[OE-core][dunfell 0/3] Patch review

[OE-core][dunfell 0/3] Patch review

[Steve Sakoman]

Please review this final set of patches for the 3.1.8 release and have
comments back by end of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2172

The following changes since commit cc49591d84d241d90e3dccb3e174ddfd737de311:

  meta/lib/oe/rootfs.py: Fix typo "Restoreing" -> "Restoring" (2021-05-14 07:16:38 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Richard Purdie (2):
  Revert "cml1.bbclass: Return sorted list of cfg files"
  sstate: Handle manifest 'corruption' issue

Stefan Ghinea (1):
  boost: fix do_fetch failure

 meta/classes/cml1.bbclass                   |  2 +-
 meta/classes/sstate.bbclass                 | 16 +++++++++++++++-
 meta/recipes-support/boost/boost-1.72.0.inc |  2 +-
 3 files changed, 17 insertions(+), 3 deletions(-)

-- 
2.25.1

[OE-core][dunfell 0/3] Patch review

[Steve Sakoman]

Please review this final set of patches for dunfell 3.1.10 release and have
comments back by end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2370

The following changes since commit 9b83aefa9c4a21d9dc1eea4a6b00af379466a288:

  busybox: add tmpdir option into mktemp applet (2021-07-14 12:27:38 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bruce Ashfield (3):
  linux-yocto/5.4: update to v5.4.131
  linux-yocto/5.4: update to v5.4.132
  kernel-devsrc: fix 32bit ARM devsrc builds

 meta/recipes-kernel/linux/kernel-devsrc.bb    |  2 +-
 .../linux/linux-yocto-rt_5.4.bb               |  6 ++---
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++++++++----------
 4 files changed, 19 insertions(+), 19 deletions(-)

-- 
2.25.1

[OE-core][dunfell 0/3] Patch review

[Steve Sakoman]

Please review these patches for dunfell and have comments back by end of day
Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2876

The following changes since commit 6cd21ddc6f998eec4d9be05f080e32072fddd2bd:

  tzdata: update 2021d -> 2021e (2021-11-03 11:17:55 +0000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Richard Purdie (2):
  scripts/convert-srcuri: Backport SRC_URI conversion script from master
    branch
  meta/scripts: Manual git url branch additions

Steve Sakoman (1):
  meta: Add explict branch to git SRC_URIs, handle github url changes

 .../devtool/devtool-upgrade-test2_git.bb      |  2 +-
 .../devtool-upgrade-test2_git.bb.upgraded     |  2 +-
 meta/classes/devupstream.bbclass              |  2 +-
 .../distro/include/default-distrovars.inc     |  2 +-
 meta/lib/oeqa/selftest/cases/devtool.py       |  4 +-
 meta/lib/oeqa/selftest/cases/recipetool.py    |  6 +-
 meta/lib/oeqa/selftest/cases/sstatetests.py   |  2 +-
 meta/recipes-bsp/efibootmgr/efibootmgr_17.bb  |  2 +-
 meta/recipes-bsp/efivar/efivar_37.bb          |  2 +-
 meta/recipes-bsp/opensbi/opensbi_0.6.bb       |  2 +-
 meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb  |  2 +-
 meta/recipes-bsp/u-boot/u-boot-common.inc     |  2 +-
 .../connman/connman-gnome_0.7.bb              |  2 +-
 .../libnss-mdns/libnss-mdns_0.14.1.bb         |  2 +-
 .../mobile-broadband-provider-info_git.bb     |  2 +-
 .../resolvconf/resolvconf_1.82.bb             |  2 +-
 meta/recipes-core/dbus-wait/dbus-wait_git.bb  |  2 +-
 meta/recipes-core/expat/expat_2.2.9.bb        |  2 +-
 meta/recipes-core/fts/fts_1.2.7.bb            |  2 +-
 .../glibc/cross-localedef-native_2.31.bb      |  2 +-
 meta/recipes-core/glibc/glibc-version.inc     |  2 +-
 meta/recipes-core/ifupdown/ifupdown_0.8.35.bb |  2 +-
 meta/recipes-core/libxcrypt/libxcrypt.inc     |  2 +-
 meta/recipes-core/musl/libucontext_git.bb     |  2 +-
 meta/recipes-core/musl/musl-obstack.bb        |  2 +-
 meta/recipes-core/musl/musl-utils.bb          |  2 +-
 meta/recipes-core/musl/musl_git.bb            |  2 +-
 meta/recipes-core/ncurses/ncurses.inc         |  2 +-
 meta/recipes-core/psplash/psplash_git.bb      |  2 +-
 meta/recipes-core/systemd/systemd.inc         |  2 +-
 .../update-rc.d/update-rc.d_0.8.bb            |  2 +-
 .../bootchart2/bootchart2_0.14.9.bb           |  2 +-
 .../btrfs-tools/btrfs-tools_5.4.1.bb          |  2 +-
 .../build-compare/build-compare_git.bb        |  2 +-
 .../createrepo-c/createrepo-c_0.15.7.bb       |  2 +-
 meta/recipes-devtools/distcc/distcc_3.3.3.bb  |  2 +-
 meta/recipes-devtools/dnf/dnf_4.2.2.bb        |  2 +-
 meta/recipes-devtools/e2fsprogs/e2fsprogs.inc |  2 +-
 meta/recipes-devtools/file/file_5.38.bb       |  2 +-
 meta/recipes-devtools/glide/glide_0.13.3.bb   |  2 +-
 .../gnu-config/gnu-config_git.bb              |  2 +-
 meta/recipes-devtools/go/go-dep_0.5.4.bb      |  2 +-
 .../libcomps/libcomps_0.1.15.bb               |  2 +-
 meta/recipes-devtools/libdnf/libdnf_0.28.1.bb |  2 +-
 .../librepo/librepo_1.11.2.bb                 |  2 +-
 meta/recipes-devtools/llvm/llvm_git.bb        |  2 +-
 meta/recipes-devtools/mtd/mtd-utils_git.bb    |  2 +-
 meta/recipes-devtools/ninja/ninja_1.10.0.bb   |  2 +-
 .../patchelf/patchelf_0.10.bb                 |  2 +-
 meta/recipes-devtools/rpm/rpm_4.14.2.1.bb     |  2 +-
 .../squashfs-tools/squashfs-tools_git.bb      |  2 +-
 .../systemd-bootchart_233.bb                  |  2 +-
 .../tcf-agent/tcf-agent_git.bb                |  2 +-
 meta/recipes-devtools/unfs3/unfs3_git.bb      |  2 +-
 .../go-examples/go-helloworld_0.1.bb          |  2 +-
 .../iputils/iputils_s20190709.bb              |  2 +-
 .../recipes-extended/libaio/libaio_0.3.111.bb |  2 +-
 meta/recipes-extended/libnsl/libnsl2_git.bb   |  2 +-
 .../recipes-extended/libnss-nis/libnss-nis.bb |  2 +-
 .../libsolv/libsolv_0.7.10.bb                 |  2 +-
 meta/recipes-extended/ltp/ltp_20200120.bb     |  2 +-
 meta/recipes-extended/procps/procps_3.3.16.bb |  2 +-
 meta/recipes-extended/psmisc/psmisc_23.3.bb   |  2 +-
 .../rpcsvc-proto/rpcsvc-proto.bb              |  2 +-
 .../stress-ng/stress-ng_0.11.17.bb            |  2 +-
 meta/recipes-extended/sysklogd/sysklogd.inc   |  2 +-
 meta/recipes-extended/xinetd/xinetd_2.3.15.bb |  2 +-
 .../libfakekey/libfakekey_git.bb              |  2 +-
 .../libmatchbox/libmatchbox_1.12.bb           |  2 +-
 .../libva/libva-utils_2.6.0.bb                |  2 +-
 .../matchbox-wm/matchbox-wm_1.2.2.bb          |  2 +-
 meta/recipes-graphics/mx/mx-1.0_1.4.7.bb      |  2 +-
 meta/recipes-graphics/piglit/piglit_git.bb    |  2 +-
 .../virglrenderer/virglrenderer_0.8.2.bb      |  2 +-
 meta/recipes-graphics/vulkan/assimp_5.0.1.bb  |  2 +-
 .../vulkan/vulkan-demos_git.bb                |  6 +-
 .../vulkan/vulkan-headers_1.1.126.0.bb        |  2 +-
 .../vulkan/vulkan-loader_1.1.126.0.bb         |  2 +-
 .../vulkan/vulkan-tools_1.1.126.0.bb          |  2 +-
 .../xinput-calibrator_git.bb                  |  2 +-
 .../xorg-driver/xf86-video-intel_git.bb       |  2 +-
 meta/recipes-kernel/blktrace/blktrace_git.bb  |  2 +-
 meta/recipes-kernel/cryptodev/cryptodev.inc   |  2 +-
 meta/recipes-kernel/dtc/dtc.inc               |  2 +-
 .../kern-tools/kern-tools-native_git.bb       |  2 +-
 meta/recipes-kernel/kmod/kmod.inc             |  2 +-
 meta/recipes-kernel/powertop/powertop_2.10.bb |  2 +-
 .../systemtap/systemtap_git.inc               |  2 +-
 .../gstreamer/gst-examples_1.16.0.bb          |  2 +-
 meta/recipes-multimedia/x264/x264_git.bb      |  2 +-
 meta/recipes-sato/l3afpad/l3afpad_git.bb      |  2 +-
 .../matchbox-config-gtk_0.2.bb                |  2 +-
 .../matchbox-desktop/matchbox-desktop_2.2.bb  |  2 +-
 .../matchbox-panel-2/matchbox-panel-2_2.11.bb |  2 +-
 .../matchbox-terminal_0.2.bb                  |  2 +-
 .../matchbox-theme-sato_0.2.bb                |  2 +-
 meta/recipes-sato/puzzles/puzzles_git.bb      |  2 +-
 .../sato-screenshot/sato-screenshot_0.3.bb    |  2 +-
 .../settings-daemon/settings-daemon_0.0.2.bb  |  2 +-
 .../bmap-tools/bmap-tools_3.5.bb              |  2 +-
 .../ca-certificates_20211016.bb               |  2 +-
 .../dos2unix/dos2unix_7.4.1.bb                |  2 +-
 .../gnome-desktop-testing_2018.1.bb           |  2 +-
 .../libjitterentropy_2.2.0.bb                 |  2 +-
 meta/recipes-support/lz4/lz4_1.9.2.bb         |  2 +-
 .../p11-kit/p11-kit_0.23.22.bb                |  2 +-
 .../ptest-runner/ptest-runner_2.4.0.bb        |  2 +-
 .../rng-tools/rng-tools_6.9.bb                |  2 +-
 .../shared-mime-info/shared-mime-info_git.bb  |  2 +-
 meta/recipes-support/vim/vim.inc              |  2 +-
 scripts/contrib/convert-srcuri.py             | 77 +++++++++++++++++++
 scripts/lib/recipetool/create.py              |  3 +
 112 files changed, 195 insertions(+), 115 deletions(-)
 create mode 100755 scripts/contrib/convert-srcuri.py

-- 
2.25.1

[OE-core][dunfell 0/3] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3335

The following changes since commit 51844f2d60d77fb8cb46ffe460402f76ae216ca5:

  uninative: Upgrade to 3.5 (2022-03-03 07:43:07 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Jose Quaresma (1):
  sstate: inside the threadedpool don't write to the shared localdata

Richard Purdie (1):
  systemd: Ensure uid/gid ranges are set deterministically

Ross Burton (1):
  asciidoc: update git repository

 meta/classes/sstate.bbclass                      | 2 +-
 meta/recipes-core/systemd/systemd_244.5.bb       | 2 ++
 meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

-- 
2.25.1

[OE-core][dunfell 0/3] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3344

The following changes since commit 604146a242c3d5f5a9872bb756910f4bd1b58406:

  sstate: inside the threadedpool don't write to the shared localdata (2022-03-07 07:05:33 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bruce Ashfield (1):
  perf-tests: add bash into RDEPENDS (v5.12-rc5+)

Richard Purdie (1):
  vim: Update to 8.2.4524 for further CVE fixes

sana kazi (1):
  tiff: Add backports for two CVEs from upstream

 meta/recipes-kernel/perf/perf.bb              |  2 +-
 ...99c99f987dc32ae110370cfdd7df7975586b.patch | 28 +++++++++++++++++
 ...0712f4c3a5b449f70c57988260a667ddbdef.patch | 30 +++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |  2 ++
 meta/recipes-support/vim/vim.inc              |  4 +--
 5 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch

-- 
2.25.1

[OE-core][dunfell 0/3] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3905

except for a known autobuilder intermittent issue on oe-selftest-centos:

https://bugzilla.yoctoproject.org/show_bug.cgi?id=14201

which passed on subsequent retest:

https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/3820

The following changes since commit af25fff399fa623b4fd6efbca21e01ea6b4d1fd7:

  qemu: add PACKAGECONFIG for capstone (2022-07-12 04:08:20 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Joshua Watt (1):
  classes/cve-check: Move get_patches_cves to library

Ross Burton (1):
  vim: upgrade to 9.0.0021

Steve Sakoman (1):
  openssl: security upgrade 1.1.1p to 1.1.1q

 meta/classes/cve-check.bbclass                | 62 +-------------
 meta/lib/oe/cve_check.py                      | 82 +++++++++++++++++++
 .../{openssl_1.1.1p.bb => openssl_1.1.1q.bb}  |  2 +-
 meta/recipes-support/vim/vim.inc              |  4 +-
 4 files changed, 87 insertions(+), 63 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1p.bb => openssl_1.1.1q.bb} (98%)

-- 
2.25.1

[OE-core][dunfell 1/3] openssl: security upgrade 1.1.1p to 1.1.1q

[Steve Sakoman]

Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms (CVE-2022-2097)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssl/{openssl_1.1.1p.bb => openssl_1.1.1q.bb}            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1p.bb => openssl_1.1.1q.bb} (98%)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1p.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1q.bb
similarity index 98%
rename from meta/recipes-connectivity/openssl/openssl_1.1.1p.bb
rename to meta/recipes-connectivity/openssl/openssl_1.1.1q.bb
index 8916218c33..139b7fe935 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1p.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1q.bb
@@ -24,7 +24,7 @@ SRC_URI_append_class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "bf61b62aaa66c7c7639942a94de4c9ae8280c08f17d4eac2e44644d9fc8ace6f"
+SRC_URI[sha256sum] = "d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca"
 
 inherit lib_package multilib_header multilib_script ptest
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
-- 
2.25.1

[OE-core][dunfell 2/3] vim: upgrade to 9.0.0021

[Steve Sakoman]

From: Ross Burton <ross.burton@arm.com>

This fixes the following CVEs:
- CVE-2022-2257
- CVE-2022-2264
- CVE-2022-2284
- CVE-2022-2285
- CVE-2022-2286
- CVE-2022-2287

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 03c044a81a76b7505b9d5bf0d936dde75b51905e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 84c2eed4c8..1893759ae9 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -21,8 +21,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://racefix.patch \
            "
 
-PV .= ".0005"
-SRCREV = "040674129f3382822eeb7b590380efa5228124a8"
+PV .= ".0021"
+SRCREV = "5e59ea54c0c37c2f84770f068d95280069828774"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
-- 
2.25.1

[OE-core][dunfell 3/3] classes/cve-check: Move get_patches_cves to library

[Steve Sakoman]

From: Joshua Watt <JPEWhacker@gmail.com>

Moving the function will allow other classes to capture which CVEs have
been patched, in particular SBoM generation.

Also add a function to capture the CPE ID from the CVE Product and
Version

(From OE-Core rev: 75d34259a715120be1d023e4fd7b6b4b125f2443)

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fa6c07bc1a585f204dbdc28704f61448edb8fdc8)
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/cve-check.bbclass | 62 +------------------------
 meta/lib/oe/cve_check.py       | 82 ++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 60 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 1688fe2dfe..9eb9a95574 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -136,10 +136,11 @@ python do_cve_check () {
     """
     Check recipe for patched and unpatched CVEs
     """
+    from oe.cve_check import get_patched_cves
 
     if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
         try:
-            patched_cves = get_patches_cves(d)
+            patched_cves = get_patched_cves(d)
         except FileNotFoundError:
             bb.fatal("Failure in searching patches")
         whitelisted, patched, unpatched, status = check_cves(d, patched_cves)
@@ -247,65 +248,6 @@ ROOTFS_POSTPROCESS_COMMAND_prepend = "${@'cve_check_write_rootfs_manifest; ' if
 do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
 do_populate_sdk[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
 
-def get_patches_cves(d):
-    """
-    Get patches that solve CVEs using the "CVE: " tag.
-    """
-
-    import re
-
-    pn = d.getVar("PN")
-    cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
-
-    # Matches the last "CVE-YYYY-ID" in the file name, also if written
-    # in lowercase. Possible to have multiple CVE IDs in a single
-    # file name, but only the last one will be detected from the file name.
-    # However, patch files contents addressing multiple CVE IDs are supported
-    # (cve_match regular expression)
-
-    cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
-
-    patched_cves = set()
-    bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
-    for url in src_patches(d):
-        patch_file = bb.fetch.decodeurl(url)[2]
-
-        if not os.path.isfile(patch_file):
-            bb.error("File Not found: %s" % patch_file)
-            raise FileNotFoundError
-
-        # Check patch file name for CVE ID
-        fname_match = cve_file_name_match.search(patch_file)
-        if fname_match:
-            cve = fname_match.group(1).upper()
-            patched_cves.add(cve)
-            bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
-
-        with open(patch_file, "r", encoding="utf-8") as f:
-            try:
-                patch_text = f.read()
-            except UnicodeDecodeError:
-                bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
-                        " trying with iso8859-1" %  patch_file)
-                f.close()
-                with open(patch_file, "r", encoding="iso8859-1") as f:
-                    patch_text = f.read()
-
-        # Search for one or more "CVE: " lines
-        text_match = False
-        for match in cve_match.finditer(patch_text):
-            # Get only the CVEs without the "CVE: " tag
-            cves = patch_text[match.start()+5:match.end()]
-            for cve in cves.split():
-                bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
-                patched_cves.add(cve)
-                text_match = True
-
-        if not fname_match and not text_match:
-            bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
-
-    return patched_cves
-
 def check_cves(d, patched_cves):
     """
     Connect to the NVD database and find unpatched cves.
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index b17390de90..a4b831831b 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -89,3 +89,85 @@ def update_symlinks(target_path, link_path):
         if os.path.exists(os.path.realpath(link_path)):
             os.remove(link_path)
         os.symlink(os.path.basename(target_path), link_path)
+
+def get_patched_cves(d):
+    """
+    Get patches that solve CVEs using the "CVE: " tag.
+    """
+
+    import re
+    import oe.patch
+
+    pn = d.getVar("PN")
+    cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
+
+    # Matches the last "CVE-YYYY-ID" in the file name, also if written
+    # in lowercase. Possible to have multiple CVE IDs in a single
+    # file name, but only the last one will be detected from the file name.
+    # However, patch files contents addressing multiple CVE IDs are supported
+    # (cve_match regular expression)
+
+    cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
+
+    patched_cves = set()
+    bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
+    for url in oe.patch.src_patches(d):
+        patch_file = bb.fetch.decodeurl(url)[2]
+
+        if not os.path.isfile(patch_file):
+            bb.error("File Not found: %s" % patch_file)
+            raise FileNotFoundError
+
+        # Check patch file name for CVE ID
+        fname_match = cve_file_name_match.search(patch_file)
+        if fname_match:
+            cve = fname_match.group(1).upper()
+            patched_cves.add(cve)
+            bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
+
+        with open(patch_file, "r", encoding="utf-8") as f:
+            try:
+                patch_text = f.read()
+            except UnicodeDecodeError:
+                bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
+                        " trying with iso8859-1" %  patch_file)
+                f.close()
+                with open(patch_file, "r", encoding="iso8859-1") as f:
+                    patch_text = f.read()
+
+        # Search for one or more "CVE: " lines
+        text_match = False
+        for match in cve_match.finditer(patch_text):
+            # Get only the CVEs without the "CVE: " tag
+            cves = patch_text[match.start()+5:match.end()]
+            for cve in cves.split():
+                bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
+                patched_cves.add(cve)
+                text_match = True
+
+        if not fname_match and not text_match:
+            bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
+
+    return patched_cves
+
+
+def get_cpe_ids(cve_product, version):
+    """
+    Get list of CPE identifiers for the given product and version
+    """
+
+    version = version.split("+git")[0]
+
+    cpe_ids = []
+    for product in cve_product.split():
+        # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
+        # use wildcard for vendor.
+        if ":" in product:
+            vendor, product = product.split(":", 1)
+        else:
+            vendor = "*"
+
+        cpe_id = f'cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*'
+        cpe_ids.append(cpe_id)
+
+    return cpe_ids
-- 
2.25.1

[OE-core][dunfell 0/3] Patch review

[Steve Sakoman]

Please review this set of patches for dunfell and have comments back by end
of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4278

The following changes since commit 6227efbf03d2e7ca773ab29177705203f2550722:

  linux-firmware: package new Qualcomm firmware (2022-09-26 12:29:44 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Hitendra Prajapati (1):
  bluez: CVE-2022-39176 BlueZ allows physically proximate attackers

Martin Jansa (1):
  create-pull-request: don't switch the git remote protocol to git://

Richard Purdie (1):
  vim: Upgrade 9.0.0541 -> 9.0.0598

 meta/recipes-connectivity/bluez5/bluez5.inc   |   1 +
 .../bluez5/bluez5/CVE-2022-39176.patch        | 126 ++++++++++++++++++
 meta/recipes-support/vim/vim.inc              |   4 +-
 scripts/create-pull-request                   |   2 +-
 4 files changed, 130 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch

-- 
2.25.1

[OE-core][dunfell 0/3] Patch review

[Steve Sakoman]

Please review this set of changes for dunfell and have comments back by
end of day Thursday, January 4.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6406

The following changes since commit 94e9019d2f170a26206c2774381a1d183313ecaa:

  testimage: drop target_dumper and  host_dumper (2023-12-26 04:18:08 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Shubham Kulkarni (1):
  tzdata: Upgrade to 2023d

Vijay Anusuri (2):
  go: Fix CVE-2023-39326
  qemu: Fix CVE-2023-5088

 meta/recipes-devtools/go/go-1.14.inc          |   1 +
 .../go/go-1.14/CVE-2023-39326.patch           | 181 ++++++++++++++++++
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2023-5088.patch             | 114 +++++++++++
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 5 files changed, 300 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-39326.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch

-- 
2.34.1