* [OE-core][scarthgap 0/7] Patch review
@ 2024-07-09 19:29 Steve Sakoman
0 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2024-07-09 19:29 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, July 11
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7115
The following changes since commit 1cab8d06ce5df7a8d00cff8531965a84d90d265a:
curl: locale-base-en-us isn't glibc-specific (2024-07-03 07:09:47 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Changqing Li (2):
apt-native: don't let dpkg overwrite files by default
apt: runtime error: filename too long (tmpdir length)
Hitendra Prajapati (1):
ghostscript: upgrade 10.02.1 -> 10.03.1
Peter Marko (2):
flac: fix buildpaths warnings
cargo: remove True option to getVar calls
Xiangyu Chen (1):
qemu: Upgrade 8.2.1 -> 8.2.2
aszh07 (1):
xz: Update LICENSE variable for xz packages
meta/classes-recipe/cargo_common.bbclass | 4 +-
meta/classes-recipe/ptest-cargo.bbclass | 18 ++--
...he-filename-can-t-be-longer-than-255.patch | 40 ++++++++
meta/recipes-devtools/apt/apt_2.6.1.bb | 3 +-
...u-native_8.2.1.bb => qemu-native_8.2.2.bb} | 0
...e_8.2.1.bb => qemu-system-native_8.2.2.bb} | 0
meta/recipes-devtools/qemu/qemu.inc | 3 +-
.../qemu/qemu/CVE-2023-6683.patch | 91 -----------------
.../qemu/{qemu_8.2.1.bb => qemu_8.2.2.bb} | 0
.../ghostscript/CVE-2024-29510.patch | 84 ----------------
.../ghostscript/CVE-2024-33869-0001.patch | 39 --------
.../ghostscript/CVE-2024-33869-0002.patch | 52 ----------
.../ghostscript/CVE-2024-33870.patch | 99 -------------------
.../ghostscript/CVE-2024-33871.patch | 43 --------
.../avoid-host-contamination.patch | 11 +--
...dd-option-to-explicitly-disable-neon.patch | 99 -------------------
...ript_10.02.1.bb => ghostscript_10.03.1.bb} | 8 +-
meta/recipes-extended/xz/xz_5.4.6.bb | 6 +-
meta/recipes-multimedia/flac/flac_1.4.3.bb | 7 ++
19 files changed, 69 insertions(+), 538 deletions(-)
create mode 100644 meta/recipes-devtools/apt/apt/0001-strutl.cc-the-filename-can-t-be-longer-than-255.patch
rename meta/recipes-devtools/qemu/{qemu-native_8.2.1.bb => qemu-native_8.2.2.bb} (100%)
rename meta/recipes-devtools/qemu/{qemu-system-native_8.2.1.bb => qemu-system-native_8.2.2.bb} (100%)
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
rename meta/recipes-devtools/qemu/{qemu_8.2.1.bb => qemu_8.2.2.bb} (100%)
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/configure.ac-add-option-to-explicitly-disable-neon.patch
rename meta/recipes-extended/ghostscript/{ghostscript_10.02.1.bb => ghostscript_10.03.1.bb} (88%)
--
2.34.1
^ permalink raw reply [flat|nested] 16+ messages in thread
* [OE-core][scarthgap 0/7] Patch review
@ 2025-02-18 21:15 Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 1/7] subversion: ignore CVE-2024-45720 Steve Sakoman
` (6 more replies)
0 siblings, 7 replies; 16+ messages in thread
From: Steve Sakoman @ 2025-02-18 21:15 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, February 20
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1037
The following changes since commit 61880aac34ff408a8bc5060c6140bfd086b27524:
base-files: Drop /bin/sh dependency (2025-02-11 05:51:35 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Aleksandar Nikolic (1):
scripts/install-buildtools: Update to 5.0.7
Divya Chellam (1):
vim: Upgrade 9.1.0764 -> 9.1.1043
Johannes Schneider (1):
ppp: Revert lock path to /var/lock
Oleksandr Hnatiuk (1):
icu: remove host references in nativesdk to fix reproducibility
Peter Marko (3):
subversion: ignore CVE-2024-45720
gnutls: patch CVE-2024-12243
openssl: upgrade 3.2.3 -> 3.2.4
...ke-history-reporting-when-test-fails.patch | 40 +-
...1-Configure-do-not-tweak-mips-cflags.patch | 2 +-
...sysroot-and-debug-prefix-map-from-co.patch | 4 +-
.../openssl/openssl/CVE-2024-13176.patch | 126 --
.../openssl/openssl/CVE-2024-9143.patch | 202 ---
.../{openssl_3.2.3.bb => openssl_3.2.4.bb} | 4 +-
...001-Revert-lock-path-to-var-lock-435.patch | 63 +
meta/recipes-connectivity/ppp/ppp_2.5.0.bb | 1 +
.../subversion/subversion_1.14.3.bb | 2 +
.../gnutls/gnutls/CVE-2024-12243.patch | 1149 +++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 +
meta/recipes-support/icu/icu_74-2.bb | 33 +-
meta/recipes-support/vim/vim.inc | 4 +-
scripts/install-buildtools | 4 +-
14 files changed, 1268 insertions(+), 367 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
delete mode 100755 meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
rename meta/recipes-connectivity/openssl/{openssl_3.2.3.bb => openssl_3.2.4.bb} (98%)
create mode 100644 meta/recipes-connectivity/ppp/ppp/0001-Revert-lock-path-to-var-lock-435.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch
--
2.43.0
^ permalink raw reply [flat|nested] 16+ messages in thread
* [OE-core][scarthgap 1/7] subversion: ignore CVE-2024-45720
2025-02-18 21:15 [OE-core][scarthgap 0/7] Patch review Steve Sakoman
@ 2025-02-18 21:15 ` Steve Sakoman
2025-02-19 8:32 ` Yoann Congal
2025-02-18 21:15 ` [OE-core][scarthgap 2/7] gnutls: patch CVE-2024-12243 Steve Sakoman
` (5 subsequent siblings)
6 siblings, 1 reply; 16+ messages in thread
From: Steve Sakoman @ 2025-02-18 21:15 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45720
This CVE is relevant only for subversion running on Windows.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/subversion/subversion_1.14.3.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-devtools/subversion/subversion_1.14.3.bb b/meta/recipes-devtools/subversion/subversion_1.14.3.bb
index 1ef3d498a5..679228cbb8 100644
--- a/meta/recipes-devtools/subversion/subversion_1.14.3.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.14.3.bb
@@ -19,6 +19,8 @@ inherit autotools pkgconfig gettext python3native
CVE_PRODUCT = "apache:subversion"
+CVE_STATUS[CVE-2024-45720] = "not-applicable-platform: Issue only applies on Windows"
+
PACKAGECONFIG ?= ""
PACKAGECONFIG[boost] = "--with-boost=${RECIPE_SYSROOT}${exec_prefix},--without-boost,boost"
--
2.43.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [OE-core][scarthgap 2/7] gnutls: patch CVE-2024-12243
2025-02-18 21:15 [OE-core][scarthgap 0/7] Patch review Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 1/7] subversion: ignore CVE-2024-45720 Steve Sakoman
@ 2025-02-18 21:15 ` Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 3/7] openssl: upgrade 3.2.3 -> 3.2.4 Steve Sakoman
` (4 subsequent siblings)
6 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2025-02-18 21:15 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Backport following patch to address this CVE:
https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../gnutls/gnutls/CVE-2024-12243.patch | 1149 +++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 +
2 files changed, 1150 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch
new file mode 100644
index 0000000000..a7af87718f
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch
@@ -0,0 +1,1149 @@
+From 4760bc63531e3f5039e70ede91a20e1194410892 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 18 Nov 2024 17:23:46 +0900
+Subject: [PATCH] x509: optimize name constraints processing
+
+This switches the representation name constraints from linked lists to
+array lists to optimize the lookup performance from O(n) to O(1), also
+enforces a limit of name constraint checks against subject alternative
+names.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+CVE: CVE-2024-12243
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/datum.c | 7 +-
+ lib/x509/name_constraints.c | 595 +++++++++++++++++++++---------------
+ lib/x509/x509_ext.c | 80 +++--
+ lib/x509/x509_ext_int.h | 5 +
+ lib/x509/x509_int.h | 21 +-
+ 5 files changed, 399 insertions(+), 309 deletions(-)
+
+diff --git a/lib/datum.c b/lib/datum.c
+index 66e016965..5577c2b4a 100644
+--- a/lib/datum.c
++++ b/lib/datum.c
+@@ -29,6 +29,7 @@
+ #include "num.h"
+ #include "datum.h"
+ #include "errors.h"
++#include "intprops.h"
+
+ /* On error, @dat is not changed. */
+ int _gnutls_set_datum(gnutls_datum_t *dat, const void *data, size_t data_size)
+@@ -60,7 +61,11 @@ int _gnutls_set_strdatum(gnutls_datum_t *dat, const void *data,
+ if (data == NULL)
+ return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+
+- unsigned char *m = gnutls_malloc(data_size + 1);
++ size_t capacity;
++ if (!INT_ADD_OK(data_size, 1, &capacity))
++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++
++ unsigned char *m = gnutls_malloc(capacity);
+ if (!m)
+ return GNUTLS_E_MEMORY_ERROR;
+
+diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
+index 8327a9d94..3c6e30630 100644
+--- a/lib/x509/name_constraints.c
++++ b/lib/x509/name_constraints.c
+@@ -33,51 +33,98 @@
+ #include <gnutls/x509-ext.h>
+ #include "x509_b64.h"
+ #include "x509_int.h"
++#include "x509_ext_int.h"
+ #include <libtasn1.h>
+
+ #include "ip.h"
+ #include "ip-in-cidr.h"
++#include "intprops.h"
++
++#define MAX_NC_CHECKS (1 << 20)
++
++struct name_constraints_node_st {
++ unsigned type;
++ gnutls_datum_t name;
++};
++
++struct name_constraints_node_list_st {
++ struct name_constraints_node_st **data;
++ size_t size;
++ size_t capacity;
++};
++
++struct gnutls_name_constraints_st {
++ struct name_constraints_node_list_st nodes; /* owns elements */
++ struct name_constraints_node_list_st permitted; /* borrows elements */
++ struct name_constraints_node_list_st excluded; /* borrows elements */
++};
++
++static struct name_constraints_node_st *
++name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type,
++ unsigned char *data, unsigned int size);
++
++static int
++name_constraints_node_list_add(struct name_constraints_node_list_st *list,
++ struct name_constraints_node_st *node)
++{
++ if (!list->capacity || list->size == list->capacity) {
++ size_t new_capacity = list->capacity;
++ struct name_constraints_node_st **new_data;
++
++ if (!INT_MULTIPLY_OK(new_capacity, 2, &new_capacity) ||
++ !INT_ADD_OK(new_capacity, 1, &new_capacity))
++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++ new_data = _gnutls_reallocarray(
++ list->data, new_capacity,
++ sizeof(struct name_constraints_node_st *));
++ if (!new_data)
++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++ list->capacity = new_capacity;
++ list->data = new_data;
++ }
++ list->data[list->size++] = node;
++ return 0;
++}
+
+ // for documentation see the implementation
+-static int
+-name_constraints_intersect_nodes(name_constraints_node_st *nc1,
+- name_constraints_node_st *nc2,
+- name_constraints_node_st **intersection);
++static int name_constraints_intersect_nodes(
++ gnutls_x509_name_constraints_t nc,
++ const struct name_constraints_node_st *node1,
++ const struct name_constraints_node_st *node2,
++ struct name_constraints_node_st **intersection);
+
+ /*-
+- * is_nc_empty:
++ * _gnutls_x509_name_constraints_is_empty:
+ * @nc: name constraints structure
+- * @type: type (gnutls_x509_subject_alt_name_t)
++ * @type: type (gnutls_x509_subject_alt_name_t or 0)
+ *
+ * Test whether given name constraints structure has any constraints (permitted
+ * or excluded) of a given type. @nc must be allocated (not NULL) before the call.
++ * If @type is 0, type checking will be skipped.
+ *
+- * Returns: 0 if @nc contains constraints of type @type, 1 otherwise
++ * Returns: false if @nc contains constraints of type @type, true otherwise
+ -*/
+-static unsigned is_nc_empty(struct gnutls_name_constraints_st *nc,
+- unsigned type)
++bool _gnutls_x509_name_constraints_is_empty(gnutls_x509_name_constraints_t nc,
++ unsigned type)
+ {
+- name_constraints_node_st *t;
++ if (nc->permitted.size == 0 && nc->excluded.size == 0)
++ return true;
+
+- if (nc->permitted == NULL && nc->excluded == NULL)
+- return 1;
++ if (type == 0)
++ return false;
+
+- t = nc->permitted;
+- while (t != NULL) {
+- if (t->type == type)
+- return 0;
+- t = t->next;
++ for (size_t i = 0; i < nc->permitted.size; i++) {
++ if (nc->permitted.data[i]->type == type)
++ return false;
+ }
+
+- t = nc->excluded;
+- while (t != NULL) {
+- if (t->type == type)
+- return 0;
+- t = t->next;
++ for (size_t i = 0; i < nc->excluded.size; i++) {
++ if (nc->excluded.data[i]->type == type)
++ return false;
+ }
+
+ /* no constraint for that type exists */
+- return 1;
++ return true;
+ }
+
+ /*-
+@@ -115,21 +162,16 @@ static int validate_name_constraints_node(gnutls_x509_subject_alt_name_t type,
+ return GNUTLS_E_SUCCESS;
+ }
+
+-int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr,
+- name_constraints_node_st **_nc)
++static int extract_name_constraints(gnutls_x509_name_constraints_t nc,
++ asn1_node c2, const char *vstr,
++ struct name_constraints_node_list_st *nodes)
+ {
+ int ret;
+ char tmpstr[128];
+ unsigned indx;
+ gnutls_datum_t tmp = { NULL, 0 };
+ unsigned int type;
+- struct name_constraints_node_st *nc, *prev;
+-
+- prev = *_nc;
+- if (prev != NULL) {
+- while (prev->next != NULL)
+- prev = prev->next;
+- }
++ struct name_constraints_node_st *node;
+
+ for (indx = 1;; indx++) {
+ snprintf(tmpstr, sizeof(tmpstr), "%s.?%u.base", vstr, indx);
+@@ -172,25 +214,19 @@ int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr,
+ goto cleanup;
+ }
+
+- nc = gnutls_malloc(sizeof(struct name_constraints_node_st));
+- if (nc == NULL) {
++ node = name_constraints_node_new(nc, type, tmp.data, tmp.size);
++ _gnutls_free_datum(&tmp);
++ if (node == NULL) {
+ gnutls_assert();
+ ret = GNUTLS_E_MEMORY_ERROR;
+ goto cleanup;
+ }
+
+- memcpy(&nc->name, &tmp, sizeof(gnutls_datum_t));
+- nc->type = type;
+- nc->next = NULL;
+-
+- if (prev == NULL) {
+- *_nc = prev = nc;
+- } else {
+- prev->next = nc;
+- prev = nc;
++ ret = name_constraints_node_list_add(nodes, node);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
+ }
+-
+- tmp.data = NULL;
+ }
+
+ assert(ret < 0);
+@@ -205,84 +241,104 @@ cleanup:
+ return ret;
+ }
+
++int _gnutls_x509_name_constraints_extract(asn1_node c2,
++ const char *permitted_name,
++ const char *excluded_name,
++ gnutls_x509_name_constraints_t nc)
++{
++ int ret;
++
++ ret = extract_name_constraints(nc, c2, permitted_name, &nc->permitted);
++ if (ret < 0)
++ return gnutls_assert_val(ret);
++ ret = extract_name_constraints(nc, c2, excluded_name, &nc->excluded);
++ if (ret < 0)
++ return gnutls_assert_val(ret);
++
++ return ret;
++}
++
+ /*-
+- * _gnutls_name_constraints_node_free:
++ * name_constraints_node_free:
+ * @node: name constraints node
+ *
+- * Deallocate a list of name constraints nodes starting at the given node.
++ * Deallocate a name constraints node.
+ -*/
+-void _gnutls_name_constraints_node_free(name_constraints_node_st *node)
++static void name_constraints_node_free(struct name_constraints_node_st *node)
+ {
+- name_constraints_node_st *next, *t;
+-
+- t = node;
+- while (t != NULL) {
+- next = t->next;
+- gnutls_free(t->name.data);
+- gnutls_free(t);
+- t = next;
++ if (node) {
++ gnutls_free(node->name.data);
++ gnutls_free(node);
+ }
+ }
+
+ /*-
+ * name_constraints_node_new:
+ * @type: name constraints type to set (gnutls_x509_subject_alt_name_t)
++ * @nc: a %gnutls_x509_name_constraints_t
+ * @data: name.data to set or NULL
+ * @size: name.size to set
+ *
+ * Allocate a new name constraints node and set its type, name size and name data.
+- * If @data is set to NULL, name data will be an array of \x00 (the length of @size).
+- * The .next pointer is set to NULL.
+ *
+ * Returns: Pointer to newly allocated node or NULL in case of memory error.
+ -*/
+-static name_constraints_node_st *
+-name_constraints_node_new(unsigned type, unsigned char *data, unsigned int size)
++static struct name_constraints_node_st *
++name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type,
++ unsigned char *data, unsigned int size)
+ {
+- name_constraints_node_st *tmp =
+- gnutls_malloc(sizeof(struct name_constraints_node_st));
++ struct name_constraints_node_st *tmp;
++ int ret;
++
++ tmp = gnutls_calloc(1, sizeof(struct name_constraints_node_st));
+ if (tmp == NULL)
+ return NULL;
+ tmp->type = type;
+- tmp->next = NULL;
+- tmp->name.size = size;
+- tmp->name.data = NULL;
+- if (tmp->name.size > 0) {
+- tmp->name.data = gnutls_malloc(tmp->name.size);
+- if (tmp->name.data == NULL) {
++
++ if (data) {
++ ret = _gnutls_set_strdatum(&tmp->name, data, size);
++ if (ret < 0) {
++ gnutls_assert();
+ gnutls_free(tmp);
+ return NULL;
+ }
+- if (data != NULL) {
+- memcpy(tmp->name.data, data, size);
+- } else {
+- memset(tmp->name.data, 0, size);
+- }
+ }
++
++ ret = name_constraints_node_list_add(&nc->nodes, tmp);
++ if (ret < 0) {
++ gnutls_assert();
++ name_constraints_node_free(tmp);
++ return NULL;
++ }
++
+ return tmp;
+ }
+
+ /*-
+- * @brief _gnutls_name_constraints_intersect:
+- * @_nc: first name constraints list (permitted)
+- * @_nc2: name constraints list to merge with (permitted)
+- * @_nc_excluded: Corresponding excluded name constraints list
++ * @brief name_constraints_node_list_intersect:
++ * @nc: %gnutls_x509_name_constraints_t
++ * @permitted: first name constraints list (permitted)
++ * @permitted2: name constraints list to merge with (permitted)
++ * @excluded: Corresponding excluded name constraints list
+ *
+- * This function finds the intersection of @_nc and @_nc2. The result is placed in @_nc,
+- * the original @_nc is deallocated. @_nc2 is not changed. If necessary, a universal
++ * This function finds the intersection of @permitted and @permitted2. The result is placed in @permitted,
++ * the original @permitted is modified. @permitted2 is not changed. If necessary, a universal
+ * excluded name constraint node of the right type is added to the list provided
+- * in @_nc_excluded.
++ * in @excluded.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
+ -*/
+-static int
+-_gnutls_name_constraints_intersect(name_constraints_node_st **_nc,
+- name_constraints_node_st *_nc2,
+- name_constraints_node_st **_nc_excluded)
++static int name_constraints_node_list_intersect(
++ gnutls_x509_name_constraints_t nc,
++ struct name_constraints_node_list_st *permitted,
++ const struct name_constraints_node_list_st *permitted2,
++ struct name_constraints_node_list_st *excluded)
+ {
+- name_constraints_node_st *nc, *nc2, *t, *tmp, *dest = NULL,
+- *prev = NULL;
++ struct name_constraints_node_st *tmp;
+ int ret, type, used;
++ struct name_constraints_node_list_st removed = { .data = NULL,
++ .size = 0,
++ .capacity = 0 };
+
+ /* temporary array to see, if we need to add universal excluded constraints
+ * (see phase 3 for details)
+@@ -291,61 +347,73 @@ _gnutls_name_constraints_intersect(name_constraints_node_st **_nc,
+ memset(types_with_empty_intersection, 0,
+ sizeof(types_with_empty_intersection));
+
+- if (*_nc == NULL || _nc2 == NULL)
++ if (permitted->size == 0 || permitted2->size == 0)
+ return 0;
+
+ /* Phase 1
+- * For each name in _NC, if a _NC2 does not contain a name
+- * with the same type, preserve the original name.
+- * Do this also for node of unknown type (not DNS, email, IP */
+- t = nc = *_nc;
+- while (t != NULL) {
+- name_constraints_node_st *next = t->next;
+- nc2 = _nc2;
+- while (nc2 != NULL) {
+- if (t->type == nc2->type) {
++ * For each name in PERMITTED, if a PERMITTED2 does not contain a name
++ * with the same type, move the original name to REMOVED.
++ * Do this also for node of unknown type (not DNS, email, IP) */
++ for (size_t i = 0; i < permitted->size;) {
++ struct name_constraints_node_st *t = permitted->data[i];
++ const struct name_constraints_node_st *found = NULL;
++
++ for (size_t j = 0; j < permitted2->size; j++) {
++ const struct name_constraints_node_st *t2 =
++ permitted2->data[j];
++ if (t->type == t2->type) {
+ // check bounds (we will use 't->type' as index)
+- if (t->type > GNUTLS_SAN_MAX || t->type == 0)
+- return gnutls_assert_val(
+- GNUTLS_E_INTERNAL_ERROR);
++ if (t->type > GNUTLS_SAN_MAX || t->type == 0) {
++ gnutls_assert();
++ ret = GNUTLS_E_INTERNAL_ERROR;
++ goto cleanup;
++ }
+ // note the possibility of empty intersection for this type
+ // if we add something to the intersection in phase 2,
+ // we will reset this flag back to 0 then
+ types_with_empty_intersection[t->type - 1] = 1;
++ found = t2;
+ break;
+ }
+- nc2 = nc2->next;
+ }
+- if (nc2 == NULL || (t->type != GNUTLS_SAN_DNSNAME &&
+- t->type != GNUTLS_SAN_RFC822NAME &&
+- t->type != GNUTLS_SAN_IPADDRESS)) {
+- /* move node from NC to DEST */
+- if (prev != NULL)
+- prev->next = next;
+- else
+- prev = nc = next;
+- t->next = dest;
+- dest = t;
+- } else {
+- prev = t;
++
++ if (found != NULL && (t->type == GNUTLS_SAN_DNSNAME ||
++ t->type == GNUTLS_SAN_RFC822NAME ||
++ t->type == GNUTLS_SAN_IPADDRESS)) {
++ /* move node from PERMITTED to REMOVED */
++ ret = name_constraints_node_list_add(&removed, t);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
++ }
++ /* remove node by swapping */
++ if (i < permitted->size - 1)
++ permitted->data[i] =
++ permitted->data[permitted->size - 1];
++ permitted->size--;
++ continue;
+ }
+- t = next;
++ i++;
+ }
+
+ /* Phase 2
+- * iterate through all combinations from nc2 and nc1
++ * iterate through all combinations from PERMITTED2 and PERMITTED
+ * and create intersections of nodes with same type */
+- nc2 = _nc2;
+- while (nc2 != NULL) {
+- // current nc2 node has not yet been used for any intersection
+- // (and is not in DEST either)
++ for (size_t i = 0; i < permitted2->size; i++) {
++ const struct name_constraints_node_st *t2 = permitted2->data[i];
++
++ // current PERMITTED2 node has not yet been used for any intersection
++ // (and is not in REMOVED either)
+ used = 0;
+- t = nc;
+- while (t != NULL) {
++ for (size_t j = 0; j < removed.size; j++) {
++ const struct name_constraints_node_st *t =
++ removed.data[j];
+ // save intersection of name constraints into tmp
+- ret = name_constraints_intersect_nodes(t, nc2, &tmp);
+- if (ret < 0)
+- return gnutls_assert_val(ret);
++ ret = name_constraints_intersect_nodes(nc, t, t2, &tmp);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
++ }
+ used = 1;
+ // if intersection is not empty
+ if (tmp !=
+@@ -360,32 +428,34 @@ _gnutls_name_constraints_intersect(name_constraints_node_st **_nc,
+ // we will not add universal excluded constraint for this type
+ types_with_empty_intersection[tmp->type - 1] =
+ 0;
+- // add intersection node to DEST
+- tmp->next = dest;
+- dest = tmp;
++ // add intersection node to PERMITTED
++ ret = name_constraints_node_list_add(permitted,
++ tmp);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
++ }
+ }
+- t = t->next;
+ }
+- // if the node from nc2 was not used for intersection, copy it to DEST
++ // if the node from PERMITTED2 was not used for intersection, copy it to DEST
+ // Beware: also copies nodes other than DNS, email, IP,
+ // since their counterpart may have been moved in phase 1.
+ if (!used) {
+ tmp = name_constraints_node_new(
+- nc2->type, nc2->name.data, nc2->name.size);
++ nc, t2->type, t2->name.data, t2->name.size);
+ if (tmp == NULL) {
+- _gnutls_name_constraints_node_free(dest);
+- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++ gnutls_assert();
++ ret = GNUTLS_E_MEMORY_ERROR;
++ goto cleanup;
++ }
++ ret = name_constraints_node_list_add(permitted, tmp);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
+ }
+- tmp->next = dest;
+- dest = tmp;
+ }
+- nc2 = nc2->next;
+ }
+
+- /* replace the original with the new */
+- _gnutls_name_constraints_node_free(nc);
+- *_nc = dest;
+-
+ /* Phase 3
+ * For each type: If we have empty permitted name constraints now
+ * and we didn't have at the beginning, we have to add a new
+@@ -400,63 +470,77 @@ _gnutls_name_constraints_intersect(name_constraints_node_st **_nc,
+ switch (type) {
+ case GNUTLS_SAN_IPADDRESS:
+ // add universal restricted range for IPv4
+- tmp = name_constraints_node_new(GNUTLS_SAN_IPADDRESS,
+- NULL, 8);
++ tmp = name_constraints_node_new(
++ nc, GNUTLS_SAN_IPADDRESS, NULL, 8);
+ if (tmp == NULL) {
+- _gnutls_name_constraints_node_free(dest);
+- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++ gnutls_assert();
++ ret = GNUTLS_E_MEMORY_ERROR;
++ goto cleanup;
++ }
++ ret = name_constraints_node_list_add(excluded, tmp);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
+ }
+- tmp->next = *_nc_excluded;
+- *_nc_excluded = tmp;
+ // add universal restricted range for IPv6
+- tmp = name_constraints_node_new(GNUTLS_SAN_IPADDRESS,
+- NULL, 32);
++ tmp = name_constraints_node_new(
++ nc, GNUTLS_SAN_IPADDRESS, NULL, 32);
+ if (tmp == NULL) {
+- _gnutls_name_constraints_node_free(dest);
+- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++ gnutls_assert();
++ ret = GNUTLS_E_MEMORY_ERROR;
++ goto cleanup;
++ }
++ ret = name_constraints_node_list_add(excluded, tmp);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
+ }
+- tmp->next = *_nc_excluded;
+- *_nc_excluded = tmp;
+ break;
+ case GNUTLS_SAN_DNSNAME:
+ case GNUTLS_SAN_RFC822NAME:
+- tmp = name_constraints_node_new(type, NULL, 0);
++ tmp = name_constraints_node_new(nc, type, NULL, 0);
+ if (tmp == NULL) {
+- _gnutls_name_constraints_node_free(dest);
+- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++ gnutls_assert();
++ ret = GNUTLS_E_MEMORY_ERROR;
++ goto cleanup;
++ }
++ ret = name_constraints_node_list_add(excluded, tmp);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
+ }
+- tmp->next = *_nc_excluded;
+- *_nc_excluded = tmp;
+ break;
+ default: // do nothing, at least one node was already moved in phase 1
+ break;
+ }
+ }
+- return GNUTLS_E_SUCCESS;
++ ret = GNUTLS_E_SUCCESS;
++
++cleanup:
++ gnutls_free(removed.data);
++ return ret;
+ }
+
+-static int _gnutls_name_constraints_append(name_constraints_node_st **_nc,
+- name_constraints_node_st *_nc2)
++static int name_constraints_node_list_concat(
++ gnutls_x509_name_constraints_t nc,
++ struct name_constraints_node_list_st *nodes,
++ const struct name_constraints_node_list_st *nodes2)
+ {
+- name_constraints_node_st *nc, *nc2;
+- struct name_constraints_node_st *tmp;
+-
+- if (_nc2 == NULL)
+- return 0;
+-
+- nc2 = _nc2;
+- while (nc2) {
+- nc = *_nc;
+-
+- tmp = name_constraints_node_new(nc2->type, nc2->name.data,
+- nc2->name.size);
+- if (tmp == NULL)
++ for (size_t i = 0; i < nodes2->size; i++) {
++ const struct name_constraints_node_st *node = nodes2->data[i];
++ struct name_constraints_node_st *tmp;
++ int ret;
++
++ tmp = name_constraints_node_new(nc, node->type, node->name.data,
++ node->name.size);
++ if (tmp == NULL) {
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+-
+- tmp->next = nc;
+- *_nc = tmp;
+-
+- nc2 = nc2->next;
++ }
++ ret = name_constraints_node_list_add(nodes, tmp);
++ if (ret < 0) {
++ name_constraints_node_free(tmp);
++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++ }
+ }
+
+ return 0;
+@@ -524,6 +608,25 @@ cleanup:
+ return ret;
+ }
+
++void _gnutls_x509_name_constraints_clear(gnutls_x509_name_constraints_t nc)
++{
++ for (size_t i = 0; i < nc->nodes.size; i++) {
++ struct name_constraints_node_st *node = nc->nodes.data[i];
++ name_constraints_node_free(node);
++ }
++ gnutls_free(nc->nodes.data);
++ nc->nodes.capacity = 0;
++ nc->nodes.size = 0;
++
++ gnutls_free(nc->permitted.data);
++ nc->permitted.capacity = 0;
++ nc->permitted.size = 0;
++
++ gnutls_free(nc->excluded.data);
++ nc->excluded.capacity = 0;
++ nc->excluded.size = 0;
++}
++
+ /**
+ * gnutls_x509_name_constraints_deinit:
+ * @nc: The nameconstraints
+@@ -534,9 +637,7 @@ cleanup:
+ **/
+ void gnutls_x509_name_constraints_deinit(gnutls_x509_name_constraints_t nc)
+ {
+- _gnutls_name_constraints_node_free(nc->permitted);
+- _gnutls_name_constraints_node_free(nc->excluded);
+-
++ _gnutls_x509_name_constraints_clear(nc);
+ gnutls_free(nc);
+ }
+
+@@ -552,12 +653,15 @@ void gnutls_x509_name_constraints_deinit(gnutls_x509_name_constraints_t nc)
+ **/
+ int gnutls_x509_name_constraints_init(gnutls_x509_name_constraints_t *nc)
+ {
+- *nc = gnutls_calloc(1, sizeof(struct gnutls_name_constraints_st));
+- if (*nc == NULL) {
++ struct gnutls_name_constraints_st *tmp;
++
++ tmp = gnutls_calloc(1, sizeof(struct gnutls_name_constraints_st));
++ if (tmp == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
++ *nc = tmp;
+ return 0;
+ }
+
+@@ -565,36 +669,25 @@ static int name_constraints_add(gnutls_x509_name_constraints_t nc,
+ gnutls_x509_subject_alt_name_t type,
+ const gnutls_datum_t *name, unsigned permitted)
+ {
+- struct name_constraints_node_st *tmp, *prev = NULL;
++ struct name_constraints_node_st *tmp;
++ struct name_constraints_node_list_st *nodes;
+ int ret;
+
+ ret = validate_name_constraints_node(type, name);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+- if (permitted != 0)
+- prev = tmp = nc->permitted;
+- else
+- prev = tmp = nc->excluded;
++ nodes = permitted ? &nc->permitted : &nc->excluded;
+
+- while (tmp != NULL) {
+- tmp = tmp->next;
+- if (tmp != NULL)
+- prev = tmp;
+- }
+-
+- tmp = name_constraints_node_new(type, name->data, name->size);
++ tmp = name_constraints_node_new(nc, type, name->data, name->size);
+ if (tmp == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+- tmp->next = NULL;
+
+- if (prev == NULL) {
+- if (permitted != 0)
+- nc->permitted = tmp;
+- else
+- nc->excluded = tmp;
+- } else
+- prev->next = tmp;
++ ret = name_constraints_node_list_add(nodes, tmp);
++ if (ret < 0) {
++ name_constraints_node_free(tmp);
++ return gnutls_assert_val(ret);
++ }
+
+ return 0;
+ }
+@@ -620,14 +713,15 @@ int _gnutls_x509_name_constraints_merge(gnutls_x509_name_constraints_t nc,
+ {
+ int ret;
+
+- ret = _gnutls_name_constraints_intersect(&nc->permitted, nc2->permitted,
+- &nc->excluded);
++ ret = name_constraints_node_list_intersect(
++ nc, &nc->permitted, &nc2->permitted, &nc->excluded);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+- ret = _gnutls_name_constraints_append(&nc->excluded, nc2->excluded);
++ ret = name_constraints_node_list_concat(nc, &nc->excluded,
++ &nc2->excluded);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+@@ -804,50 +898,51 @@ static unsigned email_matches(const gnutls_datum_t *name,
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
+ -*/
+-static int
+-name_constraints_intersect_nodes(name_constraints_node_st *nc1,
+- name_constraints_node_st *nc2,
+- name_constraints_node_st **_intersection)
++static int name_constraints_intersect_nodes(
++ gnutls_x509_name_constraints_t nc,
++ const struct name_constraints_node_st *node1,
++ const struct name_constraints_node_st *node2,
++ struct name_constraints_node_st **_intersection)
+ {
+ // presume empty intersection
+- name_constraints_node_st *intersection = NULL;
+- name_constraints_node_st *to_copy = NULL;
++ struct name_constraints_node_st *intersection = NULL;
++ const struct name_constraints_node_st *to_copy = NULL;
+ unsigned iplength = 0;
+ unsigned byte;
+
+ *_intersection = NULL;
+
+- if (nc1->type != nc2->type) {
++ if (node1->type != node2->type) {
+ return GNUTLS_E_SUCCESS;
+ }
+- switch (nc1->type) {
++ switch (node1->type) {
+ case GNUTLS_SAN_DNSNAME:
+- if (!dnsname_matches(&nc2->name, &nc1->name))
++ if (!dnsname_matches(&node2->name, &node1->name))
+ return GNUTLS_E_SUCCESS;
+- to_copy = nc2;
++ to_copy = node2;
+ break;
+ case GNUTLS_SAN_RFC822NAME:
+- if (!email_matches(&nc2->name, &nc1->name))
++ if (!email_matches(&node2->name, &node1->name))
+ return GNUTLS_E_SUCCESS;
+- to_copy = nc2;
++ to_copy = node2;
+ break;
+ case GNUTLS_SAN_IPADDRESS:
+- if (nc1->name.size != nc2->name.size)
++ if (node1->name.size != node2->name.size)
+ return GNUTLS_E_SUCCESS;
+- iplength = nc1->name.size / 2;
++ iplength = node1->name.size / 2;
+ for (byte = 0; byte < iplength; byte++) {
+- if (((nc1->name.data[byte] ^
+- nc2->name.data[byte]) // XOR of addresses
+- &
+- nc1->name.data[byte + iplength] // AND mask from nc1
+- &
+- nc2->name.data[byte + iplength]) // AND mask from nc2
++ if (((node1->name.data[byte] ^
++ node2->name.data[byte]) // XOR of addresses
++ & node1->name.data[byte +
++ iplength] // AND mask from nc1
++ & node2->name.data[byte +
++ iplength]) // AND mask from nc2
+ != 0) {
+ // CIDRS do not intersect
+ return GNUTLS_E_SUCCESS;
+ }
+ }
+- to_copy = nc2;
++ to_copy = node2;
+ break;
+ default:
+ // for other types, we don't know how to do the intersection, assume empty
+@@ -856,8 +951,9 @@ name_constraints_intersect_nodes(name_constraints_node_st *nc1,
+
+ // copy existing node if applicable
+ if (to_copy != NULL) {
+- *_intersection = name_constraints_node_new(
+- to_copy->type, to_copy->name.data, to_copy->name.size);
++ *_intersection = name_constraints_node_new(nc, to_copy->type,
++ to_copy->name.data,
++ to_copy->name.size);
+ if (*_intersection == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ intersection = *_intersection;
+@@ -869,12 +965,12 @@ name_constraints_intersect_nodes(name_constraints_node_st *nc1,
+ _gnutls_mask_ip(intersection->name.data,
+ intersection->name.data + iplength,
+ iplength);
+- _gnutls_mask_ip(nc1->name.data,
+- nc1->name.data + iplength, iplength);
++ _gnutls_mask_ip(node1->name.data,
++ node1->name.data + iplength, iplength);
+ // update intersection, if necessary (we already know one is subset of other)
+ for (byte = 0; byte < 2 * iplength; byte++) {
+ intersection->name.data[byte] |=
+- nc1->name.data[byte];
++ node1->name.data[byte];
+ }
+ }
+ }
+@@ -1177,10 +1273,17 @@ gnutls_x509_name_constraints_check_crt(gnutls_x509_name_constraints_t nc,
+ unsigned idx, t, san_type;
+ gnutls_datum_t n;
+ unsigned found_one;
++ size_t checks;
+
+- if (is_nc_empty(nc, type) != 0)
++ if (_gnutls_x509_name_constraints_is_empty(nc, type) != 0)
+ return 1; /* shortcut; no constraints to check */
+
++ if (!INT_ADD_OK(nc->permitted.size, nc->excluded.size, &checks) ||
++ !INT_MULTIPLY_OK(checks, cert->san->size, &checks) ||
++ checks > MAX_NC_CHECKS) {
++ return gnutls_assert_val(0);
++ }
++
+ if (type == GNUTLS_SAN_RFC822NAME) {
+ found_one = 0;
+ for (idx = 0;; idx++) {
+@@ -1378,20 +1481,13 @@ int gnutls_x509_name_constraints_get_permitted(gnutls_x509_name_constraints_t nc
+ unsigned idx, unsigned *type,
+ gnutls_datum_t *name)
+ {
+- unsigned int i;
+- struct name_constraints_node_st *tmp = nc->permitted;
++ const struct name_constraints_node_st *tmp;
+
+- for (i = 0; i < idx; i++) {
+- if (tmp == NULL)
+- return gnutls_assert_val(
+- GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+-
+- tmp = tmp->next;
+- }
+-
+- if (tmp == NULL)
++ if (idx >= nc->permitted.size)
+ return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+
++ tmp = nc->permitted.data[idx];
++
+ *type = tmp->type;
+ *name = tmp->name;
+
+@@ -1421,20 +1517,13 @@ int gnutls_x509_name_constraints_get_excluded(gnutls_x509_name_constraints_t nc,
+ unsigned idx, unsigned *type,
+ gnutls_datum_t *name)
+ {
+- unsigned int i;
+- struct name_constraints_node_st *tmp = nc->excluded;
++ const struct name_constraints_node_st *tmp;
+
+- for (i = 0; i < idx; i++) {
+- if (tmp == NULL)
+- return gnutls_assert_val(
+- GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+-
+- tmp = tmp->next;
+- }
+-
+- if (tmp == NULL)
++ if (idx >= nc->excluded.size)
+ return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+
++ tmp = nc->excluded.data[idx];
++
+ *type = tmp->type;
+ *name = tmp->name;
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index ad3af1430..064ca8357 100644
+--- a/lib/x509/x509_ext.c
++++ b/lib/x509/x509_ext.c
+@@ -34,10 +34,6 @@
+ #include "intprops.h"
+
+ #define MAX_ENTRIES 64
+-struct gnutls_subject_alt_names_st {
+- struct name_st *names;
+- unsigned int size;
+-};
+
+ /**
+ * gnutls_subject_alt_names_init:
+@@ -389,22 +385,15 @@ int gnutls_x509_ext_import_name_constraints(const gnutls_datum_t *ext,
+ }
+
+ if (flags & GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND &&
+- (nc->permitted != NULL || nc->excluded != NULL)) {
++ !_gnutls_x509_name_constraints_is_empty(nc, 0)) {
+ ret = gnutls_x509_name_constraints_init(&nc2);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+- ret = _gnutls_extract_name_constraints(c2, "permittedSubtrees",
+- &nc2->permitted);
+- if (ret < 0) {
+- gnutls_assert();
+- goto cleanup;
+- }
+-
+- ret = _gnutls_extract_name_constraints(c2, "excludedSubtrees",
+- &nc2->excluded);
++ ret = _gnutls_x509_name_constraints_extract(
++ c2, "permittedSubtrees", "excludedSubtrees", nc2);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+@@ -416,18 +405,10 @@ int gnutls_x509_ext_import_name_constraints(const gnutls_datum_t *ext,
+ goto cleanup;
+ }
+ } else {
+- _gnutls_name_constraints_node_free(nc->permitted);
+- _gnutls_name_constraints_node_free(nc->excluded);
++ _gnutls_x509_name_constraints_clear(nc);
+
+- ret = _gnutls_extract_name_constraints(c2, "permittedSubtrees",
+- &nc->permitted);
+- if (ret < 0) {
+- gnutls_assert();
+- goto cleanup;
+- }
+-
+- ret = _gnutls_extract_name_constraints(c2, "excludedSubtrees",
+- &nc->excluded);
++ ret = _gnutls_x509_name_constraints_extract(
++ c2, "permittedSubtrees", "excludedSubtrees", nc);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+@@ -463,9 +444,10 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc,
+ int ret, result;
+ uint8_t null = 0;
+ asn1_node c2 = NULL;
+- struct name_constraints_node_st *tmp;
++ unsigned rtype;
++ gnutls_datum_t rname;
+
+- if (nc->permitted == NULL && nc->excluded == NULL)
++ if (_gnutls_x509_name_constraints_is_empty(nc, 0))
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+ result = asn1_create_element(_gnutls_get_pkix(),
+@@ -475,11 +457,20 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc,
+ return _gnutls_asn2err(result);
+ }
+
+- if (nc->permitted == NULL) {
++ ret = gnutls_x509_name_constraints_get_permitted(nc, 0, &rtype, &rname);
++ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ (void)asn1_write_value(c2, "permittedSubtrees", NULL, 0);
+ } else {
+- tmp = nc->permitted;
+- do {
++ for (unsigned i = 0;; i++) {
++ ret = gnutls_x509_name_constraints_get_permitted(
++ nc, i, &rtype, &rname);
++ if (ret < 0) {
++ if (ret ==
++ GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++ break;
++ gnutls_assert();
++ goto cleanup;
++ }
+ result = asn1_write_value(c2, "permittedSubtrees",
+ "NEW", 1);
+ if (result != ASN1_SUCCESS) {
+@@ -506,21 +497,29 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc,
+ }
+
+ ret = _gnutls_write_general_name(
+- c2, "permittedSubtrees.?LAST.base", tmp->type,
+- tmp->name.data, tmp->name.size);
++ c2, "permittedSubtrees.?LAST.base", rtype,
++ rname.data, rname.size);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+- tmp = tmp->next;
+- } while (tmp != NULL);
++ }
+ }
+
+- if (nc->excluded == NULL) {
++ ret = gnutls_x509_name_constraints_get_excluded(nc, 0, &rtype, &rname);
++ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ (void)asn1_write_value(c2, "excludedSubtrees", NULL, 0);
+ } else {
+- tmp = nc->excluded;
+- do {
++ for (unsigned i = 0;; i++) {
++ ret = gnutls_x509_name_constraints_get_excluded(
++ nc, i, &rtype, &rname);
++ if (ret < 0) {
++ if (ret ==
++ GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++ break;
++ gnutls_assert();
++ goto cleanup;
++ }
+ result = asn1_write_value(c2, "excludedSubtrees", "NEW",
+ 1);
+ if (result != ASN1_SUCCESS) {
+@@ -546,14 +545,13 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc,
+ }
+
+ ret = _gnutls_write_general_name(
+- c2, "excludedSubtrees.?LAST.base", tmp->type,
+- tmp->name.data, tmp->name.size);
++ c2, "excludedSubtrees.?LAST.base", rtype,
++ rname.data, rname.size);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+- tmp = tmp->next;
+- } while (tmp != NULL);
++ }
+ }
+
+ ret = _gnutls_x509_der_encode(c2, "", ext, 0);
+diff --git a/lib/x509/x509_ext_int.h b/lib/x509/x509_ext_int.h
+index 558d61956..b37d74997 100644
+--- a/lib/x509/x509_ext_int.h
++++ b/lib/x509/x509_ext_int.h
+@@ -29,6 +29,11 @@ struct name_st {
+ gnutls_datum_t othername_oid;
+ };
+
++struct gnutls_subject_alt_names_st {
++ struct name_st *names;
++ unsigned int size;
++};
++
+ int _gnutls_alt_name_process(gnutls_datum_t *out, unsigned type,
+ const gnutls_datum_t *san, unsigned raw);
+
+diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
+index 4ec55bd75..211743ced 100644
+--- a/lib/x509/x509_int.h
++++ b/lib/x509/x509_int.h
+@@ -485,20 +485,13 @@ int _gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert,
+ int crl_list_length,
+ gnutls_verify_output_function func);
+
+-typedef struct gnutls_name_constraints_st {
+- struct name_constraints_node_st *permitted;
+- struct name_constraints_node_st *excluded;
+-} gnutls_name_constraints_st;
+-
+-typedef struct name_constraints_node_st {
+- unsigned type;
+- gnutls_datum_t name;
+- struct name_constraints_node_st *next;
+-} name_constraints_node_st;
+-
+-int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr,
+- name_constraints_node_st **_nc);
+-void _gnutls_name_constraints_node_free(name_constraints_node_st *node);
++bool _gnutls_x509_name_constraints_is_empty(gnutls_x509_name_constraints_t nc,
++ unsigned type);
++int _gnutls_x509_name_constraints_extract(asn1_node c2,
++ const char *permitted_name,
++ const char *excluded_name,
++ gnutls_x509_name_constraints_t nc);
++void _gnutls_x509_name_constraints_clear(gnutls_x509_name_constraints_t nc);
+ int _gnutls_x509_name_constraints_merge(gnutls_x509_name_constraints_t nc,
+ gnutls_x509_name_constraints_t nc2);
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index 20139b4dd4..e77960724b 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch \
file://run-ptest \
file://Add-ptest-support.patch \
+ file://CVE-2024-12243.patch \
"
SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
--
2.43.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [OE-core][scarthgap 3/7] openssl: upgrade 3.2.3 -> 3.2.4
2025-02-18 21:15 [OE-core][scarthgap 0/7] Patch review Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 1/7] subversion: ignore CVE-2024-45720 Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 2/7] gnutls: patch CVE-2024-12243 Steve Sakoman
@ 2025-02-18 21:15 ` Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 4/7] vim: Upgrade 9.1.0764 -> 9.1.1043 Steve Sakoman
` (3 subsequent siblings)
6 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2025-02-18 21:15 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Release information:
https://github.com/openssl/openssl/blob/openssl-3.2/NEWS.md#major-changes-between-openssl-323-and-openssl-324-11-feb-2025
Handles CVE-2024-12797 in addition to already patched CVEs.
Refresh patches and remove CVE patches included in the new version.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...ke-history-reporting-when-test-fails.patch | 40 ++--
...1-Configure-do-not-tweak-mips-cflags.patch | 2 +-
...sysroot-and-debug-prefix-map-from-co.patch | 4 +-
.../openssl/openssl/CVE-2024-13176.patch | 126 -----------
.../openssl/openssl/CVE-2024-9143.patch | 202 ------------------
.../{openssl_3.2.3.bb => openssl_3.2.4.bb} | 4 +-
6 files changed, 24 insertions(+), 354 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
delete mode 100755 meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
rename meta/recipes-connectivity/openssl/{openssl_3.2.3.bb => openssl_3.2.4.bb} (98%)
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
index 9baa0c2d75..b05d7abf7c 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
@@ -8,10 +8,10 @@ Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
Signed-off-by: William Lyu <William.Lyu@windriver.com>
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
- test/helpers/handshake.c | 139 +++++++++++++++++++++++++++++----------
+ test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++----------
test/helpers/handshake.h | 70 +++++++++++++++++++-
test/ssl_test.c | 44 +++++++++++++
- 3 files changed, 218 insertions(+), 35 deletions(-)
+ 3 files changed, 217 insertions(+), 34 deletions(-)
diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
index e0422469e4..ae2ad59dd4 100644
@@ -20,7 +20,7 @@ index e0422469e4..ae2ad59dd4 100644
@@ -24,6 +24,102 @@
#include <netinet/sctp.h>
#endif
-
+
+/* Shamelessly copied from test/helpers/ssl_test_ctx.c */
+/* Maps string names to various enumeration type */
+typedef struct {
@@ -120,10 +120,10 @@ index e0422469e4..ae2ad59dd4 100644
HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
{
HANDSHAKE_RESULT *ret;
-@@ -719,15 +815,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
+@@ -725,15 +821,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
SSL_set_post_handshake_auth(client, 1);
}
-
+
-/* The status for each connection phase. */
-typedef enum {
- PEER_SUCCESS,
@@ -136,10 +136,10 @@ index e0422469e4..ae2ad59dd4 100644
/* An SSL object and associated read-write buffers. */
typedef struct peer_st {
SSL *ssl;
-@@ -1074,17 +1161,6 @@ static void do_shutdown_step(PEER *peer)
+@@ -1080,17 +1167,6 @@ static void do_shutdown_step(PEER *peer)
}
}
-
+
-typedef enum {
- HANDSHAKE,
- RENEG_APPLICATION_DATA,
@@ -154,10 +154,10 @@ index e0422469e4..ae2ad59dd4 100644
static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
{
switch (test_ctx->handshake_mode) {
-@@ -1162,19 +1238,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
+@@ -1168,19 +1244,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
}
}
-
+
-typedef enum {
- /* Both parties succeeded. */
- HANDSHAKE_SUCCESS,
@@ -174,10 +174,10 @@ index e0422469e4..ae2ad59dd4 100644
/*
* Determine the handshake outcome.
* last_status: the status of the peer to have acted last.
-@@ -1539,6 +1602,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
-
+@@ -1545,6 +1608,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+
start = time(NULL);
-
+
+ save_loop_history(&(ret->history),
+ phase, status, server.status, client.status,
+ client_turn_count, client_turn);
@@ -185,10 +185,10 @@ index e0422469e4..ae2ad59dd4 100644
/*
* Half-duplex handshake loop.
* Client and server speak to each other synchronously in the same process.
-@@ -1560,6 +1627,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+@@ -1566,6 +1633,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
0 /* server went last */);
}
-
+
+ save_loop_history(&(ret->history),
+ phase, status, server.status, client.status,
+ client_turn_count, client_turn);
@@ -208,9 +208,9 @@ index 78b03f9f4b..b9967c2623 100644
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -12,6 +12,11 @@
-
+
#include "ssl_test_ctx.h"
-
+
+#define MAX_HANDSHAKE_HISTORY_ENTRY_BIT 4
+#define MAX_HANDSHAKE_HISTORY_ENTRY (1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT)
+#define MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK \
@@ -222,7 +222,7 @@ index 78b03f9f4b..b9967c2623 100644
@@ -22,6 +27,63 @@ typedef struct ctx_data_st {
char *session_ticket_app_data;
} CTX_DATA;
-
+
+typedef enum {
+ HANDSHAKE,
+ RENEG_APPLICATION_DATA,
@@ -290,12 +290,12 @@ index 78b03f9f4b..b9967c2623 100644
+ /* handshake loop history */
+ HANDSHAKE_HISTORY history;
} HANDSHAKE_RESULT;
-
+
HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
@@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
CTX_DATA *server2_ctx_data,
CTX_DATA *client_ctx_data);
-
+
+const char *handshake_connect_phase_name(connect_phase_t phase);
+const char *handshake_status_name(handshake_status_t handshake_status);
+const char *handshake_peer_status_name(peer_status_t peer_status);
@@ -308,7 +308,7 @@ index ea608518f9..9d6b093c81 100644
@@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL;
/* Currently the section names are of the form test-<number>, e.g. test-15. */
#define MAX_TESTCASE_NAME_LENGTH 100
-
+
+static void print_handshake_history(const HANDSHAKE_HISTORY *history)
+{
+ size_t first_idx;
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
index 502a7aaf32..3f6ab97795 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -20,7 +20,7 @@ diff --git a/Configure b/Configure
index 4569952..adf019b 100755
--- a/Configure
+++ b/Configure
-@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+@@ -1485,16 +1485,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
push @{$config{shared_ldflag}}, "-mno-cygwin";
}
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
index bafdbaa46f..ce2acb2462 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -38,7 +38,7 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
===================================================================
--- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl
+++ openssl-3.0.4/Configurations/unix-Makefile.tmpl
-@@ -472,13 +472,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lfl
+@@ -481,13 +481,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
'$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
@@ -67,7 +67,7 @@ Index: openssl-3.0.4/crypto/build.info
===================================================================
--- openssl-3.0.4.orig/crypto/build.info
+++ openssl-3.0.4/crypto/build.info
-@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
+@@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
DEPEND[info.o]=buildinf.h
DEPEND[cversion.o]=buildinf.h
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
deleted file mode 100644
index 28d4dd706a..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 4b1cb94a734a7d4ec363ac0a215a25c181e11f65 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Wed, 15 Jan 2025 18:27:02 +0100
-Subject: [PATCH] Fix timing side-channel in ECDSA signature computation
-
-There is a timing signal of around 300 nanoseconds when the top word of
-the inverted ECDSA nonce value is zero. This can happen with significant
-probability only for some of the supported elliptic curves. In particular
-the NIST P-521 curve is affected. To be able to measure this leak, the
-attacker process must either be located in the same physical computer or
-must have a very fast network connection with low latency.
-
-Attacks on ECDSA nonce are also known as Minerva attack.
-
-Fixes CVE-2024-13176
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-(Merged from https://github.com/openssl/openssl/pull/26429)
-
-(cherry picked from commit 63c40a66c5dc287485705d06122d3a6e74a6a203)
-(cherry picked from commit 392dcb336405a0c94486aa6655057f59fd3a0902)
-
-CVE: CVE-2024-13176
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- crypto/bn/bn_exp.c | 21 +++++++++++++++------
- crypto/ec/ec_lib.c | 7 ++++---
- include/crypto/bn.h | 3 +++
- 3 files changed, 22 insertions(+), 9 deletions(-)
-
-diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
-index b876edbfac36e..af52e2ced6914 100644
---- a/crypto/bn/bn_exp.c
-+++ b/crypto/bn/bn_exp.c
-@@ -606,7 +606,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
- * out by Colin Percival,
- * http://www.daemonology.net/hyperthreading-considered-harmful/)
- */
--int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx,
- BN_MONT_CTX *in_mont)
- {
-@@ -623,10 +623,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
- unsigned int t4 = 0;
- #endif
-
-- bn_check_top(a);
-- bn_check_top(p);
-- bn_check_top(m);
--
- if (!BN_is_odd(m)) {
- ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS);
- return 0;
-@@ -1146,7 +1142,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
- goto err;
- } else
- #endif
-- if (!BN_from_montgomery(rr, &tmp, mont, ctx))
-+ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
- goto err;
- ret = 1;
- err:
-@@ -1160,6 +1156,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
- return ret;
- }
-
-+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-+ const BIGNUM *m, BN_CTX *ctx,
-+ BN_MONT_CTX *in_mont)
-+{
-+ bn_check_top(a);
-+ bn_check_top(p);
-+ bn_check_top(m);
-+ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
-+ return 0;
-+ bn_correct_top(rr);
-+ return 1;
-+}
-+
- int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
- {
-diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
-index c92b4dcb0ac45..a79fbb98cf6fa 100644
---- a/crypto/ec/ec_lib.c
-+++ b/crypto/ec/ec_lib.c
-@@ -21,6 +21,7 @@
- #include <openssl/opensslv.h>
- #include <openssl/param_build.h>
- #include "crypto/ec.h"
-+#include "crypto/bn.h"
- #include "internal/nelem.h"
- #include "ec_local.h"
-
-@@ -1261,10 +1262,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
- if (!BN_sub(e, group->order, e))
- goto err;
- /*-
-- * Exponent e is public.
-- * No need for scatter-gather or BN_FLG_CONSTTIME.
-+ * Although the exponent is public we want the result to be
-+ * fixed top.
- */
-- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
-+ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
- goto err;
-
- ret = 1;
-diff --git a/include/crypto/bn.h b/include/crypto/bn.h
-index 302f031c2ff1d..499e1d10efab0 100644
---- a/include/crypto/bn.h
-+++ b/include/crypto/bn.h
-@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
- */
- int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
- BN_MONT_CTX *mont, BN_CTX *ctx);
-+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-+ const BIGNUM *m, BN_CTX *ctx,
-+ BN_MONT_CTX *in_mont);
- int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
- BN_CTX *ctx);
- int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
deleted file mode 100755
index 99c16cd573..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
+++ /dev/null
@@ -1,202 +0,0 @@
-From bc7e04d7c8d509fb78fc0e285aa948fb0da04700 Mon Sep 17 00:00:00 2001
-From: Viktor Dukhovni <viktor@openssl.org>
-Date: Thu, 19 Sep 2024 01:02:40 +1000
-Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
-
-The BN_GF2m_poly2arr() function converts characteristic-2 field
-(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
-to a compact array with just the exponents of the non-zero terms.
-
-These polynomials are then used in BN_GF2m_mod_arr() to perform modular
-reduction. A precondition of calling BN_GF2m_mod_arr() is that the
-polynomial must have a non-zero constant term (i.e. the array has `0` as
-its final element).
-
-Internally, callers of BN_GF2m_poly2arr() did not verify that
-precondition, and binary EC curve parameters with an invalid polynomial
-could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
-
-The precondition is always true for polynomials that arise from the
-standard form of EC parameters for characteristic-two fields (X9.62).
-See the "Finite Field Identification" section of:
-
- https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
-
-The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
-basis X9.62 forms.
-
-This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
-the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
-
-Additionally, the return value is made unambiguous when there is not
-enough space to also pad the array with a final `-1` sentinel value.
-The return value is now always the number of elements (including the
-final `-1`) that would be filled when the output array is sufficiently
-large. Previously the same count was returned both when the array has
-just enough room for the final `-1` and when it had only enough space
-for non-sentinel values.
-
-Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
-degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
-CPU exhausition attacks via excessively large inputs.
-
-The above issues do not arise in processing X.509 certificates. These
-generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
-disallows explicit EC parameters. The TLS code in OpenSSL enforces this
-constraint only after the certificate is decoded, but, even if explicit
-parameters are specified, they are in X9.62 form, which cannot represent
-problem values as noted above.
-
-Initially reported as oss-fuzz issue 71623.
-
-A closely related issue was earlier reported in
-<https://github.com/openssl/openssl/issues/19826>.
-
-Severity: Low, CVE-2024-9143
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/25639)
-
-(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
-
-CVE: CVE-2024-9143
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- crypto/bn/bn_gf2m.c | 28 +++++++++++++++-------
- test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 71 insertions(+), 8 deletions(-)
-
-diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
-index 444c5ca7a3755..ae7e9d751c29c 100644
---- a/crypto/bn/bn_gf2m.c
-+++ b/crypto/bn/bn_gf2m.c
-@@ -15,6 +15,7 @@
- #include "bn_local.h"
-
- #ifndef OPENSSL_NO_EC2M
-+# include <openssl/ec.h>
-
- /*
- * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
-@@ -1130,16 +1131,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- /*
- * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
- * x^i) into an array of integers corresponding to the bits with non-zero
-- * coefficient. Array is terminated with -1. Up to max elements of the array
-- * will be filled. Return value is total number of array elements that would
-- * be filled if array was large enough.
-+ * coefficient. The array is intended to be suitable for use with
-+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
-+ * zero. This translates to a requirement that the input BIGNUM `a` is odd.
-+ *
-+ * Given sufficient room, the array is terminated with -1. Up to max elements
-+ * of the array will be filled.
-+ *
-+ * The return value is total number of array elements that would be filled if
-+ * array was large enough, including the terminating `-1`. It is `0` when `a`
-+ * is not odd or the constant term is zero contrary to requirement.
-+ *
-+ * The return value is also `0` when the leading exponent exceeds
-+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
- */
- int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
- {
- int i, j, k = 0;
- BN_ULONG mask;
-
-- if (BN_is_zero(a))
-+ if (!BN_is_odd(a))
- return 0;
-
- for (i = a->top - 1; i >= 0; i--) {
-@@ -1157,12 +1168,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
- }
- }
-
-- if (k < max) {
-+ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
-+ return 0;
-+
-+ if (k < max)
- p[k] = -1;
-- k++;
-- }
-
-- return k;
-+ return k + 1;
- }
-
- /*
-diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
-index 5076f9894d5b8..92904cfc42b20 100644
---- a/test/ec_internal_test.c
-+++ b/test/ec_internal_test.c
-@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
- }
-
- #ifndef OPENSSL_NO_EC2M
-+/* Test that decoding of invalid GF2m field parameters fails. */
-+static int ec2m_field_sanity(void)
-+{
-+ int ret = 0;
-+ BN_CTX *ctx = BN_CTX_new();
-+ BIGNUM *p, *a, *b;
-+ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
-+
-+ TEST_info("Testing GF2m hardening\n");
-+
-+ BN_CTX_start(ctx);
-+ p = BN_CTX_get(ctx);
-+ a = BN_CTX_get(ctx);
-+ if (!TEST_ptr(b = BN_CTX_get(ctx))
-+ || !TEST_true(BN_one(a))
-+ || !TEST_true(BN_one(b)))
-+ goto out;
-+
-+ /* Even pentanomial value should be rejected */
-+ if (!TEST_true(BN_set_word(p, 0xf2)))
-+ goto out;
-+ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+ TEST_error("Zero constant term accepted in GF2m polynomial");
-+
-+ /* Odd hexanomial should also be rejected */
-+ if (!TEST_true(BN_set_word(p, 0xf3)))
-+ goto out;
-+ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+ TEST_error("Hexanomial accepted as GF2m polynomial");
-+
-+ /* Excessive polynomial degree should also be rejected */
-+ if (!TEST_true(BN_set_word(p, 0x71))
-+ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
-+ goto out;
-+ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+ TEST_error("GF2m polynomial degree > %d accepted",
-+ OPENSSL_ECC_MAX_FIELD_BITS);
-+
-+ ret = group1 == NULL && group2 == NULL && group3 == NULL;
-+
-+ out:
-+ EC_GROUP_free(group1);
-+ EC_GROUP_free(group2);
-+ EC_GROUP_free(group3);
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+
-+ return ret;
-+}
-+
- /* test EC_GF2m_simple_method directly */
- static int field_tests_ec2_simple(void)
- {
-@@ -443,6 +493,7 @@ int setup_tests(void)
- ADD_TEST(field_tests_ecp_simple);
- ADD_TEST(field_tests_ecp_mont);
- #ifndef OPENSSL_NO_EC2M
-+ ADD_TEST(ec2m_field_sanity);
- ADD_TEST(field_tests_ec2_simple);
- #endif
- ADD_ALL_TESTS(field_tests_default, crv_len);
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.3.bb b/meta/recipes-connectivity/openssl/openssl_3.2.4.bb
similarity index 98%
rename from meta/recipes-connectivity/openssl/openssl_3.2.3.bb
rename to meta/recipes-connectivity/openssl/openssl_3.2.4.bb
index 0b47bab550..bada192fe9 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.2.3.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.2.4.bb
@@ -12,15 +12,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
file://0001-Configure-do-not-tweak-mips-cflags.patch \
file://0001-Added-handshake-history-reporting-when-test-fails.patch \
- file://CVE-2024-9143.patch \
- file://CVE-2024-13176.patch \
"
SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI[sha256sum] = "52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239"
+SRC_URI[sha256sum] = "b23ad7fd9f73e43ad1767e636040e88ba7c9e5775bfa5618436a0dd2c17c3716"
inherit lib_package multilib_header multilib_script ptest perlnative manpages
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
--
2.43.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [OE-core][scarthgap 4/7] vim: Upgrade 9.1.0764 -> 9.1.1043
2025-02-18 21:15 [OE-core][scarthgap 0/7] Patch review Steve Sakoman
` (2 preceding siblings ...)
2025-02-18 21:15 ` [OE-core][scarthgap 3/7] openssl: upgrade 3.2.3 -> 3.2.4 Steve Sakoman
@ 2025-02-18 21:15 ` Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 5/7] scripts/install-buildtools: Update to 5.0.7 Steve Sakoman
` (2 subsequent siblings)
6 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2025-02-18 21:15 UTC (permalink / raw)
To: openembedded-core
From: Divya Chellam <divya.chellam@windriver.com>
This includes CVE-fix for CVE-2025-22134 and CVE-2025-24014
Changes between 9.1.0764 -> 9.1.1043
====================================
https://github.com/vim/vim/compare/v9.1.0764...v9.1.1043
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/vim/vim.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 582eddcb9d..4ac9c58c80 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -18,8 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
-PV .= ".0764"
-SRCREV = "51b62387be93c65fa56bbabe1c3c1ea5df187641"
+PV .= ".1043"
+SRCREV = "9d1bed5eccdbb46a26b8a484f5e9163c40e63919"
# Do not consider .z in x.y.z, as that is updated with every commit
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+)\.0"
--
2.43.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [OE-core][scarthgap 5/7] scripts/install-buildtools: Update to 5.0.7
2025-02-18 21:15 [OE-core][scarthgap 0/7] Patch review Steve Sakoman
` (3 preceding siblings ...)
2025-02-18 21:15 ` [OE-core][scarthgap 4/7] vim: Upgrade 9.1.0764 -> 9.1.1043 Steve Sakoman
@ 2025-02-18 21:15 ` Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 6/7] ppp: Revert lock path to /var/lock Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 7/7] icu: remove host references in nativesdk to fix reproducibility Steve Sakoman
6 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2025-02-18 21:15 UTC (permalink / raw)
To: openembedded-core
From: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com>
Update to the 5.0.7 release of the 5.0 series for buildtools.
Signed-off-by: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
scripts/install-buildtools | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/install-buildtools b/scripts/install-buildtools
index 972671d50f..e4d472023d 100755
--- a/scripts/install-buildtools
+++ b/scripts/install-buildtools
@@ -57,8 +57,8 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout)
DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools')
DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto'
-DEFAULT_RELEASE = 'yocto-5.0.6'
-DEFAULT_INSTALLER_VERSION = '5.0.6'
+DEFAULT_RELEASE = 'yocto-5.0.7'
+DEFAULT_INSTALLER_VERSION = '5.0.7'
DEFAULT_BUILDDATE = '202110XX'
# Python version sanity check
--
2.43.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [OE-core][scarthgap 6/7] ppp: Revert lock path to /var/lock
2025-02-18 21:15 [OE-core][scarthgap 0/7] Patch review Steve Sakoman
` (4 preceding siblings ...)
2025-02-18 21:15 ` [OE-core][scarthgap 5/7] scripts/install-buildtools: Update to 5.0.7 Steve Sakoman
@ 2025-02-18 21:15 ` Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 7/7] icu: remove host references in nativesdk to fix reproducibility Steve Sakoman
6 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2025-02-18 21:15 UTC (permalink / raw)
To: openembedded-core
From: Johannes Schneider <johannes.schneider@leica-geosystems.com>
ppp version 2.5.0 fails to run properly if an expected /run/pppd/lock
directory does not exist, which is not usually created in a yocto
built OS.
Backport the patch from upstream version 2.5.1 that fixes the issue by
reverting back to /var/lock.
The related github issue upstream was:
"lock directory moved in ppp-2.5.0 #419" [1]
Link: https://github.com/ppp-project/ppp/issues/419
Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...001-Revert-lock-path-to-var-lock-435.patch | 63 +++++++++++++++++++
meta/recipes-connectivity/ppp/ppp_2.5.0.bb | 1 +
2 files changed, 64 insertions(+)
create mode 100644 meta/recipes-connectivity/ppp/ppp/0001-Revert-lock-path-to-var-lock-435.patch
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-Revert-lock-path-to-var-lock-435.patch b/meta/recipes-connectivity/ppp/ppp/0001-Revert-lock-path-to-var-lock-435.patch
new file mode 100644
index 0000000000..573eb413b0
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/0001-Revert-lock-path-to-var-lock-435.patch
@@ -0,0 +1,63 @@
+From 99cbf5e269994482edaf64624be8b1c806f9587c Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <asmadeus@codewreck.org>
+Date: Tue, 10 Oct 2023 10:05:50 +0900
+Subject: [PATCH] Revert lock path to /var/lock (#435)
+
+lock dir changed on linux from /var/lock to /run/pppd/lock with
+pppd-2.5.0, which makes pppd fail to start if the distribution does not
+pre-create the directory.
+
+This reverts it back to /var/lock.
+
+The paths for other OS should be identical as LOCALSTATEDIR should be
+/var, but also revert them back as well just in case.
+Since the variable is no longer used remove it from makefiles.
+
+Fixes: 66a8c74c3f73 ("Let ./configure control the paths for pppd")
+Fixes: #419
+
+Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
+Co-authored-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
+
+Upstream-Status: Backport [https://github.com/ppp-project/ppp/commit/99cbf5e269994482edaf64624be8b1c806f9587c]
+---
+ pppd/Makefile.am | 2 +-
+ pppd/pathnames.h | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/pppd/Makefile.am b/pppd/Makefile.am
+index e5bedf2..7cb3005 100644
+--- a/pppd/Makefile.am
++++ b/pppd/Makefile.am
+@@ -83,7 +83,7 @@ pppd_SOURCES = \
+ upap.c \
+ utils.c
+
+-pppd_CPPFLAGS = -DSYSCONFDIR=\"${sysconfdir}\" -DLOCALSTATEDIR=\"${localstatedir}\" -DPPPD_RUNTIME_DIR='"@PPPD_RUNTIME_DIR@"' -DPPPD_LOGFILE_DIR='"@PPPD_LOGFILE_DIR@"'
++pppd_CPPFLAGS = -DSYSCONFDIR=\"${sysconfdir}\" -DPPPD_RUNTIME_DIR='"@PPPD_RUNTIME_DIR@"' -DPPPD_LOGFILE_DIR='"@PPPD_LOGFILE_DIR@"'
+ pppd_LDFLAGS =
+ pppd_LIBS =
+
+diff --git a/pppd/pathnames.h b/pppd/pathnames.h
+index de2fb68..12609a9 100644
+--- a/pppd/pathnames.h
++++ b/pppd/pathnames.h
+@@ -120,12 +120,12 @@
+ #define PPP_PATH_PPPDB PPP_PATH_VARRUN "/pppd2.tdb"
+
+ #ifdef __linux__
+-#define PPP_PATH_LOCKDIR PPP_PATH_VARRUN "/lock"
++#define PPP_PATH_LOCKDIR "/var/lock"
+ #else
+ #ifdef SVR4
+-#define PPP_PATH_LOCKDIR LOCALSTATEDIR "/spool/locks"
++#define PPP_PATH_LOCKDIR "/var/spool/locks"
+ #else
+-#define PPP_PATH_LOCKDIR LOCALSTATEDIR "/spool/lock"
++#define PPP_PATH_LOCKDIR "/var/spool/lock"
+ #endif
+ #endif
+
+--
+2.43.0
+
diff --git a/meta/recipes-connectivity/ppp/ppp_2.5.0.bb b/meta/recipes-connectivity/ppp/ppp_2.5.0.bb
index 5f0c75de83..badf22db97 100644
--- a/meta/recipes-connectivity/ppp/ppp_2.5.0.bb
+++ b/meta/recipes-connectivity/ppp/ppp_2.5.0.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
file://ppp_on_boot \
file://provider \
file://ppp@.service \
+ file://0001-Revert-lock-path-to-var-lock-435.patch \
"
SRC_URI[sha256sum] = "5cae0e8075f8a1755f16ca290eb44e6b3545d3f292af4da65ecffe897de636ff"
--
2.43.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [OE-core][scarthgap 7/7] icu: remove host references in nativesdk to fix reproducibility
2025-02-18 21:15 [OE-core][scarthgap 0/7] Patch review Steve Sakoman
` (5 preceding siblings ...)
2025-02-18 21:15 ` [OE-core][scarthgap 6/7] ppp: Revert lock path to /var/lock Steve Sakoman
@ 2025-02-18 21:15 ` Steve Sakoman
6 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2025-02-18 21:15 UTC (permalink / raw)
To: openembedded-core
From: Oleksandr Hnatiuk <ohnatiuk@cisco.com>
Fix is only done for target. Use same code for nativesdk.
Backport from poky master: https://git.yoctoproject.org/poky/commit/?id=c63b8f28ac52047fad689b78d605aa792baf1ad8
(From OE-Core rev: dc6306883cc2c7d4d98d595442e5bf4037a160c5)
Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
Signed-off-by: Oleksandr Hnatiuk <ohnatiuk@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c63b8f28ac52047fad689b78d605aa792baf1ad8)
Signed-off-by: Bhabu Bindu <bindu.bhabu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/icu/icu_74-2.bb | 33 ++++++++++++++++++++--------
1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/meta/recipes-support/icu/icu_74-2.bb b/meta/recipes-support/icu/icu_74-2.bb
index 8352bf2a5b..53853e24a5 100644
--- a/meta/recipes-support/icu/icu_74-2.bb
+++ b/meta/recipes-support/icu/icu_74-2.bb
@@ -30,7 +30,7 @@ TARGET_CXXFLAGS:append = "${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'be', '
ASNEEDED = ""
-do_compile:prepend:class-target () {
+remove_build_host_references_from_libicutu () {
# Make sure certain build host references do not end up being compiled
# in the image. This only affects libicutu and icu-dbg
sed \
@@ -39,6 +39,14 @@ do_compile:prepend:class-target () {
-i ${B}/tools/toolutil/Makefile
}
+do_compile:prepend:class-target () {
+ remove_build_host_references_from_libicutu
+}
+
+do_compile:prepend:class-nativesdk () {
+ remove_build_host_references_from_libicutu
+}
+
PREPROCESS_RELOCATE_DIRS = "${datadir}/${BPN}/${PV}"
do_install:append:class-native() {
mkdir -p ${D}/${STAGING_ICU_DIR_NATIVE}/config
@@ -49,6 +57,15 @@ do_install:append:class-native() {
cp -r ${B}/tools ${D}/${STAGING_ICU_DIR_NATIVE}
}
+remove_build_host_references() {
+ sed -i \
+ -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \
+ -e 's|${DEBUG_PREFIX_MAP}||g' \
+ -e 's:${HOSTTOOLS_DIR}/::g' \
+ ${D}/${libdir}/${BPN}/${@icu_install_folder(d)}/Makefile.inc \
+ ${D}/${libdir}/${BPN}/${@icu_install_folder(d)}/pkgdata.inc
+}
+
do_install:append:class-target() {
# The native pkgdata can not generate the correct data file.
# Use icupkg to re-generate it.
@@ -56,14 +73,12 @@ do_install:append:class-target() {
rm -f ${D}/${datadir}/${BPN}/${@icu_install_folder(d)}/icudt${ICU_MAJOR_VER}b.dat
icupkg -tb ${S}/data/in/icudt${ICU_MAJOR_VER}l.dat ${D}/${datadir}/${BPN}/${@icu_install_folder(d)}/icudt${ICU_MAJOR_VER}b.dat
fi
-
- # Remove build host references...
- sed -i \
- -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \
- -e 's|${DEBUG_PREFIX_MAP}||g' \
- -e 's:${HOSTTOOLS_DIR}/::g' \
- ${D}/${libdir}/${BPN}/${@icu_install_folder(d)}/Makefile.inc \
- ${D}/${libdir}/${BPN}/${@icu_install_folder(d)}/pkgdata.inc
+
+ remove_build_host_references
+}
+
+do_install:append:class-nativesdk() {
+ remove_build_host_references
}
PACKAGES =+ "libicudata libicuuc libicui18n libicutu libicuio"
--
2.43.0
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [OE-core][scarthgap 1/7] subversion: ignore CVE-2024-45720
2025-02-18 21:15 ` [OE-core][scarthgap 1/7] subversion: ignore CVE-2024-45720 Steve Sakoman
@ 2025-02-19 8:32 ` Yoann Congal
2025-02-19 14:41 ` Steve Sakoman
0 siblings, 1 reply; 16+ messages in thread
From: Yoann Congal @ 2025-02-19 8:32 UTC (permalink / raw)
To: steve; +Cc: openembedded-core, Sofiane HAMAM
[-- Attachment #1: Type: text/plain, Size: 2007 bytes --]
Le mar. 18 févr. 2025 à 22:15, Steve Sakoman via lists.openembedded.org
<steve=sakoman.com@lists.openembedded.org> a écrit :
> From: Peter Marko <peter.marko@siemens.com>
>
> Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45720
>
> This CVE is relevant only for subversion running on Windows.
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
>
Hi Steve,
Sorry to bother you with this but Sofiane Hamam gave its Reviewed-by here:
https://lists.openembedded.org/g/openembedded-core/topic/111147177#msg211378
He worked on fixing the CVE but Peter was faster so he gave its
reviewed-by. It would be nice if that ended up in the repository.
Thanks!
> ---
> meta/recipes-devtools/subversion/subversion_1.14.3.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-devtools/subversion/subversion_1.14.3.bb
> b/meta/recipes-devtools/subversion/subversion_1.14.3.bb
> index 1ef3d498a5..679228cbb8 100644
> --- a/meta/recipes-devtools/subversion/subversion_1.14.3.bb
> +++ b/meta/recipes-devtools/subversion/subversion_1.14.3.bb
> @@ -19,6 +19,8 @@ inherit autotools pkgconfig gettext python3native
>
> CVE_PRODUCT = "apache:subversion"
>
> +CVE_STATUS[CVE-2024-45720] = "not-applicable-platform: Issue only applies
> on Windows"
> +
> PACKAGECONFIG ?= ""
>
> PACKAGECONFIG[boost] =
> "--with-boost=${RECIPE_SYSROOT}${exec_prefix},--without-boost,boost"
> --
> 2.43.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#211653):
> https://lists.openembedded.org/g/openembedded-core/message/211653
> Mute This Topic: https://lists.openembedded.org/mt/111258880/4316185
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> yoann.congal@smile.fr]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
--
Yoann Congal
Smile ECS - Tech expert
[-- Attachment #2: Type: text/html, Size: 4352 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [OE-core][scarthgap 1/7] subversion: ignore CVE-2024-45720
2025-02-19 8:32 ` Yoann Congal
@ 2025-02-19 14:41 ` Steve Sakoman
2025-02-19 14:49 ` Yoann Congal
0 siblings, 1 reply; 16+ messages in thread
From: Steve Sakoman @ 2025-02-19 14:41 UTC (permalink / raw)
To: Yoann Congal; +Cc: openembedded-core, Sofiane HAMAM
On Wed, Feb 19, 2025 at 12:33 AM Yoann Congal <yoann.congal@smile.fr> wrote:
>
>
>
> Le mar. 18 févr. 2025 à 22:15, Steve Sakoman via lists.openembedded.org <steve=sakoman.com@lists.openembedded.org> a écrit :
>>
>> From: Peter Marko <peter.marko@siemens.com>
>>
>> Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45720
>>
>> This CVE is relevant only for subversion running on Windows.
>>
>> Signed-off-by: Peter Marko <peter.marko@siemens.com>
>> Signed-off-by: Steve Sakoman <steve@sakoman.com>
>
>
> Hi Steve,
>
> Sorry to bother you with this but Sofiane Hamam gave its Reviewed-by here:
> https://lists.openembedded.org/g/openembedded-core/topic/111147177#msg211378
>
> He worked on fixing the CVE but Peter was faster so he gave its reviewed-by. It would be nice if that ended up in the repository.
OK, I'll make it so!
Steve
>> meta/recipes-devtools/subversion/subversion_1.14.3.bb | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/meta/recipes-devtools/subversion/subversion_1.14.3.bb b/meta/recipes-devtools/subversion/subversion_1.14.3.bb
>> index 1ef3d498a5..679228cbb8 100644
>> --- a/meta/recipes-devtools/subversion/subversion_1.14.3.bb
>> +++ b/meta/recipes-devtools/subversion/subversion_1.14.3.bb
>> @@ -19,6 +19,8 @@ inherit autotools pkgconfig gettext python3native
>>
>> CVE_PRODUCT = "apache:subversion"
>>
>> +CVE_STATUS[CVE-2024-45720] = "not-applicable-platform: Issue only applies on Windows"
>> +
>> PACKAGECONFIG ?= ""
>>
>> PACKAGECONFIG[boost] = "--with-boost=${RECIPE_SYSROOT}${exec_prefix},--without-boost,boost"
>> --
>> 2.43.0
>>
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#211653): https://lists.openembedded.org/g/openembedded-core/message/211653
>> Mute This Topic: https://lists.openembedded.org/mt/111258880/4316185
>> Group Owner: openembedded-core+owner@lists.openembedded.org
>> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [yoann.congal@smile.fr]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>
>
>
> --
> Yoann Congal
> Smile ECS - Tech expert
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [OE-core][scarthgap 1/7] subversion: ignore CVE-2024-45720
2025-02-19 14:41 ` Steve Sakoman
@ 2025-02-19 14:49 ` Yoann Congal
0 siblings, 0 replies; 16+ messages in thread
From: Yoann Congal @ 2025-02-19 14:49 UTC (permalink / raw)
To: Steve Sakoman; +Cc: openembedded-core, Sofiane HAMAM
[-- Attachment #1: Type: text/plain, Size: 2457 bytes --]
Le mer. 19 févr. 2025 à 15:42, Steve Sakoman <steve@sakoman.com> a écrit :
> On Wed, Feb 19, 2025 at 12:33 AM Yoann Congal <yoann.congal@smile.fr>
> wrote:
> >
> >
> >
> > Le mar. 18 févr. 2025 à 22:15, Steve Sakoman via lists.openembedded.org
> <steve=sakoman.com@lists.openembedded.org> a écrit :
> >>
> >> From: Peter Marko <peter.marko@siemens.com>
> >>
> >> Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45720
> >>
> >> This CVE is relevant only for subversion running on Windows.
> >>
> >> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> >> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> >
> >
> > Hi Steve,
> >
> > Sorry to bother you with this but Sofiane Hamam gave its Reviewed-by
> here:
> >
> https://lists.openembedded.org/g/openembedded-core/topic/111147177#msg211378
> >
> > He worked on fixing the CVE but Peter was faster so he gave its
> reviewed-by. It would be nice if that ended up in the repository.
>
> OK, I'll make it so!
>
Thanks Steve! :)
>
> Steve
>
> >> meta/recipes-devtools/subversion/subversion_1.14.3.bb | 2 ++
> >> 1 file changed, 2 insertions(+)
> >>
> >> diff --git a/meta/recipes-devtools/subversion/subversion_1.14.3.bb
> b/meta/recipes-devtools/subversion/subversion_1.14.3.bb
> >> index 1ef3d498a5..679228cbb8 100644
> >> --- a/meta/recipes-devtools/subversion/subversion_1.14.3.bb
> >> +++ b/meta/recipes-devtools/subversion/subversion_1.14.3.bb
> >> @@ -19,6 +19,8 @@ inherit autotools pkgconfig gettext python3native
> >>
> >> CVE_PRODUCT = "apache:subversion"
> >>
> >> +CVE_STATUS[CVE-2024-45720] = "not-applicable-platform: Issue only
> applies on Windows"
> >> +
> >> PACKAGECONFIG ?= ""
> >>
> >> PACKAGECONFIG[boost] =
> "--with-boost=${RECIPE_SYSROOT}${exec_prefix},--without-boost,boost"
> >> --
> >> 2.43.0
> >>
> >>
> >> -=-=-=-=-=-=-=-=-=-=-=-
> >> Links: You receive all messages sent to this group.
> >> View/Reply Online (#211653):
> https://lists.openembedded.org/g/openembedded-core/message/211653
> >> Mute This Topic: https://lists.openembedded.org/mt/111258880/4316185
> >> Group Owner: openembedded-core+owner@lists.openembedded.org
> >> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> yoann.congal@smile.fr]
> >> -=-=-=-=-=-=-=-=-=-=-=-
> >>
> >
> >
> > --
> > Yoann Congal
> > Smile ECS - Tech expert
>
--
Yoann Congal
Smile ECS - Tech expert
[-- Attachment #2: Type: text/html, Size: 5064 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* [OE-core][scarthgap 0/7] Patch review
@ 2025-05-06 15:13 Steve Sakoman
0 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2025-05-06 15:13 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, May 8
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1529
The following changes since commit 00dd4901e364d16d96cfab864823a9cfdd336eeb:
Revert "cve-update-nvd2-native: Tweak to work better with NFS DL_DIR" (2025-04-29 10:21:16 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Ashish Sharma (1):
libsoup: patch CVE-2025-46420
Deepesh Varatharajan (2):
glibc: stable 2.39 branch updates
binutils: stable 2.42 branch updates
Jeroen Hofstee (2):
bluez5: make media control a PACKAGECONFIG option
bluez5: backport a patch to fix btmgmt -i
Peter Marko (1):
sqlite3: mark CVE-2025-29087 as patched
Soumya Sambu (1):
elfutils: Fix CVE-2025-1371
meta/recipes-connectivity/bluez5/bluez5.inc | 3 +
...ndex-option-for-non-interactive-mode.patch | 29 +++++++++
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../binutils/binutils-2.42.inc | 2 +-
.../elfutils/elfutils_0.191.bb | 1 +
.../elfutils/files/CVE-2025-1371.patch | 41 +++++++++++++
.../libsoup-3.4.4/CVE-2025-46420.patch | 60 +++++++++++++++++++
meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 +
.../sqlite/sqlite3/CVE-2025-3277.patch | 1 +
9 files changed, 138 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-connectivity/bluez5/bluez5/toolsbtmgmt-fix-index-option-for-non-interactive-mode.patch
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1371.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46420.patch
--
2.43.0
^ permalink raw reply [flat|nested] 16+ messages in thread
* [OE-core][scarthgap 0/7] Patch review
@ 2025-05-21 14:59 Steve Sakoman
0 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2025-05-21 14:59 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Friday, May 23
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1625
The following changes since commit b214cc84a922f7a3fb7ebbc501189ce25e8bd2bd:
glibc-y2038-tests: remove glibc-y2038-tests_2.39.bb recipe (2025-05-15 09:42:55 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Ashish Sharma (1):
libsoup-2.4: Fix CVE-2025-46420
Nguyen Dat Tho (1):
libatomic-ops: Update GITHUB_BASE_URI
Praveen Kumar (2):
connman :fix CVE-2025-32366
glib-2.0: fix CVE-2025-4373
Sunil Dora (1):
binutils: Fix CVE-2025-1153
Vijay Anusuri (1):
openssh: Fix for CVE-2025-32728
Vyacheslav Yurkov (1):
systemd: Password agents shouldn't be optional
.../connman/connman/CVE-2025-32366.patch | 41 +
.../connman/connman_1.42.bb | 1 +
.../openssh/openssh/CVE-2025-32728.patch | 44 +
.../openssh/openssh_9.6p1.bb | 1 +
.../glib-2.0/glib-2.0/CVE-2025-4373-01.patch | 120 +
.../glib-2.0/glib-2.0/CVE-2025-4373-02.patch | 29 +
meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 +
meta/recipes-core/systemd/systemd_255.18.bb | 10 -
.../binutils/binutils-2.42.inc | 3 +
.../binutils/0019-CVE-2025-1153-1.patch | 3207 ++++++++++++++
.../binutils/0020-CVE-2025-1153-2.patch | 840 ++++
.../binutils/0021-CVE-2025-1153-3.patch | 3756 +++++++++++++++++
.../libatomic-ops/libatomic-ops_7.8.2.bb | 4 +-
.../libsoup/libsoup-2.4/CVE-2025-46420.patch | 60 +
.../libsoup/libsoup-2.4_2.74.3.bb | 1 +
15 files changed, 8107 insertions(+), 12 deletions(-)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0019-CVE-2025-1153-1.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0020-CVE-2025-1153-2.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0021-CVE-2025-1153-3.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch
--
2.43.0
^ permalink raw reply [flat|nested] 16+ messages in thread
* [OE-core][scarthgap 0/7] Patch review
@ 2025-11-04 14:47 Steve Sakoman
0 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2025-11-04 14:47 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, November 6
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2676
The following changes since commit 4cb834388759540ea5bf7265389b9f1b2e15333a:
bind: upgrade 9.18.33 -> 9.18.41 (2025-10-29 07:13:09 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Bastian Krause (1):
util-linux: fix pointer usage in hwclock param handling
Michael Haener (1):
Remove empty file
Peter Marko (4):
wpa-supplicant: patch CVE-2025-24912
binutils: patch CVE-2025-11414
binutils: patch CVE-2025-11412
binutils: patch CVE-2025-11413
Yannic Moog (1):
perf: add arm64 source files for unistd_64.h
.../wpa-supplicant/CVE-2025-24912-01.patch | 79 +++++++++++++++++
.../wpa-supplicant/CVE-2025-24912-02.patch | 70 ++++++++++++++++
.../wpa-supplicant/wpa-supplicant_2.10.bb | 2 +
meta/recipes-core/util-linux/util-linux.inc | 1 +
...-utils-hwclock-rtc-fix-pointer-usage.patch | 27 ++++++
.../binutils/binutils-2.42.inc | 3 +
.../binutils/binutils/CVE-2025-11412.patch | 35 ++++++++
.../binutils/binutils/CVE-2025-11413.patch | 38 +++++++++
.../binutils/binutils/CVE-2025-11414.patch | 84 +++++++++++++++++++
meta/recipes-kernel/perf/perf.bb | 3 +-
test | 0
11 files changed, 341 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch
create mode 100644 meta/recipes-core/util-linux/util-linux/sys-utils-hwclock-rtc-fix-pointer-usage.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch
delete mode 100644 test
--
2.43.0
^ permalink raw reply [flat|nested] 16+ messages in thread
* [OE-core][scarthgap 0/7] Patch review
@ 2025-12-12 15:39 Steve Sakoman
0 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2025-12-12 15:39 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, December 16
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2849
The following changes since commit ef198b0c6063ede32cb93fe44eb89937c076a073:
curl: Ensure 'CURL_CA_BUNDLE' from host env is indeed respected (2025-12-05 07:08:31 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Daniel Turull (1):
classes/create-spdx-2.2: Define SPDX_VERSION to 2.2
Hitendra Prajapati (1):
libxml2: Security fix for CVE-2025-7425
Peter Marko (3):
libpng: patch CVE-2025-66293
libmicrohttpd: disable experimental code by default
Revert "lib/oe/go: document map_arch, and raise an error on unknown
architecture"
Vijay Anusuri (2):
libssh2: upgrade 1.11.0 -> 1.11.1
libssh2: fix regression in KEX method validation (GH-1553)
meta/classes/create-spdx-2.2.bbclass | 2 +
meta/lib/oe/go.py | 6 +-
.../libxml/libxml2/CVE-2025-7425.patch | 802 ++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.12.10.bb | 1 +
.../libpng/files/CVE-2025-66293-01.patch | 60 ++
.../libpng/files/CVE-2025-66293-02.patch | 125 +++
.../libpng/libpng_1.6.42.bb | 2 +
.../libmicrohttpd/libmicrohttpd_1.0.1.bb | 4 +
...rror-if-user-KEX-methods-are-invalid.patch | 73 ++
.../libssh2/libssh2/CVE-2023-48795.patch | 466 ----------
.../{libssh2_1.11.0.bb => libssh2_1.11.1.bb} | 6 +-
11 files changed, 1073 insertions(+), 474 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-7425.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
create mode 100644 meta/recipes-support/libssh2/libssh2/0001-Return-error-if-user-KEX-methods-are-invalid.patch
delete mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch
rename meta/recipes-support/libssh2/{libssh2_1.11.0.bb => libssh2_1.11.1.bb} (87%)
--
2.43.0
^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2025-12-12 15:40 UTC | newest]
Thread overview: 16+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-02-18 21:15 [OE-core][scarthgap 0/7] Patch review Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 1/7] subversion: ignore CVE-2024-45720 Steve Sakoman
2025-02-19 8:32 ` Yoann Congal
2025-02-19 14:41 ` Steve Sakoman
2025-02-19 14:49 ` Yoann Congal
2025-02-18 21:15 ` [OE-core][scarthgap 2/7] gnutls: patch CVE-2024-12243 Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 3/7] openssl: upgrade 3.2.3 -> 3.2.4 Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 4/7] vim: Upgrade 9.1.0764 -> 9.1.1043 Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 5/7] scripts/install-buildtools: Update to 5.0.7 Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 6/7] ppp: Revert lock path to /var/lock Steve Sakoman
2025-02-18 21:15 ` [OE-core][scarthgap 7/7] icu: remove host references in nativesdk to fix reproducibility Steve Sakoman
-- strict thread matches above, loose matches on Subject: below --
2025-12-12 15:39 [OE-core][scarthgap 0/7] Patch review Steve Sakoman
2025-11-04 14:47 Steve Sakoman
2025-05-21 14:59 Steve Sakoman
2025-05-06 15:13 Steve Sakoman
2024-07-09 19:29 Steve Sakoman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.