* [meta-security][kirkstone][PATCH 1/9] Update maintainers
2026-01-15 22:46 [meta-security][kirkstone][PATCH 0/9] Assorted fixes Scott Murray
@ 2026-01-15 22:46 ` Scott Murray
2026-01-15 22:46 ` [meta-security][kirkstone][PATCH 2/9] CI: update build for new CI Scott Murray
` (7 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Scott Murray @ 2026-01-15 22:46 UTC
To: yocto-patches; +Cc: Marta Rybczynska
Add Marta and myself as maintainers for meta-security and the other
embedded layers that Armin had been maintaining. To avoid Armin
getting bugged about individual recipes, set the RECIPE_MAINTAINER
variables to myself.
(backport from master)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
README | 4 +-
conf/distro/include/maintainers.inc | 72 ++++++++++----------
meta-hardening/README | 4 +-
meta-integrity/README.md | 4 +-
meta-parsec/README.md | 1 -
meta-tpm/README | 4 +-
meta-tpm/conf/distro/include/maintainers.inc | 33 +++++----
7 files changed, 64 insertions(+), 58 deletions(-)
diff --git a/README b/README
index 081669f..7bd7f7c 100644
--- a/README
+++ b/README
@@ -92,7 +92,9 @@ Now you can just do 'git send-email origin/master' to send all local patches.
For pull requests, please use create-pull-request and send-pull-request.
-Maintainers: Armin Kuster <akuster808@gmail.com>
+Maintainers:
+Scott Murray <scott.murray@konsulko.com>
+Marta Rybczynska <rybczynska@gmail.com>
License
diff --git a/conf/distro/include/maintainers.inc b/conf/distro/include/maintainers.inc
index f623d70..c052695 100644
--- a/conf/distro/include/maintainers.inc
+++ b/conf/distro/include/maintainers.inc
@@ -19,39 +19,39 @@
# RECIPE_MAINTAINER:pn-<recipe name> = "Full Name <address@domain>"
#
# Please keep this list in alphabetical order.
-RECIPE_MAINTAINER:pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-apparmor = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-bastille = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-buck-security = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-ccs-tools = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-checksec = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-checksecurity = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-clamav = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-ding-libs = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-ecryptfs-utils = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-fscryptctl = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-google-authenticator-libpam = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-hash-perl = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-isic = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-keyutils = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-libaes-siv = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-libgssglue = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-libhtp = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-libmhash = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-libmspack = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-lib-perl = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-libseccomp = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-libwhisker2-perl = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-ncrack = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-nikto = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-paxctl = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-python3-fail2ban = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-python3-scapy = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-python-fail2ban = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-python-scapy = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-redhat-security = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-samhain = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-smack = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-sssd = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-suricata = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-tripwire = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER:pn-aircrack-ng = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-apparmor = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-bastille = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-buck-security = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-ccs-tools = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-checksec = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-checksecurity = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-clamav = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-ding-libs = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-ecryptfs-utils = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-fscryptctl = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-google-authenticator-libpam = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-hash-perl = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-isic = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-keyutils = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-libaes-siv = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-libgssglue = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-libhtp = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-libmhash = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-libmspack = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-lib-perl = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-libseccomp = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-libwhisker2-perl = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-ncrack = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-nikto = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-paxctl = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-python3-fail2ban = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-python3-scapy = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-python-fail2ban = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-python-scapy = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-redhat-security = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-samhain = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-smack = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-sssd = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-suricata = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-tripwire = "Scott Murray <scott.murray@konsulko.com>"
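Review bot: The header comment carried as context at the top of this hunk asks for alphabetical order, and since every entry is rewritten in the `+` block anyway, this is the moment to restore it: `pn-lib-perl` currently sits after `pn-libmspack`, and `pn-python-fail2ban`/`pn-python-scapy` sit after the `pn-python3-*` entries. Suggest moving those four lines into sorted position.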
diff --git a/meta-hardening/README b/meta-hardening/README
index 191253c..e804bcb 100644
--- a/meta-hardening/README
+++ b/meta-hardening/README
@@ -76,7 +76,9 @@ $ git config format.subjectPrefix meta-hardening][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
-Maintainers: Armin Kuster <akuster808@gmail.com>
+Maintainers:
+Scott Murray <scott.murray@konsulko.com>
+Marta Rybczynska <rybczynska@gmail.com>
License
=======
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index eae1c57..b0196dc 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -45,7 +45,9 @@ yocto@yoctoproject.org mailing list. When submitting patches that way,
make sure to copy the maintainer and add a "[meta-integrity]"
prefix to the subject of the mails.
-Maintainer: Armin Kuster <akuster808@gmail.com>
+Maintainers:
+Scott Murray <scott.murray@konsulko.com>
+Marta Rybczynska <rybczynska@gmail.com>
Table of Contents
diff --git a/meta-parsec/README.md b/meta-parsec/README.md
index 97026ea..292d99d 100644
--- a/meta-parsec/README.md
+++ b/meta-parsec/README.md
@@ -190,7 +190,6 @@ $ git config format.subjectPrefix meta-parsec][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
Maintainers: Anton Antonov <Anton.Antonov@arm.com>
- Armin Kuster <akuster808@gmail.com>
License
diff --git a/meta-tpm/README b/meta-tpm/README
index 5722a92..e3667da 100644
--- a/meta-tpm/README
+++ b/meta-tpm/README
@@ -69,7 +69,9 @@ $ git config format.subjectPrefix meta-security][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
-Maintainers: Armin Kuster <akuster808@gmail.com>
+Maintainers:
+Scott Murray <scott.murray@konsulko.com>
+Marta Rybczynska <rybczynska@gmail.com>
License
diff --git a/meta-tpm/conf/distro/include/maintainers.inc b/meta-tpm/conf/distro/include/maintainers.inc
index e7b216d..829f198 100644
--- a/meta-tpm/conf/distro/include/maintainers.inc
+++ b/meta-tpm/conf/distro/include/maintainers.inc
@@ -19,20 +19,19 @@
# RECIPE_MAINTAINER:pn-<recipe name> = "Full Name <address@domain>"
#
# Please keep this list in alphabetical order.
-RECIPE_MAINTAINER:pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-pcr-extend = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-tpm-quote-tools = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-libtpm = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-trousers = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-swtpm = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-openssl-tpm-engine = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-tpm-tools = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-tpm2-abrmd = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-tpm2-totp = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-tpm2-tcti-uefi = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-tpm2-tss-engine = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-tpm2-pkcs11 = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-tpm2-tss = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-tpm2-tools = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER:pn-ibmswtpm2 = "Armin Kuster <akuster808@gmail.com>"
-
+RECIPE_MAINTAINER:pn-aircrack-ng = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-pcr-extend = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-tpm-quote-tools = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-libtpms = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-trousers = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-swtpm = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-openssl-tpm-engine = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-tpm-tools = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-tpm2-abrmd = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-tpm2-totp = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-tpm2-tcti-uefi = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-tpm2-tss-engine = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-tpm2-pkcs11 = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-tpm2-tss = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-tpm2-tools = "Scott Murray <scott.murray@konsulko.com>"
+RECIPE_MAINTAINER:pn-ibmswtpm2 = "Scott Murray <scott.murray@konsulko.com>"
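Review bot: The `+` block silently renames `pn-libtpm` to `pn-libtpms` (compare the `-RECIPE_MAINTAINER:pn-libtpm` line), which is a correction the commit message does not mention; please state it there so the change is not mistaken for a typo. Two smaller points on the same hunk: this file also asks for alphabetical order but the entries are not sorted, and `pn-aircrack-ng` is listed here as well as in the meta-security `maintainers.inc` changed earlier in this patch, so one of the two entries is likely a leftover.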
--
2.51.0
* [meta-security][kirkstone][PATCH 2/9] CI: update build for new CI
From: Scott Murray @ 2026-01-15 22:46 UTC
To: yocto-patches; +Cc: Marta Rybczynska
From: Marta Rybczynska <marta.rybczynska@ygreky.com>
Update for Ubuntu 24.04 runners:
- use venv for installing kas
- add missing directories
- assume that python3 and pip are installed.
Other changes:
- add logging of jobs to files
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(reworked for kirkstone branch)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
.gitlab-ci.yml | 49 ++++++++++++++++++++++++++++---------------------
1 file changed, 28 insertions(+), 21 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a4137cb..e37a161 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,10 +1,13 @@
.before-my-script: &before-my-script
- echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error
- echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error
+ - echo "$CI_PROJECT_DIR" >> ~/.ci_project_dir
- export PATH=~/.local/bin:$PATH
- - wget https://bootstrap.pypa.io/get-pip.py
- - python3 get-pip.py
+ - python3 -m venv ~/kas_env/
+ - source ~/kas_env/bin/activate
- python3 -m pip install kas
+ - mkdir -p $CI_PROJECT_DIR/build/tmp/log/error-report/
+ - mkdir -p $CI_PROJECT_DIR/log/
.after-my-script: &after-my-script
- cd $CI_PROJECT_DIR/poky
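Review bot: `python3 -m pip install kas` inside the new venv still installs whatever kas release is current, while the kas files later in this series are bumped to header version 19 "to match kas 4.8.x"; pin the version here (for example `python3 -m pip install "kas==4.8.*"`) so a future kas release cannot break the kirkstone CI on its own. Two smaller points: `export PATH=~/.local/bin:$PATH` is redundant once the venv is activated, and `echo "$CI_PROJECT_DIR" >> ~/.ci_project_dir` appends on every job, so on a persistent runner the file accumulates stale entries; `>` (as used for `~/.oe-send-error` two lines above) looks like what was intended.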
@@ -26,6 +29,10 @@ stages:
stage: base
after_script:
- *after-my-script
+ artifacts:
+ paths:
+ - $CI_PROJECT_DIR/log/*
+ when: always
.parsec:
before_script:
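Review bot: The `artifacts:` block is added only to the template carrying `stage: base`, but the `.musl`, `.parsec` and `.test` jobs in the next hunk also write their output under `$CI_PROJECT_DIR/log/`; unless those templates extend `.base`, their logs are never uploaded, and those are the jobs most likely to fail. Either add the same `artifacts:` block with `when: always` to those templates or move it to a shared anchor that all of them include.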
@@ -51,78 +58,78 @@ stages:
qemux86:
extends: .base
script:
- - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image integrity-image-minimal"
- - kas build --target security-build-image kas/$CI_JOB_NAME-comp.yml
- - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml
+ - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_security_image.txt
+ - kas build --target security-build-image kas/$CI_JOB_NAME-comp.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_compliance_image.txt
+ - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_harden_image.txt
qemux86-musl:
extends: .musl
needs: ['qemux86']
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_musl_security_image.txt
qemux86-parsec:
extends: .parsec
needs: ['qemux86']
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_parsec_security_image.txt
qemux86-test:
extends: .test
needs: ['qemux86']
allow_failure: true
script:
- - kas build --target security-test-image kas/$CI_JOB_NAME.yml
- - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-test-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_test_security_image.txt
+ - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_testimage_security_image.txt
qemux86-64:
extends: .base
script:
- - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm-image security-tpm2-image integrity-image-minimal"
- - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml
+ - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k core-image-minimal security-build-image security-tpm-image security-tpm2-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_security_image.txt
+ - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_dm_verify.txt
+ - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_security_build_image.txt
qemux86-64-parsec:
extends: .parsec
needs: ['qemux86-64']
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_parsec_security_image.txt
qemuarm:
extends: .base
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm_security_image.txt
qemuarm-parsec:
extends: .parsec
needs: ['qemuarm']
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm_parsec_security_image.txt
qemuarm64:
extends: .base
script:
- - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image integrity-image-minimal"
- - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml
+ - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_security_image.txt
+ - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_build_security_image.txt
qemuarm64-musl:
extends: .musl
needs: ['qemuarm64']
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_musl_security_image.txt
qemuarm64-parsec:
extends: .parsec
needs: ['qemuarm64']
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_parsec_security_image.txt
qemumips64:
extends: .base
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemumips64_security_image.txt
qemuriscv64:
extends: .base
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuriscv64_security_image.txt
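Review bot: Every `kas ... 2>&1 | tee ...` line now ends in `tee`, so a step's exit status is `tee`'s unless the shell has `pipefail` enabled; GitLab Runner's bash shell does enable it, but a runner using plain `sh` would report a failed build as success. Adding `set -o pipefail` at the start of the script (or `exit ${PIPESTATUS[0]}` after each pipeline) makes that dependency explicit. Also, the `qemux86-64` line adds `core-image-minimal` to the `bitbake -k` target list, which the commit message does not mention, and the log names are inconsistent (`qemux86_64_security_build_image.txt` vs `qemuarm64_build_security_image.txt` for the same `-alt.yml` build).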
--
2.51.0
* [meta-security][kirkstone][PATCH 3/9] kas: update configuration
From: Scott Murray @ 2026-01-15 22:46 UTC
To: yocto-patches; +Cc: Marta Rybczynska
From: Marta Rybczynska <marta.rybczynska@ygreky.com>
Update based on latest master configuration.
Changes:
- switch to kirkstone
- add required usrmerge feature to kas-security-alt configuration
- add whitespace around assignment
- add common dldir/sstate
- don't build apparmor in musl configs
- only enable ptest for the test image
- Update the kas configuration file versions to 19 to match kas 4.8.x.
- Change refspec to branch to remove deprecation warnings.
- Add quoting around URLs to match upstream examples.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
kas/kas-security-alt.yml | 4 ++--
kas/kas-security-base.yml | 21 +++++++++++++--------
kas/kas-security-dm.yml | 2 +-
kas/kas-security-parsec.yml | 4 ++--
kas/qemuarm64-musl.yml | 1 +
kas/qemux86-musl.yml | 1 +
kas/qemux86-test.yml | 4 ++++
7 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/kas/kas-security-alt.yml b/kas/kas-security-alt.yml
index 3ee9808..2a449c5 100644
--- a/kas/kas-security-alt.yml
+++ b/kas/kas-security-alt.yml
@@ -1,8 +1,8 @@
header:
- version: 9
+ version: 19
includes:
- kas-security-base.yml
local_conf_header:
alt: |
- DISTRO_FEATURES:append = " systemd"
+ INIT_MANAGER = "systemd"
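Review bot: The commit message says this configuration gains the required `usrmerge` feature, but the hunk only replaces `DISTRO_FEATURES:append = " systemd"` with `INIT_MANAGER = "systemd"`. If the intent is that poky's init-manager-systemd.inc pulls `usrmerge` in on its own, say so in the message; otherwise `DISTRO_FEATURES:append = " usrmerge"` is still missing from this file.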
diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml
index 3bf46db..78c0b04 100644
--- a/kas/kas-security-base.yml
+++ b/kas/kas-security-base.yml
@@ -1,5 +1,5 @@
header:
- version: 9
+ version: 19
distro: poky
@@ -13,16 +13,16 @@ repos:
meta-hardening:
poky:
- url: https://git.yoctoproject.org/git/poky
- refspec: master
+ url: "https://git.yoctoproject.org/git/poky"
+ branch: kirkstone
layers:
meta:
meta-poky:
meta-yocto-bsp:
-
+
meta-openembedded:
- url: http://git.openembedded.org/meta-openembedded
- refspec: master
+ url: "http://git.openembedded.org/meta-openembedded"
+ branch: kirkstone
layers:
meta-oe:
meta-perl:
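Review bot: `url: "http://git.openembedded.org/meta-openembedded"` keeps fetching the layer over plain HTTP while the poky entry in the same hunk uses HTTPS; the layer is build input, so use `https://git.openembedded.org/meta-openembedded` and remove the opportunity for tampering in transit. Note too that `branch: kirkstone` with no `commit:` tracks the moving branch tip, which is fine for CI but means two runs of the same configuration can build different sources.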
@@ -41,8 +41,8 @@ local_conf_header:
INHERIT += "report-error"
INHERIT += "testimage"
INHERIT += "rm_work"
- BB_NUMBER_THREADS="24"
- BB_NUMBER_PARSE_THREADS="12"
+ BB_NUMBER_THREADS = "24"
+ BB_NUMBER_PARSE_THREADS = "12"
BB_TASK_NICE_LEVEL = '5'
BB_TASK_NICE_LEVEL_task-testimage = '0'
BB_TASK_IONICE_LEVEL = '2.7'
@@ -52,6 +52,7 @@ local_conf_header:
PACKAGE_CLASSES = "package_ipk"
DISTRO_FEATURES:append = " security pam apparmor smack ima tpm tpm2"
+ DISTRO_FEATURES:remove = "ptest"
MACHINE_FEATURES:append = " tpm tpm2"
diskmon: |
@@ -65,6 +66,10 @@ local_conf_header:
ABORT,${SSTATE_DIR},100M,1K \
ABORT,/tmp,10M,1K"
+ dlsstate: |
+ DL_DIR = "/home/gitlab-runner/build/downloads"
+ SSTATE_DIR = "/home/gitlab-runner/build/sstate-cache"
+
bblayers_conf_header:
base: |
BBPATH = "${TOPDIR}"
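Review bot: `DL_DIR` and `SSTATE_DIR` are hardcoded to `/home/gitlab-runner/build/...`, which ties the shared base configuration to one runner's layout for anyone using these kas files outside that CI. kas already passes `DL_DIR` and `SSTATE_DIR` through from the environment, so setting them on the runner would avoid baking the paths into the repository. Since a shared sstate cache is trusted input for every build on that runner, its ownership and write permissions deserve the same care as the layer sources themselves.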
diff --git a/kas/kas-security-dm.yml b/kas/kas-security-dm.yml
index c03b336..fe74d25 100644
--- a/kas/kas-security-dm.yml
+++ b/kas/kas-security-dm.yml
@@ -1,5 +1,5 @@
header:
- version: 9
+ version: 19
includes:
- kas-security-base.yml
diff --git a/kas/kas-security-parsec.yml b/kas/kas-security-parsec.yml
index 9a009be..cb59fba 100644
--- a/kas/kas-security-parsec.yml
+++ b/kas/kas-security-parsec.yml
@@ -1,5 +1,5 @@
header:
- version: 9
+ version: 19
includes:
- kas-security-base.yml
@@ -10,7 +10,7 @@ repos:
meta-clang:
url: https://github.com/kraj/meta-clang.git
- refspec: master
+ branch: kirkstone
local_conf_header:
meta-parsec: |
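Review bot: `url: https://github.com/kraj/meta-clang.git` is left unquoted on the context line of this hunk while the commit message says URLs were quoted to match the upstream examples; quote it for consistency with the poky and meta-openembedded entries changed in kas-security-base.yml.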
diff --git a/kas/qemuarm64-musl.yml b/kas/qemuarm64-musl.yml
index b353eb4..f01f759 100644
--- a/kas/qemuarm64-musl.yml
+++ b/kas/qemuarm64-musl.yml
@@ -6,5 +6,6 @@ header:
local_conf_header:
musl: |
TCLIBC = "musl"
+ DISTRO_FEATURES:remove = "apparmor"
machine: qemuarm64
diff --git a/kas/qemux86-musl.yml b/kas/qemux86-musl.yml
index 61d9572..aa6572c 100644
--- a/kas/qemux86-musl.yml
+++ b/kas/qemux86-musl.yml
@@ -6,5 +6,6 @@ header:
local_conf_header:
musl: |
TCLIBC = "musl"
+ DISTRO_FEATURES:remove = "apparmor"
machine: qemux86
diff --git a/kas/qemux86-test.yml b/kas/qemux86-test.yml
index 83a5353..98f1e7f 100644
--- a/kas/qemux86-test.yml
+++ b/kas/qemux86-test.yml
@@ -3,4 +3,8 @@ header:
includes:
- kas-security-base.yml
+local_conf_header:
+ ptest: |
+ DISTRO_FEATURES:append = " ptest"
+
machine: qemux86
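Review bot: `DISTRO_FEATURES:append = " ptest"` here will not take effect, because kas-security-base.yml (included on the context line above) now sets `DISTRO_FEATURES:remove = "ptest"` in the same local.conf, and BitBake applies `:remove` after all `:append`/`:prepend` operations regardless of their order in the file. To make the test image the only one with ptest, drive the removal from a variable in the base, for example `PTEST_REMOVE ?= "ptest"` with `DISTRO_FEATURES:remove = "${PTEST_REMOVE}"`, and set `PTEST_REMOVE = ""` in this file instead of appending.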
--
2.51.0
* [meta-security][kirkstone][PATCH 4/9] chkrootkit: update SRC_URI
From: Scott Murray @ 2026-01-15 22:46 UTC
To: yocto-patches; +Cc: Marta Rybczynska
From: Armin Kuster <akuster808@gmail.com>
0.55 is no longer hosted at the main source. Use the Ubuntu archive.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
recipes-scanners/rootkits/chkrootkit_0.55.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-scanners/rootkits/chkrootkit_0.55.bb b/recipes-scanners/rootkits/chkrootkit_0.55.bb
index 20015a1..4293aec 100644
--- a/recipes-scanners/rootkits/chkrootkit_0.55.bb
+++ b/recipes-scanners/rootkits/chkrootkit_0.55.bb
@@ -5,7 +5,7 @@ SECTION = "security"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=fdbe53788f7081c63387d8087273f5ff"
-SRC_URI = "ftp://ftp.pangeia.com.br/pub/seg/pac/${BPN}.tar.gz"
+SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/c/${BPN}/${BPN}_${PV}.orig.tar.gz"
SRC_URI[sha256sum] = "a81c0286ec449313f953701202a00e81b204fc2cf43e278585a11c12a5e0258b"
inherit autotools-brokensep
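Review bot: The new `SRC_URI` fetches over plain `http://archive.ubuntu.com`; the unchanged `SRC_URI[sha256sum]` means the fetcher still rejects a tampered or different tarball (so the Ubuntu `.orig.tar.gz` must be byte-identical to the old upstream one, which leaving the checksum line untouched implies), but `https://` is preferable for the transport itself. Be aware too that files under `archive.ubuntu.com/ubuntu/pool` can disappear once the package leaves the archive, so a mirror entry may be needed again later.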
--
2.51.0
* [meta-security][kirkstone][PATCH 5/9] checksecurity: update to 2.0.16
From: Scott Murray @ 2026-01-15 22:46 UTC
To: yocto-patches; +Cc: Marta Rybczynska
From: Armin Kuster <akuster808@gmail.com>
Drop setuid-log-folder.patch, using sed instead.
Refresh patch check-setuid-use-more-portable-find-args.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
...rity_2.0.15.bb => checksecurity_2.0.16.bb} | 18 +++++--
...k-setuid-use-more-portable-find-args.patch | 16 +++---
.../files/setuid-log-folder.patch | 52 -------------------
3 files changed, 21 insertions(+), 65 deletions(-)
rename recipes-scanners/checksecurity/{checksecurity_2.0.15.bb => checksecurity_2.0.16.bb} (57%)
delete mode 100644 recipes-scanners/checksecurity/files/setuid-log-folder.patch
diff --git a/recipes-scanners/checksecurity/checksecurity_2.0.15.bb b/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
similarity index 57%
rename from recipes-scanners/checksecurity/checksecurity_2.0.15.bb
rename to recipes-scanners/checksecurity/checksecurity_2.0.16.bb
index e053a15..8006c9f 100644
--- a/recipes-scanners/checksecurity/checksecurity_2.0.15.bb
+++ b/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
@@ -4,14 +4,22 @@ SECTION = "security"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
-SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \
- file://setuid-log-folder.patch \
- file://check-setuid-use-more-portable-find-args.patch"
+SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}+nmu1.tar.gz \
+ file://check-setuid-use-more-portable-find-args.patch \
+ "
-SRC_URI[md5sum] = "a30161c3e24d3be710b2fd13fcd1f32f"
-SRC_URI[sha256sum] = "67abe3d6391c96146e96f376d3fd6eb7a9418b0f7fe205b465219889791dba32"
+SRC_URI[sha256sum] = "9803b3760e9ec48e06ebaf48cec081db48c6fe72254a476224e4c5c55ed97fb0"
+
+S = "${WORKDIR}/checksecurity-${PV}+nmu1"
+
+
+# allow for anylocal, no need to patch
+LOGDIR="/etc/checksecurity"
do_compile() {
+ sed -i -e "s;LOGDIR=/var/log/setuid;LOGDIR=${LOGDIR};g" ${B}/etc/check-setuid.conf
+ sed -i -e "s;LOGDIR=/var/log/setuid;LOGDIR=${LOGDIR};g" ${B}/plugins/check-setuid
+ sed -i -e "s;LOGDIR:=/var/log/setuid;LOGDIR:=${LOGDIR};g" ${B}/plugins/check-setuid
}
do_install() {
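Review bot: The three `sed -i` lines in `do_compile` silently do nothing if the upstream defaults stop matching `LOGDIR=/var/log/setuid` or `LOGDIR:=/var/log/setuid`, and the shipped package would then write its setuid baseline to the volatile `/var/log` that the deleted patch was avoiding; guard them, for example with `grep -q "LOGDIR=${LOGDIR}" ${B}/etc/check-setuid.conf || bbfatal "LOGDIR substitution failed"` after the edits. Smaller points: `LOGDIR="/etc/checksecurity"` lacks the spaces around `=` used elsewhere in the recipe, there are two blank lines after the `S =` assignment, and the comment `# allow for anylocal` reads as a typo for `any local`.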
diff --git a/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
index f1fe8ed..1a2f364 100644
--- a/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
+++ b/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
@@ -8,16 +8,16 @@ Signed-off-by: Christopher Larson <chris_larson@mentor.com>
plugins/check-setuid | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
-Index: checksecurity-2.0.15/plugins/check-setuid
+Index: checksecurity-2.0.16+nmu1/plugins/check-setuid
===================================================================
---- checksecurity-2.0.15.orig/plugins/check-setuid 2018-09-06 00:49:23.930934294 +0500
-+++ checksecurity-2.0.15/plugins/check-setuid 2018-09-06 00:49:49.694934757 +0500
-@@ -99,7 +99,7 @@
- ionice -t -c3 \
+--- checksecurity-2.0.16+nmu1.orig/plugins/check-setuid
++++ checksecurity-2.0.16+nmu1/plugins/check-setuid
+@@ -100,7 +100,7 @@ ionice -t -c3 \
find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \
+ -ignore_readdir_race \
-xdev $PATHCHK \
-- \( -type f -perm +06000 -o \( \( -type b -o -type c \) \
-+ \( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \
+- \( -type f -perm /06000 -o \( \( -type b -o -type c \) \
++ \( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \
$DEVCHK \) \) \
- -ignore_readdir_race \
-printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" |
+ sort -k 12 >$TMPSETUID
diff --git a/recipes-scanners/checksecurity/files/setuid-log-folder.patch b/recipes-scanners/checksecurity/files/setuid-log-folder.patch
deleted file mode 100644
index 540ea9c..0000000
--- a/recipes-scanners/checksecurity/files/setuid-log-folder.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 24dbeec135ff83f2fd35ef12fe9842f02d6fd337 Mon Sep 17 00:00:00 2001
-From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-Date: Thu, 20 Jun 2013 15:14:55 +0300
-Subject: [PATCH] changed log folder for check-setuid
-
-check-setuid was creating logs in /var/log directory,
-which cannot be created persistently. To avoid errors
-the log folder was changed to /etc/checksecurity/.
-
-Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
----
- etc/check-setuid.conf | 2 +-
- plugins/check-setuid | 6 +++---
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/etc/check-setuid.conf b/etc/check-setuid.conf
-index 621336f..e1532c0 100644
---- a/etc/check-setuid.conf
-+++ b/etc/check-setuid.conf
-@@ -116,4 +116,4 @@ CHECKSECURITY_PATHFILTER="-false"
- #
- # Location of setuid file databases.
- #
--LOGDIR=/var/log/setuid
-+LOGDIR=/etc/checksecurity/
-diff --git a/plugins/check-setuid b/plugins/check-setuid
-index 8d6f90b..bdb21c1 100755
---- a/plugins/check-setuid
-+++ b/plugins/check-setuid
-@@ -44,8 +44,8 @@ if [ `/usr/bin/id -u` != 0 ] ; then
- exit 1
- fi
-
--TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp
--TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp
-+TMPSETUID=${LOGDIR:=/etc/checksecurity/}/setuid.new.tmp
-+TMPDIFF=${LOGDIR:=/etc/checksecurity/}/setuid.diff.tmp
-
- #
- # Check for NFS/AFS mounts that are not nosuid/nodev
-@@ -75,7 +75,7 @@ if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then
- fi
-
- # Guard against undefined vars
--[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid
-+[ -z "$LOGDIR" ] && LOGDIR=/etc/checksecurity/
- if [ ! -e "$LOGDIR" ] ; then
- echo "ERROR: Log directory $LOGDIR does not exist"
- exit 1
---
-1.7.9.5
-
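Review bot: Deleting setuid-log-folder.patch also drops its explanation (the check-setuid database kept under `/var/log` cannot persist, hence `/etc/checksecurity/`), and the recipe's new one-line comment does not carry it; please move that rationale into the comment above `LOGDIR` in the recipe so a later reader knows why the sed edits exist and why the location must stay persistent.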
--
2.51.0
* [meta-security][kirkstone][PATCH 6/9] checksecurity: update the debian package
From: Scott Murray @ 2026-01-15 22:46 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
From: Marta Rybczynska <marta.rybczynska@ygreky.com>
The previously used package (nmu1) is no longer available; use the latest current
one (nmu3). The changelog between the two:
checksecurity (2.0.16+nmu3) unstable; urgency=medium
* Non-maintainer upload.
* Fix "missing required debian/rules targets build-arch and/or build-
indep": Add targets to debian/rules.
(Closes: #999082)
* Fix "Removal of obsolete debhelper compat 5 and 6 in bookworm":
Bump to 7 in debian/{compat,control}.
(Closes: #965448)
* Fix some grave packaging errors:
- move debhelper from Build-Depends-Indep to Build-Depends
- remove temporary files debian/postrm.debhelper and debian/substvars from
source package
-- gregor herrmann <gregoa@debian.org> Sun, 26 Dec 2021 01:56:10 +0100
checksecurity (2.0.16+nmu2) unstable; urgency=medium
* Non maintainer upload by the Reproducible Builds team.
* No source change upload to rebuild on buildd with .buildinfo files.
-- Holger Levsen <holger@debian.org> Fri, 01 Jan 2021 19:17:53 +0100
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(adapted from 828a78314f51b919baf638d64e8e12c0c0a408ad)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
recipes-scanners/checksecurity/checksecurity_2.0.16.bb | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/recipes-scanners/checksecurity/checksecurity_2.0.16.bb b/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
index 8006c9f..6a223f8 100644
--- a/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
+++ b/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
@@ -4,14 +4,13 @@ SECTION = "security"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
-SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}+nmu1.tar.gz \
+SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}+nmu3.tar.gz \
file://check-setuid-use-more-portable-find-args.patch \
"
-SRC_URI[sha256sum] = "9803b3760e9ec48e06ebaf48cec081db48c6fe72254a476224e4c5c55ed97fb0"
-
-S = "${WORKDIR}/checksecurity-${PV}+nmu1"
+SRC_URI[sha256sum] = "12b043dc7b38512cdf0735c7c147a4f9e60d83a397b5b8ec130c65ceddbe1a0c"
+S = "${WORKDIR}/checksecurity-${PV}+nmu3"
# allow for anylocal, no need to patch
LOGDIR="/etc/checksecurity"
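Review bot: the sha256sum line is the one that matters here; it should be checked against the checksum published in the Debian pool for checksecurity_2.0.16+nmu3.tar.gz before merge, and check-setuid-use-more-portable-find-args.patch (still listed in SRC_URI) should be confirmed to apply against the nmu3 tree, since the changelog quoted in the commit message only describes packaging changes. Minor: the blank line between SRC_URI[sha256sum] and S was dropped, which reads cramped next to the multi-line SRC_URI block above it; the LOGDIR value without a trailing slash is the right form.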
--
2.51.0
* [meta-security][kirkstone][PATCH 7/9] meta-security-compliance: Update lynis
From: Scott Murray @ 2026-01-15 22:46 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
Update the lynis SRC_URI to fix building, and while at it bump to 3.0.9,
which will hopefully be a transparent upgrade for anyone still on kirkstone.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
.../lynis/{lynis_3.0.0.bb => lynis_3.0.9.bb} | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
rename meta-security-compliance/recipes-auditors/lynis/{lynis_3.0.0.bb => lynis_3.0.9.bb} (84%)
diff --git a/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb b/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.9.bb
similarity index 84%
rename from meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb
rename to meta-security-compliance/recipes-auditors/lynis/lynis_3.0.9.bb
index f665e29..e72589e 100644
--- a/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb
+++ b/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.9.bb
@@ -6,9 +6,11 @@ HOMEDIR = "https://cisofy.com/"
LICENSE = "GPL-3.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
-SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"
+SRC_URI = "https://downloads.cisofy.com/lynis/archive/${BPN}-${PV}.tar.gz"
-SRC_URI[sha256sum] = "3cc165f9007ba41de6d0b693a1167dbaf0179085f9506dcba64b4b8e37e1bda2"
+SRC_URI[sha256sum] = "f394df7d20391fb76e975ae88f3eba1da05ac9c4945e2c7f709326e185e17025"
+
+UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
S = "${WORKDIR}/${BPN}"
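Review bot: UPSTREAM_CHECK is not a variable the upstream-version check code reads; the recognised names are UPSTREAM_CHECK_URI (plus UPSTREAM_CHECK_REGEX when the listing needs a pattern), so as written the added line is a no-op. Suggest `UPSTREAM_CHECK_URI = "https://downloads.cisofy.com/lynis"`. The new sha256sum should also be verified against the checksum CISOfy publishes for lynis-3.0.9.tar.gz, and since this is a 3.0.0 to 3.0.9 jump on a stable branch, a line in the commit message saying the package was built and run would help reviewers.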
--
2.51.0
* [meta-security][kirkstone][PATCH 8/9] sssd: Fix for CVE-2025-11561
From: Scott Murray @ 2026-01-15 22:46 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/a0336f4cd69c25b3d501a3d361d3d286c00da4d2]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
.../sssd/files/CVE-2025-11561.patch | 50 +++++++++++++++++++
recipes-security/sssd/sssd_2.5.2.bb | 1 +
2 files changed, 51 insertions(+)
create mode 100644 recipes-security/sssd/files/CVE-2025-11561.patch
diff --git a/recipes-security/sssd/files/CVE-2025-11561.patch b/recipes-security/sssd/files/CVE-2025-11561.patch
new file mode 100644
index 0000000..0bfed6d
--- /dev/null
+++ b/recipes-security/sssd/files/CVE-2025-11561.patch
@@ -0,0 +1,50 @@
+From a0336f4cd69c25b3d501a3d361d3d286c00da4d2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 10 Oct 2025 12:57:40 +0200
+Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a client is joined to AD or IPA SSSD's localauth plugin can handle
+the mapping of Kerberos principals to local accounts. In case it cannot
+map the Kerberos principals libkrb5 is currently configured to fall back
+to the default localauth plugins 'default', 'rule', 'names',
+'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
+All plugins except 'an2ln' require some explicit configuration by either
+the administrator or the local user. To avoid some unexpected mapping is
+done by the 'an2ln' plugin this patch disables it in the configuration
+snippets for SSSD's localauth plugin.
+
+Resolves: https://github.com/SSSD/sssd/issues/8021
+
+:relnote: After startup SSSD already creates a Kerberos configuration
+ snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
+ if the AD or IPA providers are used. This enables SSSD's localauth plugin.
+ Starting with this release the an2ln plugin is disabled in the
+ configuration snippet as well. If this file or its content are included in
+ the Kerberos configuration it will fix CVE-2025-11561.
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
+
+Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/a0336f4cd69c25b3d501a3d361d3d286c00da4d2]
+CVE: CVE-2025-11561
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/util/domain_info_utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index e131a5d96af..160e1711bcd 100644
+--- a/src/util/domain_info_utils.c
++++ b/src/util/domain_info_utils.c
+@@ -751,6 +751,7 @@ static errno_t sss_write_krb5_snippet_common(const char *file_name,
+ #define LOCALAUTH_PLUGIN_CONFIG \
+ "[plugins]\n" \
+ " localauth = {\n" \
++" disable = an2ln\n" \
+ " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
+ " }\n"
+
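Review bot: the one-line addition to LOCALAUTH_PLUGIN_CONFIG only takes effect if the snippet SSSD writes under /var/lib/sss/pubconf/krb5.include.d/ is actually pulled into the system krb5.conf, as the :relnote: paragraph states; it is worth confirming that the kirkstone sssd/krb5 configuration includes that directory, otherwise the CVE tag on the recipe would overstate what is fixed. The `disable = an2ln` key also relies on libkrb5 honouring per-plugin `disable` settings in the [plugins] section, so the krb5 version shipped with the layer should be checked against the krb5.conf(5) documentation the patch description refers to.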
diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb
index c07559c..43c31ee 100644
--- a/recipes-security/sssd/sssd_2.5.2.bb
+++ b/recipes-security/sssd/sssd_2.5.2.bb
@@ -25,6 +25,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g
file://musl_fixup.patch \
file://CVE-2021-3621.patch \
file://CVE-2023-3758.patch \
+ file://CVE-2025-11561.patch \
"
SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"
--
2.51.0
* [meta-security][kirkstone][PATCH 9/9] clamav: Fix for CVE-2024-20328
From: Scott Murray @ 2026-01-15 22:46 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport [https://github.com/Cisco-Talos/clamav/commit/fe7638287bb11419474ea314652404e7e9b314b2]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
recipes-scanners/clamav/clamav_0.104.0.bb | 1 +
.../clamav/files/CVE-2024-20328.patch | 153 ++++++++++++++++++
2 files changed, 154 insertions(+)
create mode 100644 recipes-scanners/clamav/files/CVE-2024-20328.patch
diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb
index 0a6b92a..39abda9 100644
--- a/recipes-scanners/clamav/clamav_0.104.0.bb
+++ b/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -21,6 +21,7 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.104;protocol=http
file://headers_fixup.patch \
file://oe_cmake_fixup.patch \
file://fix_systemd_socket.patch \
+ file://CVE-2024-20328.patch \
file://CVE-2024-20505.patch \
file://CVE-2024-20506.patch \
"
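Review bot: the new entry keeps the CVE patch list in numeric order, so its placement is fine; the thing to confirm is that the man page and clamd.conf.sample hunks of the attached patch apply at their stated offsets against the rel/0.104 branch named in SRC_URI, since the upstream commit is dated January 2024 and this recipe pins 0.104.0.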
diff --git a/recipes-scanners/clamav/files/CVE-2024-20328.patch b/recipes-scanners/clamav/files/CVE-2024-20328.patch
new file mode 100644
index 0000000..2f422cf
--- /dev/null
+++ b/recipes-scanners/clamav/files/CVE-2024-20328.patch
@@ -0,0 +1,153 @@
+From fe7638287bb11419474ea314652404e7e9b314b2 Mon Sep 17 00:00:00 2001
+From: Micah Snyder <micasnyd@cisco.com>
+Date: Wed, 10 Jan 2024 12:09:15 -0500
+Subject: [PATCH] ClamD: Disable VirusEvent '%f' feature, use environment var
+ instead
+
+The '%f' filename format character has been disabled and will no longer
+be replaced with the file name, due to command injection security concerns.
+Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
+
+For the same reason, you should NOT use the environment variables in the
+command directly, but should use it carefully from your executed script.
+
+Upstream-Status: Backport [https://github.com/Cisco-Talos/clamav/commit/fe7638287bb11419474ea314652404e7e9b314b2]
+CVE: CVE-2024-20328
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ clamd/clamd_others.c | 8 +++++---
+ common/optparser.c | 2 +-
+ docs/man/clamd.conf.5.in | 14 ++++++++++----
+ etc/clamd.conf.sample | 18 ++++++++++++------
+ win32/conf_examples/clamd.conf.sample | 18 ++++++++++++------
+ 5 files changed, 40 insertions(+), 20 deletions(-)
+
+diff --git a/clamd/clamd_others.c b/clamd/clamd_others.c
+index 23f3b022c7..32d0701a0d 100644
+--- a/clamd/clamd_others.c
++++ b/clamd/clamd_others.c
+@@ -101,6 +101,8 @@ void virusaction(const char *filename, const char *virname,
+ #define VE_FILENAME "CLAM_VIRUSEVENT_FILENAME"
+ #define VE_VIRUSNAME "CLAM_VIRUSEVENT_VIRUSNAME"
+
++#define FILENAME_DISABLED_MESSAGE "The filename format character has been disabled due to security concerns, use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead."
++
+ void virusaction(const char *filename, const char *virname,
+ const struct optstruct *opts)
+ {
+@@ -145,7 +147,7 @@ void virusaction(const char *filename, const char *virname,
+ }
+ len = strlen(opt->strarg);
+ buffer_cmd =
+- (char *)calloc(len + v * strlen(virname) + f * strlen(filename) + 1, sizeof(char));
++ (char *)calloc(len + v * strlen(virname) + f * strlen(FILENAME_DISABLED_MESSAGE) + 1, sizeof(char));
+ if (!buffer_cmd) {
+ if (path)
+ xfree(env[0]);
+@@ -160,8 +162,8 @@ void virusaction(const char *filename, const char *virname,
+ j += strlen(virname);
+ i++;
+ } else if (i + 1 < len && opt->strarg[i] == '%' && opt->strarg[i + 1] == 'f') {
+- strcat(buffer_cmd, filename);
+- j += strlen(filename);
++ strcat(buffer_cmd, FILENAME_DISABLED_MESSAGE);
++ j += strlen(FILENAME_DISABLED_MESSAGE);
+ i++;
+ } else {
+ buffer_cmd[j++] = opt->strarg[i];
+diff --git a/common/optparser.c b/common/optparser.c
+index a7bdbee064..1be7afe867 100644
+--- a/common/optparser.c
++++ b/common/optparser.c
+@@ -333,7 +333,7 @@ const struct clam_option __clam_options[] = {
+
+ {"DisableCache", "disable-cache", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option allows you to disable clamd's caching feature.", "no"},
+
+- {"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when a virus is found. In the command string %v will be\nreplaced with the virus name and %f will be replaced with the file name.\nAdditionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME\nand $CLAM_VIRUSEVENT_VIRUSNAME.", "/usr/bin/mailx -s \"ClamAV VIRUS ALERT: %v\" alert < /dev/null"},
++ {"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when virus is found.\nUse the following environment variables to identify the file and virus names:\n- $CLAM_VIRUSEVENT_FILENAME\n- $CLAM_VIRUSEVENT_VIRUSNAME\nIn the command string, '%v' will also be replaced with the virus name.\nNote: The '%f' filename format character has been disabled and will no longer\nbe replaced with the file name, due to command injection security concerns.\nUse the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.\nFor the same reason, you should NOT use the environment variables in the\ncommand directly, but should use it carefully from your executed script.", "/opt/send_virus_alert_sms.sh"},
+
+ {"ExitOnOOM", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Stop the daemon when libclamav reports an out of memory condition.", "yes"},
+
+diff --git a/docs/man/clamd.conf.5.in b/docs/man/clamd.conf.5.in
+index 2d9748a39e..a9926533b9 100644
+--- a/docs/man/clamd.conf.5.in
++++ b/docs/man/clamd.conf.5.in
+@@ -240,10 +240,16 @@ Enable non-blocking (multi-threaded/concurrent) database reloads. This feature w
+ Default: yes
+ .TP
+ \fBVirusEvent COMMAND\fR
+-Execute a command when a virus is found. In the command string %v will be
+-replaced with the virus name and %f will be replaced with the file name.
+-Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
+-and $CLAM_VIRUSEVENT_VIRUSNAME.
++Execute a command when virus is found.
++Use the following environment variables to identify the file and virus names:
++- $CLAM_VIRUSEVENT_FILENAME
++- $CLAM_VIRUSEVENT_VIRUSNAME
++In the command string, '%v' will also be replaced with the virus name.
++Note: The '%f' filename format character has been disabled and will no longer
++be replaced with the file name, due to command injection security concerns.
++Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
++For the same reason, you should NOT use the environment variables in the
++command directly, but should use it carefully from your executed script.
+ \fR
+ .br
+ Default: disabled
+diff --git a/etc/clamd.conf.sample b/etc/clamd.conf.sample
+index 37fb03bf20..54738128da 100644
+--- a/etc/clamd.conf.sample
++++ b/etc/clamd.conf.sample
+@@ -209,12 +209,18 @@ Example
+ # Default: yes
+ #ConcurrentDatabaseReload no
+
+-# Execute a command when virus is found. In the command string %v will
+-# be replaced with the virus name and %f will be replaced with the file name.
+-# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
+-# and $CLAM_VIRUSEVENT_VIRUSNAME.
+-# Default: no
+-#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
++# Execute a command when virus is found.
++# Use the following environment variables to identify the file and virus names:
++# - $CLAM_VIRUSEVENT_FILENAME
++# - $CLAM_VIRUSEVENT_VIRUSNAME
++# In the command string, '%v' will also be replaced with the virus name.
++# Note: The '%f' filename format character has been disabled and will no longer
++# be replaced with the file name, due to command injection security concerns.
++# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
++# For the same reason, you should NOT use the environment variables in the
++# command directly, but should use it carefully from your executed script.
++# Default: no
++#VirusEvent /opt/send_virus_alert_sms.sh
+
+ # Run as another user (clamd must be started by root for this option to work)
+ # Default: don't drop privileges
+diff --git a/win32/conf_examples/clamd.conf.sample b/win32/conf_examples/clamd.conf.sample
+index 5a8a9cfeae..a4813f99cb 100644
+--- a/win32/conf_examples/clamd.conf.sample
++++ b/win32/conf_examples/clamd.conf.sample
+@@ -182,12 +182,18 @@ TCPAddr localhost
+ # Default: yes
+ #ConcurrentDatabaseReload no
+
+-# Execute a command when virus is found. In the command string %v will
+-# be replaced with the virus name and %f will be replaced with the file name.
+-# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
+-# and $CLAM_VIRUSEVENT_VIRUSNAME.
+-# Default: no
+-#VirusEvent "C:\example\SendEmail.ps1" email@addresscom "VIRUS ALERT: %v in %f"
++# Execute a command when virus is found.
++# Use the following environment variables to identify the file and virus names:
++# - $CLAM_VIRUSEVENT_FILENAME
++# - $CLAM_VIRUSEVENT_VIRUSNAME
++# In the command string, '%v' will also be replaced with the virus name.
++# Note: The '%f' filename format character has been disabled and will no longer
++# be replaced with the file name, due to command injection security concerns.
++# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
++# For the same reason, you should NOT use the environment variables in the
++# command directly, but should use it carefully from your executed script.
++# Default: no
++#VirusEvent "C:\example\SendVirusAlertEmail.ps1"
+
+ # Run as another user (clamd must be started by root for this option to work)
+ # Default: don't drop privileges
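Review bot: the core change is internally consistent: the calloc size in virusaction() now reserves strlen(FILENAME_DISABLED_MESSAGE) per '%f' occurrence (the f counter) and the strcat in the format loop writes that same string, so the buffer arithmetic still matches and the scanned file name no longer enters the shell command string at all. Two things to flag: the replacement message contains single quotes around 'CLAM_VIRUSEVENT_FILENAME', so an existing VirusEvent line that wrapped %f in single quotes will end up with unbalanced quoting rather than a clean placeholder, which should be called out for kirkstone users who configured %f; and CLAM_VIRUSEVENT_FILENAME/CLAM_VIRUSEVENT_VIRUSNAME are still exported unchanged, which is the intended channel, but the advice to consume them inside a script rather than expanding them on the command line is documentation only, so any clamd.conf shipped by the layer should be checked for a %f or $CLAM_VIRUSEVENT_FILENAME usage.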
--
2.51.0