public inbox for openembedded-core@lists.openembedded.org
* [OE-core][dunfell 00/11] Patch review
@ 2021-04-08 16:31 Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 01/11] selftest/reproducible: enable world reproducibility test Steve Sakoman
                   ` (10 more replies)
  0 siblings, 11 replies; 23+ messages in thread
From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw)
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back by
end of day Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2031

except for a known autobuilder intermittent issue on qemuppc which passed on
subsequent retest:

https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/3261

The following changes since commit d044d9c0cb672c499059eb273e399ce4aee17e0d:

  image,populate_sdk_base: move 'func' flag setting for sdk command vars (2021-04-02 04:21:56 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (3):
  selftest/reproducible: enable world reproducibility test
  selftest/reproducible: add an exclusion list for items that are not
    yet reproducible
  selftest/reproducible: track unusued entries in the exclusion list

Guillaume Champagne (1):
  image-live.bbclass: optional depends when ROOTFS empty

Mike Crowe (1):
  curl: Patch CVE-2021-22876 & CVE-2021-22890

Peter Morrow (2):
  goarch: map target os to windows for mingw* TARGET_OS
  go_1.14: don't set -buildmode=pie when building for windows targets

Richard Purdie (3):
  selftest/reproducible: Sort the unused exclusion list
  diffoscope: Upgrade 136 -> 168
  diffoscope: Upgrade 168 -> 172

Steve Sakoman (1):
  selftest/reproducible: adjust exclusion list for dunfell

 meta/classes/go.bbclass                       |   8 +-
 meta/classes/goarch.bbclass                   |   2 +
 meta/classes/image-live.bbclass               |   2 +-
 meta/lib/oeqa/selftest/cases/reproducible.py  |  80 ++-
 meta/recipes-devtools/go/go_1.14.bb           |   8 +-
 .../curl/curl/CVE-2021-22876.patch            |  59 +++
 .../curl/curl/CVE-2021-22890.patch            | 464 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   2 +
 .../{diffoscope_136.bb => diffoscope_172.bb}  |  15 +-
 9 files changed, 620 insertions(+), 20 deletions(-)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22876.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22890.patch
 rename meta/recipes-support/diffoscope/{diffoscope_136.bb => diffoscope_172.bb} (46%)

-- 
2.25.1



* [OE-core][dunfell 01/11] selftest/reproducible: enable world reproducibility test
  2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman
@ 2021-04-08 16:31 ` Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 02/11] selftest/reproducible: add an exclusion list for items that are not yet reproducible Steve Sakoman
                   ` (9 subsequent siblings)
  10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex.kanavin@gmail.com>

Add systemd and pam distro features, and commercial license flag
to include more recipes into the world set.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ed8f94942c07784f9f6eef5c00b75aa9b398ea5e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/selftest/cases/reproducible.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py
index f570958f80..4b60b2e1b0 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -83,7 +83,7 @@ class ReproducibleTests(OESelftestTestCase):
     package_classes = ['deb', 'ipk']
 
     # targets are the things we want to test the reproducibility of
-    targets = ['core-image-minimal', 'core-image-sato', 'core-image-full-cmdline']
+    targets = ['core-image-minimal', 'core-image-sato', 'core-image-full-cmdline', 'world']
     # sstate targets are things to pull from sstate to potentially cut build/debugging time
     sstate_targets = []
     save_results = False
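Review bot: Adding 'world' to targets in this hunk makes the test compare every world package, but this commit has no way to tolerate packages that are not yet reproducible, so the test can be expected to fail at this point in the series until the exclusion list from 02/11 is applied. Say so in the commit message, or order the exclusion-list change first, so that a bisect through the series does not stop here.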
@@ -156,6 +156,8 @@ class ReproducibleTests(OESelftestTestCase):
             PACKAGE_CLASSES = "{package_classes}"
             INHIBIT_PACKAGE_STRIP = "1"
             TMPDIR = "{tmpdir}"
+            LICENSE_FLAGS_WHITELIST = "commercial"
+            DISTRO_FEATURES_append = ' systemd pam'
             ''').format(package_classes=' '.join('package_%s' % c for c in self.package_classes),
                         tmpdir=tmpdir)
 
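Review bot: The two settings added to the generated configuration have no comment saying why the test needs them, and they use different quoting (double quotes for LICENSE_FLAGS_WHITELIST, single quotes for DISTRO_FEATURES_append) while the neighbouring lines use double quotes. A one-line comment that they widen the world set, as the commit message explains, plus consistent quoting would help the next reader.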
-- 
2.25.1



* [OE-core][dunfell 02/11] selftest/reproducible: add an exclusion list for items that are not yet reproducible
  2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 01/11] selftest/reproducible: enable world reproducibility test Steve Sakoman
@ 2021-04-08 16:31 ` Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 03/11] selftest/reproducible: adjust exclusion list for dunfell Steve Sakoman
                   ` (8 subsequent siblings)
  10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex.kanavin@gmail.com>

Hopefully over time this list will be reduced to an empty one.

Non-reproducible excluded packages are not given to diffoscope and do not cause a
failure, but are still saved side-by-side with non-reproducible failing ones to make
investigation easier.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 406bd0d48d8f90e2c836f7d3e204f21d5f13c833)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/selftest/cases/reproducible.py | 82 +++++++++++++++++++-
 1 file changed, 79 insertions(+), 3 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py
index 4b60b2e1b0..cf0375c8a1 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -17,6 +17,72 @@ import stat
 import os
 import datetime
 
+# For sample packages, see:
+# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-0t7wr_oo/
+# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-4s9ejwyp/
+# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-haiwdlbr/
+# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-hwds3mcl/
+# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201203-sua0pzvc/
+# (both packages/ and packages-excluded/)
+exclude_packages = [
+	'acpica-src',
+	'babeltrace2-ptest',
+	'bootchart2-doc',
+	'cups',
+	'cwautomacros',
+	'dtc',
+	'efivar',
+	'epiphany',
+	'gcr',
+	'git',
+	'glide',
+	'go-dep',
+	'go-helloworld',
+	'go-runtime',
+	'go_',
+	'groff',
+	'gst-devtools',
+	'gstreamer1.0-python',
+	'gtk-doc',
+	'igt-gpu-tools',
+        'kernel-devsrc',
+	'libaprutil',
+	'libcap-ng',
+	'libhandy-1-src',
+	'libid3tag',
+	'libproxy',
+	'libsecret-dev',
+	'libsecret-src',
+	'lttng-tools-dbg',
+	'lttng-tools-ptest',
+	'ltp',
+	'meson',
+	'ovmf-shell-efi',
+	'parted-ptest',
+	'perf',
+	'python3-cython',
+	'qemu',
+	'quilt-ptest',
+	'rsync',
+	'ruby',
+	'spirv-tools-dev',
+	'swig',
+	'syslinux-misc',
+	'systemd-bootchart',
+	'valgrind-ptest',
+	'vim',
+	'watchdog',
+	'xmlto',
+	'xorg-minimal-fonts'
+	]
+
+def is_excluded(package):
+    package_name = os.path.basename(package)
+    for i in exclude_packages:
+        if package_name.startswith(i):
+            return True
+    return False
+
 MISSING = 'MISSING'
 DIFFERENT = 'DIFFERENT'
 SAME = 'SAME'
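Review bot: is_excluded() matches with package_name.startswith(i), so short entries such as 'git', 'vim', 'perf', 'qemu' or 'ruby' also exclude every other package whose file name merely begins with those letters, and a reproducibility regression in such a package would be counted as excluded instead of failing the test. Match on the package name rather than a raw prefix, or add a comment that the entries are deliberate prefixes. The 'kernel-devsrc' line is also indented with spaces while the rest of the list uses tabs.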
@@ -39,6 +105,7 @@ class PackageCompareResults(object):
         self.total = []
         self.missing = []
         self.different = []
+        self.different_excluded = []
         self.same = []
 
     def add_result(self, r):
@@ -46,7 +113,10 @@ class PackageCompareResults(object):
         if r.status == MISSING:
             self.missing.append(r)
         elif r.status == DIFFERENT:
-            self.different.append(r)
+            if is_excluded(r.reference):
+                self.different_excluded.append(r)
+            else:
+                self.different.append(r)
         else:
             self.same.append(r)
 
@@ -54,10 +124,11 @@ class PackageCompareResults(object):
         self.total.sort()
         self.missing.sort()
         self.different.sort()
+        self.different_excluded.sort()
         self.same.sort()
 
     def __str__(self):
-        return 'same=%i different=%i missing=%i total=%i' % (len(self.same), len(self.different), len(self.missing), len(self.total))
+        return 'same=%i different=%i different_excluded=%i missing=%i total=%i' % (len(self.same), len(self.different), len(self.different_excluded), len(self.missing), len(self.total))
 
 def compare_file(reference, test, diffutils_sysroot):
     result = CompareResult()
@@ -226,6 +297,7 @@ class ReproducibleTests(OESelftestTestCase):
 
                 self.write_package_list(package_class, 'missing', result.missing)
                 self.write_package_list(package_class, 'different', result.different)
+                self.write_package_list(package_class, 'different_excluded', result.different_excluded)
                 self.write_package_list(package_class, 'same', result.same)
 
                 if self.save_results:
@@ -233,8 +305,12 @@ class ReproducibleTests(OESelftestTestCase):
                         self.copy_file(d.reference, '/'.join([save_dir, 'packages', strip_topdir(d.reference)]))
                         self.copy_file(d.test, '/'.join([save_dir, 'packages', strip_topdir(d.test)]))
 
+                    for d in result.different_excluded:
+                        self.copy_file(d.reference, '/'.join([save_dir, 'packages-excluded', strip_topdir(d.reference)]))
+                        self.copy_file(d.test, '/'.join([save_dir, 'packages-excluded', strip_topdir(d.test)]))
+
                 if result.missing or result.different:
-                    fails.append("The following %s packages are missing or different: %s" %
+                    fails.append("The following %s packages are missing or different and not in exclusion list: %s" %
                             (c, '\n'.join(r.test for r in (result.missing + result.different))))
 
         # Clean up empty directories
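Review bot: The new loop over result.different_excluded repeats the two copy_file() calls of the loop above it with only the 'packages-excluded' directory name changed. A small helper taking the result list and the directory name would keep the two paths from drifting apart. The failure condition still tests only result.missing or result.different, which is consistent with the reworded message.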
-- 
2.25.1



* [OE-core][dunfell 03/11] selftest/reproducible: adjust exclusion list for dunfell
  2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 01/11] selftest/reproducible: enable world reproducibility test Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 02/11] selftest/reproducible: add an exclusion list for items that are not yet reproducible Steve Sakoman
@ 2021-04-08 16:31 ` Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 04/11] selftest/reproducible: track unusued entries in the exclusion list Steve Sakoman
                   ` (7 subsequent siblings)
  10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/selftest/cases/reproducible.py | 32 ++++++--------------
 1 file changed, 10 insertions(+), 22 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py
index cf0375c8a1..c023c92d5d 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -27,11 +27,8 @@ import datetime
 exclude_packages = [
 	'acpica-src',
 	'babeltrace2-ptest',
+	'bind',
 	'bootchart2-doc',
-	'cups',
-	'cwautomacros',
-	'dtc',
-	'efivar',
 	'epiphany',
 	'gcr',
 	'git',
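Review bot: The commit message gives no reason for the entries added and removed here, so a reader cannot tell whether 'bind' is listed because it is known to be non-reproducible on dunfell or for some other reason. A sentence on how the dunfell list was derived would make later trimming of the list safer.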
@@ -40,40 +37,31 @@ exclude_packages = [
 	'go-helloworld',
 	'go-runtime',
 	'go_',
-	'groff',
-	'gst-devtools',
 	'gstreamer1.0-python',
-	'gtk-doc',
-	'igt-gpu-tools',
+	'hwlatdetect',
         'kernel-devsrc',
 	'libaprutil',
 	'libcap-ng',
-	'libhandy-1-src',
-	'libid3tag',
+	'libjson',
 	'libproxy',
-	'libsecret-dev',
-	'libsecret-src',
+	'lsb-release',
 	'lttng-tools-dbg',
 	'lttng-tools-ptest',
 	'ltp',
-	'meson',
 	'ovmf-shell-efi',
 	'parted-ptest',
 	'perf',
-	'python3-cython',
+	'piglit',
+	'pybootchartgui',
 	'qemu',
-	'quilt-ptest',
+	"rpm",
 	'rsync',
 	'ruby',
-	'spirv-tools-dev',
-	'swig',
-	'syslinux-misc',
+	'stress-ng',
 	'systemd-bootchart',
-	'valgrind-ptest',
+	'systemtap',
 	'vim',
-	'watchdog',
-	'xmlto',
-	'xorg-minimal-fonts'
+	'webkitgtk',
 	]
 
 def is_excluded(package):
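Review bot: The added "rpm" entry uses double quotes while every other entry in the list uses single quotes; change it to 'rpm' for consistency. Since is_excluded() matches by prefix, short additions such as 'rpm' and 'bind' also cover any other package whose name starts with those strings, so confirm that this breadth is intended.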
-- 
2.25.1



* [OE-core][dunfell 04/11] selftest/reproducible: track unusued entries in the exclusion list
  2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman
                   ` (2 preceding siblings ...)
  2021-04-08 16:31 ` [OE-core][dunfell 03/11] selftest/reproducible: adjust exclusion list for dunfell Steve Sakoman
@ 2021-04-08 16:31 ` Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 05/11] selftest/reproducible: Sort the unused " Steve Sakoman
                   ` (6 subsequent siblings)
  10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex.kanavin@gmail.com>

This helps with trimming down the list, and towards 100% reproducibility :)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit da7a173d7a01524229c8515326465968a845e96f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/selftest/cases/reproducible.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py
index c023c92d5d..b331c3dedf 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -68,8 +68,8 @@ def is_excluded(package):
     package_name = os.path.basename(package)
     for i in exclude_packages:
         if package_name.startswith(i):
-            return True
-    return False
+            return i
+    return None
 
 MISSING = 'MISSING'
 DIFFERENT = 'DIFFERENT'
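Review bot: is_excluded() now returns the matching list entry or None rather than a bool, but keeps a name that reads as a predicate. Add a docstring stating the return value, or rename the function, so callers do not assume a boolean.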
@@ -95,14 +95,17 @@ class PackageCompareResults(object):
         self.different = []
         self.different_excluded = []
         self.same = []
+        self.active_exclusions = set()
 
     def add_result(self, r):
         self.total.append(r)
         if r.status == MISSING:
             self.missing.append(r)
         elif r.status == DIFFERENT:
-            if is_excluded(r.reference):
+            exclusion = is_excluded(r.reference)
+            if exclusion:
                 self.different_excluded.append(r)
+                self.active_exclusions.add(exclusion)
             else:
                 self.different.append(r)
         else:
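Review bot: 'if exclusion:' tests the truthiness of the returned string, while the function signals no match with None; 'if exclusion is not None:' states the intent exactly. Also note that active_exclusions is only updated in the DIFFERENT branch, so an entry whose package ends up MISSING will be reported as unused.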
@@ -116,7 +119,10 @@ class PackageCompareResults(object):
         self.same.sort()
 
     def __str__(self):
-        return 'same=%i different=%i different_excluded=%i missing=%i total=%i' % (len(self.same), len(self.different), len(self.different_excluded), len(self.missing), len(self.total))
+        return 'same=%i different=%i different_excluded=%i missing=%i total=%i\nunused_exclusions=%s' % (len(self.same), len(self.different), len(self.different_excluded), len(self.missing), len(self.total), self.unused_exclusions())
+
+    def unused_exclusions(self):
+        return set(exclude_packages) - self.active_exclusions
 
 def compare_file(reference, test, diffutils_sysroot):
     result = CompareResult()
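Review bot: __str__ now embeds a newline and formats a raw set, so the summary spans two lines and the order of unused_exclusions can vary between runs. Any caller that logs str(result) as a single line is affected by the newline; returning a sorted list from unused_exclusions() would make the output stable.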
-- 
2.25.1



* [OE-core][dunfell 05/11] selftest/reproducible: Sort the unused exclusion list
  2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman
                   ` (3 preceding siblings ...)
  2021-04-08 16:31 ` [OE-core][dunfell 04/11] selftest/reproducible: track unusued entries in the exclusion list Steve Sakoman
@ 2021-04-08 16:31 ` Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 06/11] diffoscope: Upgrade 136 -> 168 Steve Sakoman
                   ` (5 subsequent siblings)
  10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

This makes comparisons between lists easier.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d2c52125d1cdc06c7e08d507ca68f3e4612a4314)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/selftest/cases/reproducible.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py
index b331c3dedf..f5e3bff5a4 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -122,7 +122,7 @@ class PackageCompareResults(object):
         return 'same=%i different=%i different_excluded=%i missing=%i total=%i\nunused_exclusions=%s' % (len(self.same), len(self.different), len(self.different_excluded), len(self.missing), len(self.total), self.unused_exclusions())
 
     def unused_exclusions(self):
-        return set(exclude_packages) - self.active_exclusions
+        return sorted(set(exclude_packages) - self.active_exclusions)
 
 def compare_file(reference, test, diffutils_sysroot):
     result = CompareResult()
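Review bot: unused_exclusions() now returns a list instead of a set. The use visible here is the %s in __str__, where that is fine, but a short docstring giving the return type would avoid surprises if the result is later used in set operations.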
-- 
2.25.1



* [OE-core][dunfell 06/11] diffoscope: Upgrade 136 -> 168
  2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman
                   ` (4 preceding siblings ...)
  2021-04-08 16:31 ` [OE-core][dunfell 05/11] selftest/reproducible: Sort the unused " Steve Sakoman
@ 2021-04-08 16:31 ` Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 07/11] diffoscope: Upgrade 168 -> 172 Steve Sakoman
                   ` (4 subsequent siblings)
  10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Needed to support reproducible build testing on autobuilder

Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../{diffoscope_136.bb => diffoscope_168.bb}      | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
 rename meta/recipes-support/diffoscope/{diffoscope_136.bb => diffoscope_168.bb} (46%)

diff --git a/meta/recipes-support/diffoscope/diffoscope_136.bb b/meta/recipes-support/diffoscope/diffoscope_168.bb
similarity index 46%
rename from meta/recipes-support/diffoscope/diffoscope_136.bb
rename to meta/recipes-support/diffoscope/diffoscope_168.bb
index e699d15e90..00a8195c84 100644
--- a/meta/recipes-support/diffoscope/diffoscope_136.bb
+++ b/meta/recipes-support/diffoscope/diffoscope_168.bb
@@ -1,10 +1,5 @@
 SUMMARY = "in-depth comparison of files, archives, and directories"
-DESCRIPTION = "Tries to get to the bottom of what makes files or directories \
-different. It will recursively unpack archives of many kinds and transform \
-various binary formats into more human-readable form to compare them. \
-It can compare two tarballs, ISO images, or PDF just as easily."
 HOMEPAGE = "https://diffoscope.org/"
-BUGTRACKER = "https://salsa.debian.org/reproducible-builds/diffoscope/-/issues"
 LICENSE = "GPL-3.0+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
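Review bot: This version bump also deletes DESCRIPTION and BUGTRACKER, which is unrelated to moving from 136 to 168 and loses recipe metadata. Keep both variables unless there is a reason to drop them, and state that reason in the commit message if there is one.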
@@ -12,12 +7,18 @@ PYPI_PACKAGE = "diffoscope"
 
 inherit pypi setuptools3
 
-SRC_URI[md5sum] = "c84d8d308a40176ba2f5dc4abdbf6f73"
-SRC_URI[sha256sum] = "0d6486d6eb6e0445ba21fee2e8bdd3a366ce786bfac98e00e5a95038b7815f15"
+SRC_URI[sha256sum] = "c6f1dc3e75b7e2e5ceac4f857fbd2ee0ddb3f0169c2b39ea9187af34208e98de"
 
 RDEPENDS_${PN} += "binutils vim squashfs-tools python3-libarchive-c python3-magic"
 
 # Dependencies don't build for musl
 COMPATIBLE_HOST_libc-musl = 'null'
 
+do_install_append_class-native() {
+	create_wrapper ${D}${bindir}/diffoscope \
+		MAGIC=${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc \
+		RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \
+		RPM_ETCCONFIGDIR=${STAGING_DIR_NATIVE}
+}
+
 BBCLASSEXTEND = "native"
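Review bot: do_install_append_class-native wraps diffoscope with MAGIC, RPM_CONFIGDIR and RPM_ETCCONFIGDIR but carries no comment on why the native tool needs these variables. A short comment above the function, naming what fails without the wrapper, would help whoever next touches the recipe.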
-- 
2.25.1



* [OE-core][dunfell 07/11] diffoscope: Upgrade 168 -> 172
  2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman
                   ` (5 preceding siblings ...)
  2021-04-08 16:31 ` [OE-core][dunfell 06/11] diffoscope: Upgrade 136 -> 168 Steve Sakoman
@ 2021-04-08 16:31 ` Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 08/11] curl: Patch CVE-2021-22876 & CVE-2021-22890 Steve Sakoman
                   ` (3 subsequent siblings)
  10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

In particular 170 includes rpm header fixes which stop the webpages
for rpm diffs breaking web browsers and are important in the context
of the autobuilder.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 275738c3f2116de9b812b46e00d80b4de6975d7f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../diffoscope/{diffoscope_168.bb => diffoscope_172.bb}         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-support/diffoscope/{diffoscope_168.bb => diffoscope_172.bb} (88%)

diff --git a/meta/recipes-support/diffoscope/diffoscope_168.bb b/meta/recipes-support/diffoscope/diffoscope_172.bb
similarity index 88%
rename from meta/recipes-support/diffoscope/diffoscope_168.bb
rename to meta/recipes-support/diffoscope/diffoscope_172.bb
index 00a8195c84..eb85d6c854 100644
--- a/meta/recipes-support/diffoscope/diffoscope_168.bb
+++ b/meta/recipes-support/diffoscope/diffoscope_172.bb
@@ -7,7 +7,7 @@ PYPI_PACKAGE = "diffoscope"
 
 inherit pypi setuptools3
 
-SRC_URI[sha256sum] = "c6f1dc3e75b7e2e5ceac4f857fbd2ee0ddb3f0169c2b39ea9187af34208e98de"
+SRC_URI[sha256sum] = "5ffe7f38555c6409bc7e7edc277ed77dd78641fe1306fc38d153dbbe445ddea4"
 
 RDEPENDS_${PN} += "binutils vim squashfs-tools python3-libarchive-c python3-magic"
 
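Review bot: The only content change is the SRC_URI[sha256sum] value, which cannot be validated from the diff itself. Confirm the digest against the upstream 172 release before merging, and consider recording in the commit message where it was taken from.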
-- 
2.25.1



* [OE-core][dunfell 08/11] curl: Patch CVE-2021-22876 & CVE-2021-22890
  2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman
                   ` (6 preceding siblings ...)
  2021-04-08 16:31 ` [OE-core][dunfell 07/11] diffoscope: Upgrade 168 -> 172 Steve Sakoman
@ 2021-04-08 16:31 ` Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 09/11] image-live.bbclass: optional depends when ROOTFS empty Steve Sakoman
                   ` (2 subsequent siblings)
  10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw)
  To: openembedded-core

From: Mike Crowe <mac@mcrowe.com>

Take patches from Ubuntu 20.04 7.68.0-1ubuntu2.5, which is close enough
that they apply without conflicts.

Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../curl/curl/CVE-2021-22876.patch            |  59 +++
 .../curl/curl/CVE-2021-22890.patch            | 464 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   2 +
 3 files changed, 525 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22876.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22890.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22876.patch b/meta/recipes-support/curl/curl/CVE-2021-22876.patch
new file mode 100644
index 0000000000..fc396aabef
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22876.patch
@@ -0,0 +1,59 @@
+transfer: strip credentials from the auto-referer header field
+
+CVE-2021-22876
+
+Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5.
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+Upstream-Status: backport
+---
+ lib/transfer.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index e76834eb3..744e1c00b 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1570,6 +1570,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
+       data->set.followlocation++; /* count location-followers */
+ 
+       if(data->set.http_auto_referer) {
++        CURLU *u;
++        char *referer;
++
+         /* We are asked to automatically set the previous URL as the referer
+            when we get the next URL. We pick the ->url field, which may or may
+            not be 100% correct */
+@@ -1579,9 +1582,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
+           data->change.referer_alloc = FALSE;
+         }
+ 
+-        data->change.referer = strdup(data->change.url);
+-        if(!data->change.referer)
++        /* Make a copy of the URL without crenditals and fragment */
++        u = curl_url();
++        if(!u)
++          return CURLE_OUT_OF_MEMORY;
++
++        uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++        if(!uc)
++          uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++        curl_url_cleanup(u);
++
++        if(uc || referer == NULL)
+           return CURLE_OUT_OF_MEMORY;
++
++        data->change.referer = referer;
+         data->change.referer_alloc = TRUE; /* yes, free this later */
+       }
+     }
+-- 
+2.20.1
+
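Review bot: The patch header carries the CVE as a bare 'CVE-2021-22876' line and 'Upstream-Status: backport' with no reference to the upstream commit, and it has no Signed-off-by. OE-core patch headers normally use 'CVE: CVE-2021-22876', 'Upstream-Status: Backport [<source>]' and a sign-off so that tooling and later maintainers can track the fix. In the code, the added block returns CURLE_OUT_OF_MEMORY for any non-zero uc, including a failure from curl_url_set() on the URL itself, and the new comment misspells 'credentials' as 'crenditals'. uc is not declared in the added lines, so check that it is already in scope in Curl_follow() for 7.69.1.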
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22890.patch b/meta/recipes-support/curl/curl/CVE-2021-22890.patch
new file mode 100644
index 0000000000..8c0ecbfe7f
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22890.patch
@@ -0,0 +1,464 @@
+vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+
+To make sure we set and extract the correct session.
+
+Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5.
+
+CVE-2021-22890
+
+Reported-by: Mingtao Yang
+Bug: https://curl.se/docs/CVE-2021-22890.html
+Upstream-Status: backport
+---
+ lib/vtls/bearssl.c   |  9 +++++---
+ lib/vtls/gtls.c      |  9 +++++---
+ lib/vtls/mbedtls.c   |  8 ++++---
+ lib/vtls/mesalink.c  |  9 +++++---
+ lib/vtls/openssl.c   | 52 ++++++++++++++++++++++++++++++++++----------
+ lib/vtls/schannel.c  | 10 +++++----
+ lib/vtls/sectransp.c |  9 ++++----
+ lib/vtls/vtls.c      |  9 ++++++--
+ lib/vtls/vtls.h      |  2 ++
+ lib/vtls/wolfssl.c   |  8 ++++---
+ 10 files changed, 88 insertions(+), 37 deletions(-)
+
+diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
+index 67f945831..32cb0a4c2 100644
+--- a/lib/vtls/bearssl.c
++++ b/lib/vtls/bearssl.c
+@@ -372,7 +372,8 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex)
+     void *session;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &session, NULL, sockindex)) {
+       br_ssl_engine_set_session_parameters(&BACKEND->ctx.eng, session);
+       infof(data, "BearSSL: re-using session ID\n");
+     }
+@@ -560,10 +561,12 @@ static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex)
+       return CURLE_OUT_OF_MEMORY;
+     br_ssl_engine_get_session_parameters(&BACKEND->ctx.eng, session);
+     Curl_ssl_sessionid_lock(conn);
+-    incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex));
++    incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                                      &oldsession, NULL, sockindex));
+     if(incache)
+       Curl_ssl_delsessionid(conn, oldsession);
+-    ret = Curl_ssl_addsessionid(conn, session, 0, sockindex);
++    ret = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                                session, 0, sockindex);
+     Curl_ssl_sessionid_unlock(conn);
+     if(ret) {
+       free(session);
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 5f740eeba..46e149c7d 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -937,7 +937,8 @@ gtls_connect_step1(struct connectdata *conn,
+     size_t ssl_idsize;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) {
++    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, &ssl_idsize, sockindex)) {
+       /* we got a session id, use it! */
+       gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
+ 
+@@ -1485,7 +1486,8 @@ gtls_connect_step3(struct connectdata *conn,
+       gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
+ 
+       Curl_ssl_sessionid_lock(conn);
+-      incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL,
++      incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                                        &ssl_sessionid, NULL,
+                                         sockindex));
+       if(incache) {
+         /* there was one before in the cache, so instead of risking that the
+@@ -1494,7 +1496,8 @@ gtls_connect_step3(struct connectdata *conn,
+       }
+ 
+       /* store this session id */
+-      result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize,
++      result = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                                     connect_sessionid, connect_idsize,
+                                      sockindex);
+       Curl_ssl_sessionid_unlock(conn);
+       if(result) {
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index f057315f3..19df8478e 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -453,7 +453,8 @@ mbed_connect_step1(struct connectdata *conn,
+     void *old_session = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &old_session, NULL, sockindex)) {
+       ret = mbedtls_ssl_set_session(&BACKEND->ssl, old_session);
+       if(ret) {
+         Curl_ssl_sessionid_unlock(conn);
+@@ -709,6 +710,7 @@ mbed_connect_step3(struct connectdata *conn,
+     int ret;
+     mbedtls_ssl_session *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
+     if(!our_ssl_sessionid)
+@@ -727,10 +729,10 @@ mbed_connect_step3(struct connectdata *conn,
+ 
+     /* If there's already a matching session in the cache, delete it */
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex))
++    if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, sockindex))
+       Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+ 
+-    retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);
++    retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, sockindex);
+     Curl_ssl_sessionid_unlock(conn);
+     if(retcode) {
+       mbedtls_ssl_session_free(our_ssl_sessionid);
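Review bot: the two rewritten calls in mbed_connect_step3, Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, sockindex) and the Curl_ssl_addsessionid() line below it, now run past 80 columns, while the other backends touched by this patch wrap the same call onto a second line. Wrap these two the same way so the file keeps to the line length the rest of the patch follows.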
+diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
+index cab1e390b..79d1e3dfa 100644
+--- a/lib/vtls/mesalink.c
++++ b/lib/vtls/mesalink.c
+@@ -263,7 +263,8 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex)
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+         Curl_ssl_sessionid_unlock(conn);
+@@ -347,12 +348,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+     bool incache;
+     SSL_SESSION *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
++    bool inproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     our_ssl_sessionid = SSL_get_session(BACKEND->handle);
+ 
+     Curl_ssl_sessionid_lock(conn);
+     incache =
+-      !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex));
++      !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid,
++                              NULL, sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != our_ssl_sessionid) {
+         infof(data, "old SSL session ID is stale, removing\n");
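Review bot: in mesalink_connect_step3 the new local is declared as inproxy, but the Curl_ssl_getsessionid() call in this hunk and the Curl_ssl_addsessionid() call in the next one pass isproxy, which is not declared in the visible lines, so this backend would not compile as written. Rename the declaration to isproxy to match the other backends. Since this is a backport, also check whether upstream carries a follow-up fix that should be picked up with it.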
+@@ -363,7 +366,7 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+ 
+     if(!incache) {
+       result = Curl_ssl_addsessionid(
+-        conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
++        conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex);
+       if(result) {
+         Curl_ssl_sessionid_unlock(conn);
+         failf(data, "failed to store ssl session");
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1d09cadca..64f43605a 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -422,12 +422,23 @@ static int ossl_get_ssl_conn_index(void)
+  */
+ static int ossl_get_ssl_sockindex_index(void)
+ {
+-  static int ssl_ex_data_sockindex_index = -1;
+-  if(ssl_ex_data_sockindex_index < 0) {
+-    ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
+-        NULL);
++  static int sockindex_index = -1;
++  if(sockindex_index < 0) {
++    sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+   }
+-  return ssl_ex_data_sockindex_index;
++  return sockindex_index;
++}
++
++/* Return an extra data index for proxy boolean.
++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
++ */
++static int ossl_get_proxy_index(void)
++{
++  static int proxy_index = -1;
++  if(proxy_index < 0) {
++    proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
++  }
++  return proxy_index;
+ }
+ 
+ static int passwd_callback(char *buf, int num, int encrypting,
+@@ -1079,7 +1090,8 @@ static int Curl_ossl_init(void)
+ #endif
+ 
+   /* Initialize the extra data indexes */
+-  if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
++  if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 ||
++     ossl_get_proxy_index() < 0)
+     return 0;
+ 
+   return 1;
+@@ -2341,8 +2353,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+   curl_socket_t *sockindex_ptr;
+   int connectdata_idx = ossl_get_ssl_conn_index();
+   int sockindex_idx = ossl_get_ssl_sockindex_index();
++  int proxy_idx = ossl_get_proxy_index();
++  bool isproxy;
+ 
+-  if(connectdata_idx < 0 || sockindex_idx < 0)
++  if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
+     return 0;
+ 
+   conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
+@@ -2355,13 +2369,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+   sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
+   sockindex = (int)(sockindex_ptr - conn->sock);
+ 
++  isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
++
+   if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     void *old_ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+-                                      sockindex));
++    if(isproxy)
++      incache = FALSE;
++    else
++      incache = !(Curl_ssl_getsessionid(conn, isproxy,
++                                        &old_ssl_sessionid, NULL, sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != ssl_sessionid) {
+         infof(data, "old SSL session ID is stale, removing\n");
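Review bot: the new isproxy branch in ossl_new_session_cb forces incache to FALSE and skips Curl_ssl_getsessionid() entirely, so a proxy session always goes to Curl_ssl_addsessionid() without the stale-entry check the non-proxy path gets, and nothing in the code says why. Add a comment giving the reason proxy sessions are treated differently, or run the same lookup with isproxy set so both paths remove a stale entry before adding.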
+@@ -2371,7 +2390,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+     }
+ 
+     if(!incache) {
+-      if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
++      if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
+                                       0 /* unknown size */, sockindex)) {
+         /* the session has been put into the session cache */
+         res = 1;
+@@ -2868,16 +2887,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+     void *ssl_sessionid = NULL;
+     int connectdata_idx = ossl_get_ssl_conn_index();
+     int sockindex_idx = ossl_get_ssl_sockindex_index();
++    int proxy_idx = ossl_get_proxy_index();
+ 
+-    if(connectdata_idx >= 0 && sockindex_idx >= 0) {
++    if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
+       /* Store the data needed for the "new session" callback.
+        * The sockindex is stored as a pointer to an array element. */
+       SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn);
+       SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++      SSL_set_ex_data(BACKEND->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++                      NULL);
++#else
++      SSL_set_ex_data(BACKEND->handle, proxy_idx, NULL);
++#endif
++
+     }
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+         Curl_ssl_sessionid_unlock(conn);
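Review bot: in ossl_connect_step1 the SSL_set_ex_data() call for proxy_idx is wrapped in #ifndef CURL_DISABLE_PROXY, yet the Curl_ssl_getsessionid() call a few lines later uses SSL_IS_PROXY() ? TRUE : FALSE with no guard. Either the macro is safe in proxy-disabled builds and the #ifndef/#else pair can collapse to a single call, or it is not and the second use needs the same guard. The empty line left before the closing brace and the spacing in (void *) 1: could be tidied at the same time.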
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index f665ee340..a354ce95d 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -487,7 +487,8 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
+   /* check for an existing re-usable credential handle */
+   if(SSL_SET_OPTION(primary.sessionid)) {
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              (void **)&old_cred, NULL, sockindex)) {
+       BACKEND->cred = old_cred;
+       DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
+ 
+@@ -1193,8 +1194,9 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+   SECURITY_STATUS sspi_status = SEC_E_OK;
+   CERT_CONTEXT *ccert_context = NULL;
++  bool isproxy = SSL_IS_PROXY();
+ #ifdef DEBUGBUILD
+-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++  const char * const hostname = isproxy ? conn->http_proxy.host.name :
+     conn->host.name;
+ #endif
+ #ifdef HAS_ALPN
+@@ -1268,7 +1270,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+     struct curl_schannel_cred *old_cred = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL,
++    incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, NULL,
+                                       sockindex));
+     if(incache) {
+       if(old_cred != BACKEND->cred) {
+@@ -1280,7 +1282,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+       }
+     }
+     if(!incache) {
+-      result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred,
++      result = Curl_ssl_addsessionid(conn, isproxy, (void *)BACKEND->cred,
+                                      sizeof(struct curl_schannel_cred),
+                                      sockindex);
+       if(result) {
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 7dd028fb7..9c67d465a 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -1376,7 +1376,8 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+   const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+   char * const ssl_cert = SSL_SET_OPTION(cert);
+-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++  bool isproxy = SSL_IS_PROXY();
++  const char * const hostname = isproxy ? conn->http_proxy.host.name :
+     conn->host.name;
+   const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
+ #ifdef ENABLE_IPV6
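Review bot: sectransp_connect_step1 now caches SSL_IS_PROXY() in isproxy and uses it for hostname, but the port initialiser on the next line still evaluates SSL_IS_PROXY() directly. Use isproxy there as well so the function has a single source for the flag. The declaration also drops the ? TRUE : FALSE normalisation that the mbedtls, mesalink and wolfssl hunks apply; pick one form across backends.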
+@@ -1584,7 +1585,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+ 
+ #ifdef USE_NGHTTP2
+       if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
+-         (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) {
++         (!isproxy || !conn->bits.tunnel_proxy)) {
+         CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
+         infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
+       }
+@@ -1916,7 +1917,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+     size_t ssl_sessionid_len;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
++    if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid,
+                               &ssl_sessionid_len, sockindex)) {
+       /* we got a session id, use it! */
+       err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
+@@ -1944,7 +1945,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+         return CURLE_SSL_CONNECT_ERROR;
+       }
+ 
+-      result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len,
++      result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, ssl_sessionid_len,
+                                      sockindex);
+       Curl_ssl_sessionid_unlock(conn);
+       if(result) {
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index dfefa1bd5..aaf73ef8f 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -305,6 +305,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn)
+  * there's one suitable, it is provided. Returns TRUE when no entry matched.
+  */
+ bool Curl_ssl_getsessionid(struct connectdata *conn,
++                           const bool isProxy,
+                            void **ssl_sessionid,
+                            size_t *idsize, /* set 0 if unknown */
+                            int sockindex)
+@@ -315,7 +316,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+   long *general_age;
+   bool no_match = TRUE;
+ 
+-  const bool isProxy = CONNECT_PROXY_SSL();
+   struct ssl_primary_config * const ssl_config = isProxy ?
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
+@@ -324,6 +324,11 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+   int port = isProxy ? (int)conn->port : conn->remote_port;
+   *ssl_sessionid = NULL;
+ 
++#ifdef CURL_DISABLE_PROXY
++  if(isProxy)
++    return TRUE;
++#endif
++
+   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   if(!SSL_SET_OPTION(primary.sessionid))
+@@ -411,6 +416,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
+  * later on.
+  */
+ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
++                               bool isProxy,
+                                void *ssl_sessionid,
+                                size_t idsize,
+                                int sockindex)
+@@ -423,7 +429,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+   char *clone_conn_to_host;
+   int conn_to_port;
+   long *general_age;
+-  const bool isProxy = CONNECT_PROXY_SSL();
+   struct ssl_primary_config * const ssl_config = isProxy ?
+     &conn->proxy_ssl_config :
+     &conn->ssl_config;
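Review bot: Curl_ssl_addsessionid() now takes the caller's isProxy, but unlike Curl_ssl_getsessionid() above it gets no #ifdef CURL_DISABLE_PROXY early return in the visible hunks, so with isProxy set it still selects &conn->proxy_ssl_config. If the guard is needed on lookup it is presumably needed on insert too; add it or note why insert is exempt. The parameter is also plain bool in this definition while the vtls.h prototype declares it const bool.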
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index a81b2f22d..a5e348752 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -202,6 +202,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn);
+  * under sessionid mutex).
+  */
+ bool Curl_ssl_getsessionid(struct connectdata *conn,
++                           const bool isproxy,
+                            void **ssl_sessionid,
+                            size_t *idsize, /* set 0 if unknown */
+                            int sockindex);
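Review bot: this prototype names the new parameter isproxy, while the definition in vtls.c and the Curl_ssl_addsessionid() prototype in the next hunk spell it isProxy. The compiler does not care, but use one spelling so a search finds every use.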
+@@ -211,6 +212,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+  * object with cache (e.g. incrementing refcount on success)
+  */
+ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
++                               const bool isProxy,
+                                void *ssl_sessionid,
+                                size_t idsize,
+                                int sockindex);
+diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
+index 8c2d3f4a2..dd9f907ff 100644
+--- a/lib/vtls/wolfssl.c
++++ b/lib/vtls/wolfssl.c
+@@ -392,7 +392,8 @@ wolfssl_connect_step1(struct connectdata *conn,
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++                              &ssl_sessionid, NULL, sockindex)) {
+       /* we got a session id, use it! */
+       if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+         char error_buffer[WOLFSSL_MAX_ERROR_SZ];
+@@ -618,9 +619,10 @@ wolfssl_connect_step3(struct connectdata *conn,
+     void *old_ssl_sessionid = NULL;
+ 
+     our_ssl_sessionid = SSL_get_session(BACKEND->handle);
++    bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+ 
+     Curl_ssl_sessionid_lock(conn);
+-    incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
++    incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL,
+                                       sockindex));
+     if(incache) {
+       if(old_ssl_sessionid != our_ssl_sessionid) {
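Review bot: in wolfssl_connect_step3 the new bool isproxy declaration sits after the our_ssl_sessionid = SSL_get_session(BACKEND->handle); statement, mixing a declaration into code, whereas the mbedtls and mesalink hunks add it to the declaration list at the top of the block. Move it up beside old_ssl_sessionid so the block still builds under C89-style rules such as -Wdeclaration-after-statement.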
+@@ -631,7 +633,7 @@ wolfssl_connect_step3(struct connectdata *conn,
+     }
+ 
+     if(!incache) {
+-      result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
++      result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid,
+                                      0 /* unknown size */, sockindex);
+       if(result) {
+         Curl_ssl_sessionid_unlock(conn);
+-- 
+2.20.1
+
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 4cc35c2c51..13ab29cf69 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -17,6 +17,8 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://CVE-2020-8284.patch \
            file://CVE-2020-8285.patch \
            file://CVE-2020-8286.patch \
+           file://CVE-2021-22876.patch \
+           file://CVE-2021-22890.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
-- 
2.25.1



* [OE-core][dunfell 09/11] image-live.bbclass: optional depends when ROOTFS empty
  2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman
                   ` (7 preceding siblings ...)
  2021-04-08 16:31 ` [OE-core][dunfell 08/11] curl: Patch CVE-2021-22876 & CVE-2021-22890 Steve Sakoman
@ 2021-04-08 16:31 ` Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 10/11] goarch: map target os to windows for mingw* TARGET_OS Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 11/11] go_1.14: don't set -buildmode=pie when building for windows targets Steve Sakoman
  10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw)
  To: openembedded-core

From: Guillaume Champagne <champagne.guillaume.c@gmail.com>

`ROOTFS` is optional. It can be empty if the live image doesn't require
a rootfs.  In such cases, the build doesn't depend on
`do_image_{LIVE_ROOTFS_TYPE}`.

Signed-off-by: Guillaume Champagne <champagne.guillaume.c@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 96f47c39f1d17f073243913d524bde84add41d8f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/image-live.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/image-live.bbclass b/meta/classes/image-live.bbclass
index 54058b350d..e9eba1fc4b 100644
--- a/meta/classes/image-live.bbclass
+++ b/meta/classes/image-live.bbclass
@@ -30,7 +30,7 @@ do_bootimg[depends] += "dosfstools-native:do_populate_sysroot \
                         virtual/kernel:do_deploy \
                         ${MLPREFIX}syslinux:do_populate_sysroot \
                         syslinux-native:do_populate_sysroot \
-                        ${PN}:do_image_${@d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')} \
+                        ${@'%s:do_image_%s' % (d.getVar('PN'), d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')) if d.getVar('ROOTFS') else ''} \
                         "
 
 
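Review bot: the new inline expression tests d.getVar('ROOTFS') for truthiness only, so a value made up of whitespace still adds the do_image_* dependency, and when the test is false it leaves an empty entry in do_bootimg[depends]. Consider stripping the value before the test, and add a one-line comment above the assignment saying the rootfs dependency is dropped when ROOTFS is empty, since the long ${@...} line is hard to read on its own.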
-- 
2.25.1



* [OE-core][dunfell 10/11] goarch: map target os to windows for mingw* TARGET_OS
  2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman
                   ` (8 preceding siblings ...)
  2021-04-08 16:31 ` [OE-core][dunfell 09/11] image-live.bbclass: optional depends when ROOTFS empty Steve Sakoman
@ 2021-04-08 16:31 ` Steve Sakoman
  2021-04-08 16:31 ` [OE-core][dunfell 11/11] go_1.14: don't set -buildmode=pie when building for windows targets Steve Sakoman
  10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw)
  To: openembedded-core

From: Peter Morrow <pemorrow@linux.microsoft.com>

mingw32/mingw64 is not a supported value for GOOS, so map from 'mingw*' to
'windows' to enable building for windows targets.

Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/goarch.bbclass | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/classes/goarch.bbclass b/meta/classes/goarch.bbclass
index 1099b95769..ecd3044edd 100644
--- a/meta/classes/goarch.bbclass
+++ b/meta/classes/goarch.bbclass
@@ -114,6 +114,8 @@ def go_map_mips(a, f, d):
 def go_map_os(o, d):
     if o.startswith('linux'):
         return 'linux'
+    elif o.startswith('mingw'):
+        return 'windows'
     return o
 
 
-- 
2.25.1



* [OE-core][dunfell 11/11] go_1.14: don't set -buildmode=pie when building for windows targets
  2021-04-08 16:31 [OE-core][dunfell 00/11] Patch review Steve Sakoman
                   ` (9 preceding siblings ...)
  2021-04-08 16:31 ` [OE-core][dunfell 10/11] goarch: map target os to windows for mingw* TARGET_OS Steve Sakoman
@ 2021-04-08 16:31 ` Steve Sakoman
  10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2021-04-08 16:31 UTC (permalink / raw)
  To: openembedded-core

From: Peter Morrow <pemorrow@linux.microsoft.com>

go 1.14 for windows targets does not support -buildmode=pie, disable it and use
the default buildmode instead. Support for -buildmode=pie for windows targets
is added with go 1.15 (https://golang.org/doc/go1.15) which is added to poky in
gatesgarth.

Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/go.bbclass             | 8 ++++----
 meta/recipes-devtools/go/go_1.14.bb | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/meta/classes/go.bbclass b/meta/classes/go.bbclass
index e6c3591479..16e46398b1 100644
--- a/meta/classes/go.bbclass
+++ b/meta/classes/go.bbclass
@@ -145,11 +145,11 @@ FILES_${PN}-staticdev = "${libdir}/go/pkg"
 
 INSANE_SKIP_${PN} += "ldflags"
 
-# Add -buildmode=pie to GOBUILDFLAGS to satisfy "textrel" QA checking, but mips
-# doesn't support -buildmode=pie, so skip the QA checking for mips and its
-# variants.
+# Add -buildmode=pie to GOBUILDFLAGS to satisfy "textrel" QA checking, but
+# windows/mips/riscv doesn't support -buildmode=pie, so skip the QA checking
+# for windows/mips/riscv and their variants.
 python() {
-    if 'mips' in d.getVar('TARGET_ARCH') or 'riscv' in d.getVar('TARGET_ARCH'):
+    if 'mips' in d.getVar('TARGET_ARCH') or 'riscv' in d.getVar('TARGET_ARCH') or 'windows' in d.getVar('TARGET_GOOS'):
         d.appendVar('INSANE_SKIP_%s' % d.getVar('PN'), " textrel")
     else:
         d.appendVar('GOBUILDFLAGS', ' -buildmode=pie')
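Review bot: the added 'windows' in d.getVar('TARGET_GOOS') test in python() is a substring match on a value that go_map_os() returns as exactly 'windows', and it raises TypeError if TARGET_GOOS is unset when the function runs. Compare with == and default the lookup, for example (d.getVar('TARGET_GOOS') or '') == 'windows'. The comment should also say that Windows targets are built without PIE until the Go 1.15 upgrade, since that is the hardening trade-off this branch makes.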
diff --git a/meta/recipes-devtools/go/go_1.14.bb b/meta/recipes-devtools/go/go_1.14.bb
index bc90a1329e..c17527998b 100644
--- a/meta/recipes-devtools/go/go_1.14.bb
+++ b/meta/recipes-devtools/go/go_1.14.bb
@@ -3,11 +3,11 @@ require go-target.inc
 
 export GOBUILDMODE=""
 export CGO_ENABLED_riscv64 = ""
-# Add pie to GOBUILDMODE to satisfy "textrel" QA checking, but mips/riscv
-# doesn't support -buildmode=pie, so skip the QA checking for mips/riscv and its
-# variants.
+# Add pie to GOBUILDMODE to satisfy "textrel" QA checking, but
+# windows/mips/riscv doesn't support -buildmode=pie, so skip the QA checking
+# for windows/mips/riscv and their variants.
 python() {
-    if 'mips' in d.getVar('TARGET_ARCH',True) or 'riscv' in d.getVar('TARGET_ARCH',True):
+    if 'mips' in d.getVar('TARGET_ARCH',True) or 'riscv' in d.getVar('TARGET_ARCH',True) or 'windows' in d.getVar('TARGET_GOOS', True):
         d.appendVar('INSANE_SKIP_%s' % d.getVar('PN',True), " textrel")
     else:
         d.setVar('GOBUILDMODE', 'pie')
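Review bot: this repeats the three-way mips/riscv/windows condition just added to go.bbclass, so the list of non-PIE targets now has to be kept in step in two files; a shared helper or variable in go.bbclass would avoid drift. Within the line, the new d.getVar('TARGET_GOOS', True) has a space after the comma while the two TARGET_ARCH lookups beside it do not.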
-- 
2.25.1



* [OE-core][dunfell 00/11] Patch review
@ 2022-01-13 14:37 Steve Sakoman
  0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-01-13 14:37 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by end
of day Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3112

The following changes since commit da3bd5e0934b6462ae53225a58305235849b32d5:

  asciidoc: properly detect and compare Python versions >= 3.10 (2022-01-09 06:49:29 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Akash Hadke (1):
  glibc: Add fix for data races in pthread_create and TLS access

Alexander Kanavin (1):
  parselogs: add a couple systemd false positives

Anuj Mittal (1):
  xserver-xorg: update CVE_PRODUCT

Konrad Weihmann (1):
  cve-check: add lockfile to task

Mingli Yu (1):
  wic: use shutil.which

Ricardo Ribalda Delgado (1):
  wic: misc: Do not find for executables in ASSUME_PROVIDED

Richard Purdie (1):
  expat: Update HOMEPAGE to current url

Ross Burton (2):
  cve-update-db-native: use fetch task
  xserver-xorg: whitelist two CVEs

Steve Sakoman (2):
  valgrind: skip flakey ptest (gdbserver_tests/hginfo)
  oeqa/selftest/cases/tinfoil.py: increase timeout 60->120s
    test_wait_event

 meta/classes/cve-check.bbclass                |   3 +-
 meta/lib/oeqa/runtime/cases/parselogs.py      |   2 +
 meta/lib/oeqa/selftest/cases/tinfoil.py       |   4 +-
 meta/recipes-core/expat/expat_2.2.9.bb        |   2 +-
 ...ate-slotinfo-to-avoid-use-after-free.patch |  66 +++++
 ...hread_create-and-TLS-access-BZ-19329.patch | 191 ++++++++++++
 ...d-atomics-for-racy-accesses-BZ-19329.patch | 206 +++++++++++++
 .../0033-elf-Add-test-case-for-BZ-19329.patch | 144 +++++++++
 ...elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch | 180 ++++++++++++
 ...-lazy-relocation-of-tlsdesc-BZ-27137.patch |  56 ++++
 ...-lazy-relocation-of-tlsdesc-BZ-27137.patch | 124 ++++++++
 ...ock-between-pthread_create-and-ctors.patch | 276 ++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.31.bb         |   8 +
 .../recipes-core/meta/cve-update-db-native.bb |   9 +-
 .../valgrind/valgrind/remove-for-aarch64      |   1 +
 .../valgrind/valgrind/remove-for-all          |   1 +
 .../xorg-xserver/xserver-xorg.inc             |  10 +-
 scripts/lib/wic/engine.py                     |   6 +-
 scripts/lib/wic/misc.py                       |  16 +-
 scripts/wic                                   |   4 +-
 20 files changed, 1292 insertions(+), 17 deletions(-)
 create mode 100644 meta/recipes-core/glibc/glibc/0030-elf-Refactor_dl_update-slotinfo-to-avoid-use-after-free.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0031-elf-Fix-data-races-in-pthread_create-and-TLS-access-BZ-19329.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0032-elf-Use-relaxed-atomics-for-racy-accesses-BZ-19329.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0033-elf-Add-test-case-for-BZ-19329.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0034-elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0037-Avoid-deadlock-between-pthread_create-and-ctors.patch

-- 
2.25.1




* [OE-core][dunfell 00/11] Patch review
@ 2022-01-20 21:23 Steve Sakoman
  0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-01-20 21:23 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by end
of day Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3141

The following changes since commit 01f256bc72fb45c80b6a6c77506bc4c375965a3a:

  glibc: Add fix for data races in pthread_create and TLS access (2022-01-12 04:37:31 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bruce Ashfield (5):
  linux-yocto/5.4: update to v5.4.169
  linux-yocto/5.4: update to v5.4.170
  linux-yocto/5.4: update to v5.4.171
  linux-yocto/5.4: update to v5.4.172
  kernel: introduce python3-dtschema-wrapper

Kai Kang (1):
  speex: fix CVE-2020-23903

Marek Vasut (1):
  Revert "weston: Use systemd notify,"

Richard Purdie (1):
  lttng-tools: Add missing DEPENDS on bison-native

Steve Sakoman (3):
  expat fix CVE-2022-22822 through CVE-2022-22827
  expat: fix CVE-2021-45960
  expat: fix CVE-2021-46143

 meta/conf/distro/include/maintainers.inc      |   1 +
 .../expat/expat/CVE-2021-45960.patch          |  65 +++++
 .../expat/expat/CVE-2021-46143.patch          |  43 +++
 .../expat/expat/CVE-2022-22822-27.patch       | 257 ++++++++++++++++++
 meta/recipes-core/expat/expat_2.2.9.bb        |   3 +
 .../wayland/weston-init/weston-start          |  12 -
 .../wayland/weston-init/weston@.service       |   6 -
 .../weston/systemd-notify.weston-start        |   9 -
 .../wayland/weston/xwayland.weston-start      |   3 +-
 meta/recipes-graphics/wayland/weston_8.0.0.bb |   6 -
 .../python3-dtschema-wrapper/dt-doc-validate  |  20 ++
 .../dtc/python3-dtschema-wrapper/dt-mk-schema |  20 ++
 .../dtc/python3-dtschema-wrapper/dt-validate  |  20 ++
 .../dtc/python3-dtschema-wrapper_2021.10.bb   |  17 ++
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 .../lttng/lttng-tools_2.11.5.bb               |   2 +-
 .../speex/speex/CVE-2020-23903.patch          |  30 ++
 meta/recipes-multimedia/speex/speex_1.2.0.bb  |   4 +-
 20 files changed, 500 insertions(+), 54 deletions(-)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2021-45960.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2021-46143.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2022-22822-27.patch
 delete mode 100644 meta/recipes-graphics/wayland/weston/systemd-notify.weston-start
 create mode 100644 meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-doc-validate
 create mode 100644 meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-mk-schema
 create mode 100644 meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-validate
 create mode 100644 meta/recipes-kernel/dtc/python3-dtschema-wrapper_2021.10.bb
 create mode 100644 meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch

-- 
2.25.1




* [OE-core][dunfell 00/11] Patch review
@ 2022-04-16 19:14 Steve Sakoman
  0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-04-16 19:14 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by end
of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3537

with the exception of a known issue with meta-intel due to the zlib CVE fix, see:

https://lists.openembedded.org/g/openembedded-core/message/163793

The intent is to fix meta-intel after this patch set is merged to dunfell.

The following changes since commit aa762b7ca2417b80dd114a4ab263d69074912f82:

  tzdata: update to 2022a (2022-04-04 04:22:32 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexandre Belloni (1):
  pseudo: Fix handling of absolute links

Martin Jansa (1):
  license_image.bbclass: close package.manifest file

Peter Kjellerstedt (1):
  metadata_scm.bbclass: Use immediate expansion for the METADATA_*
    variables

Ralph Siemsen (3):
  gzip: fix CVE-2022-1271
  xz: fix CVE-2022-1271
  apt: add -fno-strict-aliasing to CXXFLAGS to fix SHA256 bug

Richard Purdie (4):
  vim: Upgrade 8.2.4524 -> 8.2.4681
  git: Ignore CVE-2022-24975
  pseudo: Add patch to workaround paths with crazy lengths
  libxshmfence: Correct LICENSE to HPND

Ross Burton (1):
  zlib: backport the fix for CVE-2018-25032

 .../recipeutils/recipeutils-test_1.2.bb       |   2 +-
 meta/classes/license_image.bbclass            |   4 +-
 meta/classes/metadata_scm.bbclass             |  10 +-
 .../zlib/zlib/CVE-2018-25032.patch            | 347 ++++++++++++++++++
 meta/recipes-core/zlib/zlib_1.2.11.bb         |   1 +
 meta/recipes-devtools/apt/apt.inc             |   4 +
 meta/recipes-devtools/git/git.inc             |   5 +
 meta/recipes-devtools/pseudo/pseudo_git.bb    |   2 +-
 .../gzip/gzip-1.10/CVE-2022-1271.patch        |  45 +++
 meta/recipes-extended/gzip/gzip_1.10.bb       |   1 +
 .../xz/xz/CVE-2022-1271.patch                 |  96 +++++
 meta/recipes-extended/xz/xz_5.2.4.bb          |   4 +-
 .../xorg-lib/libxshmfence_1.3.bb              |   2 +-
 meta/recipes-support/vim/vim.inc              |   6 +-
 14 files changed, 515 insertions(+), 14 deletions(-)
 create mode 100644 meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
 create mode 100644 meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch
 create mode 100644 meta/recipes-extended/xz/xz/CVE-2022-1271.patch

-- 
2.25.1




* [OE-core][dunfell 00/11] Patch review
@ 2022-06-02  2:30 Steve Sakoman
  0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-06-02  2:30 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by end
of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3738

The following changes since commit add860e1a69f848097bbc511137a62d5746e5019:

  oeqa/selftest/cve_check: add tests for recipe and image reports (2022-05-24 04:31:18 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Dan Tran (1):
  ncurses: Fix CVE-2022-29458

Ernst Sjöstrand (2):
  cve-check: Add helper for symlink handling
  cve-check: Only include installed packages for rootfs manifest

Ranjitsinh Rathod (3):
  ruby: Upgrade ruby to 2.7.6 for security fix
  ruby: Whitelist CVE-2021-28966 as this affects Windows OS only
  libsdl2: Add fix for CVE-2021-33657

Richard Purdie (2):
  vim: Upgrade 8.2.4912 -> 8.2.5034 to fix 9 CVEs
  cve-check: Allow warnings to be disabled

Riyaz (1):
  libxml2: Fix CVE-2022-29824 for libxml2

Virendra Thakur (1):
  ffmpeg: Fix for CVE-2022-1475

leimaohui (1):
  cve-check.bbclass: Added do_populate_sdk[recrdeptask].

 meta/classes/cve-check.bbclass                | 109 ++++--
 .../libxml2/CVE-2022-29824-dependent.patch    |  53 +++
 .../libxml/libxml2/CVE-2022-29824.patch       | 348 ++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |   2 +
 .../ncurses/files/CVE-2022-29458.patch        | 135 +++++++
 meta/recipes-core/ncurses/ncurses_6.2.bb      |   1 +
 .../ruby/{ruby_2.7.5.bb => ruby_2.7.6.bb}     |   8 +-
 .../libsdl2/libsdl2/CVE-2021-33657.patch      |  38 ++
 .../libsdl2/libsdl2_2.0.12.bb                 |   1 +
 .../ffmpeg/ffmpeg/CVE-2022-1475.patch         |  36 ++
 .../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb |   1 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 12 files changed, 694 insertions(+), 42 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2022-29458.patch
 rename meta/recipes-devtools/ruby/{ruby_2.7.5.bb => ruby_2.7.6.bb} (90%)
 create mode 100644 meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch

-- 
2.25.1



* [OE-core][dunfell 00/11] Patch review
@ 2022-08-10 22:31 Steve Sakoman
  0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-08-10 22:31 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by
end of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4058

The following changes since commit 73d2b640ad665f6ff3c4fbe8f5da4ef0dbb175f2:

  libtirpc: CVE-2021-46828 DoS vulnerability with lots of connections (2022-07-28 06:26:48 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alex Kiernan (1):
  openssh: Add openssh-sftp-server to openssh RDEPENDS

Bruce Ashfield (2):
  linux-yocto/5.4: update to v5.4.208
  linux-yocto/5.4: update to v5.4.209

Hitendra Prajapati (2):
  grub2: Fix several security issue of integer underflow
  gdk-pixbuf: CVE-2021-46829 a heap-based buffer overflow

Jose Quaresma (1):
  gstreamer1.0: use the correct meson option for the capabilities

Khem Raj (1):
  libmodule-build-perl: Use env utility to find perl interpreter

Martin Jansa (1):
  libxml2: Port gentest.py to Python-3

Richard Purdie (1):
  insane: Fix buildpaths test to work with special devices

Ross Burton (1):
  cve_check: skip remote patches that haven't been fetched when
    searching for CVE tags

Steve Sakoman (1):
  selftest: skip virgl test on fedora 36

 meta/classes/insane.bbclass                   |   6 +-
 meta/lib/oe/cve_check.py                      |   5 +-
 meta/lib/oeqa/selftest/cases/runtime_test.py  |   2 +
 .../grub/files/CVE-2022-28733.patch           |  60 ++
 .../grub/files/CVE-2022-28734.patch           |  67 ++
 .../grub/files/CVE-2022-28736.patch           | 275 ++++++
 meta/recipes-bsp/grub/grub2.inc               |   3 +
 .../openssh/openssh_8.2p1.bb                  |   2 +-
 .../0001-Port-gentest.py-to-Python-3.patch    | 813 ++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |  11 +
 .../perl/libmodule-build-perl_0.4231.bb       |   1 +
 .../gdk-pixbuf/CVE-2021-46829.patch           |  61 ++
 .../gdk-pixbuf/gdk-pixbuf_2.40.0.bb           |   1 +
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 .../gstreamer/gstreamer1.0_1.16.3.bb          |   2 +-
 17 files changed, 1321 insertions(+), 24 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28733.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28736.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/0001-Port-gentest.py-to-Python-3.patch
 create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch

-- 
2.25.1




* [OE-core][dunfell 00/11] Patch review
@ 2022-08-18 16:56 Steve Sakoman
  0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-08-18 16:56 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by end
of day Sunday.

This is the final patch set for the 3.1.19 release.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4098

The following changes since commit ac6ea1a96645d2a4dd54660256603f0b191bb4d3:

  gstreamer1.0: use the correct meson option for the capabilities (2022-08-10 05:04:10 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  linux-firmware: update 20220610 -> 20220708

Dmitry Baryshkov (1):
  linux-firwmare: restore WHENCE_CHKSUM variable

Hitendra Prajapati (3):
  qemu: CVE-2020-27821 heap buffer overflow in msix_table_mmio_write
  gnutls: CVE-2022-2509 Double free during gnutls_pkcs7_verify
  zlib: CVE-2022-37434 a heap-based buffer over-read

Ming Liu (1):
  rootfs-postcommands.bbclass: move host-user-contaminated.txt to ${S}

Pascal Bach (1):
  bin_package: install into base_prefix

Randy MacLeod (1):
  vim: update from 9.0.0063 to 9.0.0115

Richard Purdie (2):
  vim: Upgrade 9.0.0021 -> 9.0.0063
  kernel-arch: Fix buildpaths leaking into external module compiles

Shruthi Ravichandran (1):
  initscripts: run umountnfs as a KILL script

 meta/classes/bin_package.bbclass              |   3 +-
 meta/classes/kernel-arch.bbclass              |   2 +-
 meta/classes/rootfs-postcommands.bbclass      |   2 +-
 .../initscripts/initscripts_1.0.bb            |   2 +-
 .../zlib/zlib/CVE-2022-37434.patch            |  44 +++
 meta/recipes-core/zlib/zlib_1.2.11.bb         |   1 +
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2020-27821.patch            |  73 +++++
 ...20220610.bb => linux-firmware_20220708.bb} |  14 +-
 .../gnutls/gnutls/CVE-2022-2509.patch         | 282 ++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.6.14.bb  |   1 +
 meta/recipes-support/vim/files/racefix.patch  |  33 --
 meta/recipes-support/vim/vim.inc              |  10 +-
 13 files changed, 418 insertions(+), 50 deletions(-)
 create mode 100644 meta/recipes-core/zlib/zlib/CVE-2022-37434.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220610.bb => linux-firmware_20220708.bb} (98%)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch
 delete mode 100644 meta/recipes-support/vim/files/racefix.patch

-- 
2.25.1




* [OE-core][dunfell 00/11] Patch review
@ 2022-11-12 14:09 Steve Sakoman
  0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-11-12 14:09 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4469

The following changes since commit babcb7cd3bbefe9c0ea28e960e4fd6cefbc03cae:

  bluez5: add dbus to RDEPENDS (2022-11-04 07:52:01 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alex Kiernan (1):
  openssl: upgrade 1.1.1q to 1.1.1s

Hitendra Prajapati (1):
  bluez: CVE-2022-3637 A DoS exists in monitor/jlink.c

Martin Jansa (1):
  externalsrc.bbclass: fix git repo detection

Peter Kjellerstedt (1):
  externalsrc.bbclass: Remove a trailing slash from ${B}

Ross Burton (1):
  sanity: check for GNU tar specifically

Sundeep KOKKONDA (2):
  binutils: stable 2.34 branch updates
  glibc : stable 2.31 branch updates.

Sunil Kumar (1):
  go: Security Fix for CVE-2022-2879

Vivek Kumbhar (2):
  curl: fix CVE-2022-32221 POST following PUT
  qemu: fix CVE-2021-3638 ati-vga: inconsistent check in ati_2d_blt()
    may lead to out-of-bounds write

ciarancourtney (1):
  wic: swap partitions are not added to fstab

 meta/classes/externalsrc.bbclass              |   6 +-
 meta/classes/sanity.bbclass                   |   8 ++
 meta/recipes-connectivity/bluez5/bluez5.inc   |   1 +
 .../bluez5/bluez5/CVE-2022-3637.patch         |  39 ++++++
 .../{openssl_1.1.1q.bb => openssl_1.1.1s.bb}  |   2 +-
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 .../glibc/glibc/CVE-2021-33574_1.patch        |  26 ++--
 .../binutils/binutils-2.34.inc                |   2 +-
 .../binutils/binutils/CVE-2020-16593.patch    |   4 +-
 .../binutils/binutils/CVE-2021-3549.patch     |  80 ++++++-------
 meta/recipes-devtools/go/go-1.14.inc          |   1 +
 .../go/go-1.14/CVE-2022-2879.patch            | 111 ++++++++++++++++++
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2021-3638.patch             |  80 +++++++++++++
 .../curl/curl/CVE-2022-32221.patch            |  29 +++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   1 +
 scripts/lib/wic/plugins/imager/direct.py      |   2 +-
 17 files changed, 329 insertions(+), 66 deletions(-)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1q.bb => openssl_1.1.1s.bb} (98%)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-2879.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-32221.patch

-- 
2.25.1




* [OE-core][dunfell 00/11] Patch review
@ 2023-05-20 16:04 Steve Sakoman
  0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2023-05-20 16:04 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5324

The following changes since commit 1bc254e7969f3d5470bacf9ad9f065d38b7b7fde:

  run-postinsts: Set dependency for ldconfig to avoid boot issues (2023-05-11 07:47:14 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alex Kiernan (1):
  pypi.bbclass: Set CVE_PRODUCT to PYPI_PACKAGE

Dmitry Baryshkov (1):
  linux-firmware: upgrade 20230210 -> 20230404

Hitendra Prajapati (2):
  git: fix CVE-2023-29007
  git: fix CVE-2023-25652

Khem Raj (1):
  perf: Depend on native setuptools3

Marek Vasut (1):
  cpio: Fix wrong CRC with ASCII CRC for large files

Martin Jansa (1):
  populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO
    override

Randolph Sapp (1):
  wic/bootimg-efi: if fixed-size is set then use that for mkdosfs

Siddharth (1):
  curl: ammend fix for CVE-2023-27534 to fix error when ssh is enabled

Steve Sakoman (1):
  selftest: skip virgl test on ubuntu 22.10, fedora 37, and all rocky

Thomas Roos (1):
  oeqa/utils/metadata.py: Fix running oe-selftest running with no distro
    set

 meta/classes/populate_sdk_ext.bbclass         |   3 +-
 meta/classes/pypi.bbclass                     |   2 +
 meta/lib/oeqa/selftest/cases/runtime_test.py  |   6 +
 meta/lib/oeqa/utils/metadata.py               |   6 +-
 .../git/files/CVE-2023-25652.patch            |  94 +++++++++++
 .../git/files/CVE-2023-29007.patch            | 159 ++++++++++++++++++
 meta/recipes-devtools/git/git.inc             |   2 +
 ...g-CRC-with-ASCII-CRC-for-large-files.patch |  39 +++++
 meta/recipes-extended/cpio/cpio_2.13.bb       |   1 +
 ...20230210.bb => linux-firmware_20230404.bb} |   6 +-
 meta/recipes-kernel/perf/perf.bb              |   2 +-
 .../curl/curl/CVE-2023-27534-pre1.patch       |  51 ++++++
 .../curl/curl/CVE-2023-27534.patch            | 122 ++------------
 meta/recipes-support/curl/curl_7.69.1.bb      |   1 +
 scripts/lib/wic/plugins/source/bootimg-efi.py |   7 +
 15 files changed, 387 insertions(+), 114 deletions(-)
 create mode 100644 meta/recipes-devtools/git/files/CVE-2023-25652.patch
 create mode 100644 meta/recipes-devtools/git/files/CVE-2023-29007.patch
 create mode 100644 meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230210.bb => linux-firmware_20230404.bb} (99%)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch

-- 
2.34.1




* [OE-core][dunfell 00/11] Patch review
@ 2023-06-08  2:35 Steve Sakoman
  0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2023-06-08  2:35 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for dunfell and have comments back by
end of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5422

The following changes since commit e4b98a42970574296e0da06842691b9fc1ffc9a1:

  selftest: skip virgl test on ubuntu 22.10, fedora 37, and all rocky (2023-05-20 06:02:24 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alex Kiernan (1):
  openssh: Move sshdgenkeys.service to sshd.socket

Ashish Sharma (1):
  golang: Fix CVE-2023-24539

Bruce Ashfield (5):
  linux-yocto/5.4: update to v5.4.238
  linux-yocto/5.4: update to v5.4.240
  linux-yocto/5.4: update to v5.4.241
  linux-yocto/5.4: update to v5.4.242
  linux-yocto/5.4: update to v5.4.243

Nikhil R (1):
  ffmpeg: Fix CVE-2022-48434

Vijay Anusuri (3):
  ghostscript: Fix CVE-2023-28879
  xserver-xorg: Security fix CVE-2023-0494 and CVE-2023-1393
  go: Security fix CVE-2023-24540

 .../openssh/openssh/sshd.socket               |   1 +
 .../openssh/openssh/sshd@.service             |   2 -
 meta/recipes-devtools/go/go-1.14.inc          |   2 +
 .../go/go-1.14/CVE-2023-24539.patch           |  60 ++++++++
 .../go/go-1.14/CVE-2023-24540.patch           |  90 ++++++++++++
 .../ghostscript/CVE-2023-28879.patch          |  54 +++++++
 .../ghostscript/ghostscript_9.52.bb           |   1 +
 .../xserver-xorg/CVE-2023-0494.patch          |  38 +++++
 .../xserver-xorg/CVE-2023-1393.patch          |  46 ++++++
 .../xorg-xserver/xserver-xorg_1.20.14.bb      |   2 +
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +--
 .../ffmpeg/ffmpeg/CVE-2022-48434.patch        | 136 ++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb |   1 +
 15 files changed, 449 insertions(+), 20 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch

-- 
2.34.1




* [OE-core][dunfell 00/11] Patch review
@ 2023-10-10 14:14 Steve Sakoman
  0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2023-10-10 14:14 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for dunfell and have comments back by
end of day Thursday, October 12.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6026

The following changes since commit 9a800a2e2c2b14eab8c1f83cb4ac3b94a70dd23c:

  glibc: Fix CVE-2023-4911 "Looney Tunables" (2023-10-05 13:10:56 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Hitendra Prajapati (1):
  xdg-utils: Fix CVE-2022-4055

Julian Haller (2):
  dbus: Backport fix for CVE-2023-34969
  dbus: Add missing CVE_PRODUCT

Marek Vasut (2):
  busybox: Backport CVE-2022-48174 fix
  cpio: Replace fix wrong CRC with ASCII CRC for large files with
    upstream backport

Shinu Chandran (1):
  libpcre2 : Follow up fix CVE-2022-1586

Shubham Kulkarni (1):
  go: Update fix for CVE-2023-24538 & CVE-2023-39318

Sourav Pramanik (1):
  openssl: Upgrade 1.1.1v -> 1.1.1w

Vijay Anusuri (3):
  cups: Backport fix for CVE-2023-32360 and CVE-2023-4504
  gawk: backport Debian patch to fix CVE-2023-4156
  ghostscript: Backport fix CVE-2023-43115

 .../{openssl_1.1.1v.bb => openssl_1.1.1w.bb}  |   2 +-
 .../busybox/busybox/CVE-2022-48174.patch      |  82 +++
 meta/recipes-core/busybox/busybox_1.31.1.bb   |   1 +
 meta/recipes-core/dbus/dbus.inc               |   3 +
 .../dbus/dbus/CVE-2023-34969.patch            |  96 +++
 meta/recipes-devtools/go/go-1.14.inc          |   5 +-
 .../go/go-1.14/CVE-2023-24538-1.patch         |   4 +-
 .../go/go-1.14/CVE-2023-24538-2.patch         | 447 ++++++++++++-
 .../go/go-1.14/CVE-2023-24538_3.patch         | 393 ++++++++++++
 .../go/go-1.14/CVE-2023-24538_4.patch         | 497 +++++++++++++++
 .../go/go-1.14/CVE-2023-24538_5.patch         | 585 ++++++++++++++++++
 ...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++-
 .../go/go-1.14/CVE-2023-39318.patch           |  38 +-
 ...g-CRC-with-ASCII-CRC-for-large-files.patch |  39 --
 ...-calculation-of-CRC-in-copy-out-mode.patch |  58 ++
 ...appending-to-archives-bigger-than-2G.patch | 312 ++++++++++
 meta/recipes-extended/cpio/cpio_2.13.bb       |   3 +-
 meta/recipes-extended/cups/cups.inc           |   2 +
 .../cups/cups/CVE-2023-32360.patch            |  31 +
 .../cups/cups/CVE-2023-4504.patch             |  40 ++
 .../gawk/gawk/CVE-2023-4156.patch             |  28 +
 meta/recipes-extended/gawk/gawk_5.0.1.bb      |   1 +
 .../ghostscript/CVE-2023-43115.patch          |  62 ++
 .../ghostscript/ghostscript_9.52.bb           |   1 +
 .../xdg-utils/xdg-utils/CVE-2022-4055.patch   | 165 +++++
 .../xdg-utils/xdg-utils_1.1.3.bb              |   1 +
 .../libpcre2/CVE-2022-1586-regression.patch   |  30 +
 .../recipes-support/libpcre/libpcre2_10.34.bb |   1 +
 28 files changed, 3041 insertions(+), 61 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1v.bb => openssl_1.1.1w.bb} (98%)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
 create mode 100644 meta/recipes-core/dbus/dbus/CVE-2023-34969.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
 rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch => CVE-2023-24538_6.patch} (53%)
 delete mode 100644 meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch
 create mode 100644 meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch
 create mode 100644 meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32360.patch
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-4504.patch
 create mode 100644 meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
 create mode 100644 meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
 create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch

-- 
2.34.1




* [OE-core][dunfell 00/11] Patch review
@ 2023-12-06 13:55 Steve Sakoman
  0 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2023-12-06 13:55 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for dunfell and have comments back by
end of day Friday, December 8.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6293

The following changes since commit 0764da7e3f1d71eb390e5eb8a9aa1323c24d1c19:

  vim: use upstream generated .po files (2023-11-28 12:31:43 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Ashish Sharma (1):
  mdadm: Backport fix for CVE-2023-28938

Bruce Ashfield (3):
  linux-yocto/5.4: update to v5.4.258
  linux-yocto/5.4: update to v5.4.260
  linux-yocto/5.4: update to v5.4.262

Lee Chee Yang (2):
  epiphany: fix CVE-2022-29536
  qemu: ignore CVE-2021-20295 CVE-2023-2680

Steve Sakoman (1):
  cve-exclusion_5.4.inc: update for 5.4.262

Tim Orling (1):
  vim: upgrade 9.0.2068 -> 9.0.2130

Vivek Kumbhar (1):
  libsndfile: fix CVE-2022-33065 Signed integer overflow in src/mat4.c

poojitha adireddy (2):
  binutils 2.34: Fix CVE-2021-46174
  binutils: Mark CVE-2022-47696 as patched

 .../binutils/binutils-2.34.inc                |  1 +
 .../binutils/binutils/CVE-2021-46174.patch    | 35 ++++++++
 .../binutils/binutils/CVE-2023-25588.patch    |  3 +
 meta/recipes-devtools/qemu/qemu.inc           |  7 ++
 .../mdadm/files/CVE-2023-28938.patch          | 80 +++++++++++++++++++
 meta/recipes-extended/mdadm/mdadm_4.1.bb      |  1 +
 .../recipes-gnome/epiphany/epiphany_3.34.4.bb |  1 +
 .../epiphany/files/CVE-2022-29536.patch       | 46 +++++++++++
 .../linux/cve-exclusion_5.4.inc               | 79 ++++++++++++++----
 .../linux/linux-yocto-rt_5.4.bb               |  6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 ++---
 .../libsndfile1/CVE-2022-33065.patch          | 46 +++++++++++
 .../libsndfile/libsndfile1_1.0.28.bb          |  3 +-
 meta/recipes-support/vim/vim.inc              |  4 +-
 15 files changed, 306 insertions(+), 36 deletions(-)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch
 create mode 100644 meta/recipes-extended/mdadm/files/CVE-2023-28938.patch
 create mode 100644 meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch

-- 
2.34.1


