoman
` (15 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Simone Weiß <simone.p.weiss@posteo.com>
This is fixed via a patch added in gcc-13.2.inc already, but still
reported e.g. for libgcc as it is not defining an own source but use the
shared gcc-source.
Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 301d45eacfd4ae6bddfb13207e2af9e8b4662bc8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/gcc/gcc-13.2.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/gcc/gcc-13.2.inc b/meta/recipes-devtools/gcc/gcc-13.2.inc
index 359db1e278..32fddd11c2 100644
--- a/meta/recipes-devtools/gcc/gcc-13.2.inc
+++ b/meta/recipes-devtools/gcc/gcc-13.2.inc
@@ -115,3 +115,4 @@ EXTRA_OECONF_PATHS = "\
"
CVE_STATUS[CVE-2021-37322] = "cpe-incorrect: Is a binutils 2.26 issue, not gcc"
+CVE_STATUS[CVE-2023-4039] = "fixed-version: Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 06/21] cve_check: handle CVE_STATUS being set to the empty string
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (4 preceding siblings ...)
2024-02-15 16:17 ` [OE-core][nanbield 05/21] gcc: Update status of CVE-2023-4039 Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 07/21] cve_check: cleanup logging Steve Sakoman
` (14 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@arm.com>
Handle CVE_STATUS[...] being set to an empty string just as if it was
not set at all.
This is needed for evaluated CVE_STATUS values to work, i.e. when
setting not-applicable-config if a PACKAGECONFIG is disabled.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c9f20f746251505d9d09262600199ffa87731a2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oe/cve_check.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index 3fa77bf9a7..b5fc5364dc 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -231,7 +231,7 @@ def decode_cve_status(d, cve):
Convert CVE_STATUS into status, detail and description.
"""
status = d.getVarFlag("CVE_STATUS", cve)
- if status is None:
+ if not status:
return ("", "", "")
status_split = status.split(':', 1)
@@ -240,7 +240,7 @@ def decode_cve_status(d, cve):
status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
if status_mapping is None:
- bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
+ bb.warn('Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
status_mapping = "Unpatched"
return (status_mapping, detail, description)
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 07/21] cve_check: cleanup logging
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (5 preceding siblings ...)
2024-02-15 16:17 ` [OE-core][nanbield 06/21] cve_check: handle CVE_STATUS being set to the empty string Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 08/21] gtk: Set CVE_PRODUCT Steve Sakoman
` (13 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@arm.com>
Primarily list the number of patches found, useful when debugging.
Also clean up some bad escaping that caused warnings and use
re.IGNORECASE instead of manually doing case-insenstive rang matches.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 10acc75b7f3387b968bacd51aade6a8dc11a463f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oe/cve_check.py | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index b5fc5364dc..ed5c714cb8 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -79,20 +79,19 @@ def get_patched_cves(d):
import re
import oe.patch
- pn = d.getVar("PN")
- cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
+ cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+")
# Matches the last "CVE-YYYY-ID" in the file name, also if written
# in lowercase. Possible to have multiple CVE IDs in a single
# file name, but only the last one will be detected from the file name.
# However, patch files contents addressing multiple CVE IDs are supported
# (cve_match regular expression)
-
- cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
+ cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE)
patched_cves = set()
- bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
- for url in oe.patch.src_patches(d):
+ patches = oe.patch.src_patches(d)
+ bb.debug(2, "Scanning %d patches for CVEs" % len(patches))
+ for url in patches:
patch_file = bb.fetch.decodeurl(url)[2]
# Check patch file name for CVE ID
@@ -100,7 +99,7 @@ def get_patched_cves(d):
if fname_match:
cve = fname_match.group(1).upper()
patched_cves.add(cve)
- bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
+ bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file))
# Remote patches won't be present and compressed patches won't be
# unpacked, so say we're not scanning them
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 08/21] gtk: Set CVE_PRODUCT
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (6 preceding siblings ...)
2024-02-15 16:17 ` [OE-core][nanbield 07/21] cve_check: cleanup logging Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 09/21] glibc: stable 2.38 branch updates Steve Sakoman
` (12 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Robert Joslyn <robert.joslyn@redrectangle.org>
The CPE vendor is "gnome" and the CPE product is "gtk" for both gtk+3
and gtk4 recipes. Set CVE_PRODUCT so we properly match the NVD database.
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 253f5f745d66acefcc739f1c9ad2dd46be630e47)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-gnome/gtk+/gtk+3_3.24.38.bb | 2 ++
meta/recipes-gnome/gtk+/gtk4_4.12.3.bb | 2 ++
2 files changed, 4 insertions(+)
diff --git a/meta/recipes-gnome/gtk+/gtk+3_3.24.38.bb b/meta/recipes-gnome/gtk+/gtk+3_3.24.38.bb
index 37fa0a7290..c23c46a689 100644
--- a/meta/recipes-gnome/gtk+/gtk+3_3.24.38.bb
+++ b/meta/recipes-gnome/gtk+/gtk+3_3.24.38.bb
@@ -13,3 +13,5 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2 \
file://gtk/gtk.h;endline=25;md5=1d8dc0fccdbfa26287a271dce88af737 \
file://gdk/gdk.h;endline=25;md5=c920ce39dc88c6f06d3e7c50e08086f2 \
file://tests/testgtk.c;endline=25;md5=cb732daee1d82af7a2bf953cf3cf26f1"
+
+CVE_PRODUCT = "gnome:gtk"
diff --git a/meta/recipes-gnome/gtk+/gtk4_4.12.3.bb b/meta/recipes-gnome/gtk+/gtk4_4.12.3.bb
index 001b06934e..2c85e7e75f 100644
--- a/meta/recipes-gnome/gtk+/gtk4_4.12.3.bb
+++ b/meta/recipes-gnome/gtk+/gtk4_4.12.3.bb
@@ -41,6 +41,8 @@ SRC_URI[sha256sum] = "148ce262f6c86487455fb1d9793c3f58bc3e1da477a29617fadb0420f5
S = "${WORKDIR}/gtk-${PV}"
+CVE_PRODUCT = "gnome:gtk"
+
inherit meson gettext pkgconfig gi-docgen update-alternatives gsettings features_check gobject-introspection
# TBD: nativesdk
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 09/21] glibc: stable 2.38 branch updates
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (7 preceding siblings ...)
2024-02-15 16:17 ` [OE-core][nanbield 08/21] gtk: Set CVE_PRODUCT Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 10/21] linux-firmware: upgrade 20231030 -> 20231211 Steve Sakoman
` (11 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Benjamin Bara <benjamin.bara@skidata.com>
Pull in fixes for CVE-2023-6246, CVE-2023-6779 and CVE-2023-6780.
Signed-off-by: Benjamin Bara <benjamin.bara@skidata.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/glibc/glibc-version.inc | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index eaa6d53181..212f960cb5 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
SRCBRANCH ?= "release/2.38/master"
PV = "2.38+git"
-SRCREV_glibc ?= "44f757a6364a546359809d48c76b3debd26e77d4"
+SRCREV_glibc ?= "d37c2b20a4787463d192b32041c3406c2bd91de0"
SRCREV_localedef ?= "e0eca29583b9e0f62645c4316ced93cf4e4e26e1"
GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
@@ -13,3 +13,6 @@ CVE_STATUS[CVE-2023-4806] = "fixed-version: Fixed in stable branch updates"
CVE_STATUS[CVE-2023-5156] = "fixed-version: Fixed in stable branch updates"
CVE_STATUS[CVE-2023-4527] = "fixed-version: Fixed in stable branch updates"
CVE_STATUS[CVE-2023-0687] = "fixed-version: Fixed in stable branch updates"
+CVE_STATUS[CVE-2023-6246] = "fixed-version: Fixed in stable branch updates"
+CVE_STATUS[CVE-2023-6779] = "fixed-version: Fixed in stable branch updates"
+CVE_STATUS[CVE-2023-6780] = "fixed-version: Fixed in stable branch updates"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 10/21] linux-firmware: upgrade 20231030 -> 20231211
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (8 preceding siblings ...)
2024-02-15 16:17 ` [OE-core][nanbield 09/21] glibc: stable 2.38 branch updates Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 11/21] xserver-xorg: 21.1.9 -> 21.1.11 Steve Sakoman
` (10 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0caafdbbf4e7dc84b919afe14f7cb8c46a9e4ac2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...nux-firmware_20231030.bb => linux-firmware_20231211.bb} | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20231030.bb => linux-firmware_20231211.bb} (99%)
diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20231030.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20231211.bb
similarity index 99%
rename from meta/recipes-kernel/linux-firmware/linux-firmware_20231030.bb
rename to meta/recipes-kernel/linux-firmware/linux-firmware_20231211.bb
index b1f5247975..0ed4d91f8a 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20231030.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20231211.bb
@@ -151,7 +151,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
"
# WHENCE checksum is defined separately to ease overriding it if
# class-devupstream is selected.
-WHENCE_CHKSUM = "ceb5248746d24d165b603e71b288cf75"
+WHENCE_CHKSUM = "3113c4ea08e5171555f3bf49eceb5b07"
# These are not common licenses, set NO_GENERIC_LICENSE for them
# so that the license files will be copied from fetched source
@@ -237,7 +237,7 @@ SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmw
# Pin this to the 20220509 release, override this in local.conf
SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"
-SRC_URI[sha256sum] = "c98d200fc4a3120de1a594713ce34e135819dff23e883a4ed387863ba25679c7"
+SRC_URI[sha256sum] = "96af7e4b5eabd37869cdb3dcbb7ab36911106d39b76e799fa1caab16a9dbe8bb"
inherit allarch
@@ -248,7 +248,8 @@ do_compile() {
}
do_install() {
- oe_runmake 'DESTDIR=${D}' 'FIRMWAREDIR=${nonarch_base_libdir}/firmware' install
+ # install-nodedup avoids rdfind dependency
+ oe_runmake 'DESTDIR=${D}' 'FIRMWAREDIR=${nonarch_base_libdir}/firmware' install-nodedup
cp GPL-2 LICEN[CS]E.* WHENCE ${D}${nonarch_base_libdir}/firmware/
}
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 11/21] xserver-xorg: 21.1.9 -> 21.1.11
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (9 preceding siblings ...)
2024-02-15 16:17 ` [OE-core][nanbield 10/21] linux-firmware: upgrade 20231030 -> 20231211 Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 12/21] at-spi2-core: upgrade 2.50.0 -> 2.50.1 Steve Sakoman
` (9 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
Update xserver-xorg from 21.1.9 to 21.1.11.
Release Notes of 21.1.11 [1]:
This release contains fixes for the issues reported in today's security
advisory: https://lists.x.org/archives/xorg/2024-January/061525.html
* CVE-2023-6816
* CVE-2024-0229
* CVE-2024-21885
* CVE-2024-21886
* CVE-2024-0408
* CVE-2024-0409
Additionally, it also contains a fix for XRandR to allow for multiple virtual
monitors on a physical display.
Release Notes of 21.1.10 [2]:
This release contains fixes for CVE-2023-6377 and CVE-2023-6478 as
reported in today's security advisory:
https://lists.x.org/archives/xorg-announce/2023-December/003435.html
[1]: https://lists.x.org/archives/xorg/2024-January/061526.html
[2]: https://lists.x.org/archives/xorg/2023-December/061518.html
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fc9da07bd181ee6f7ae51a5b6db40af0b94cd046)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../{xserver-xorg_21.1.9.bb => xserver-xorg_21.1.11.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_21.1.9.bb => xserver-xorg_21.1.11.bb} (92%)
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.9.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.11.bb
similarity index 92%
rename from meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.9.bb
rename to meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.11.bb
index 43c06181e3..6506d775ca 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.9.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.11.bb
@@ -3,7 +3,7 @@ require xserver-xorg.inc
SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
"
-SRC_URI[sha256sum] = "ff697be2011b4c4966b7806929e51b7a08e9d33800d505305d26d9ccde4b533a"
+SRC_URI[sha256sum] = "1d3dadbd57fb86b16a018e9f5f957aeeadf744f56c0553f55737628d06d326ef"
# These extensions are now integrated into the server, so declare the migration
# path for in-place upgrades.
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 12/21] at-spi2-core: upgrade 2.50.0 -> 2.50.1
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (10 preceding siblings ...)
2024-02-15 16:17 ` [OE-core][nanbield 11/21] xserver-xorg: 21.1.9 -> 21.1.11 Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 13/21] cpio: upgrade 2.14 -> 2.15 Steve Sakoman
` (8 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Wang Mingyu <wangmy@fujitsu.com>
Changelog:
atk-adaptor: Fix critical when no table cell array is returned.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9bed9f07aea6c425748c8908641ce8a99fd5162f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../atk/{at-spi2-core_2.50.0.bb => at-spi2-core_2.50.1.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-support/atk/{at-spi2-core_2.50.0.bb => at-spi2-core_2.50.1.bb} (95%)
diff --git a/meta/recipes-support/atk/at-spi2-core_2.50.0.bb b/meta/recipes-support/atk/at-spi2-core_2.50.1.bb
similarity index 95%
rename from meta/recipes-support/atk/at-spi2-core_2.50.0.bb
rename to meta/recipes-support/atk/at-spi2-core_2.50.1.bb
index 57958fb7f5..6996ebebcd 100644
--- a/meta/recipes-support/atk/at-spi2-core_2.50.0.bb
+++ b/meta/recipes-support/atk/at-spi2-core_2.50.1.bb
@@ -11,7 +11,7 @@ MAJ_VER = "${@oe.utils.trim_version("${PV}", 2)}"
SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz"
-SRC_URI[sha256sum] = "e9f5a8c8235c9dd963b2171de9120301129c677dde933955e1df618b949c4adc"
+SRC_URI[sha256sum] = "5727b5c0687ac57ba8040e79bd6731b714a36b8fcf32190f236b8fb3698789e7"
DEPENDS = " \
dbus \
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 13/21] cpio: upgrade 2.14 -> 2.15
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (11 preceding siblings ...)
2024-02-15 16:17 ` [OE-core][nanbield 12/21] at-spi2-core: upgrade 2.50.0 -> 2.50.1 Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 14/21] gstreamer: upgrade 1.22.8 -> 1.22.9 Steve Sakoman
` (7 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Wang Mingyu <wangmy@fujitsu.com>
Changelog:
==========
* Fix operation of --no-absolute-filenames --make-directories
* Restore access and modification times of symlinks in copy-in
and copy-pass modes.
0001-configure-Include-needed-header-for-major-minor-macr.patch
revmoed since it's included in 2.15
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c4fb7512a5b1c13234e3733cba1c4bf246c77861)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../cpio/{cpio_2.14.bb => cpio_2.15.bb} | 3 +-
| 48 -------------------
2 files changed, 1 insertion(+), 50 deletions(-)
rename meta/recipes-extended/cpio/{cpio_2.14.bb => cpio_2.15.bb} (94%)
delete mode 100644 meta/recipes-extended/cpio/files/0001-configure-Include-needed-header-for-major-minor-macr.patch
diff --git a/meta/recipes-extended/cpio/cpio_2.14.bb b/meta/recipes-extended/cpio/cpio_2.15.bb
similarity index 94%
rename from meta/recipes-extended/cpio/cpio_2.14.bb
rename to meta/recipes-extended/cpio/cpio_2.15.bb
index 560038d2a6..55e9add5cd 100644
--- a/meta/recipes-extended/cpio/cpio_2.14.bb
+++ b/meta/recipes-extended/cpio/cpio_2.15.bb
@@ -7,12 +7,11 @@ LICENSE = "GPL-3.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
- file://0001-configure-Include-needed-header-for-major-minor-macr.patch \
file://run-ptest \
file://test.sh \
"
-SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905ca52454"
+SRC_URI[sha256sum] = "efa50ef983137eefc0a02fdb51509d624b5e3295c980aa127ceee4183455499e"
inherit autotools gettext texinfo ptest
diff --git a/meta/recipes-extended/cpio/files/0001-configure-Include-needed-header-for-major-minor-macr.patch b/meta/recipes-extended/cpio/files/0001-configure-Include-needed-header-for-major-minor-macr.patch
deleted file mode 100644
index 95ece0bbf3..0000000000
--- a/meta/recipes-extended/cpio/files/0001-configure-Include-needed-header-for-major-minor-macr.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 8179be21e664cedb2e9d238cc2f6d04965e97275 Mon Sep 17 00:00:00 2001
-From: Sergey Poznyakoff <gray@gnu.org>
-Date: Thu, 11 May 2023 10:18:44 +0300
-Subject: [PATCH] configure: Include needed header for major/minor macros
-
-This helps in avoiding the warning about implicit function declaration
-which is elevated as error with newer compilers e.g. clang 16
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
----
- configure.ac | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index de479e7..c601029 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -43,8 +43,22 @@ AC_TYPE_UID_T
- AC_CHECK_TYPE(gid_t, int)
-
- AC_HEADER_DIRENT
--AX_COMPILE_CHECK_RETTYPE([major], [0])
--AX_COMPILE_CHECK_RETTYPE([minor], [0])
-+AX_COMPILE_CHECK_RETTYPE([major], [0], [
-+#include <sys/types.h>
-+#ifdef MAJOR_IN_MKDEV
-+# include <sys/mkdev.h>
-+#endif
-+#ifdef MAJOR_IN_SYSMACROS
-+# include <sys/sysmacros.h>
-+#endif])
-+AX_COMPILE_CHECK_RETTYPE([minor], [0], [
-+#include <sys/types.h>
-+#ifdef MAJOR_IN_MKDEV
-+# include <sys/mkdev.h>
-+#endif
-+#ifdef MAJOR_IN_SYSMACROS
-+# include <sys/sysmacros.h>
-+#endif])
-
- AC_CHECK_FUNCS([fchmod fchown])
- # This is needed for mingw build
---
-2.34.1
-
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 14/21] gstreamer: upgrade 1.22.8 -> 1.22.9
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (12 preceding siblings ...)
2024-02-15 16:17 ` [OE-core][nanbield 13/21] cpio: upgrade 2.14 -> 2.15 Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 15/21] allarch: Fix allarch corner case Steve Sakoman
` (6 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Wang Mingyu <wangmy@fujitsu.com>
Changelog:
https://gstreamer.freedesktop.org/releases/1.22
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 30b3835c367ff1de00d24cddf3bd920ea29f15c5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../{gst-devtools_1.22.8.bb => gst-devtools_1.22.9.bb} | 2 +-
...treamer1.0-libav_1.22.8.bb => gstreamer1.0-libav_1.22.9.bb} | 2 +-
.../{gstreamer1.0-omx_1.22.8.bb => gstreamer1.0-omx_1.22.9.bb} | 2 +-
...lugins-bad_1.22.8.bb => gstreamer1.0-plugins-bad_1.22.9.bb} | 2 +-
...gins-base_1.22.8.bb => gstreamer1.0-plugins-base_1.22.9.bb} | 2 +-
...gins-good_1.22.8.bb => gstreamer1.0-plugins-good_1.22.9.bb} | 2 +-
...gins-ugly_1.22.8.bb => gstreamer1.0-plugins-ugly_1.22.9.bb} | 3 ++-
...eamer1.0-python_1.22.8.bb => gstreamer1.0-python_1.22.9.bb} | 2 +-
...tsp-server_1.22.8.bb => gstreamer1.0-rtsp-server_1.22.9.bb} | 2 +-
...treamer1.0-vaapi_1.22.8.bb => gstreamer1.0-vaapi_1.22.9.bb} | 2 +-
.../{gstreamer1.0_1.22.8.bb => gstreamer1.0_1.22.9.bb} | 2 +-
11 files changed, 12 insertions(+), 11 deletions(-)
rename meta/recipes-multimedia/gstreamer/{gst-devtools_1.22.8.bb => gst-devtools_1.22.9.bb} (95%)
rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-libav_1.22.8.bb => gstreamer1.0-libav_1.22.9.bb} (91%)
rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-omx_1.22.8.bb => gstreamer1.0-omx_1.22.9.bb} (95%)
rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-bad_1.22.8.bb => gstreamer1.0-plugins-bad_1.22.9.bb} (98%)
rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-base_1.22.8.bb => gstreamer1.0-plugins-base_1.22.9.bb} (98%)
rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-good_1.22.8.bb => gstreamer1.0-plugins-good_1.22.9.bb} (97%)
rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-ugly_1.22.8.bb => gstreamer1.0-plugins-ugly_1.22.9.bb} (94%)
rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-python_1.22.8.bb => gstreamer1.0-python_1.22.9.bb} (91%)
rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-rtsp-server_1.22.8.bb => gstreamer1.0-rtsp-server_1.22.9.bb} (90%)
rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-vaapi_1.22.8.bb => gstreamer1.0-vaapi_1.22.9.bb} (95%)
rename meta/recipes-multimedia/gstreamer/{gstreamer1.0_1.22.8.bb => gstreamer1.0_1.22.9.bb} (97%)
diff --git a/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.8.bb b/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.9.bb
similarity index 95%
rename from meta/recipes-multimedia/gstreamer/gst-devtools_1.22.8.bb
rename to meta/recipes-multimedia/gstreamer/gst-devtools_1.22.9.bb
index 16a2dd85ce..f60234b528 100644
--- a/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.8.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.9.bb
@@ -12,7 +12,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-devtools/gst-devtools-${PV}
file://0001-connect-has-a-different-signature-on-musl.patch \
"
-SRC_URI[sha256sum] = "cd634056fcb16d035b3df5953ec85ae8bd56c68f29920b720ef920ca71ea76a7"
+SRC_URI[sha256sum] = "02e29400b44e9cc603aa6444dee5726b57edabef6455e6d0921ffed6f13840ee"
DEPENDS = "json-glib glib-2.0 glib-2.0-native gstreamer1.0 gstreamer1.0-plugins-base"
RRECOMMENDS:${PN} = "git"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.8.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.9.bb
similarity index 91%
rename from meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.8.bb
rename to meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.9.bb
index 7c75173989..10536acc87 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.8.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.9.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=69333daa044cb77e486cc36129f7a770 \
"
SRC_URI = "https://gstreamer.freedesktop.org/src/gst-libav/gst-libav-${PV}.tar.xz"
-SRC_URI[sha256sum] = "be39349bc07ab4cdbd9a5fd6ea9848c601c7560ba5a0577ad5200b83bd424981"
+SRC_URI[sha256sum] = "192f7d27d21c1e7c72c339a2647a9b0c247fedc62ea5029115f8c3e22ebb87d8"
S = "${WORKDIR}/gst-libav-${PV}"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.8.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.9.bb
similarity index 95%
rename from meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.8.bb
rename to meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.9.bb
index 5aa9c9cc41..05d64748bb 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.8.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.9.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \
SRC_URI = "https://gstreamer.freedesktop.org/src/gst-omx/gst-omx-${PV}.tar.xz"
-SRC_URI[sha256sum] = "94df10e7713618f0c8a4223f6e047f2d8f0ccecba1d585618e791f13037762df"
+SRC_URI[sha256sum] = "9362d6117985d09dcf6e27bdaef377dc08efb7df01d00101d04fb644addac61e"
S = "${WORKDIR}/gst-omx-${PV}"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.8.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.9.bb
similarity index 98%
rename from meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.8.bb
rename to meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.9.bb
index a14a4efce9..6e5aa2f206 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.8.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.9.bb
@@ -10,7 +10,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
file://0002-avoid-including-sys-poll.h-directly.patch \
file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \
"
-SRC_URI[sha256sum] = "458783f8236068991e3e296edd671c8eddb8be6fac933c1c2e1503462864ea0f"
+SRC_URI[sha256sum] = "1bc65d0fd5f53a3636564efd3fcf318c3edcdec39c4109a503c1fc8203840a1d"
S = "${WORKDIR}/gst-plugins-bad-${PV}"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.8.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.9.bb
similarity index 98%
rename from meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.8.bb
rename to meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.9.bb
index df5eab0464..980766c74b 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.8.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.9.bb
@@ -11,7 +11,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba
file://0003-viv-fb-Make-sure-config.h-is-included.patch \
file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \
"
-SRC_URI[sha256sum] = "eb6792e5c73c6defb9159c36ea6e4b78a2f8af6512678b4bd3b02c8d2d492acf"
+SRC_URI[sha256sum] = "fac3e0dd2d8e9370388b34bf8c21b89d5f63bc3cfc12cd7fdc8fc6c1cba03334"
S = "${WORKDIR}/gst-plugins-base-${PV}"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.8.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.9.bb
similarity index 97%
rename from meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.8.bb
rename to meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.9.bb
index dd309fc6fe..052ba1801b 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.8.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.9.bb
@@ -8,7 +8,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go
file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \
file://0001-v4l2-Define-ioctl_req_t-for-posix-linux-case.patch"
-SRC_URI[sha256sum] = "e305b9f07f52743ca481da0a4e0c76c35efd60adaf1b0694eb3bb021e2137e39"
+SRC_URI[sha256sum] = "26959fcfebfff637d4ea08ef40316baf31b61bb7729820b0684e800c3a1478b6"
S = "${WORKDIR}/gst-plugins-good-${PV}"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.8.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.9.bb
similarity index 94%
rename from meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.8.bb
rename to meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.9.bb
index 478fa8f318..722f8e9fe3 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.8.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.9.bb
@@ -14,7 +14,8 @@ LICENSE_FLAGS = "commercial"
SRC_URI = " \
https://gstreamer.freedesktop.org/src/gst-plugins-ugly/gst-plugins-ugly-${PV}.tar.xz \
"
-SRC_URI[sha256sum] = "0761d96ba508e01c0271881b26828c2bffd7d8afd50872219f088f755b252ca7"
+
+SRC_URI[sha256sum] = "0bf685d66015a01dd3fc1671b64a1c8acb321dd9d4ab9e05a29ab19782aa6236"
S = "${WORKDIR}/gst-plugins-ugly-${PV}"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.8.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.9.bb
similarity index 91%
rename from meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.8.bb
rename to meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.9.bb
index fc182af976..e086fa6866 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.8.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.9.bb
@@ -8,7 +8,7 @@ LICENSE = "LGPL-2.1-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=c34deae4e395ca07e725ab0076a5f740"
SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz"
-SRC_URI[sha256sum] = "d5cb8f144054a2a110e6672bd512e4b15d5b1b8d9879c192b9723535efb70b8f"
+SRC_URI[sha256sum] = "3f9d5c6ffefda268703744b592a6b3983aa6723273b1220ecbcb62c2a5800009"
DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base python3-pygobject"
RDEPENDS:${PN} += "gstreamer1.0 gstreamer1.0-plugins-base python3-pygobject"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.8.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.9.bb
similarity index 90%
rename from meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.8.bb
rename to meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.9.bb
index 97fa86b533..e232263a46 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.8.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.9.bb
@@ -10,7 +10,7 @@ PNREAL = "gst-rtsp-server"
SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz"
-SRC_URI[sha256sum] = "705177051c229976f171adcd7ab9762ae6bcc4bb77dc308a0bd80a63da6c337f"
+SRC_URI[sha256sum] = "808af148f89404ff74850f8ca5272bed4bfe67f9620231dc4514fd07eb26d0a4"
S = "${WORKDIR}/${PNREAL}-${PV}"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.8.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.9.bb
similarity index 95%
rename from meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.8.bb
rename to meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.9.bb
index 52ac7cd2a5..c53ee29051 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.8.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.9.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=4fbd65380cdd255951079008b364516c"
SRC_URI = "https://gstreamer.freedesktop.org/src/${REALPN}/${REALPN}-${PV}.tar.xz"
-SRC_URI[sha256sum] = "1298ba347a70c42b88cdebf91b659fea02b1bb7269eabf8e29e3c0bd58278928"
+SRC_URI[sha256sum] = "8ba20da8c4cbf5b2953dba904672c4275d0053e1528f97fdf8e59942c7883ca8"
S = "${WORKDIR}/${REALPN}-${PV}"
DEPENDS = "libva gstreamer1.0 gstreamer1.0-plugins-base gstreamer1.0-plugins-bad"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.8.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.9.bb
similarity index 97%
rename from meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.8.bb
rename to meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.9.bb
index 374a32ef96..b4ab6ad10c 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.8.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.9.bb
@@ -22,7 +22,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gstreamer/gstreamer-${PV}.tar.x
file://0003-tests-use-a-dictionaries-for-environment.patch;striplevel=3 \
file://0004-tests-add-helper-script-to-run-the-installed_tests.patch;striplevel=3 \
"
-SRC_URI[sha256sum] = "ad4e3db1771139b1db17b1afa7c05db083ae0100bd4da244b71f162dcce41bfc"
+SRC_URI[sha256sum] = "1e7124d347e8cdc80f08ec1d370c201be513002af1102bb20e83c5279cb48ebd"
PACKAGECONFIG ??= "${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)} \
check \
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 15/21] allarch: Fix allarch corner case
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (13 preceding siblings ...)
2024-02-15 16:17 ` [OE-core][nanbield 14/21] gstreamer: upgrade 1.22.8 -> 1.22.9 Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:17 ` [OE-core][nanbield 16/21] reproducible: Fix race with externalsrc/devtool over lockfile Steve Sakoman
` (5 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Most of the allarch code is conditional and only set if the recipe remains marked
as allarch. The qemu wrapper handling is not handled in the same way however and
is unconditional.
Move the code to some slightly uglier inline python to allow it to be conditional
and match the way the rest of the code works.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dfd704f1741dccd9a85338c5d45dee4be079064d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes-recipe/allarch.bbclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes-recipe/allarch.bbclass b/meta/classes-recipe/allarch.bbclass
index 9138f40ed8..e429b92437 100644
--- a/meta/classes-recipe/allarch.bbclass
+++ b/meta/classes-recipe/allarch.bbclass
@@ -63,9 +63,9 @@ python () {
d.appendVarFlag("emit_pkgdata", "vardepsexclude", " MULTILIB_VARIANTS")
d.appendVarFlag("write_specfile", "vardepsexclude", " MULTILIBS")
d.appendVarFlag("do_package", "vardepsexclude", " package_do_shlibs")
+
+ d.setVar("qemu_wrapper_cmdline", "def qemu_wrapper_cmdline(data, rootfs_path, library_paths):\n return 'false'")
elif bb.data.inherits_class('packagegroup', d) and not bb.data.inherits_class('nativesdk', d):
bb.error("Please ensure recipe %s sets PACKAGE_ARCH before inherit packagegroup" % d.getVar("FILE"))
}
-def qemu_wrapper_cmdline(data, rootfs_path, library_paths):
- return 'false'
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 16/21] reproducible: Fix race with externalsrc/devtool over lockfile
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (14 preceding siblings ...)
2024-02-15 16:17 ` [OE-core][nanbield 15/21] allarch: Fix allarch corner case Steve Sakoman
@ 2024-02-15 16:17 ` Steve Sakoman
2024-02-15 16:18 ` [OE-core][nanbield 17/21] externalsrc: fix task dependency for do_populate_lic Steve Sakoman
` (4 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:17 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
We occasionally see races over the lockfile used by externalsrc/devtool
when walking files for the source_date_epock calculation. Skip this file
if present to avoid the issues and fix a real issue where SDE could be
contaminated too.
[YOCTO #14921]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4bc0eb4bd90e6e6e46581a8ed367212bdd910a26)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oe/reproducible.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/lib/oe/reproducible.py b/meta/lib/oe/reproducible.py
index 9ac75c02e3..448befce33 100644
--- a/meta/lib/oe/reproducible.py
+++ b/meta/lib/oe/reproducible.py
@@ -131,6 +131,9 @@ def get_source_date_epoch_from_youngest_file(d, sourcedir):
files = [f for f in files if not f[0] == '.']
for fname in files:
+ if fname == "singletask.lock":
+ # Ignore externalsrc/devtool lockfile [YOCTO #14921]
+ continue
filename = os.path.join(root, fname)
try:
mtime = int(os.lstat(filename).st_mtime)
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 17/21] externalsrc: fix task dependency for do_populate_lic
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (15 preceding siblings ...)
2024-02-15 16:17 ` [OE-core][nanbield 16/21] reproducible: Fix race with externalsrc/devtool over lockfile Steve Sakoman
@ 2024-02-15 16:18 ` Steve Sakoman
2024-02-15 16:18 ` [OE-core][nanbield 18/21] udev-extraconf: fix unmount directories containing octal-escaped chars Steve Sakoman
` (3 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:18 UTC (permalink / raw)
To: openembedded-core
From: Julien Stephan <jstephan@baylibre.com>
do_populate_lic dependencies are defined inside license.bbclass such as:
addtask populate_lic after do_patch before do_build
but externalsrc deletes the do_patch task, so the only dependency left for
do_populate_lic is "before do_build"
On a devtool context, when doing devtool modify, sources are extracted inside
build/workspace/sources/${BPN}/ and local files inside
build/workspace/sources/${BPN}/oe-local-files
When building the recipe after a devtool modify, do_unpack is called again to
unpack (possibly modified) local files from
build/workspace/sources/${BPN}/oe-local-files into ${WORKDIR}.
Since the only left dependency for do_populate_lic is do_build, the
do_populate_lic can be called BEFORE do_unpack. Most of the time this is not a
problem, because license files are generally located inside ${S}, which
corresponds to build/workspace/sources/${BPN} (and is already unpacked),
but this can lead to an issue if recipe sets LIC_FILES_CHKSUM to look for
files in ${WORKDIR} (example from init-ifupdown_1.0.bb):
LIC_FILES_CHKSUM = "file://${WORKDIR}/copyright;md5=3dd6192d306f582dee7687da3d8748ab"
So devtool modify init-ifupdown && bitbake init-ifupdown gives the following
error:
WARNING: init-ifupdown-1.0-r0 do_populate_lic: Could not copy license file <...>/build/tmp/work/qemux86_64-poky-linux/init-ifupdown/1.0/copyright to <...>/build/tmp/work/qemux86_64-poky-linux/init-ifupdown/1.0/license-destdir/qemux86_64/init-ifupdown/copyright: [Errno 2] No such file or directory: '<...>/build/tmp/work/qemux86_64-poky-linux/init-ifupdown/1.0/copyright'
ERROR: init-ifupdown-1.0-r0 do_populate_lic: QA Issue: init-ifupdown: LIC_FILES_CHKSUM points to an invalid file: <...>/build/tmp/work/qemux86_64-poky-linux/init-ifupdown/1.0/copyright [license-checksum]
ERROR: init-ifupdown-1.0-r0 do_populate_lic: Fatal QA errors were found, failing task.
ERROR: Logfile of failure stored in: <...>/build/tmp/work/qemux86_64-poky-linux/init-ifupdown/1.0/temp/log.do_populate_lic.838584
ERROR: Task (<...>/poky/meta/recipes-core/init-ifupdown/init-ifupdown_1.0.bb:do_populate_lic) failed with exit code '1'
Fix this by forcing the do_populate_lic task to run after do_unpack
Signed-off-by: Julien Stephan <jstephan@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ea6a0cccdd274534809df62a0a196bf83489a1e5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/externalsrc.bbclass | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass
index a54f316aa0..70e27a8d35 100644
--- a/meta/classes/externalsrc.bbclass
+++ b/meta/classes/externalsrc.bbclass
@@ -104,6 +104,7 @@ python () {
# If we deltask do_patch, there's no dependency to ensure do_unpack gets run, so add one
# Note that we cannot use d.appendVarFlag() here because deps is expected to be a list object, not a string
d.setVarFlag('do_configure', 'deps', (d.getVarFlag('do_configure', 'deps', False) or []) + ['do_unpack'])
+ d.setVarFlag('do_populate_lic', 'deps', (d.getVarFlag('do_populate_lic', 'deps', False) or []) + ['do_unpack'])
for task in d.getVar("SRCTREECOVEREDTASKS").split():
if local_srcuri and task in fetch_tasks:
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 18/21] udev-extraconf: fix unmount directories containing octal-escaped chars
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (16 preceding siblings ...)
2024-02-15 16:18 ` [OE-core][nanbield 17/21] externalsrc: fix task dependency for do_populate_lic Steve Sakoman
@ 2024-02-15 16:18 ` Steve Sakoman
2024-02-15 16:18 ` [OE-core][nanbield 19/21] pseudo: Update to pull in gcc14 fix and missing statvfs64 intercept Steve Sakoman
` (2 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:18 UTC (permalink / raw)
To: openembedded-core
From: Jonathan GUILLOT <jonathan@joggee.fr>
USB devices are auto-mounted in a directory named like theirs labels.
Special characters like whitespace are octal-escaped in /proc/mounts
output. Using directly this output file as an argument for umount failed
and the mount directory can't be removed as still busy.
Using printf allows these special characters to be unescaped.
Signed-off-by: Jonathan GUILLOT <jonathan@joggee.fr>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 37f17625d931a06888388682dc2b1f5a2d298125)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
| 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--git a/meta/recipes-core/udev/udev-extraconf/mount.sh b/meta/recipes-core/udev/udev-extraconf/mount.sh
index b7e86dbc0e..6cb0a9fea8 100644
--- a/meta/recipes-core/udev/udev-extraconf/mount.sh
+++ b/meta/recipes-core/udev/udev-extraconf/mount.sh
@@ -196,7 +196,7 @@ if [ "$ACTION" = "remove" ] || [ "$ACTION" = "change" ] && [ -x "$UMOUNT" ] && [
logger "mount.sh/remove" "cleaning up $DEVNAME, was mounted by the auto-mounter"
for mnt in `cat /proc/mounts | grep "$DEVNAME" | cut -f 2 -d " " `
do
- $UMOUNT $mnt
+ $UMOUNT "`printf $mnt`"
done
# Remove mount directory created by the auto-mounter
# and clean up our tmp cache file
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 19/21] pseudo: Update to pull in gcc14 fix and missing statvfs64 intercept
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (17 preceding siblings ...)
2024-02-15 16:18 ` [OE-core][nanbield 18/21] udev-extraconf: fix unmount directories containing octal-escaped chars Steve Sakoman
@ 2024-02-15 16:18 ` Steve Sakoman
2024-02-15 16:18 ` [OE-core][nanbield 20/21] overlayfs: add missing closing parenthesis in selftest Steve Sakoman
2024-02-15 16:18 ` [OE-core][nanbield 21/21] multilib_global.bbclass: fix parsing error with no kernel module split Steve Sakoman
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:18 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
rpm 4.19 now builds with LFS64 support enabled by default,
so it calls statvfs64() to get the space available on the
filesystem it is installing packages into. This is not
getting caught by pseudo, so rpm is checking the host's
root filesystem, rather than the filesystem where the
build is happening.
Merge in that fix and a gcc14 fix.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f6d021c860b2b99f46c604149317b326f493022d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/pseudo/files/glibc238.patch | 13 -------------
meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
2 files changed, 1 insertion(+), 14 deletions(-)
diff --git a/meta/recipes-devtools/pseudo/files/glibc238.patch b/meta/recipes-devtools/pseudo/files/glibc238.patch
index 76ca8c11eb..da4b8caee3 100644
--- a/meta/recipes-devtools/pseudo/files/glibc238.patch
+++ b/meta/recipes-devtools/pseudo/files/glibc238.patch
@@ -44,19 +44,6 @@ Index: git/pseudo_util.c
#include <ctype.h>
#include <errno.h>
-Index: git/pseudolog.c
-===================================================================
---- git.orig/pseudolog.c
-+++ git/pseudolog.c
-@@ -8,7 +8,7 @@
- */
- /* We need _XOPEN_SOURCE for strptime(), but if we define that,
- * we then don't get S_IFSOCK... _GNU_SOURCE turns on everything. */
--#define _GNU_SOURCE
-+#define _DEFAULT_SOURCE
-
- #include <ctype.h>
- #include <limits.h>
Index: git/pseudo_client.c
===================================================================
--- git.orig/pseudo_client.c
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 699cab11c6..025cf0fc9c 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -14,7 +14,7 @@ SRC_URI:append:class-nativesdk = " \
file://older-glibc-symbols.patch"
SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
-SRCREV = "a8453eea4d902bbb0e01c786f1cb4a178c3bbee3"
+SRCREV = "516a0a3c4b46f046895d27bfa019d685fe462dfa"
S = "${WORKDIR}/git"
PV = "1.9.0+git"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 20/21] overlayfs: add missing closing parenthesis in selftest
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (18 preceding siblings ...)
2024-02-15 16:18 ` [OE-core][nanbield 19/21] pseudo: Update to pull in gcc14 fix and missing statvfs64 intercept Steve Sakoman
@ 2024-02-15 16:18 ` Steve Sakoman
2024-02-15 16:18 ` [OE-core][nanbield 21/21] multilib_global.bbclass: fix parsing error with no kernel module split Steve Sakoman
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:18 UTC (permalink / raw)
To: openembedded-core
From: "baruch@tkos.co.il" <baruch@tkos.co.il>
Cc: Vyacheslav Yurkov <uvv.mail@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit aebd526cdfea738745e57183b1015fd327bd94df)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta-selftest/recipes-test/overlayfs-user/overlayfs-user.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-selftest/recipes-test/overlayfs-user/overlayfs-user.bb b/meta-selftest/recipes-test/overlayfs-user/overlayfs-user.bb
index 50cba9514b..20f4213a62 100644
--- a/meta-selftest/recipes-test/overlayfs-user/overlayfs-user.bb
+++ b/meta-selftest/recipes-test/overlayfs-user/overlayfs-user.bb
@@ -18,5 +18,5 @@ do_install() {
FILES:${PN} += "\
${exec_prefix} \
- ${sysconfdir \
+ ${sysconfdir} \
"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread* [OE-core][nanbield 21/21] multilib_global.bbclass: fix parsing error with no kernel module split
2024-02-15 16:17 [OE-core][nanbield 00/21] Patch review Steve Sakoman
` (19 preceding siblings ...)
2024-02-15 16:18 ` [OE-core][nanbield 20/21] overlayfs: add missing closing parenthesis in selftest Steve Sakoman
@ 2024-02-15 16:18 ` Steve Sakoman
20 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-15 16:18 UTC (permalink / raw)
To: openembedded-core
From: Chen Qi <Qi.Chen@windriver.com>
The problem could be reproduced with the following settings:
MACHINE = "qemux86-64"
KERNEL_SPLIT_MODULES = "0"
require conf/multilib.conf
MULTILIBS ?= "multilib:lib32"
DEFAULTTUNE:virtclass-multilib-lib32 ?= "core2-32"
The error message is as below:
bb.data_smart.ExpansionError: Failure expanding variable KERNEL_VERSION_PKG_NAME, expression was ${@legitimize_package_name(d.getVar('KERNEL_VERSION'))} which triggered exception TypeError: expected string or bytes-like object
The variable dependency chain for the failure is: KERNEL_VERSION_PKG_NAME -> RPROVIDES:kernel-modules
This is because multilib_virtclass_handler_global function in
multilib_global.bbclass deletes KERNEL_VERSION. So we need to handle
such situation. We'll also need to delete KERNEL_VERSION_PKG_NAME
to avoid this parsing error.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 43dd497bc161ac44faecfdff052db03679dbb4f8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/multilib_global.bbclass | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/classes/multilib_global.bbclass b/meta/classes/multilib_global.bbclass
index dcd89b2f63..6095d278dd 100644
--- a/meta/classes/multilib_global.bbclass
+++ b/meta/classes/multilib_global.bbclass
@@ -195,6 +195,7 @@ python multilib_virtclass_handler_global () {
# from a copy of the datastore
localdata = bb.data.createCopy(d)
localdata.delVar("KERNEL_VERSION")
+ localdata.delVar("KERNEL_VERSION_PKG_NAME")
variants = (e.data.getVar("MULTILIB_VARIANTS") or "").split()
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread