public inbox for openembedded-core@lists.openembedded.org
* [OE-core][dunfell 00/12] Patch review
@ 2020-08-03 14:26 Steve Sakoman
  0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2020-08-03 14:26 UTC
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back
by end of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1224

The following changes since commit 7ce425fa1295a9dca48f8474be58db3ac8aa540d:

  glibc: Secruity fix for CVE-2020-6096 (2020-07-27 12:15:56 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  gnutls: upgrade 3.6.13 -> 3.6.14

Andrei Gherzan (2):
  initscripts: Fix various shellcheck warnings in populate-volatile.sh
  initscripts: Fix populate-volatile.sh bug when file/dir exists

Changqing Li (2):
  layer.conf: fix adwaita-icon-theme signature change problem
  gtk-icon-cache.bbclass: add features_check

Konrad Weihmann (1):
  cve-update: handle baseMetricV2 as optional

Lee Chee Yang (1):
  checklayer: check layer in BBLAYERS before test

Matt Madison (1):
  cogl-1.0: correct X11 dependencies

Steve Sakoman (1):
  glib-networking: upgrade 2.62.3 to 2.62.4

Viktor Rosendahl (1):
  boost: backport fix to make async_pipes work with asio

Yi Zhao (1):
  bind: upgrade 9.11.19 -> 9.11.21

zhengruoqin (1):
  gnutls: Fix krb5 code license to GPLv2.1+ to match the LICENSE file.

 meta/classes/gtk-icon-cache.bbclass           |  5 ++
 meta/conf/layer.conf                          |  2 +
 .../bind/{bind_9.11.19.bb => bind_9.11.21.bb} |  2 +-
 ...ng_2.62.3.bb => glib-networking_2.62.4.bb} |  4 +-
 .../initscripts-1.0/populate-volatile.sh      | 80 ++++++++---------
 .../recipes-core/meta/cve-update-db-native.bb | 13 ++-
 meta/recipes-graphics/cogl/cogl-1.0.inc       |  2 +-
 .../0001-added-typedef-executor_type.patch    | 54 +++++++++++
 meta/recipes-support/boost/boost_1.72.0.bb    |  1 +
 ...se-to-GPLv2.1-to-keep-with-LICENSE-f.patch | 90 +++++++++++++++++++
 .../{gnutls_3.6.13.bb => gnutls_3.6.14.bb}    |  4 +-
 scripts/lib/checklayer/__init__.py            | 14 +++
 scripts/yocto-check-layer                     |  9 +-
 13 files changed, 229 insertions(+), 51 deletions(-)
 rename meta/recipes-connectivity/bind/{bind_9.11.19.bb => bind_9.11.21.bb} (98%)
 rename meta/recipes-core/glib-networking/{glib-networking_2.62.3.bb => glib-networking_2.62.4.bb} (88%)
 create mode 100644 meta/recipes-support/boost/boost/0001-added-typedef-executor_type.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch
 rename meta/recipes-support/gnutls/{gnutls_3.6.13.bb => gnutls_3.6.14.bb} (92%)

-- 
2.17.1



* [OE-core][dunfell 00/12] Patch review
@ 2020-08-24 15:14 Steve Sakoman
  0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2020-08-24 15:14 UTC
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back
by end of day Wednesday.

The following changes since commit 553a96644957ca6ad0f13b75a6e3a596357d1d52:

  linux-yocto/5.4: update to v5.4.57 (2020-08-13 04:47:52 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Adrian Bunk (1):
  librsvg: Upgrade 2.40.20 -> 2.40.21

Bruce Ashfield (2):
  linux-yocto/5.4: update to v5.4.58
  linux-yocto/5.4: perf cs-etm: Move definition of 'traceid_list' global
    variable from header file

Changqing Li (1):
  libffi: fix multilib header conflict

Chen Qi (1):
  fribidi: extend CVE_PRODUCT to include fribidi

Lee Chee Yang (2):
  ghostscript: update to 9.52
  perl: fix CVE-2020-12723

Mikko Rapeli (2):
  alsa-topology-conf: use ${datadir} in do_install()
  alsa-ucm-conf: use ${datadir} in do_install()

Richard Purdie (1):
  selftest/tinfoil: Increase wait event timeout

Vasyl Vavrychuk (1):
  runqemu: Check gtk or sdl option is passed together with gl or gl-es
    options.

Wang Mingyu (1):
  xserver-xorg: upgrade 1.20.7 -> 1.20.8

 meta/lib/oeqa/selftest/cases/tinfoil.py       |   5 +-
 .../perl/files/CVE-2020-12723.patch           | 302 ++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.30.1.bb     |   1 +
 .../do-not-check-local-libpng-source.patch    |  37 +--
 .../ghostscript/CVE-2019-14869-0001.patch     |  70 ----
 .../ghostscript/ghostscript/aarch64/objarch.h |  40 ---
 .../ghostscript/ghostscript/arm/objarch.h     |  40 ---
 .../ghostscript/ghostscript/armeb/objarch.h   |  40 ---
 .../ghostscript-9.02-genarch.patch            |  38 ---
 .../ghostscript/ghostscript/i586/objarch.h    |  41 ---
 .../ghostscript/ghostscript/i686              |   1 -
 .../ghostscript/microblaze/objarch.h          |  40 ---
 .../ghostscript/microblazeel/objarch.h        |  40 ---
 .../ghostscript/mipsarchn32eb/objarch.h       |  40 ---
 .../ghostscript/mipsarchn32el/objarch.h       |  40 ---
 .../ghostscript/mipsarchn64eb/objarch.h       |  40 ---
 .../ghostscript/mipsarchn64el/objarch.h       |  40 ---
 .../ghostscript/mipsarcho32eb/objarch.h       |  40 ---
 .../ghostscript/mipsarcho32el/objarch.h       |  40 ---
 .../ghostscript/ghostscript/nios2/objarch.h   |  40 ---
 .../ghostscript/ghostscript/powerpc/objarch.h |  40 ---
 .../ghostscript/powerpc64/objarch.h           |  40 ---
 .../ghostscript/powerpc64le/objarch.h         |  40 ---
 .../ghostscript/ghostscript/x86-64/objarch.h  |  40 ---
 ...hostscript_9.50.bb => ghostscript_9.52.bb} |  27 +-
 ...{librsvg_2.40.20.bb => librsvg_2.40.21.bb} |   3 +-
 ...-xorg_1.20.7.bb => xserver-xorg_1.20.8.bb} |   4 +-
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 .../alsa/alsa-topology-conf_1.2.1.bb          |   4 +-
 .../alsa/alsa-ucm-conf_1.2.1.2.bb             |   6 +-
 meta/recipes-support/fribidi/fribidi_1.0.9.bb |   2 +-
 meta/recipes-support/libffi/libffi_3.3.bb     |   2 +-
 scripts/runqemu                               |   3 +-
 35 files changed, 361 insertions(+), 861 deletions(-)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2020-12723.patch
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14869-0001.patch
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/aarch64/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/arm/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/armeb/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/ghostscript-9.02-genarch.patch
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/i586/objarch.h
 delete mode 120000 meta/recipes-extended/ghostscript/ghostscript/i686
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/microblaze/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/microblazeel/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/mipsarchn32eb/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/mipsarchn32el/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/mipsarchn64eb/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/mipsarchn64el/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/mipsarcho32eb/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/mipsarcho32el/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/nios2/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/powerpc/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/powerpc64/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/powerpc64le/objarch.h
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/x86-64/objarch.h
 rename meta/recipes-extended/ghostscript/{ghostscript_9.50.bb => ghostscript_9.52.bb} (87%)
 rename meta/recipes-gnome/librsvg/{librsvg_2.40.20.bb => librsvg_2.40.21.bb} (92%)
 rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_1.20.7.bb => xserver-xorg_1.20.8.bb} (89%)

-- 
2.17.1



* [OE-core][dunfell 00/12] Patch review
@ 2020-11-09  2:56 Steve Sakoman
  0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2020-11-09  2:56 UTC
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back
by end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1560

The following changes since commit 8d54034bb8e522f9827ec6422b32cbd4e5bf1346:

  sqlite3: fix CVE-2020-13632 (2020-11-05 04:07:15 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  linux-firmware: upgrade 20200817 -> 20201022

Chee Yang Lee (1):
  ruby: fix CVE-2020-25613

Khem Raj (1):
  qemuboot.bbclass: Fix a typo

Max Krummenacher (2):
  linux-firmware: package marvel sdio 8997 firmware
  linux-firmware: package nvidia firmware

Maxime Roussin-Bélanger (1):
  meta: fix some unresponsive homepages and bugtracker links

Mingli Yu (1):
  update_udev_hwdb: clean hwdb.bin

Neil Armstrong (1):
  linux-firmware: add Amlogic VDEC firmware package

Steve Sakoman (2):
  netbase: update SRC_URI to reflect new file name
  netbase: bump PE to purge bogus hash equivalence from autobuilder

Yongxin Liu (2):
  grub: fix several CVEs in grub 2.04
  grub: clean up CVE patches

 meta/classes/qemuboot.bbclass                 |    2 +-
 ...308-calloc-Use-calloc-at-most-places.patch | 1863 +++++++++++++++++
 ...low-checking-primitives-where-we-do-.patch | 1330 ++++++++++++
 ...se-after-free-when-redefining-a-func.patch |  117 ++
 ...er-overflows-in-initrd-size-handling.patch |  177 ++
 ...-we-always-have-an-overflow-checking.patch |  246 +++
 ...dd-LVM-cache-logical-volume-handling.patch |  287 +++
 ...e-arithmetic-primitives-that-check-f.patch |   94 +
 ...used-fields-from-grub_script_functio.patch |   37 +
 meta/recipes-bsp/grub/grub2.inc               |    8 +
 meta/recipes-bsp/v86d/v86d_0.1.10.bb          |    2 +-
 .../recipes-connectivity/bind/bind_9.11.22.bb |    2 +-
 meta/recipes-connectivity/iw/iw_5.4.bb        |    2 +-
 meta/recipes-core/netbase/netbase_6.1.bb      |    9 +-
 meta/recipes-core/readline/readline.inc       |    2 +-
 meta/recipes-core/util-linux/util-linux.inc   |    4 +-
 meta/recipes-devtools/chrpath/chrpath_0.16.bb |    3 +-
 meta/recipes-devtools/ninja/ninja_1.10.0.bb   |    2 +-
 .../ruby/ruby/CVE-2020-25613.patch            |   40 +
 meta/recipes-devtools/ruby/ruby_2.7.1.bb      |    1 +
 meta/recipes-extended/lsb/lsb-release_1.4.bb  |    2 +-
 .../recipes-extended/minicom/minicom_2.7.1.bb |    2 +-
 meta/recipes-extended/pbzip2/pbzip2_1.1.13.bb |    2 +-
 meta/recipes-extended/which/which_2.21.bb     |    2 +-
 meta/recipes-gnome/gnome/gconf_3.2.6.bb       |    2 +-
 meta/recipes-gnome/gtk-doc/gtk-doc_1.32.bb    |    3 +-
 meta/recipes-kernel/kmod/kmod.inc             |    2 +-
 ...20200817.bb => linux-firmware_20201022.bb} |   51 +-
 .../wireless-regdb_2020.04.29.bb              |    2 +-
 .../libvorbis/libvorbis_1.3.6.bb              |    4 +-
 .../settings-daemon/settings-daemon_0.0.2.bb  |    2 +-
 meta/recipes-support/atk/atk_2.34.1.bb        |    5 +-
 .../bash-completion/bash-completion_2.10.bb   |    4 +-
 meta/recipes-support/npth/npth_1.6.bb         |    4 +-
 scripts/postinst-intercepts/update_udev_hwdb  |    1 +
 35 files changed, 4279 insertions(+), 37 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-14308-calloc-Use-calloc-at-most-places.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch
 create mode 100644 meta/recipes-bsp/grub/files/calloc-Make-sure-we-always-have-an-overflow-checking.patch
 create mode 100644 meta/recipes-bsp/grub/files/lvm-Add-LVM-cache-logical-volume-handling.patch
 create mode 100644 meta/recipes-bsp/grub/files/safemath-Add-some-arithmetic-primitives-that-check-f.patch
 create mode 100644 meta/recipes-bsp/grub/files/script-Remove-unused-fields-from-grub_script_functio.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20200817.bb => linux-firmware_20201022.bb} (95%)

-- 
2.17.1



* [OE-core][dunfell 00/12] Patch review
@ 2021-01-11  0:45 Steve Sakoman
  0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2021-01-11  0:45 UTC
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1739

The following changes since commit af4fbea9a1656bdf95d85831cae13cae3a60d5ee:

  patch: fix CVE-2019-20633 (2021-01-04 04:50:23 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bruce Ashfield (1):
  linux-yocto/5.4: update to v5.4.85

Daniel Ammann (1):
  wic: fix typo

Mikko Rapeli (3):
  glibc: update to 2.31 stable tree head
  glib-2.0: add patch for CVE-2020-35457
  systemd: update from 244.3 to 244.5 stable release

Milan Shah (1):
  oe-pkgdata-util: Added a test to verify oe-pkgdata-util without
    parameters

Ovidiu Panait (1):
  timezone: upgrade to 2020f

Paul Barker (1):
  selftest: Add argument to keep build dir

Richard Purdie (1):
  gcc: Fix mangled patch

Ross Burton (2):
  diffstat: point the license checksum at the license
  ruby: remove tcl DEPENDS

Wang Mingyu (1):
  mobile-broadband-provider-info: upgrade 20190618 ->20201225

 meta/lib/oeqa/selftest/cases/pkgdata.py       |  6 ++
 meta/lib/oeqa/selftest/context.py             | 17 +++-
 .../mobile-broadband-provider-info_git.bb     |  4 +-
 ...econdition-to-avoid-GOptionEntry-lis.patch | 41 ++++++++
 meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb |  1 +
 meta/recipes-core/glibc/glibc-version.inc     |  2 +-
 ...md-boot_244.3.bb => systemd-boot_244.5.bb} |  0
 meta/recipes-core/systemd/systemd.inc         |  2 +-
 .../systemd/systemd/CVE-2020-13776.patch      | 96 -------------------
 ...temd-udev-seclabel-options-crash-fix.patch | 30 ------
 .../{systemd_244.3.bb => systemd_244.5.bb}    |  5 +-
 .../diffstat/diffstat_1.63.bb                 |  4 +-
 ...gcc-Fix-argument-list-too-long-error.patch |  6 +-
 meta/recipes-devtools/ruby/ruby.inc           |  2 +-
 meta/recipes-extended/timezone/timezone.inc   |  6 +-
 .../linux/linux-yocto-rt_5.4.bb               |  6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 ++---
 .../wic/plugins/source/bootimg-partition.py   |  2 +-
 19 files changed, 97 insertions(+), 163 deletions(-)
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/0001-goption-Add-a-precondition-to-avoid-GOptionEntry-lis.patch
 rename meta/recipes-core/systemd/{systemd-boot_244.3.bb => systemd-boot_244.5.bb} (100%)
 delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2020-13776.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/systemd-udev-seclabel-options-crash-fix.patch
 rename meta/recipes-core/systemd/{systemd_244.3.bb => systemd_244.5.bb} (99%)

-- 
2.17.1



* [OE-core][dunfell 00/12] Patch review
@ 2021-04-30 15:33 Steve Sakoman
  0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2021-04-30 15:33 UTC
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2087

The following changes since commit 2cc9e06807026b86038db88c2175c626feadc0be:

  linux-yocto/5.4: fix arm defconfig warnings (2021-04-22 06:23:22 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (2):
  oeqa: tear down oeqa decorators if one of them raises an exception in
    setup
  meta/lib/oeqa/core/tests/cases/timeout.py: add a testcase for the
    previous fix

Diego Sueiro (1):
  oeqa/selftest/bblayers: Add test case for bitbake-layers
    layerindex-show-depends

Khem Raj (1):
  go: Use dl.google.com for SRC_URI

Konrad Weihmann (1):
  cve-update-db-native: skip on empty cpe23Uri

Marek Vasut (1):
  linux-firmware: Package RSI 911x WiFi firmware

Reto Schneider (2):
  license_image.bbclass: Detect broken symlinks
  license_image.bbclass: Fix symlink to generic license files

Richard Purdie (1):
  yocto-check-layer: Avoid bug when iterating and autoadding
    dependencies

Vinay Kumar (1):
  Binutils: Fix CVE-2021-20197

Zhang Qiang (1):
  kernel.bbclass: Configuration for environment with HOSTCXX

wangmy (1):
  go: update SRC_URI to use https protocol

 meta/classes/kernel.bbclass                   |   2 +
 meta/classes/license_image.bbclass            |  20 +-
 meta/lib/oeqa/core/case.py                    |   9 +-
 meta/lib/oeqa/core/decorator/oetimeout.py     |   5 +-
 meta/lib/oeqa/core/tests/cases/timeout.py     |  13 +
 meta/lib/oeqa/core/tests/test_decorators.py   |   6 +
 meta/lib/oeqa/selftest/cases/bblayers.py      |   5 +
 .../recipes-core/meta/cve-update-db-native.bb |   7 +-
 .../binutils/binutils-2.34.inc                |   1 +
 .../binutils/binutils/CVE-2021-20197.patch    | 572 ++++++++++++++++++
 meta/recipes-devtools/go/go-common.inc        |   2 +-
 .../linux-firmware/linux-firmware_20210208.bb |  11 +
 scripts/yocto-check-layer                     |   3 +
 13 files changed, 646 insertions(+), 10 deletions(-)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch

-- 
2.25.1



* [OE-core][dunfell 00/12] Patch review
@ 2021-07-12 15:31 Steve Sakoman
  0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2021-07-12 15:31 UTC
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back by
end of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2338

The following changes since commit c96bcf97272f243df14598c84a41097746884b65:

  oeqa/selftest/archiver: Allow tests to ignore empty directories (2021-07-06 04:37:02 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  bootchart2: update 0.14.8 -> 0.14.9

Chen Qi (1):
  busybox: fix CVE-2021-28831

Khem Raj (1):
  webkitgtk: Upgrade to 2.28.4

Marek Vasut (1):
  update-rc.d: update SRCREV to pull in fix for non-bash shell support

Minjae Kim (1):
  dhcp: fix CVE-2021-25217

Richard Purdie (4):
  webkitgtk: upgrade 2.28.2 -> 2.28.3
  dwarfsrcfiles: Avoid races over debug-link files
  oeqa/selftest/multiprocesslauch: Fix test race
  report-error: Drop pointless inherit

Steve Sakoman (1):
  glibc: update to lastest 2.31 release HEAD

Tim Orling (1):
  python3: upgrade 3.8.10 -> 3.8.11

Zoltán Böszörményi (1):
  tzdata: Allow controlling zoneinfo binary format

 meta/classes/report-error.bbclass             |   2 -
 meta/lib/oeqa/selftest/cases/oelib/utils.py   |   3 +-
 .../dhcp/dhcp/CVE-2021-25217.patch            |  66 ++++
 meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb  |   1 +
 ...ss_gunzip-Fix-DoS-if-gzip-is-corrupt.patch |  51 +++
 meta/recipes-core/busybox/busybox_1.31.1.bb   |   3 +-
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 .../update-rc.d/update-rc.d_0.8.bb            |   2 +-
 ...tchart2_0.14.8.bb => bootchart2_0.14.9.bb} |   3 +-
 .../dwarfsrcfiles/files/dwarfsrcfiles.c       |  13 +-
 .../recipes-devtools/python/python3_3.8.11.bb | 362 ++++++++++++++++++
 meta/recipes-extended/timezone/tzdata.bb      |  10 +-
 ...build-errors-due-to-WWc-11-narrowing.patch |  66 ++++
 .../webkit/webkitgtk/CVE-2020-13753.patch     |  15 -
 ...ebkitgtk_2.28.2.bb => webkitgtk_2.28.4.bb} |   5 +-
 15 files changed, 571 insertions(+), 33 deletions(-)
 create mode 100644 meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
 create mode 100644 meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
 rename meta/recipes-devtools/bootchart2/{bootchart2_0.14.8.bb => bootchart2_0.14.9.bb} (99%)
 create mode 100644 meta/recipes-devtools/python/python3_3.8.11.bb
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch
 delete mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2020-13753.patch
 rename meta/recipes-sato/webkit/{webkitgtk_2.28.2.bb => webkitgtk_2.28.4.bb} (97%)

-- 
2.25.1



* [OE-core][dunfell 00/12] Patch review
@ 2021-08-19 19:07 Steve Sakoman
  0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2021-08-19 19:07 UTC
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back by
end of day Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2469

The following changes since commit ce78c16409363741d59a2f787aca66077bec93cd:

  sstate.bbclass: fix error handling when sstate mirrors is ro (2021-08-16 04:41:07 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexandre Belloni (1):
  oeqa/runtime/cases: make date.DateTest.test_date more reliable

Bruce Ashfield (3):
  linux-yocto/5.4: update to v5.4.137
  linux-yocto/5.4: update to v5.4.139
  linux-yocto/5.4: update to v5.4.141

Dmitry Baryshkov (1):
  linux-firmware: add more Qualcomm firmware packages

Dragos-Marian Panait (1):
  util-linux: fix CVE-2021-37600

Khem Raj (1):
  sdk: Enable do_populate_sdk with multilibs

Purushottam Choudhary (1):
  python3: Remove unused python3 recipe

Richard Purdie (1):
  oeqa/selftest/glibc: Handle incorrect encoding issuesin glibc test
    results

Ross Burton (2):
  tar: ignore node-tar CVEs
  ovmf: build natively everywhere

hongxu (1):
  sdk: fix relocate symlink failed

 meta/classes/multilib.bbclass                 |   1 -
 meta/classes/populate_sdk_base.bbclass        |   2 +-
 meta/files/toolchain-shar-relocate.sh         |   2 +-
 meta/lib/oeqa/runtime/cases/date.py           |   9 +-
 meta/lib/oeqa/selftest/cases/glibc.py         |   2 +-
 meta/recipes-core/ovmf/ovmf_git.bb            |   2 +-
 .../util-linux/CVE-2021-37600.patch           |  33 ++
 .../util-linux/util-linux_2.35.1.bb           |   1 +
 .../recipes-devtools/python/python3_3.8.10.bb | 363 ------------------
 meta/recipes-extended/tar/tar_1.32.bb         |   3 +
 .../linux-firmware/linux-firmware_20210511.bb |  17 +-
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 14 files changed, 79 insertions(+), 392 deletions(-)
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
 delete mode 100644 meta/recipes-devtools/python/python3_3.8.10.bb

-- 
2.25.1



* [OE-core][dunfell 00/12] Patch review
@ 2022-01-09 22:04 Steve Sakoman
  0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-01-09 22:04 UTC
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by end
of day Tuesday.

Passed a-full on auto builder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3096

with the exception of a known intermittent autobuilder issue on oe-selftest-fedora,
which passed on subsequent retest:

https://autobuilder.yoctoproject.org/typhoon/#/builders/86/builds/3004

The following changes since commit 1ab7aee542589f6b6c76f8515b4230ce870a8678:

  selftest: skip virgl test on fedora 34 entirely (2021-12-23 06:21:37 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  lib/oe/reproducible: correctly set .git location when recursively
    looking for git repos

Marek Vasut (1):
  weston: Backport patches to always activate the top-level surface

Marta Rybczynska (1):
  grub: fix CVE-2020-14372 and CVE-2020-27779

Richard Purdie (4):
  openssl: Add reproducibility fix
  oeqa/selftest/bbtests: Use YP sources mirror instead of GNU
  oeqa/selftest/tinfoil: Update to use test command
  scripts: Update to use exec_module() instead of load_module()

Steve Sakoman (3):
  libpcre2: update SRC_URI
  selftest: skip virgl test on fedora 35
  asciidoc: properly detect and compare Python versions >= 3.10

Tim Orling (1):
  scripts/buildhistory-diff: drop use of distutils

wangmy (1):
  linux-firmware: upgrade 20211027 -> 20211216

 meta/lib/oe/reproducible.py                   |   2 +-
 meta/lib/oeqa/selftest/cases/bbtests.py       |   2 +-
 meta/lib/oeqa/selftest/cases/runtime_test.py  |   2 +
 meta/lib/oeqa/selftest/cases/tinfoil.py       |   6 +-
 .../grub/files/CVE-2020-14372.patch           |  76 +++
 .../grub/files/CVE-2020-14372_1.patch         | 130 ++++++
 .../grub/files/CVE-2020-14372_2.patch         | 431 ++++++++++++++++++
 .../grub/files/CVE-2020-14372_3.patch         |  57 +++
 .../grub/files/CVE-2020-14372_4.patch         |  52 +++
 .../grub/files/CVE-2020-14372_5.patch         | 158 +++++++
 .../grub/files/CVE-2020-27779.patch           |  70 +++
 .../grub/files/CVE-2020-27779_2.patch         | 105 +++++
 .../grub/files/CVE-2020-27779_3.patch         |  37 ++
 .../grub/files/CVE-2020-27779_4.patch         |  35 ++
 .../grub/files/CVE-2020-27779_5.patch         |  62 +++
 .../grub/files/CVE-2020-27779_6.patch         |  61 +++
 .../grub/files/CVE-2020-27779_7.patch         |  65 +++
 .../grub/files/no-insmod-on-sb.patch          | 107 +++++
 meta/recipes-bsp/grub/grub2.inc               |  14 +
 .../openssl/openssl/reproducibility.patch     |  22 +
 .../openssl/openssl_1.1.1l.bb                 |   1 +
 .../asciidoc/detect-python-version.patch      |  42 ++
 .../asciidoc/asciidoc_8.6.9.bb                |   3 +-
 ...move-no-op-de-activation-of-the-xdg-.patch |  32 ++
 ...name-gain-lose-keyboard-focus-to-act.patch |  57 +++
 ...bed-keyboard-focus-handle-code-when-.patch |  99 ++++
 meta/recipes-graphics/wayland/weston_8.0.0.bb |   3 +
 ...20211027.bb => linux-firmware_20211216.bb} |   4 +-
 .../recipes-support/libpcre/libpcre2_10.34.bb |   2 +-
 scripts/buildhistory-diff                     |   5 -
 scripts/lib/scriptutils.py                    |   7 +-
 scripts/lib/wic/pluginbase.py                 |   8 +-
 32 files changed, 1739 insertions(+), 18 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-14372.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-27779.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch
 create mode 100644 meta/recipes-bsp/grub/files/no-insmod-on-sb.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/reproducibility.patch
 create mode 100644 meta/recipes-extended/asciidoc/asciidoc/detect-python-version.patch
 create mode 100644 meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch
 create mode 100644 meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch
 create mode 100644 meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20211027.bb => linux-firmware_20211216.bb} (99%)

-- 
2.25.1




* [OE-core][dunfell 00/12] Patch review
@ 2022-06-19 19:34 Steve Sakoman
  0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-06-19 19:34 UTC
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by end
of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3790

The following changes since commit 7e056e79a5acce8261cb5124c172cc40ad608b82:

  linux-yocto/5.4: update to v5.4.196 (2022-06-07 08:56:30 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Jose Quaresma (2):
  archiver: use bb.note instead of echo
  archiver: don't use machine variables in shared recipes

Marcel Ziswiler (1):
  alsa-plugins: fix libavtp vs. avtp packageconfig

Martin Jansa (1):
  rootfs.py: close kernel_abi_ver_file

Mingli Yu (1):
  oescripts: change compare logic in OEListPackageconfigTests

Pawan Badganchi (1):
  openssh: Whitelist CVE-2021-36368

Peter Kjellerstedt (1):
  license.bbclass: Bound beginline and endline in copy_license_files()

Rasmus Villemoes (1):
  e2fsprogs: add alternatives handling of lsattr as well

Richard Purdie (2):
  vim: Upgrade 8.2.5034 -> 8.2.5083
  gcc-source: Fix incorrect task dependencies from ${B}

Stefan Wiehler (1):
  kernel-yocto.bbclass: Reset to exiting on non-zero return code at end
    of task

Steve Sakoman (1):
  cups: fix CVE-2022-26691

 meta/classes/archiver.bbclass                 | 11 +++++--
 meta/classes/kernel-yocto.bbclass             |  8 +++++
 meta/classes/license.bbclass                  |  8 ++---
 meta/lib/oe/rootfs.py                         |  4 ++-
 meta/lib/oeqa/selftest/cases/oescripts.py     |  3 +-
 .../openssh/openssh_8.2p1.bb                  |  7 ++++
 .../e2fsprogs/e2fsprogs_1.45.7.bb             |  5 ++-
 meta/recipes-devtools/gcc/gcc-common.inc      |  2 +-
 meta/recipes-devtools/gcc/gcc-source.inc      |  1 +
 meta/recipes-extended/cups/cups.inc           |  3 +-
 .../cups/cups/CVE-2022-26691.patch            | 33 +++++++++++++++++++
 .../alsa/alsa-plugins_1.2.1.bb                |  2 +-
 meta/recipes-support/vim/vim.inc              |  4 +--
 13 files changed, 76 insertions(+), 15 deletions(-)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2022-26691.patch

-- 
2.25.1




* [OE-core][dunfell 00/12] Patch review
@ 2022-06-30 16:23 Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 01/12] golang: CVE-2022-24675 encoding/pem: fix stack overflow in Decode Steve Sakoman
                   ` (11 more replies)
  0 siblings, 12 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-06-30 16:23 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by end
of day Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3844

With the exception of a known autobuilder intermittent issue:

https://bugzilla.yoctoproject.org/show_bug.cgi?id=14788

which passed on subsequent retest:

https://autobuilder.yoctoproject.org/typhoon/#/builders/42/builds/5413

The following changes since commit c6f5fb5e7545636ef7948ad1562548b7b64dac35:

  linux-firmware: upgrade 20220509 -> 20220610 (2022-06-20 07:32:00 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Ahmed Hossam (1):
  insane.bbclass: host-user-contaminated: Correct per package home path

Alexander Kanavin (1):
  wireless-regdb: upgrade 2022.04.08 -> 2022.06.06

Hitendra Prajapati (3):
  golang: CVE-2022-24675 encoding/pem: fix stack overflow in Decode
  golang: CVE-2021-31525 net/http: panic in ReadRequest and ReadResponse
    when reading a very large header
  grub2: CVE-2021-3981 Incorrect permission in grub.cfg allow
    unprivileged user to read the file content

Joe Slater (1):
  unzip: fix CVE-2021-4217

Marek Vasut (1):
  lttng-modules: Backport Linux 5.18+, 5.15.44+, 5.10.119+ fixes

Marta Rybczynska (2):
  cve-check: add support for Ignored CVEs
  oeqa/selftest/cve_check: add tests for Ignored and partial reports

Martin Jansa (1):
  wic: fix WicError message

Muhammad Hamza (1):
  initramfs-framework: move storage mounts to actual rootfs

Richard Purdie (1):
  unzip: Port debian fixes for two CVEs

 meta/classes/cve-check.bbclass                |  41 ++-
 meta/classes/insane.bbclass                   |   2 +-
 meta/lib/oeqa/selftest/cases/cve_check.py     |  82 ++++++
 .../grub/files/CVE-2021-3981.patch            |  32 +++
 meta/recipes-bsp/grub/grub2.inc               |   1 +
 .../initrdscripts/initramfs-framework/finish  |   9 +
 meta/recipes-devtools/go/go-1.14.inc          |   2 +
 .../go/go-1.14/CVE-2021-31525.patch           |  38 +++
 .../go/go-1.14/CVE-2022-24675.patch           | 271 ++++++++++++++++++
 .../unzip/unzip/CVE-2021-4217.patch           |  67 +++++
 .../unzip/unzip/CVE-2022-0529.patch           |  39 +++
 .../unzip/unzip/CVE-2022-0530.patch           |  33 +++
 meta/recipes-extended/unzip/unzip_6.0.bb      |   3 +
 ...ndom-remove-unused-tracepoints-v5.18.patch |  46 +++
 ...emove-unused-tracepoints-v5.10-v5.15.patch |  45 +++
 ...racepoints-removed-in-stable-kernels.patch |  51 ++++
 .../lttng/lttng-modules_2.11.6.bb             |   3 +
 ....04.08.bb => wireless-regdb_2022.06.06.bb} |   2 +-
 scripts/wic                                   |   2 +-
 19 files changed, 754 insertions(+), 15 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3981.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2022.04.08.bb => wireless-regdb_2022.06.06.bb} (94%)

-- 
2.25.1




* [OE-core][dunfell 01/12] golang: CVE-2022-24675 encoding/pem: fix stack overflow in Decode
  2022-06-30 16:23 [OE-core][dunfell 00/12] Patch review Steve Sakoman
@ 2022-06-30 16:23 ` Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 02/12] golang: CVE-2021-31525 net/http: panic in ReadRequest and ReadResponse when reading a very large header Steve Sakoman
                   ` (10 subsequent siblings)
  11 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-06-30 16:23 UTC (permalink / raw)
  To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

Source: https://go-review.googlesource.com/c/go
MR: 117551
Type: Security Fix
Disposition: Backport from https://go-review.googlesource.com/c/go/+/399816/
ChangeID: 347f22f93e8eaecb3d39f8d6c0fe5a70c5cf7b7c
Description:
        CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/go/go-1.14.inc          |   1 +
 .../go/go-1.14/CVE-2022-24675.patch           | 271 ++++++++++++++++++
 2 files changed, 272 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 4827c6adfa..773d252bd1 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -23,6 +23,7 @@ SRC_URI += "\
     file://CVE-2022-23806.patch \
     file://CVE-2022-23772.patch \
     file://CVE-2021-44717.patch \
+    file://CVE-2022-24675.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch
new file mode 100644
index 0000000000..4bc012be21
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch
@@ -0,0 +1,271 @@
+From 1eb931d60a24501a9668e5cb4647593e19115507 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 17 Jun 2022 12:22:53 +0530
+Subject: [PATCH] CVE-2022-24675
+
+Upstream-Status: Backport [https://go-review.googlesource.com/c/go/+/399816/]
+CVE: CVE-2022-24675
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/encoding/pem/pem.go      | 174 +++++++++++++++--------------------
+ src/encoding/pem/pem_test.go |  28 +++++-
+ 2 files changed, 101 insertions(+), 101 deletions(-)
+
+diff --git a/src/encoding/pem/pem.go b/src/encoding/pem/pem.go
+index a7272da..1bee1c1 100644
+--- a/src/encoding/pem/pem.go
++++ b/src/encoding/pem/pem.go
+@@ -87,123 +87,97 @@ func Decode(data []byte) (p *Block, rest []byte) {
+ 	// pemStart begins with a newline. However, at the very beginning of
+ 	// the byte array, we'll accept the start string without it.
+ 	rest = data
+-	if bytes.HasPrefix(data, pemStart[1:]) {
+-		rest = rest[len(pemStart)-1 : len(data)]
+-	} else if i := bytes.Index(data, pemStart); i >= 0 {
+-		rest = rest[i+len(pemStart) : len(data)]
+-	} else {
+-		return nil, data
+-	}
+-
+-	typeLine, rest := getLine(rest)
+-	if !bytes.HasSuffix(typeLine, pemEndOfLine) {
+-		return decodeError(data, rest)
+-	}
+-	typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)]
+-
+-	p = &Block{
+-		Headers: make(map[string]string),
+-		Type:    string(typeLine),
+-	}
+-
+ 	for {
+-		// This loop terminates because getLine's second result is
+-		// always smaller than its argument.
+-		if len(rest) == 0 {
++		if bytes.HasPrefix(rest, pemStart[1:]) {
++			rest = rest[len(pemStart)-1:]
++		} else if i := bytes.Index(rest, pemStart); i >= 0 {
++			rest = rest[i+len(pemStart) : len(rest)]
++		} else {
+ 			return nil, data
+ 		}
+-		line, next := getLine(rest)
+ 
+-		i := bytes.IndexByte(line, ':')
+-		if i == -1 {
+-			break
++		var typeLine []byte
++		typeLine, rest = getLine(rest)
++		if !bytes.HasSuffix(typeLine, pemEndOfLine) {
++			continue
+ 		}
++		typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)]
+ 
+-		// TODO(agl): need to cope with values that spread across lines.
+-		key, val := line[:i], line[i+1:]
+-		key = bytes.TrimSpace(key)
+-		val = bytes.TrimSpace(val)
+-		p.Headers[string(key)] = string(val)
+-		rest = next
+-	}
++		p = &Block{
++			Headers: make(map[string]string),
++			Type:    string(typeLine),
++		}
+ 
+-	var endIndex, endTrailerIndex int
++		for {
++			// This loop terminates because getLine's second result is
++			// always smaller than its argument.
++			if len(rest) == 0 {
++				return nil, data
++			}
++			line, next := getLine(rest)
+ 
+-	// If there were no headers, the END line might occur
+-	// immediately, without a leading newline.
+-	if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) {
+-		endIndex = 0
+-		endTrailerIndex = len(pemEnd) - 1
+-	} else {
+-		endIndex = bytes.Index(rest, pemEnd)
+-		endTrailerIndex = endIndex + len(pemEnd)
+-	}
++			i := bytes.IndexByte(line, ':')
++			if i == -1 {
++				break
++			}
+ 
+-	if endIndex < 0 {
+-		return decodeError(data, rest)
+-	}
++			// TODO(agl): need to cope with values that spread across lines.
++			key, val := line[:i], line[i+1:]
++			key = bytes.TrimSpace(key)
++			val = bytes.TrimSpace(val)
++			p.Headers[string(key)] = string(val)
++			rest = next
++		}
+ 
+-	// After the "-----" of the ending line, there should be the same type
+-	// and then a final five dashes.
+-	endTrailer := rest[endTrailerIndex:]
+-	endTrailerLen := len(typeLine) + len(pemEndOfLine)
+-	if len(endTrailer) < endTrailerLen {
+-		return decodeError(data, rest)
+-	}
++		var endIndex, endTrailerIndex int
+ 
+-	restOfEndLine := endTrailer[endTrailerLen:]
+-	endTrailer = endTrailer[:endTrailerLen]
+-	if !bytes.HasPrefix(endTrailer, typeLine) ||
+-		!bytes.HasSuffix(endTrailer, pemEndOfLine) {
+-		return decodeError(data, rest)
+-	}
++		// If there were no headers, the END line might occur
++		// immediately, without a leading newline.
++		if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) {
++			endIndex = 0
++			endTrailerIndex = len(pemEnd) - 1
++		} else {
++			endIndex = bytes.Index(rest, pemEnd)
++			endTrailerIndex = endIndex + len(pemEnd)
++		}
+ 
+-	// The line must end with only whitespace.
+-	if s, _ := getLine(restOfEndLine); len(s) != 0 {
+-		return decodeError(data, rest)
+-	}
++		if endIndex < 0 {
++			continue
++		}
+ 
+-	base64Data := removeSpacesAndTabs(rest[:endIndex])
+-	p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data)))
+-	n, err := base64.StdEncoding.Decode(p.Bytes, base64Data)
+-	if err != nil {
+-		return decodeError(data, rest)
+-	}
+-	p.Bytes = p.Bytes[:n]
++		// After the "-----" of the ending line, there should be the same type
++		// and then a final five dashes.
++		endTrailer := rest[endTrailerIndex:]
++		endTrailerLen := len(typeLine) + len(pemEndOfLine)
++		if len(endTrailer) < endTrailerLen {
++			continue
++		}
++
++		restOfEndLine := endTrailer[endTrailerLen:]
++		endTrailer = endTrailer[:endTrailerLen]
++		if !bytes.HasPrefix(endTrailer, typeLine) ||
++			!bytes.HasSuffix(endTrailer, pemEndOfLine) {
++			continue
++		}
+ 
+-	// the -1 is because we might have only matched pemEnd without the
+-	// leading newline if the PEM block was empty.
+-	_, rest = getLine(rest[endIndex+len(pemEnd)-1:])
++		// The line must end with only whitespace.
++		if s, _ := getLine(restOfEndLine); len(s) != 0 {
++			continue
++		}
+ 
+-	return
+-}
++		base64Data := removeSpacesAndTabs(rest[:endIndex])
++		p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data)))
++		n, err := base64.StdEncoding.Decode(p.Bytes, base64Data)
++		if err != nil {
++			continue
++		}
++		p.Bytes = p.Bytes[:n]
+ 
+-func decodeError(data, rest []byte) (*Block, []byte) {
+-	// If we get here then we have rejected a likely looking, but
+-	// ultimately invalid PEM block. We need to start over from a new
+-	// position. We have consumed the preamble line and will have consumed
+-	// any lines which could be header lines. However, a valid preamble
+-	// line is not a valid header line, therefore we cannot have consumed
+-	// the preamble line for the any subsequent block. Thus, we will always
+-	// find any valid block, no matter what bytes precede it.
+-	//
+-	// For example, if the input is
+-	//
+-	//    -----BEGIN MALFORMED BLOCK-----
+-	//    junk that may look like header lines
+-	//   or data lines, but no END line
+-	//
+-	//    -----BEGIN ACTUAL BLOCK-----
+-	//    realdata
+-	//    -----END ACTUAL BLOCK-----
+-	//
+-	// we've failed to parse using the first BEGIN line
+-	// and now will try again, using the second BEGIN line.
+-	p, rest := Decode(rest)
+-	if p == nil {
+-		rest = data
++		// the -1 is because we might have only matched pemEnd without the
++		// leading newline if the PEM block was empty.
++		_, rest = getLine(rest[endIndex+len(pemEnd)-1:])
++		return p, rest
+ 	}
+-	return p, rest
+ }
+ 
+ const pemLineLength = 64
+diff --git a/src/encoding/pem/pem_test.go b/src/encoding/pem/pem_test.go
+index 8515b46..4485581 100644
+--- a/src/encoding/pem/pem_test.go
++++ b/src/encoding/pem/pem_test.go
+@@ -107,6 +107,12 @@ const pemMissingEndingSpace = `
+ dGVzdA==
+ -----ENDBAR-----`
+ 
++const pemMissingEndLine = `
++-----BEGIN FOO-----
++Header: 1`
++
++var pemRepeatingBegin = strings.Repeat("-----BEGIN \n", 10)
++
+ var badPEMTests = []struct {
+ 	name  string
+ 	input string
+@@ -131,14 +137,34 @@ var badPEMTests = []struct {
+ 		"missing ending space",
+ 		pemMissingEndingSpace,
+ 	},
++	{
++		"repeating begin",
++		pemRepeatingBegin,
++	},
++	{
++		"missing end line",
++		pemMissingEndLine,
++	},
+ }
+ 
+ func TestBadDecode(t *testing.T) {
+ 	for _, test := range badPEMTests {
+-		result, _ := Decode([]byte(test.input))
++		result, rest := Decode([]byte(test.input))
+ 		if result != nil {
+ 			t.Errorf("unexpected success while parsing %q", test.name)
+ 		}
++		if string(rest) != test.input {
++			t.Errorf("unexpected rest: %q; want = %q", rest, test.input)
++		}
++	}
++}
++
++func TestCVE202224675(t *testing.T) {
++	// Prior to CVE-2022-24675, this input would cause a stack overflow.
++	input := []byte(strings.Repeat("-----BEGIN \n", 10000000))
++	result, rest := Decode(input)
++	if result != nil || !reflect.DeepEqual(rest, input) {
++		t.Errorf("Encode of %#v decoded as %#v", input, rest)
+ 	}
+ }
+ 
+-- 
+2.25.1
+
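Review bot: The header of the embedded CVE-2022-24675.patch gives only "Subject: [PATCH] CVE-2022-24675" with no description, so the file does not record why Decode drops the recursive decodeError path in favour of an outer for loop with continue. Carrying over the upstream commit message, and adding the upstream commit hash beside the Gerrit link in Upstream-Status, would make the backport easier to audit. In pem_test.go, TestCVE202224675 prints the 10000000-repeat input with %#v when it fails, which would flood the log; reporting len(rest) and len(input) would keep the failure readable. The new tests also use strings.Repeat and reflect.DeepEqual with no import change in the visible hunks, so confirm the 1.14 test file already imports both packages.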
-- 
2.25.1




* [OE-core][dunfell 02/12] golang: CVE-2021-31525 net/http: panic in ReadRequest and ReadResponse when reading a very large header
  2022-06-30 16:23 [OE-core][dunfell 00/12] Patch review Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 01/12] golang: CVE-2022-24675 encoding/pem: fix stack overflow in Decode Steve Sakoman
@ 2022-06-30 16:23 ` Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 03/12] unzip: fix CVE-2021-4217 Steve Sakoman
                   ` (9 subsequent siblings)
  11 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-06-30 16:23 UTC (permalink / raw)
  To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

Source: https://github.com/argoheyard/lang-net
MR: 114874
Type: Security Fix
Disposition: Backport from https://github.com/argoheyard/lang-net/commit/701957006ef151feb43f86aa99c8a1f474f69282
ChangeID: bd3c4f9f44dd1c45e810172087004778522d28eb
Description:
       CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/go/go-1.14.inc          |  1 +
 .../go/go-1.14/CVE-2021-31525.patch           | 38 +++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 773d252bd1..b160222f76 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -24,6 +24,7 @@ SRC_URI += "\
     file://CVE-2022-23772.patch \
     file://CVE-2021-44717.patch \
     file://CVE-2022-24675.patch \
+    file://CVE-2021-31525.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch
new file mode 100644
index 0000000000..afe4b0d2b8
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch
@@ -0,0 +1,38 @@
+From efb465ada003d23353a91ef930be408eb575dba6 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 16 Jun 2022 17:40:12 +0530
+Subject: [PATCH] CVE-2021-31525
+
+Upstream-Status: Backport [https://github.com/argoheyard/lang-net/commit/701957006ef151feb43f86aa99c8a1f474f69282]
+CVE: CVE-2021-31525
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+---
+ src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/vendor/golang.org/x/net/http/httpguts/httplex.go b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+index e7de24e..c79aa73 100644
+--- a/src/vendor/golang.org/x/net/http/httpguts/httplex.go
++++ b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+@@ -137,11 +137,13 @@ func trimOWS(x string) string {
+ // contains token amongst its comma-separated tokens, ASCII
+ // case-insensitively.
+ func headerValueContainsToken(v string, token string) bool {
+-	v = trimOWS(v)
+-	if comma := strings.IndexByte(v, ','); comma != -1 {
+-		return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
++	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
++		if tokenEqual(trimOWS(v[:comma]), token) {
++			return true
++		}
++		v = v[comma+1:]
+ 	}
+-	return tokenEqual(v, token)
++	return tokenEqual(trimOWS(v), token)
+ }
+ 
+ // lowerASCII returns the ASCII lowercase version of b.
+-- 
+2.25.1
+
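Review bot: Upstream-Status in the embedded CVE-2021-31525.patch points at github.com/argoheyard/lang-net, while the file being patched is src/vendor/golang.org/x/net/http/httpguts/httplex.go. Referencing the corresponding golang.org/x/net change would give a backport reference that can be checked against the project the vendored code comes from. The rewrite of headerValueContainsToken from recursion to a loop also ships without a test (the diffstat lists one file), so a line in the commit message on how the fix was verified against a header value with many commas would help.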
-- 
2.25.1




* [OE-core][dunfell 03/12] unzip: fix CVE-2021-4217
  2022-06-30 16:23 [OE-core][dunfell 00/12] Patch review Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 01/12] golang: CVE-2022-24675 encoding/pem: fix stack overflow in Decode Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 02/12] golang: CVE-2021-31525 net/http: panic in ReadRequest and ReadResponse when reading a very large header Steve Sakoman
@ 2022-06-30 16:23 ` Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 04/12] unzip: Port debian fixes for two CVEs Steve Sakoman
                   ` (8 subsequent siblings)
  11 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-06-30 16:23 UTC (permalink / raw)
  To: openembedded-core

From: Joe Slater <joe.slater@windriver.com>

Avoid a null pointer dereference.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 36db85b9b127e5a9f5d3d6e428168cf597ab95f3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../unzip/unzip/CVE-2021-4217.patch           | 67 +++++++++++++++++++
 meta/recipes-extended/unzip/unzip_6.0.bb      |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch

diff --git a/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch
new file mode 100644
index 0000000000..6ba2b879a3
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch
@@ -0,0 +1,67 @@
+From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
+From: Nils Bars <nils.bars@t-online.de>
+Date: Mon, 17 Jan 2022 16:53:16 +0000
+Subject: [PATCH] Fix null pointer dereference and use of uninitialized data
+
+This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
+to read as many bytes as indicated by the extra field length attribute.
+Furthermore, this fixes a null pointer dereference if an archive contains an
+`EF_UNIPATH` extra field but does not have a filename set.
+---
+ fileio.c  | 5 ++++-
+ process.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-) 
+---
+
+Patch from:
+https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
+https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch
+Regenerated to apply without offsets.
+
+CVE: CVE-2021-4217
+
+Upstream-Status: Pending [infozip upstream inactive]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+
+diff --git a/fileio.c b/fileio.c
+index 14460f3..1dc319e 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -2301,8 +2301,11 @@ int do_string(__G__ length, option)   /* return PK-type error code */
+             seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes +
+                       (G.inptr-G.inbuf) + length);
+         } else {
+-            if (readbuf(__G__ (char *)G.extra_field, length) == 0)
++            unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length);
++            if (bytes_read == 0)
+                 return PK_EOF;
++            if (bytes_read != length)
++                return PK_ERR;
+             /* Looks like here is where extra fields are read */
+             if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
+             {
+diff --git a/process.c b/process.c
+index 5f8f6c6..de843a5 100644
+--- a/process.c
++++ b/process.c
+@@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+           G.unipath_checksum = makelong(offset + ef_buf);
+           offset += 4;
+ 
++          if (!G.filename_full) {
++            /* Check if we have a unicode extra section but no filename set */
++            return PK_ERR;
++          }
++
+           /*
+            * Compute 32-bit crc
+            */
+-
+           chksum = crc32(chksum, (uch *)(G.filename_full),
+                          strlen(G.filename_full));
+ 
+-- 
+2.32.0
+
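Review bot: In the header of the embedded CVE-2021-4217.patch, the CVE:, Upstream-Status: and Signed-off-by: lines sit below the diffstat, after two "---" separators. Git treats everything from the first "---" to the start of the diff as non-message text, so these tags are lost whenever the patch is applied as a commit; moving them above the first "---" fixes that. In process.c the hunk also deletes the blank line after the "Compute 32-bit crc" comment, which is unrelated to the fix and could be dropped from the patch.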
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index af5530ab38..3e253afe65 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -26,6 +26,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
 	file://CVE-2019-13232_p1.patch \
 	file://CVE-2019-13232_p2.patch \
 	file://CVE-2019-13232_p3.patch \
+        file://CVE-2021-4217.patch \
 "
 UPSTREAM_VERSION_UNKNOWN = "1"
 
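Review bot: The added SRC_URI entry is indented with eight spaces while the neighbouring file://CVE-2019-13232_p*.patch entries use a tab; matching the existing tab keeps the list consistent.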
-- 
2.25.1




* [OE-core][dunfell 04/12] unzip: Port debian fixes for two CVEs
  2022-06-30 16:23 [OE-core][dunfell 00/12] Patch review Steve Sakoman
                   ` (2 preceding siblings ...)
  2022-06-30 16:23 ` [OE-core][dunfell 03/12] unzip: fix CVE-2021-4217 Steve Sakoman
@ 2022-06-30 16:23 ` Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 05/12] cve-check: add support for Ignored CVEs Steve Sakoman
                   ` (7 subsequent siblings)
  11 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-06-30 16:23 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Add two fixes from debian for two CVEs. From:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355

I wasn't able to get the reproducers to work but the added error
checking probably isn't a bad thing.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 054be00a632c2918dd1f973e76514e459fc6f017)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../unzip/unzip/CVE-2022-0529.patch           | 39 +++++++++++++++++++
 .../unzip/unzip/CVE-2022-0530.patch           | 33 ++++++++++++++++
 meta/recipes-extended/unzip/unzip_6.0.bb      |  2 +
 3 files changed, 74 insertions(+)
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch

diff --git a/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch
new file mode 100644
index 0000000000..1c1e120deb
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch
@@ -0,0 +1,39 @@
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
+
+CVE: CVE-2022-0529
+Upstream-Status: Inactive-Upstream [need a new release]
+
+diff --git a/process.c b/process.c
+index d2a846e..99b9c7b 100644
+--- a/process.c
++++ b/process.c
+@@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all)
+   char buf[9];
+   char *buffer = NULL;
+   char *local_string = NULL;
++  size_t buffer_size;
+ 
+   for (wsize = 0; wide_string[wsize]; wsize++) ;
+ 
+   if (max_bytes < MAX_ESCAPE_BYTES)
+     max_bytes = MAX_ESCAPE_BYTES;
+ 
+-  if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
++  buffer_size = wsize * max_bytes + 1;
++  if ((buffer = (char *)malloc(buffer_size)) == NULL) {
+     return NULL;
+   }
+ 
+@@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all)
+       /* no MB for this wide */
+         /* use escape for wide character */
+         char *escape_string = wide_to_escape_string(wide_string[i]);
+-        strcat(buffer, escape_string);
++        size_t buffer_len = strlen(buffer);
++        size_t escape_string_len = strlen(escape_string);
++        if (buffer_len + escape_string_len + 1 > buffer_size)
++          escape_string_len = buffer_size - buffer_len - 1;
++        strncat(buffer, escape_string, escape_string_len);
+         free(escape_string);
+     }
+   }
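Review bot: In the second process.c hunk, the bounded strncat silently truncates the escape string when it would not fit, so wide_to_local_string returns a shortened name with no indication of the problem. Freeing the buffers and returning NULL may be the safer outcome, and CVE-2022-0530.patch in this same commit makes the callers handle NULL. The clamp "buffer_size - buffer_len - 1" also assumes buffer_len is already below buffer_size, and only this one append is bounded in the lines shown. The patch header carries no Signed-off-by and no description beyond the Debian bug URL.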
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch
new file mode 100644
index 0000000000..363dafddc9
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch
@@ -0,0 +1,33 @@
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
+
+CVE: CVE-2022-0530
+Upstream-Status: Inactive-Upstream [need a new release]
+
+diff --git a/fileio.c b/fileio.c
+index 6290824..77e4b5f 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option)   /* return PK-type error code */
+                   /* convert UTF-8 to local character set */
+                   fn = utf8_to_local_string(G.unipath_filename,
+                                             G.unicode_escape_all);
++                  if (fn == NULL)
++                    return PK_ERR;
++
+                   /* make sure filename is short enough */
+                   if (strlen(fn) >= FILNAMSIZ) {
+                     fn[FILNAMSIZ - 1] = '\0';
+diff --git a/process.c b/process.c
+index d2a846e..715bc0f 100644
+--- a/process.c
++++ b/process.c
+@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
+   int escape_all;
+ {
+   zwchar *wide = utf8_to_wide_string(utf8_string);
++  if (wide == NULL)
++    return NULL;
+   char *loc = wide_to_local_string(wide, escape_all);
+   free(wide);
+   return loc;
+
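Review bot: In the process.c hunk, the new "if (wide == NULL) return NULL;" lands between the declaration of wide and the declaration "char *loc = wide_to_local_string(wide, escape_all);", which puts a declaration after a statement in a function written in K&R style. Declaring loc at the top of the function and assigning it after the check avoids relying on C99 behaviour. As with CVE-2022-0529.patch, the header has no Signed-off-by or description.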
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 3e253afe65..fa57c8f5bd 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -27,6 +27,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
 	file://CVE-2019-13232_p2.patch \
 	file://CVE-2019-13232_p3.patch \
         file://CVE-2021-4217.patch \
+        file://CVE-2022-0529.patch \
+        file://CVE-2022-0530.patch \
 "
 UPSTREAM_VERSION_UNKNOWN = "1"
 
-- 
2.25.1




* [OE-core][dunfell 05/12] cve-check: add support for Ignored CVEs
  2022-06-30 16:23 [OE-core][dunfell 00/12] Patch review Steve Sakoman
                   ` (3 preceding siblings ...)
  2022-06-30 16:23 ` [OE-core][dunfell 04/12] unzip: Port debian fixes for two CVEs Steve Sakoman
@ 2022-06-30 16:23 ` Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 06/12] grub2: CVE-2021-3981 Incorrect permission in grub.cfg allow unprivileged user to read the file content Steve Sakoman
                   ` (6 subsequent siblings)
  11 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-06-30 16:23 UTC (permalink / raw)
  To: openembedded-core

From: Marta Rybczynska <rybczynska@gmail.com>

Ignored CVEs aren't patched, but do not apply in our configuration
for some reason. Up till now they were only partially supported
and reported as "Patched".

This patch adds separate reporting of Ignored CVEs. The variable
CVE_CHECK_REPORT_PATCHED now manages reporting of both patched
and ignored CVEs.

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry-picked from c773102d4828fc4ddd1024f6115d577e23f1afe4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/cve-check.bbclass | 41 ++++++++++++++++++++++++----------
 1 file changed, 29 insertions(+), 12 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 894cebaaa4..d0f6970db8 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -47,7 +47,9 @@ CVE_CHECK_MANIFEST_JSON ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX
 CVE_CHECK_COPY_FILES ??= "1"
 CVE_CHECK_CREATE_MANIFEST ??= "1"
 
+# Report Patched or Ignored/Whitelisted CVEs
 CVE_CHECK_REPORT_PATCHED ??= "1"
+
 CVE_CHECK_SHOW_WARNINGS ??= "1"
 
 # Provide text output
@@ -142,7 +144,7 @@ python do_cve_check () {
             bb.fatal("Failure in searching patches")
         whitelisted, patched, unpatched, status = check_cves(d, patched_cves)
         if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
-            cve_data = get_cve_info(d, patched + unpatched)
+            cve_data = get_cve_info(d, patched + unpatched + whitelisted)
             cve_write_data(d, patched, unpatched, whitelisted, cve_data, status)
     else:
         bb.note("No CVE database found, skipping CVE check")
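Review bot: The guard on the line above the change still reads "if patched or unpatched or (...)", so a recipe whose only matching CVEs end up in whitelisted skips cve_write_data and never appears in the report, even though get_cve_info now fetches data for them. Adding whitelisted to that condition would make the new Ignored status visible in that case.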
@@ -315,6 +317,7 @@ def check_cves(d, patched_cves):
     suffix = d.getVar("CVE_VERSION_SUFFIX")
 
     cves_unpatched = []
+    cves_ignored = []
     cves_status = []
     cves_in_recipe = False
     # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -349,8 +352,7 @@ def check_cves(d, patched_cves):
 
             if cve in cve_whitelist:
                 bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
-                # TODO: this should be in the report as 'whitelisted'
-                patched_cves.add(cve)
+                cves_ignored.append(cve)
                 continue
             elif cve in patched_cves:
                 bb.note("%s has been patched" % (cve))
@@ -362,9 +364,13 @@ def check_cves(d, patched_cves):
                 cves_in_recipe = True
 
             vulnerable = False
+            ignored = False
+
             for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)):
                 (_, _, _, version_start, operator_start, version_end, operator_end) = row
                 #bb.debug(2, "Evaluating row " + str(row))
+                if cve in cve_whitelist:
+                    ignored = True
 
                 if (operator_start == '=' and pv == version_start) or version_start == '-':
                     vulnerable = True
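Review bot: the `if cve in cve_whitelist: ignored = True` check added inside the `for row` loop looks unreachable, because the whitelist branch in the previous hunk already appends the CVE to `cves_ignored` and does `continue` before the SELECT runs. The condition is also loop-invariant, so if it is meant to be live it belongs before the loop. Either drop the `ignored` flag together with the `if ignored:` branch that depends on it, or remove the early `continue` so that only CVEs whose version range actually matches are reported as Ignored; as written the two mechanisms overlap.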
@@ -397,13 +403,16 @@ def check_cves(d, patched_cves):
                         vulnerable = vulnerable_start or vulnerable_end
 
                 if vulnerable:
-                    bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
-                    cves_unpatched.append(cve)
+                    if ignored:
+                        bb.note("%s is ignored in %s-%s" % (cve, pn, real_pv))
+                        cves_ignored.append(cve)
+                    else:
+                        bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
+                        cves_unpatched.append(cve)
                     break
 
             if not vulnerable:
                 bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
-                # TODO: not patched but not vulnerable
                 patched_cves.add(cve)
 
         if not cves_in_product:
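Review bot: the last change in this hunk deletes `# TODO: not patched but not vulnerable` but keeps `patched_cves.add(cve)`, so a CVE whose version range does not match is still reported as Patched. The limitation the TODO recorded is unchanged by this patch; keep the comment, or state in the commit message that not-vulnerable CVEs are intentionally still counted as Patched.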
@@ -412,7 +421,7 @@ def check_cves(d, patched_cves):
 
     conn.close()
 
-    return (list(cve_whitelist), list(patched_cves), cves_unpatched, cves_status)
+    return (list(cves_ignored), list(patched_cves), cves_unpatched, cves_status)
 
 def get_cve_info(d, cves):
     """
@@ -450,6 +459,8 @@ def cve_write_data_text(d, patched, unpatched, whitelisted, cve_data):
     include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
     exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
 
+    report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
+
     if exclude_layers and layer in exclude_layers:
         return
 
@@ -457,7 +468,7 @@ def cve_write_data_text(d, patched, unpatched, whitelisted, cve_data):
         return
 
     # Early exit, the text format does not report packages without CVEs
-    if not patched+unpatched:
+    if not patched+unpatched+whitelisted:
         return
 
     nvd_link = "https://nvd.nist.gov/vuln/detail/"
@@ -467,13 +478,16 @@ def cve_write_data_text(d, patched, unpatched, whitelisted, cve_data):
 
     for cve in sorted(cve_data):
         is_patched = cve in patched
-        if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"):
+        is_ignored = cve in whitelisted
+
+        if (is_patched or is_ignored) and not report_all:
             continue
+
         write_string += "LAYER: %s\n" % layer
         write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
         write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
         write_string += "CVE: %s\n" % cve
-        if cve in whitelisted:
+        if is_ignored:
             write_string += "CVE STATUS: Whitelisted\n"
         elif is_patched:
             write_string += "CVE STATUS: Patched\n"
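Review bot: the text writer still emits `CVE STATUS: Whitelisted` for `is_ignored`, while the JSON writer in this same patch sets the status to `Ignored`. Anything that compares the two reports sees two names for one state; align the strings or document the difference next to CVE_CHECK_REPORT_PATCHED. The parameter is also named `whitelisted` here and `ignored` in cve_write_data_json, which makes the two functions harder to read side by side.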
@@ -550,6 +564,8 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
     include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
     exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
 
+    report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
+
     if exclude_layers and layer in exclude_layers:
         return
 
@@ -576,10 +592,11 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
 
     for cve in sorted(cve_data):
         is_patched = cve in patched
+        is_ignored = cve in ignored
         status = "Unpatched"
-        if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"):
+        if (is_patched or is_ignored) and not report_all:
             continue
-        if cve in ignored:
+        if is_ignored:
             status = "Ignored"
         elif is_patched:
             status = "Patched"
-- 
2.25.1




* [OE-core][dunfell 06/12] grub2: CVE-2021-3981 Incorrect permission in grub.cfg allow unprivileged user to read the file content
  2022-06-30 16:23 [OE-core][dunfell 00/12] Patch review Steve Sakoman
                   ` (4 preceding siblings ...)
  2022-06-30 16:23 ` [OE-core][dunfell 05/12] cve-check: add support for Ignored CVEs Steve Sakoman
@ 2022-06-30 16:23 ` Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 07/12] oeqa/selftest/cve_check: add tests for Ignored and partial reports Steve Sakoman
                   ` (5 subsequent siblings)
  11 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-06-30 16:23 UTC (permalink / raw)
  To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

Source: https://git.savannah.gnu.org/cgit/grub.git/
MR: 116495
Type: Security Fix
Disposition: Backport from https://git.savannah.gnu.org/cgit/grub.git/diff/util/grub-mkconfig.in?id=0adec29674561034771c13e446069b41ef41e4d4
ChangeID: fce3d59e50320bef247bb981352051b8f953a4fc
Description:
        CVE-2021-3981 grub2: Incorrect permission in grub.cfg allow unprivileged user to read the file content.

Affects "grub2 < 2.06"

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../grub/files/CVE-2021-3981.patch            | 32 +++++++++++++++++++
 meta/recipes-bsp/grub/grub2.inc               |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3981.patch

diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981.patch b/meta/recipes-bsp/grub/files/CVE-2021-3981.patch
new file mode 100644
index 0000000000..e27027ea65
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3981.patch
@@ -0,0 +1,32 @@
+From 67740c43c9326956ea5cd6be77f813b5499a56a5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 27 Jun 2022 10:15:29 +0530
+Subject: [PATCH] CVE-2021-3981
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/diff/util/grub-mkconfig.in?id=0adec29674561034771c13e446069b41ef41e4d4]
+CVE: CVE-2021-3981
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ util/grub-mkconfig.in | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index 9f477ff..ead94a6 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -287,7 +287,11 @@ and /etc/grub.d/* files or please file a bug report with
+     exit 1
+   else
+     # none of the children aborted with error, install the new grub.cfg
+-    mv -f ${grub_cfg}.new ${grub_cfg}
++    oldumask=$(umask)
++    umask 077
++    cat ${grub_cfg}.new > ${grub_cfg}
++    umask $oldumask
++    rm -f ${grub_cfg}.new
+   fi
+ fi
+ 
+-- 
+2.25.1
+
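Review bot: in the grub-mkconfig.in hunk, `umask 077` only affects the mode when the redirect creates `${grub_cfg}`; if the file already exists with wider permissions, `cat ${grub_cfg}.new > ${grub_cfg}` truncates it and keeps the old mode, so the change does not tighten an existing grub.cfg. The line being replaced is `mv -f`, which swaps the file in with a single rename, whereas cat followed by rm leaves a window in which the config is partially written. Please explain in the patch header why `mv -f` is replaced on this branch, and consider an explicit chmod on the target or keeping the rename. `${grub_cfg}` is also unquoted in every added line.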
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 0d3f6d05da..9e98d8249d 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -95,6 +95,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
            file://0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch \
            file://0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch \
            file://0046-script-execute-Avoid-crash-when-using-outside-a-func.patch \
+           file://CVE-2021-3981.patch\
            "
 SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
 SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
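Review bot: the added SRC_URI entry ends in `CVE-2021-3981.patch\` with no space before the continuation backslash, unlike the entries above it. Add the space so the line matches its neighbours and an entry appended below it later cannot be joined onto this one.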
-- 
2.25.1




* [OE-core][dunfell 07/12] oeqa/selftest/cve_check: add tests for Ignored and partial reports
  2022-06-30 16:23 [OE-core][dunfell 00/12] Patch review Steve Sakoman
                   ` (5 preceding siblings ...)
  2022-06-30 16:23 ` [OE-core][dunfell 06/12] grub2: CVE-2021-3981 Incorrect permission in grub.cfg allow unprivileged user to read the file content Steve Sakoman
@ 2022-06-30 16:23 ` Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 08/12] wireless-regdb: upgrade 2022.04.08 -> 2022.06.06 Steve Sakoman
                   ` (4 subsequent siblings)
  11 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-06-30 16:23 UTC (permalink / raw)
  To: openembedded-core

From: Marta Rybczynska <rybczynska@gmail.com>

Add testcases for partial reports with CVE_CHECK_REPORT_PATCHED and
Ignored CVEs.

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry-picked from 3f7639b90004973782a2e74925fd2e9a764c1090)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/selftest/cases/cve_check.py | 82 +++++++++++++++++++++++
 1 file changed, 82 insertions(+)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 2f26f606d7..d0b2213703 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -117,3 +117,85 @@ CVE_CHECK_FORMAT_JSON = "1"
         self.assertEqual(report["version"], "1")
         self.assertEqual(len(report["package"]), 1)
         self.assertEqual(report["package"][0]["name"], recipename)
+
+
+    def test_recipe_report_json_unpatched(self):
+        config = """
+INHERIT += "cve-check"
+CVE_CHECK_FORMAT_JSON = "1"
+CVE_CHECK_REPORT_PATCHED = "0"
+"""
+        self.write_config(config)
+
+        vars = get_bb_vars(["CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+        summary_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+        recipe_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], "m4-native_cve.json")
+
+        try:
+            os.remove(summary_json)
+            os.remove(recipe_json)
+        except FileNotFoundError:
+            pass
+
+        bitbake("m4-native -c cve_check")
+
+        def check_m4_json(filename):
+            with open(filename) as f:
+                report = json.load(f)
+            self.assertEqual(report["version"], "1")
+            self.assertEqual(len(report["package"]), 1)
+            package = report["package"][0]
+            self.assertEqual(package["name"], "m4-native")
+            #m4 had only Patched CVEs, so the issues array will be empty
+            self.assertEqual(package["issue"], [])
+
+        self.assertExists(summary_json)
+        check_m4_json(summary_json)
+        self.assertExists(recipe_json)
+        check_m4_json(recipe_json)
+
+
+    def test_recipe_report_json_ignored(self):
+        config = """
+INHERIT += "cve-check"
+CVE_CHECK_FORMAT_JSON = "1"
+CVE_CHECK_REPORT_PATCHED = "1"
+"""
+        self.write_config(config)
+
+        vars = get_bb_vars(["CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+        summary_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+        recipe_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], "logrotate_cve.json")
+
+        try:
+            os.remove(summary_json)
+            os.remove(recipe_json)
+        except FileNotFoundError:
+            pass
+
+        bitbake("logrotate -c cve_check")
+
+        def check_m4_json(filename):
+            with open(filename) as f:
+                report = json.load(f)
+            self.assertEqual(report["version"], "1")
+            self.assertEqual(len(report["package"]), 1)
+            package = report["package"][0]
+            self.assertEqual(package["name"], "logrotate")
+            found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+            # m4 CVE should not be in logrotate
+            self.assertNotIn("CVE-2008-1687", found_cves)
+            # logrotate has both Patched and Ignored CVEs
+            self.assertIn("CVE-2011-1098", found_cves)
+            self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+            self.assertIn("CVE-2011-1548", found_cves)
+            self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+            self.assertIn("CVE-2011-1549", found_cves)
+            self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+            self.assertIn("CVE-2011-1550", found_cves)
+            self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+
+        self.assertExists(summary_json)
+        check_m4_json(summary_json)
+        self.assertExists(recipe_json)
+        check_m4_json(recipe_json)
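Review bot: in both new tests the cleanup puts the two `os.remove()` calls in one `try`, so if `summary_json` is missing the FileNotFoundError skips the removal of `recipe_json`, and a stale per-recipe report from an earlier run can then satisfy `assertExists(recipe_json)`. Remove each file in its own try block (or loop over the two paths). In test_recipe_report_json_ignored the helper is still called `check_m4_json` although it checks the logrotate report; rename it, for example to check_logrotate_json, so a failure message points at the right recipe.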
-- 
2.25.1




* [OE-core][dunfell 08/12] wireless-regdb: upgrade 2022.04.08 -> 2022.06.06
  2022-06-30 16:23 [OE-core][dunfell 00/12] Patch review Steve Sakoman
                   ` (6 preceding siblings ...)
  2022-06-30 16:23 ` [OE-core][dunfell 07/12] oeqa/selftest/cve_check: add tests for Ignored and partial reports Steve Sakoman
@ 2022-06-30 16:23 ` Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 09/12] lttng-modules: Backport Linux 5.18+, 5.15.44+, 5.10.119+ fixes Steve Sakoman
                   ` (3 subsequent siblings)
  11 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-06-30 16:23 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex.kanavin@gmail.com>

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4c27711292f93dfad1ffdeab6d715becad32a4ff)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...ireless-regdb_2022.04.08.bb => wireless-regdb_2022.06.06.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2022.04.08.bb => wireless-regdb_2022.06.06.bb} (94%)

diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.04.08.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.06.06.bb
similarity index 94%
rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.04.08.bb
rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.06.06.bb
index ad6ba8dc8b..91775bce5c 100644
--- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.04.08.bb
+++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.06.06.bb
@@ -5,7 +5,7 @@ LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c"
 
 SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "884ba2e3c1e8b98762b6dc25ff60b5ec75c8d33a39e019b3ed4aa615491460d3"
+SRC_URI[sha256sum] = "ac00f97efecce5046ed069d1d93f3365fdf994c7c7854a8fc50831e959537230"
 
 inherit bin_package allarch
 
-- 
2.25.1




* [OE-core][dunfell 09/12] lttng-modules: Backport Linux 5.18+, 5.15.44+, 5.10.119+ fixes
  2022-06-30 16:23 [OE-core][dunfell 00/12] Patch review Steve Sakoman
                   ` (7 preceding siblings ...)
  2022-06-30 16:23 ` [OE-core][dunfell 08/12] wireless-regdb: upgrade 2022.04.08 -> 2022.06.06 Steve Sakoman
@ 2022-06-30 16:23 ` Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 10/12] initramfs-framework: move storage mounts to actual rootfs Steve Sakoman
                   ` (2 subsequent siblings)
  11 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-06-30 16:23 UTC (permalink / raw)
  To: openembedded-core

From: Marek Vasut <marex@denx.de>

The Linux kernel commit 14c174633f349 ("random: remove unused tracepoints")
removed unused tracepoints and has been backported to stable Linux kernel
releases. This causes build failure of lttng-modules:

"
lttng-modules-2.11.6/probes/lttng-probe-random.c:18:10: fatal error: trace/events/random.h: No such file or directory
|    18 | #include <trace/events/random.h>
|       |          ^~~~~~~~~~~~~~~~~~~~~~~
| compilation terminated.
"

Backport patches from lttng-modules master branch to address the build
failure on all of Linux 5.18.y, 5.15.y, 5.10.y, 5.4, 4.19, 4.14, and 4.9 kernel versions.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Bruce Ashfield <bruce.ashfield@gmail.com>
Cc: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...ndom-remove-unused-tracepoints-v5.18.patch | 46 +++++++++++++++++
 ...emove-unused-tracepoints-v5.10-v5.15.patch | 45 ++++++++++++++++
 ...racepoints-removed-in-stable-kernels.patch | 51 +++++++++++++++++++
 .../lttng/lttng-modules_2.11.6.bb             |  3 ++
 4 files changed, 145 insertions(+)
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch

diff --git a/meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch b/meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch
new file mode 100644
index 0000000000..3fc7fd733d
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch
@@ -0,0 +1,46 @@
+From 25b70c486bb96de0caf7cea1da42ed07801cca84 Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Mon, 4 Apr 2022 14:33:42 -0400
+Subject: [PATCH 17/19] fix: random: remove unused tracepoints (v5.18)
+
+See upstream commit :
+
+  commit 14c174633f349cb41ea90c2c0aaddac157012f74
+  Author: Jason A. Donenfeld <Jason@zx2c4.com>
+  Date:   Thu Feb 10 16:40:44 2022 +0100
+
+    random: remove unused tracepoints
+
+    These explicit tracepoints aren't really used and show sign of aging.
+    It's work to keep these up to date, and before I attempted to keep them
+    up to date, they weren't up to date, which indicates that they're not
+    really used. These days there are better ways of introspecting anyway.
+
+Upstream-Status: Backport [369d82bb1746447514c877088d7c5fd0f39140f8]
+Change-Id: I3b8c3e2732e7efdd76ce63204ac53a48784d0df6
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+---
+ probes/Kbuild | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/probes/Kbuild b/probes/Kbuild
+index 3ae2d39e..58da82b8 100644
+--- a/probes/Kbuild
++++ b/probes/Kbuild
+@@ -215,8 +215,11 @@ ifneq ($(CONFIG_FRAME_WARN),0)
+   CFLAGS_lttng-probe-printk.o += -Wframe-larger-than=2200
+ endif
+ 
++# Introduced in v3.6, remove in v5.18
+ obj-$(CONFIG_LTTNG) +=  $(shell \
+-    if [ $(VERSION) -ge 4 \
++    if [ \( ! \( $(VERSION) -ge 6 -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \) \) \
++      -a \
++      $(VERSION) -ge 4 \
+       -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -ge 6 \) \
+       -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 5 -a $(SUBLEVEL) -ge 2 \) \
+       -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 4 -a $(SUBLEVEL) -ge 9 \) \
+-- 
+2.35.1
+
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch b/meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch
new file mode 100644
index 0000000000..5c324a9bde
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch
@@ -0,0 +1,45 @@
+From da956d1444139883f5d01078d945078738ffade4 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Thu, 2 Jun 2022 06:36:08 +0000
+Subject: [PATCH 18/19] fix: random: remove unused tracepoints (v5.10, v5.15)
+
+The following kernel commit has been back ported to v5.10.119 and v5.15.44.
+
+commit 14c174633f349cb41ea90c2c0aaddac157012f74
+Author: Jason A. Donenfeld <Jason@zx2c4.com>
+Date:   Thu Feb 10 16:40:44 2022 +0100
+
+  random: remove unused tracepoints
+
+  These explicit tracepoints aren't really used and show sign of aging.
+  It's work to keep these up to date, and before I attempted to keep them
+  up to date, they weren't up to date, which indicates that they're not
+  really used. These days there are better ways of introspecting anyway.
+
+Upstream-Status: Backport [1901e0eb58795e850e8fdcb5e1c235e4397b470d]
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Change-Id: I0b7eb8aa78b5bd2039e20ae3e1da4c5eb9018789
+---
+ probes/Kbuild | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/probes/Kbuild b/probes/Kbuild
+index 58da82b8..87f2d681 100644
+--- a/probes/Kbuild
++++ b/probes/Kbuild
+@@ -217,7 +217,10 @@ endif
+ 
+ # Introduced in v3.6, remove in v5.18
+ obj-$(CONFIG_LTTNG) +=  $(shell \
+-    if [ \( ! \( $(VERSION) -ge 6 -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \) \) \
++    if [ \( ! \( $(VERSION) -ge 6 \
++      -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \
++      -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 15 -a $(SUBLEVEL) -ge 44 \) \
++      -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 10 -a $(SUBLEVEL) -ge 119\) \) \) \
+       -a \
+       $(VERSION) -ge 4 \
+       -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -ge 6 \) \
+-- 
+2.35.1
+
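Review bot: the added line `-ge 119\) \) \) \` has no space between `119` and the escaped parenthesis, so the shell hands `119)` to `[` as a single word. That is not an integer and one closing parenthesis goes missing, so the test errors out instead of evaluating the 5.10.119 case; it should read `-ge 119 \)`. Patch 0019 later in this series deletes the whole expression, so the end state is unaffected, but if 0018 is carried only so that 0019 applies cleanly, say so in the commit message.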
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch b/meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch
new file mode 100644
index 0000000000..73ba4d06bc
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch
@@ -0,0 +1,51 @@
+From 2c98e0cd03eba0aa935796bc7413c51b5e4b055c Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Tue, 31 May 2022 15:24:48 -0400
+Subject: [PATCH 19/19] fix: 'random' tracepoints removed in stable kernels
+
+The upstream commit 14c174633f349cb41ea90c2c0aaddac157012f74 removing
+the 'random' tracepoints is being backported to multiple stable kernel
+branches, I don't see how that qualifies as a fix but here we are.
+
+Use the presence of 'include/trace/events/random.h' in the kernel source
+tree instead of the rather tortuous version check to determine if we
+need to build 'lttng-probe-random.ko'.
+
+Upstream-Status: Backport [ed1149ef88fb62c365ac66cf62c58ac6abd8d7e8]
+Change-Id: I8f5f2f4c9e09c61127c49c7949b22dd3fab0460d
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+---
+ probes/Kbuild | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/probes/Kbuild b/probes/Kbuild
+index 87f2d681..f09d6b65 100644
+--- a/probes/Kbuild
++++ b/probes/Kbuild
+@@ -216,18 +216,10 @@ ifneq ($(CONFIG_FRAME_WARN),0)
+ endif
+ 
+ # Introduced in v3.6, remove in v5.18
+-obj-$(CONFIG_LTTNG) +=  $(shell \
+-    if [ \( ! \( $(VERSION) -ge 6 \
+-      -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \
+-      -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 15 -a $(SUBLEVEL) -ge 44 \) \
+-      -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 10 -a $(SUBLEVEL) -ge 119\) \) \) \
+-      -a \
+-      $(VERSION) -ge 4 \
+-      -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -ge 6 \) \
+-      -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 5 -a $(SUBLEVEL) -ge 2 \) \
+-      -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 4 -a $(SUBLEVEL) -ge 9 \) \
+-      -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 0 -a $(SUBLEVEL) -ge 41 \) ] ; then \
+-      echo "lttng-probe-random.o" ; fi;)
++random_dep = $(srctree)/include/trace/events/random.h
++ifneq ($(wildcard $(random_dep)),)
++  obj-$(CONFIG_LTTNG) += lttng-probe-random.o
++endif
+ 
+ obj-$(CONFIG_LTTNG) +=  $(shell \
+   if [ $(VERSION) -ge 4 \
+-- 
+2.35.1
+
diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.11.6.bb b/meta/recipes-kernel/lttng/lttng-modules_2.11.6.bb
index 3145f0298c..76b9f13618 100644
--- a/meta/recipes-kernel/lttng/lttng-modules_2.11.6.bb
+++ b/meta/recipes-kernel/lttng/lttng-modules_2.11.6.bb
@@ -28,6 +28,9 @@ SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0014-Revert-fix-include-order-for-older-kernels.patch \
            file://0015-fix-backport-of-fix-tracepoint-Optimize-using-static.patch \
            file://0016-fix-adjust-version-range-for-trace_find_free_extent.patch \
+           file://0017-fix-random-remove-unused-tracepoints-v5.18.patch \
+           file://0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch \
+           file://0019-fix-random-tracepoints-removed-in-stable-kernels.patch \
            "
 
 SRC_URI[md5sum] = "8ef09fdfcdec669d33f7fc1c1c80f2c4"
-- 
2.25.1




* [OE-core][dunfell 10/12] initramfs-framework: move storage mounts to actual rootfs
  2022-06-30 16:23 [OE-core][dunfell 00/12] Patch review Steve Sakoman
                   ` (8 preceding siblings ...)
  2022-06-30 16:23 ` [OE-core][dunfell 09/12] lttng-modules: Backport Linux 5.18+, 5.15.44+, 5.10.119+ fixes Steve Sakoman
@ 2022-06-30 16:23 ` Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 11/12] wic: fix WicError message Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 12/12] insane.bbclass: host-user-contaminated: Correct per package home path Steve Sakoman
  11 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-06-30 16:23 UTC (permalink / raw)
  To: openembedded-core

From: Muhammad Hamza <Muhammad_Hamza@mentor.com>

Operations such as mkfs fail on devices that are not
switched to the actual rootfs before switch_root is
called. The kernel interprets these devices as still
being used even after unmounting and errors such as
below are seen when the target is fully booted

root@v1000:~# umount /dev/sdb1
root@v1000:~# mkfs.ext4 /dev/sdb1
mke2fs 1.43.8 (1-Jan-2018)
/dev/sdb1 contains a ext4 file system
        last mounted on Wed Nov 28 07:33:54 2018
Proceed anyway? (y,N) y
/dev/sdb1 is apparently in use by the system; will not make a filesystem here!

Signed-off-by: Awais Belal <awais_belal@mentor.com>
Signed-off-by: Muhammad Hamza <muhammad_hamza@mentor.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit ec53ffd01972d1be2d6a28de828b3f0b80dc1e61)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../initrdscripts/initramfs-framework/finish             | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/recipes-core/initrdscripts/initramfs-framework/finish b/meta/recipes-core/initrdscripts/initramfs-framework/finish
index 717383ebac..dee3ab3387 100755
--- a/meta/recipes-core/initrdscripts/initramfs-framework/finish
+++ b/meta/recipes-core/initrdscripts/initramfs-framework/finish
@@ -14,6 +14,15 @@ finish_run() {
 
 		info "Switching root to '$ROOTFS_DIR'..."
 
+		debug "Moving basic mounts onto rootfs"
+		for dir in `awk '/\/dev.* \/run\/media/{print $2}' /proc/mounts`; do
+			# Parse any OCT or HEX encoded chars such as spaces
+			# in the mount points to actual ASCII chars
+			dir=`printf $dir`
+			mkdir -p "${ROOTFS_DIR}/media/${dir##*/}"
+			mount -n --move "$dir" "${ROOTFS_DIR}/media/${dir##*/}"
+		done
+
 		debug "Moving /dev, /proc and /sys onto rootfs..."
 		mount --move /dev $ROOTFS_DIR/dev
 		mount --move /proc $ROOTFS_DIR/proc
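Review bot: the added `dir=`printf $dir`` uses the mount point, unquoted, as the printf format string. That does decode the `\040`-style escapes from /proc/mounts, but a `%` in the name is then treated as a conversion, and the names under /run/media are not chosen by this script. Passing the value as data, for example `dir=$(printf '%b' "$dir")`, avoids that. Separately, `${dir##*/}` keeps only the last path component, so two mounts with the same basename map to the same `${ROOTFS_DIR}/media/...` target, and the result of `mount -n --move` is not checked before switch_root.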
-- 
2.25.1




* [OE-core][dunfell 11/12] wic: fix WicError message
  2022-06-30 16:23 [OE-core][dunfell 00/12] Patch review Steve Sakoman
                   ` (9 preceding siblings ...)
  2022-06-30 16:23 ` [OE-core][dunfell 10/12] initramfs-framework: move storage mounts to actual rootfs Steve Sakoman
@ 2022-06-30 16:23 ` Steve Sakoman
  2022-06-30 16:23 ` [OE-core][dunfell 12/12] insane.bbclass: host-user-contaminated: Correct per package home path Steve Sakoman
  11 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-06-30 16:23 UTC (permalink / raw)
  To: openembedded-core

From: Martin Jansa <Martin.Jansa@gmail.com>

* add missing % to print the values instead of:
  | INFO: Build artifacts not found, exiting.
  | INFO:   (Please check that the build artifacts for the machine
  | INFO:    selected in local.conf actually exist and that they
  | INFO:    are the correct artifacts for the image (.wks file)).
  |
  | ERROR: ("The artifact that couldn't be found was %s:\n  %s", 'kernel-dir', '/OE/build/deploy/images/qemux86-64')

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e104c2b1273d8c5bd97893f318bf2a2699ef7f2d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 scripts/wic | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/wic b/scripts/wic
index 6547abe0e9..99a8a97ccb 100755
--- a/scripts/wic
+++ b/scripts/wic
@@ -206,7 +206,7 @@ def wic_create_subcommand(options, usage_str):
             logger.info("  (Please check that the build artifacts for the machine")
             logger.info("   selected in local.conf actually exist and that they")
             logger.info("   are the correct artifacts for the image (.wks file)).\n")
-            raise WicError("The artifact that couldn't be found was %s:\n  %s", not_found, not_found_dir)
+            raise WicError("The artifact that couldn't be found was %s:\n  %s" % (not_found, not_found_dir))
 
     krootfs_dir = options.rootfs_dir
     if krootfs_dir is None:
-- 
2.25.1




* [OE-core][dunfell 12/12] insane.bbclass: host-user-contaminated: Correct per package home path
  2022-06-30 16:23 [OE-core][dunfell 00/12] Patch review Steve Sakoman
                   ` (10 preceding siblings ...)
  2022-06-30 16:23 ` [OE-core][dunfell 11/12] wic: fix WicError message Steve Sakoman
@ 2022-06-30 16:23 ` Steve Sakoman
  11 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-06-30 16:23 UTC (permalink / raw)
  To: openembedded-core

From: Ahmed Hossam <Ahmed.Hossam@opensynergy.com>

The current home path that is compared against is incorrect as it is missing the
package name, this patch adds it.

[YOCTO #14553]

Signed-off-by: Ahmed Hossam <Ahmed.Hossam@opensynergy.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit ae8f22d9e2694eea5ede3b31c6f3bca404ea4a5a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/insane.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index eb19425652..77a2039738 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -945,7 +945,7 @@ def package_qa_check_host_user(path, name, d, elf, messages):
 
     dest = d.getVar('PKGDEST')
     pn = d.getVar('PN')
-    home = os.path.join(dest, 'home')
+    home = os.path.join(dest, name, 'home')
     if path == home or path.startswith(home + os.sep):
         return
 
-- 
2.25.1




* [OE-core][dunfell 00/12] Patch review
@ 2023-02-04 21:48 Steve Sakoman
  0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-02-04 21:48 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4885

The following changes since commit 4f069121ddb99bb6e2f186724cd60ca07f74f503:

  python3: fix packaging of Windows distutils installer stubs (2023-02-04 04:34:20 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bruce Ashfield (2):
  linux-yocto/5.4: update to v5.4.229
  linux-yocto/5.4: update to v5.4.230

Khem Raj (1):
  libtirpc: Check if file exists before operating on it

Niko Mauno (1):
  Fix missing leading whitespace with ':append'

Ranjitsinh Rathod (1):
  libsdl2: Add fix for CVE-2022-4743

Steve Sakoman (4):
  lttng-modules: update 2.11.6 -> 2.11.7
  lttng-modules: update 2.11.7 -> 2.11.8
  lttng-modules: update 2.11.8 -> 2.11.9
  lttng-modules: fix build with 5.4.229 kernel

Thomas Roos (1):
  devtool: fix devtool finish when gitmodules file is empty

Vivek Kumbhar (1):
  go: fix CVE-2022-1962 go/parser stack exhaustion in all Parse*
    functions

Xiaobing Luo (1):
  devtool: Fix _copy_file() TypeError

 meta/classes/externalsrc.bbclass              |   2 +-
 meta/classes/populate_sdk_ext.bbclass         |   2 +-
 meta/recipes-devtools/go/go-1.14.inc          |   1 +
 .../go/go-1.14/CVE-2022-1962.patch            | 357 ++++++++++++++++++
 .../libtirpc/libtirpc_1.2.6.bb                |   2 +-
 .../libsdl2/libsdl2/CVE-2022-4743.patch       |  38 ++
 .../libsdl2/libsdl2_2.0.12.bb                 |   1 +
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 ...ncpy-equals-destination-size-warning.patch |  42 ---
 ...jtool-Rename-frame.h-objtool.h-v5.10.patch |  88 -----
 ...oints-output-proper-root-owner-for-t.patch | 316 ----------------
 ...rdered-extent-tracepoint-take-btrfs_.patch | 179 ---------
 ...ext4-fast-commit-recovery-path-v5.10.patch |  91 -----
 ...intr-vectoring-info-and-error-code-t.patch | 124 ------
 ...x86-mmu-Add-TDP-MMU-PF-handler-v5.10.patch |  82 ----
 ...Return-unique-RET_PF_-values-if-the-.patch |  71 ----
 ...int-Optimize-using-static_call-v5.10.patch | 155 --------
 ...-fix-include-order-for-older-kernels.patch |  31 --
 .../0011-Add-release-maintainer-script.patch  |  59 ---
 .../0012-Improve-the-release-script.patch     | 173 ---------
 ...fix-ext4-fast-commit-recovery-path-v.patch |  32 --
 ...-fix-include-order-for-older-kernels.patch |  32 --
 ...fix-tracepoint-Optimize-using-static.patch |  46 ---
 ...ion-range-for-trace_find_free_extent.patch |  30 --
 ...ix-jbd2-use-the-correct-print-format.patch | 147 ++++++++
 ...ules_2.11.6.bb => lttng-modules_2.11.9.bb} |  21 +-
 scripts/lib/devtool/standard.py               |   2 +-
 29 files changed, 569 insertions(+), 1591 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-1962.patch
 create mode 100644 meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-strncpy-equals-destination-size-warning.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0002-fix-objtool-Rename-frame.h-objtool.h-v5.10.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0003-fix-btrfs-tracepoints-output-proper-root-owner-for-t.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0004-fix-btrfs-make-ordered-extent-tracepoint-take-btrfs_.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0005-fix-ext4-fast-commit-recovery-path-v5.10.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0006-fix-KVM-x86-Add-intr-vectoring-info-and-error-code-t.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0007-fix-kvm-x86-mmu-Add-TDP-MMU-PF-handler-v5.10.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0008-fix-KVM-x86-mmu-Return-unique-RET_PF_-values-if-the-.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0009-fix-tracepoint-Optimize-using-static_call-v5.10.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0010-fix-include-order-for-older-kernels.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0011-Add-release-maintainer-script.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0012-Improve-the-release-script.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0013-fix-backport-of-fix-ext4-fast-commit-recovery-path-v.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0014-Revert-fix-include-order-for-older-kernels.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0015-fix-backport-of-fix-tracepoint-Optimize-using-static.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0016-fix-adjust-version-range-for-trace_find_free_extent.patch
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/fix-jbd2-use-the-correct-print-format.patch
 rename meta/recipes-kernel/lttng/{lttng-modules_2.11.6.bb => lttng-modules_2.11.9.bb} (59%)

-- 
2.25.1




* [OE-core][dunfell 00/12] Patch review
@ 2024-03-20 16:43 Steve Sakoman
  0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2024-03-20 16:43 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for dunfell and have comments back by
end of day Friday, March 22.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6692

The following changes since commit b49b0a3dd74c24f3a011c9c0b5cf8f6530956cfa:

  build-appliance-image: Update to dunfell head revision (2024-03-01 03:19:51 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alex Kiernan (1):
  wireless-regdb: Upgrade 2023.09.01 -> 2024.01.23

Alexander Kanavin (1):
  linux-firmware: upgrade 20231211 -> 20240220

Alexander Sverdlin (1):
  linux-firmware: upgrade 20231030 -> 20231211

Michael Halstead (1):
  yocto-uninative: Update to 4.4 for glibc 2.39

Vijay Anusuri (1):
  libxml2: Backport fix for CVE-2024-25062

Wang Mingyu (1):
  wireless-regdb: upgrade 2023.05.03 -> 2023.09.01

Yoann Congal (6):
  cve-update-nvd2-native: Fix typo in comment
  cve-update-nvd2-native: Add an age threshold for incremental update
  cve-update-nvd2-native: Remove duplicated CVE_CHECK_DB_FILE definition
  cve-update-nvd2-native: nvd_request_next: Improve comment
  cve-update-nvd2-native: Fix CVE configuration update
  cve-update-nvd2-native: Remove rejected CVE from database

 meta/conf/distro/include/yocto-uninative.inc  | 10 ++---
 .../libxml/libxml2/CVE-2024-25062-pre1.patch  | 38 +++++++++++++++++++
 .../libxml/libxml2/CVE-2024-25062.patch       | 33 ++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |  2 +
 .../meta/cve-update-nvd2-native.bb            | 35 +++++++++++++----
 ...20231030.bb => linux-firmware_20240220.bb} |  7 ++--
 ....05.03.bb => wireless-regdb_2024.01.23.bb} |  4 +-
 7 files changed, 111 insertions(+), 18 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20231030.bb => linux-firmware_20240220.bb} (99%)
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.05.03.bb => wireless-regdb_2024.01.23.bb} (88%)

-- 
2.34.1



