* [OE-core][kirkstone 0/8] Patch review
@ 2022-08-09 21:27 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-08-09 21:27 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for the kirkstone 4.0.3 release.
The following changes since commit c33eb7fb1d1e91a005b22b65d221d4b899ec69dc:
openssh: Add openssh-sftp-server to openssh RDEPENDS (2022-08-02 12:32:44 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexander Kanavin (1):
lttng-modules: update 2.13.3 -> 2.13.4
Bruce Ashfield (5):
linux-yocto/5.10: update to v5.10.135
linux-yocto/5.15: update to v5.15.58
linux-yocto-rt/5.15: update to -rt48 (and fix -stable merge)
linux-yocto/5.15: update to v5.15.59
linux-yocto/5.15: fix reproducibility issues
He Zhe (1):
lttng-modules: Fix build failure for kernel v5.15.58
Sundeep KOKKONDA (1):
glibc : stable 2.35 branch updates
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../linux/linux-yocto-rt_5.10.bb | 6 +-
.../linux/linux-yocto-rt_5.15.bb | 6 +-
.../linux/linux-yocto-tiny_5.10.bb | 8 +-
.../linux/linux-yocto-tiny_5.15.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +--
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +--
...x-compaction-migratepages-event-name.patch | 37 ----
...oduce-kfree_skb_reason-v5.15.58.v5.1.patch | 53 +++++
...emove-unused-tracepoints-v5.10-v5.15.patch | 44 -----
...g-Append-prev_state-to-tp-args-inste.patch | 59 ------
...vent-allow-same-provider-and-event-n.patch | 48 -----
...g-Don-t-re-read-p-state-when-emittin.patch | 183 ------------------
.../0004-fix-block-remove-genhd.h-v5.18.patch | 45 -----
...emove-REQ_OP_WRITE_SAME-support-v5.1.patch | 79 --------
...ndom-remove-unused-tracepoints-v5.18.patch | 47 -----
...rethook-for-kretprobe-if-possible-v5.patch | 72 -------
...ore-Remove-scsi-scsi_request.h-v5.18.patch | 44 -----
...n-cleanup-the-compaction-trace-event.patch | 106 ----------
...ules_2.13.3.bb => lttng-modules_2.13.4.bb} | 16 +-
20 files changed, 95 insertions(+), 816 deletions(-)
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-Fix-compaction-migratepages-event-name.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-net-skb-introduce-kfree_skb_reason-v5.15.58.v5.1.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-sched-tracing-Append-prev_state-to-tp-args-inste.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0002-Fix-tracepoint-event-allow-same-provider-and-event-n.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0003-fix-sched-tracing-Don-t-re-read-p-state-when-emittin.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0004-fix-block-remove-genhd.h-v5.18.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0005-fix-scsi-block-Remove-REQ_OP_WRITE_SAME-support-v5.1.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0006-fix-random-remove-unused-tracepoints-v5.18.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0007-fix-kprobes-Use-rethook-for-kretprobe-if-possible-v5.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0008-fix-scsi-core-Remove-scsi-scsi_request.h-v5.18.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0010-fix-mm-compaction-cleanup-the-compaction-trace-event.patch
rename meta/recipes-kernel/lttng/{lttng-modules_2.13.3.bb => lttng-modules_2.13.4.bb} (60%)
--
2.25.1
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 0/8] Patch review
@ 2022-10-27 2:36 Steve Sakoman
2022-10-28 2:07 ` Tim Orling
0 siblings, 1 reply; 24+ messages in thread
From: Steve Sakoman @ 2022-10-27 2:36 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Friday.
This should be the final set of patches for the 4.0.5 release.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4380
The following changes since commit 4781fee6aea9512b7cb390b76e6f9f0a86a5bd11:
lttng-modules: Fix crash on powerpc64 (2022-10-17 04:30:43 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Bruce Ashfield (2):
linux-yocto/5.10: update to v5.10.147
linux-yocto/5.10: update to v5.10.149
Steve Sakoman (1):
Revert "lttng-tools: Upgrade 2.13.4 -> 2.13.8"
Tim Orling (1):
git: upgrade 2.35.4 -> 2.35.5
Vyacheslav Yurkov (2):
files: overlayfs-etc: refactor preinit template
classes: files: Extend overlayfs-etc class
Yash Shinde (2):
binutils: stable 2.38 branch updates
glibc: stable 2.35 branch updates.
meta/classes/overlayfs-etc.bbclass | 5 +++-
meta/files/overlayfs-etc-preinit.sh.in | 23 ++++++++++++++----
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../binutils/binutils-2.38.inc | 2 +-
.../git/{git_2.35.4.bb => git_2.35.5.bb} | 2 +-
.../linux/linux-yocto-rt_5.10.bb | 6 ++---
.../linux/linux-yocto-tiny_5.10.bb | 8 +++----
meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +++++++++----------
...-tools_2.13.8.bb => lttng-tools_2.13.4.bb} | 2 +-
9 files changed, 45 insertions(+), 29 deletions(-)
rename meta/recipes-devtools/git/{git_2.35.4.bb => git_2.35.5.bb} (98%)
rename meta/recipes-kernel/lttng/{lttng-tools_2.13.8.bb => lttng-tools_2.13.4.bb} (98%)
--
2.25.1
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [OE-core][kirkstone 0/8] Patch review
2022-10-27 2:36 Steve Sakoman
@ 2022-10-28 2:07 ` Tim Orling
0 siblings, 0 replies; 24+ messages in thread
From: Tim Orling @ 2022-10-28 2:07 UTC (permalink / raw)
To: Steve Sakoman; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 2531 bytes --]
On Wed, Oct 26, 2022 at 7:36 PM Steve Sakoman <steve@sakoman.com> wrote:
> Please review this set of patches for kirkstone and have comments back by
> end of day Friday.
>
> This should be the final set of patches for the 4.0.5 release.
I am intentionally holding off on a Python 3.10.8 upgrade just to let this
release get out in a stable manner.
>
> Passed a-full on autobuilder:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4380
>
> The following changes since commit
> 4781fee6aea9512b7cb390b76e6f9f0a86a5bd11:
>
> lttng-modules: Fix crash on powerpc64 (2022-10-17 04:30:43 -1000)
>
> are available in the Git repository at:
>
> https://git.openembedded.org/openembedded-core-contrib
> stable/kirkstone-nut
>
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
>
> Bruce Ashfield (2):
> linux-yocto/5.10: update to v5.10.147
> linux-yocto/5.10: update to v5.10.149
>
> Steve Sakoman (1):
> Revert "lttng-tools: Upgrade 2.13.4 -> 2.13.8"
>
> Tim Orling (1):
> git: upgrade 2.35.4 -> 2.35.5
>
> Vyacheslav Yurkov (2):
> files: overlayfs-etc: refactor preinit template
> classes: files: Extend overlayfs-etc class
>
> Yash Shinde (2):
> binutils: stable 2.38 branch updates
> glibc: stable 2.35 branch updates.
>
> meta/classes/overlayfs-etc.bbclass | 5 +++-
> meta/files/overlayfs-etc-preinit.sh.in | 23 ++++++++++++++----
> meta/recipes-core/glibc/glibc-version.inc | 2 +-
> .../binutils/binutils-2.38.inc | 2 +-
> .../git/{git_2.35.4.bb => git_2.35.5.bb} | 2 +-
> .../linux/linux-yocto-rt_5.10.bb | 6 ++---
> .../linux/linux-yocto-tiny_5.10.bb | 8 +++----
> meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +++++++++----------
> ...-tools_2.13.8.bb => lttng-tools_2.13.4.bb} | 2 +-
> 9 files changed, 45 insertions(+), 29 deletions(-)
> rename meta/recipes-devtools/git/{git_2.35.4.bb => git_2.35.5.bb} (98%)
> rename meta/recipes-kernel/lttng/{lttng-tools_2.13.8.bb =>
> lttng-tools_2.13.4.bb} (98%)
>
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#172179):
> https://lists.openembedded.org/g/openembedded-core/message/172179
> Mute This Topic: https://lists.openembedded.org/mt/94596838/924729
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> ticotimo@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
[-- Attachment #2: Type: text/html, Size: 5084 bytes --]
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 0/8] Patch review
@ 2023-04-22 15:54 Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 1/8] ruby: CVE-2023-28756 ReDoS vulnerability in Time Steve Sakoman
` (7 more replies)
0 siblings, 8 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-04-22 15:54 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5209
The following changes since commit b67e714b367a08fdeeeff68c2d9495ec9bc07304:
package.bbclass: correct check for /build in copydebugsources() (2023-04-14 07:19:08 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Hitendra Prajapati (2):
ruby: CVE-2023-28756 ReDoS vulnerability in Time
screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs
Peter Marko (1):
go: ignore CVE-2022-41716
Shubham Kulkarni (1):
go-runtime: Security fix for CVE-2022-41722
Siddharth Doshi (1):
curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538
Sundeep KOKKONDA (1):
cargo : non vulnerable cve-2022-46176 added to excluded list
Vivek Kumbhar (1):
go: fix CVE-2023-24537 Infinite loop in parsing
Xiangyu Chen (1):
shadow: backport patch to fix CVE-2023-29383
.../distro/include/cve-extra-exclusions.inc | 5 +
meta/recipes-devtools/go/go-1.17.13.inc | 5 +
.../go/go-1.18/CVE-2022-41722.patch | 103 +++++++++
.../go/go-1.18/CVE-2023-24537.patch | 75 +++++++
.../ruby/ruby/CVE-2023-28756.patch | 73 +++++++
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 +
.../screen/screen/CVE-2023-24626.patch | 40 ++++
meta/recipes-extended/screen/screen_4.9.0.bb | 1 +
.../files/0001-Overhaul-valid_field.patch | 65 ++++++
.../shadow/files/CVE-2023-29383.patch | 53 +++++
meta/recipes-extended/shadow/shadow.inc | 2 +
.../curl/curl/CVE-2023-27535-pre1.patch | 196 ++++++++++++++++++
.../CVE-2023-27535_and_CVE-2023-27538.patch | 170 +++++++++++++++
.../curl/curl/CVE-2023-27536.patch | 52 +++++
meta/recipes-support/curl/curl_7.82.0.bb | 3 +
15 files changed, 844 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
create mode 100644 meta/recipes-extended/screen/screen/CVE-2023-24626.patch
create mode 100644 meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch
--
2.34.1
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 1/8] ruby: CVE-2023-28756 ReDoS vulnerability in Time
2023-04-22 15:54 [OE-core][kirkstone 0/8] Patch review Steve Sakoman
@ 2023-04-22 15:54 ` Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 2/8] curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538 Steve Sakoman
` (6 subsequent siblings)
7 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-04-22 15:54 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Upstream-Status: Backport from https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ruby/ruby/CVE-2023-28756.patch | 73 +++++++++++++++++++
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 +
2 files changed, 74 insertions(+)
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
new file mode 100644
index 0000000000..cf24b13f53
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
@@ -0,0 +1,73 @@
+From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Wed, 29 Mar 2023 13:28:25 +0900
+Subject: [PATCH] CVE-2023-28756
+
+CVE: CVE-2023-28756
+Upstream-Status: Backport [https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/time.gemspec | 2 +-
+ lib/time.rb | 6 +++---
+ test/test_time.rb | 9 +++++++++
+ 3 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/lib/time.gemspec b/lib/time.gemspec
+index 72fba34..bada91a 100644
+--- a/lib/time.gemspec
++++ b/lib/time.gemspec
+@@ -1,6 +1,6 @@
+ Gem::Specification.new do |spec|
+ spec.name = "time"
+- spec.version = "0.2.0"
++ spec.version = "0.2.2"
+ spec.authors = ["Tanaka Akira"]
+ spec.email = ["akr@fsij.org"]
+
+diff --git a/lib/time.rb b/lib/time.rb
+index bd20a1a..6a13212 100644
+--- a/lib/time.rb
++++ b/lib/time.rb
+@@ -509,8 +509,8 @@ class Time
+ (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
+ (\d{2,})\s+
+ (\d{2})\s*
+- :\s*(\d{2})\s*
+- (?::\s*(\d{2}))?\s+
++ :\s*(\d{2})
++ (?:\s*:\s*(\d\d))?\s+
+ ([+-]\d{4}|
+ UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
+ # Since RFC 2822 permit comments, the regexp has no right anchor.
+@@ -701,7 +701,7 @@ class Time
+ #
+ # If self is a UTC time, Z is used as TZD. [+-]hh:mm is used otherwise.
+ #
+- # +fractional_digits+ specifies a number of digits to use for fractional
++ # +fraction_digits+ specifies a number of digits to use for fractional
+ # seconds. Its default value is 0.
+ #
+ # require 'time'
+diff --git a/test/test_time.rb b/test/test_time.rb
+index b50d841..23e8e10 100644
+--- a/test/test_time.rb
++++ b/test/test_time.rb
+@@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc:
+ assert_equal(true, t.utc?)
+ end
+
++ def test_rfc2822_nonlinear
++ pre = ->(n) {"0 Feb 00 00 :00" + " " * n}
++ assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do |s|
++ assert_raise(ArgumentError) do
++ Time.rfc2822(s)
++ end
++ end
++ end
++
+ if defined?(Ractor)
+ def test_rfc2822_ractor
+ assert_ractor(<<~RUBY, require: 'time')
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
index c8454da3a9..92efc5db91 100644
--- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \
file://0006-Make-gemspecs-reproducible.patch \
file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
+ file://CVE-2023-28756.patch \
"
UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
--
2.34.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 2/8] curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538
2023-04-22 15:54 [OE-core][kirkstone 0/8] Patch review Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 1/8] ruby: CVE-2023-28756 ReDoS vulnerability in Time Steve Sakoman
@ 2023-04-22 15:54 ` Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 3/8] cargo : non vulnerable cve-2022-46176 added to excluded list Steve Sakoman
` (5 subsequent siblings)
7 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-04-22 15:54 UTC (permalink / raw)
To: openembedded-core
From: Siddharth Doshi <sdoshi@mvista.com>
Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878, https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1, https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb, https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../curl/curl/CVE-2023-27535-pre1.patch | 196 ++++++++++++++++++
.../CVE-2023-27535_and_CVE-2023-27538.patch | 170 +++++++++++++++
.../curl/curl/CVE-2023-27536.patch | 52 +++++
meta/recipes-support/curl/curl_7.82.0.bb | 3 +
4 files changed, 421 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
new file mode 100644
index 0000000000..57e1cb9e13
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
@@ -0,0 +1,196 @@
+From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 00:49:10 +0200
+Subject: [PATCH] strcase: add and use Curl_timestrcmp
+
+This is a strcmp() alternative function for comparing "secrets",
+designed to take the same time no matter the content to not leak
+match/non-match info to observers based on how fast it is.
+
+The time this function takes is only a function of the shortest input
+string.
+
+Reported-by: Trail of Bits
+
+Closes #9658
+
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878]
+Comment: to backport fix for CVE-2023-27535, add function Curl_timestrcmp.
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ lib/netrc.c | 6 +++---
+ lib/strcase.c | 22 ++++++++++++++++++++++
+ lib/strcase.h | 1 +
+ lib/url.c | 33 +++++++++++++--------------------
+ lib/vauth/digest_sspi.c | 4 ++--
+ lib/vtls/vtls.c | 4 ++--
+ 6 files changed, 43 insertions(+), 27 deletions(-)
+
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 0a4ae2c..b771b60 100644
+--- a/lib/netrc.c
++++ b/lib/netrc.c
+@@ -140,9 +140,9 @@ static int parsenetrc(const char *host,
+ /* we are now parsing sub-keywords concerning "our" host */
+ if(state_login) {
+ if(specific_login) {
+- state_our_login = strcasecompare(login, tok);
++ state_our_login = !Curl_timestrcmp(login, tok);
+ }
+- else if(!login || strcmp(login, tok)) {
++ else if(!login || Curl_timestrcmp(login, tok)) {
+ if(login_alloc) {
+ free(login);
+ login_alloc = FALSE;
+@@ -158,7 +158,7 @@ static int parsenetrc(const char *host,
+ }
+ else if(state_password) {
+ if((state_our_login || !specific_login)
+- && (!password || strcmp(password, tok))) {
++ && (!password || Curl_timestrcmp(password, tok))) {
+ if(password_alloc) {
+ free(password);
+ password_alloc = FALSE;
+diff --git a/lib/strcase.c b/lib/strcase.c
+index 692a3f1..be085b3 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -141,6 +141,28 @@ bool Curl_safecmp(char *a, char *b)
+ return !a && !b;
+ }
+
++/*
++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
++ * function spends is a function of the shortest string, not of the contents.
++ */
++int Curl_timestrcmp(const char *a, const char *b)
++{
++ int match = 0;
++ int i = 0;
++
++ if(a && b) {
++ while(1) {
++ match |= a[i]^b[i];
++ if(!a[i] || !b[i])
++ break;
++ i++;
++ }
++ }
++ else
++ return a || b;
++ return match;
++}
++
+ /* --- public functions --- */
+
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index 382b80a..c6979da 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -48,5 +48,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+
+ bool Curl_safecmp(char *a, char *b);
++int Curl_timestrcmp(const char *first, const char *second);
+
+ #endif /* HEADER_CURL_STRCASE_H */
+diff --git a/lib/url.c b/lib/url.c
+index df4377d..c397b57 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -930,19 +930,10 @@ socks_proxy_info_matches(const struct proxy_info *data,
+ /* the user information is case-sensitive
+ or at least it is not defined as case-insensitive
+ see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */
+- if(!data->user != !needle->user)
+- return FALSE;
+- /* curl_strequal does a case insentive comparison, so do not use it here! */
+- if(data->user &&
+- needle->user &&
+- strcmp(data->user, needle->user) != 0)
+- return FALSE;
+- if(!data->passwd != !needle->passwd)
+- return FALSE;
++
+ /* curl_strequal does a case insentive comparison, so do not use it here! */
+- if(data->passwd &&
+- needle->passwd &&
+- strcmp(data->passwd, needle->passwd) != 0)
++ if(Curl_timestrcmp(data->user, needle->user) ||
++ Curl_timestrcmp(data->passwd, needle->passwd))
+ return FALSE;
+ return TRUE;
+ }
+@@ -1341,10 +1332,10 @@ ConnectionExists(struct Curl_easy *data,
+ if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
+ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+- if(strcmp(needle->user, check->user) ||
+- strcmp(needle->passwd, check->passwd) ||
+- !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
+- !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
++ if(Curl_timestrcmp(needle->user, check->user) ||
++ Curl_timestrcmp(needle->passwd, check->passwd) ||
++ Curl_timestrcmp(needle->sasl_authzid, check->sasl_authzid) ||
++ Curl_timestrcmp(needle->oauth_bearer, check->oauth_bearer)) {
+ /* one of them was different */
+ continue;
+ }
+@@ -1420,8 +1411,8 @@ ConnectionExists(struct Curl_easy *data,
+ possible. (Especially we must not reuse the same connection if
+ partway through a handshake!) */
+ if(wantNTLMhttp) {
+- if(strcmp(needle->user, check->user) ||
+- strcmp(needle->passwd, check->passwd)) {
++ if(Curl_timestrcmp(needle->user, check->user) ||
++ Curl_timestrcmp(needle->passwd, check->passwd)) {
+
+ /* we prefer a credential match, but this is at least a connection
+ that can be reused and "upgraded" to NTLM */
+@@ -1443,8 +1434,10 @@ ConnectionExists(struct Curl_easy *data,
+ if(!check->http_proxy.user || !check->http_proxy.passwd)
+ continue;
+
+- if(strcmp(needle->http_proxy.user, check->http_proxy.user) ||
+- strcmp(needle->http_proxy.passwd, check->http_proxy.passwd))
++ if(Curl_timestrcmp(needle->http_proxy.user,
++ check->http_proxy.user) ||
++ Curl_timestrcmp(needle->http_proxy.passwd,
++ check->http_proxy.passwd))
+ continue;
+ }
+ else if(check->proxy_ntlm_state != NTLMSTATE_NONE) {
+diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c
+index 94f8f8c..a413419 100644
+--- a/lib/vauth/digest_sspi.c
++++ b/lib/vauth/digest_sspi.c
+@@ -429,8 +429,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
+ has changed then delete that context. */
+ if((userp && !digest->user) || (!userp && digest->user) ||
+ (passwdp && !digest->passwd) || (!passwdp && digest->passwd) ||
+- (userp && digest->user && strcmp(userp, digest->user)) ||
+- (passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) {
++ (userp && digest->user && Curl_timestrcmp(userp, digest->user)) ||
++ (passwdp && digest->passwd && Curl_timestrcmp(passwdp, digest->passwd))) {
+ if(digest->http_context) {
+ s_pSecFn->DeleteSecurityContext(digest->http_context);
+ Curl_safefree(digest->http_context);
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index e2d3438..881c8d2 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -146,8 +146,8 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+ Curl_safecmp(data->random_file, needle->random_file) &&
+ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+ #ifdef USE_TLS_SRP
+- Curl_safecmp(data->username, needle->username) &&
+- Curl_safecmp(data->password, needle->password) &&
++ !Curl_timestrcmp(data->username, needle->username) &&
++ !Curl_timestrcmp(data->password, needle->password) &&
+ (data->authtype == needle->authtype) &&
+ #endif
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+--
+2.35.7
+
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch
new file mode 100644
index 0000000000..4e701edfff
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch
@@ -0,0 +1,170 @@
+From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Mar 2023 17:47:06 +0100
+Subject: [PATCH] ftp: add more conditions for connection reuse
+
+Reported-by: Harry Sintonen
+Closes #10730
+
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1, https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
+Comment: Backport for CVE-2023-27535 also fixes CVE-2023-27538 in the file "lib/url.c".
+CVE: CVE-2023-27535, CVE-2023-27538
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ lib/ftp.c | 28 ++++++++++++++++++++++++++--
+ lib/ftp.h | 5 +++++
+ lib/setopt.c | 2 +-
+ lib/url.c | 19 ++++++++++++++++---
+ lib/urldata.h | 4 ++--
+ 5 files changed, 50 insertions(+), 8 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index c6efaed..93bbaeb 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -4097,6 +4097,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data,
+ }
+
+ freedirs(ftpc);
++ Curl_safefree(ftpc->account);
++ Curl_safefree(ftpc->alternative_to_user);
+ Curl_safefree(ftpc->prevpath);
+ Curl_safefree(ftpc->server_os);
+ Curl_pp_disconnect(pp);
+@@ -4364,11 +4366,31 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
+ {
+ char *type;
+ struct FTP *ftp;
++ struct ftp_conn *ftpc = &conn->proto.ftpc;
+
+- data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1);
++ ftp = calloc(sizeof(struct FTP), 1);
+ if(!ftp)
+ return CURLE_OUT_OF_MEMORY;
+
++ /* clone connection related data that is FTP specific */
++ if(data->set.str[STRING_FTP_ACCOUNT]) {
++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
++ if(!ftpc->account) {
++ free(ftp);
++ return CURLE_OUT_OF_MEMORY;
++ }
++ }
++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) {
++ ftpc->alternative_to_user =
++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
++ if(!ftpc->alternative_to_user) {
++ Curl_safefree(ftpc->account);
++ free(ftp);
++ return CURLE_OUT_OF_MEMORY;
++ }
++ }
++ data->req.p.ftp = ftp;
++
+ ftp->path = &data->state.up.path[1]; /* don't include the initial slash */
+
+ /* FTP URLs support an extension like ";type=<typecode>" that
+@@ -4403,7 +4425,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
+ /* get some initial data into the ftp struct */
+ ftp->transfer = PPTRANSFER_BODY;
+ ftp->downloadsize = 0;
+- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
++ ftpc->known_filesize = -1; /* unknown size for now */
++ ftpc->use_ssl = data->set.use_ssl;
++ ftpc->ccc = data->set.ftp_ccc;
+
+ return CURLE_OK;
+ }
+diff --git a/lib/ftp.h b/lib/ftp.h
+index 1cfdac0..afca25b 100644
+--- a/lib/ftp.h
++++ b/lib/ftp.h
+@@ -115,6 +115,8 @@ struct FTP {
+ struct */
+ struct ftp_conn {
+ struct pingpong pp;
++ char *account;
++ char *alternative_to_user;
+ char *entrypath; /* the PWD reply when we logged on */
+ char *file; /* url-decoded file name (or path) */
+ char **dirs; /* realloc()ed array for path components */
+@@ -144,6 +146,9 @@ struct ftp_conn {
+ ftpstate state; /* always use ftp.c:state() to change state! */
+ ftpstate state_saved; /* transfer type saved to be reloaded after
+ data connection is established */
++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
++ IMAP or POP3 or others! (type: curl_usessl)*/
++ unsigned char ccc; /* ccc level for this connection */
+ curl_off_t retr_size_saved; /* Size of retrieved file saved */
+ char *server_os; /* The target server operating system. */
+ curl_off_t known_filesize; /* file size is different from -1, if wildcard
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 29a78a4..89d0150 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2304,7 +2304,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ arg = va_arg(param, long);
+ if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST))
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+- data->set.use_ssl = (curl_usessl)arg;
++ data->set.use_ssl = (unsigned char)arg;
+ break;
+
+ case CURLOPT_SSL_OPTIONS:
+diff --git a/lib/url.c b/lib/url.c
+index c397b57..280171c 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1347,11 +1347,24 @@ ConnectionExists(struct Curl_easy *data,
+ (check->httpversion >= 20) &&
+ (data->state.httpwant < CURL_HTTP_VERSION_2_0))
+ continue;
+-
+- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
+- if(!ssh_config_matches(needle, check))
++#ifdef USE_SSH
++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
++ if(!ssh_config_matches(needle, check))
+ continue;
+ }
++#endif
++#ifndef CURL_DISABLE_FTP
++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) {
++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
++ if(Curl_timestrcmp(needle->proto.ftpc.account,
++ check->proto.ftpc.account) ||
++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user,
++ check->proto.ftpc.alternative_to_user) ||
++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) ||
++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc))
++ continue;
++ }
++#endif
+
+ if((needle->handler->flags&PROTOPT_SSL)
+ #ifndef CURL_DISABLE_PROXY
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 69eb2ee..6e6122a 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1748,8 +1748,6 @@ struct UserDefined {
+ enum CURL_NETRC_OPTION
+ use_netrc; /* defined in include/curl.h */
+ #endif
+- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
+- IMAP or POP3 or others! */
+ long new_file_perms; /* Permissions to use when creating remote files */
+ long new_directory_perms; /* Permissions to use when creating remote dirs */
+ long ssh_auth_types; /* allowed SSH auth types */
+@@ -1877,6 +1875,8 @@ struct UserDefined {
+ BIT(http09_allowed); /* allow HTTP/0.9 responses */
+ BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some
+ recipients */
++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
++ IMAP or POP3 or others! (type: curl_usessl)*/
+ };
+
+ struct Names {
+--
+2.35.7
+
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
new file mode 100644
index 0000000000..fb3ee6a14d
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
@@ -0,0 +1,52 @@
+From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 09:22:43 +0100
+Subject: [PATCH] url: only reuse connections with same GSS delegation
+
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
+CVE: CVE-2023-27536
+Signed-off-by: Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ lib/url.c | 6 ++++++
+ lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index 280171c..c6413a1 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1341,6 +1341,11 @@ ConnectionExists(struct Curl_easy *data,
+ }
+ }
+
++ /* GSS delegation differences do not actually affect every connection
++ and auth method, but this check takes precaution before efficiency */
++ if(needle->gssapi_delegation != check->gssapi_delegation)
++ continue;
++
+ /* If multiplexing isn't enabled on the h2 connection and h1 is
+ explicitly requested, handle it: */
+ if((needle->handler->protocol & PROTO_FAMILY_HTTP) &&
+@@ -1813,6 +1818,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+ conn->fclosesocket = data->set.fclosesocket;
+ conn->closesocket_client = data->set.closesocket_client;
+ conn->lastused = Curl_now(); /* used now */
++ conn->gssapi_delegation = data->set.gssapi_delegation;
+
+ return conn;
+ error:
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 6e6122a..602c735 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1131,6 +1131,7 @@ struct connectdata {
+ int socks5_gssapi_enctype;
+ #endif
+ unsigned short localport;
++ long gssapi_delegation; /* inherited from set.gssapi_delegation */
+ };
+
+ /* The end of connectdata. */
+--
+2.35.7
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 4c18afe293..70ceb9f370 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -42,6 +42,9 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2023-23916.patch \
file://CVE-2023-27533.patch \
file://CVE-2023-27534.patch \
+ file://CVE-2023-27535-pre1.patch \
+ file://CVE-2023-27535_and_CVE-2023-27538.patch \
+ file://CVE-2023-27536.patch \
"
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
--
2.34.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 3/8] cargo : non vulnerable cve-2022-46176 added to excluded list
2023-04-22 15:54 [OE-core][kirkstone 0/8] Patch review Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 1/8] ruby: CVE-2023-28756 ReDoS vulnerability in Time Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 2/8] curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538 Steve Sakoman
@ 2023-04-22 15:54 ` Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 4/8] go-runtime: Security fix for CVE-2022-41722 Steve Sakoman
` (4 subsequent siblings)
7 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-04-22 15:54 UTC (permalink / raw)
To: openembedded-core
From: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnirability when using cargo ssh.
Kirkstone doesn't support rust on-target images and the bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh.
So, cargo-native also not vulnerable to this cve and so added to excluded list.
Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
Acked-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
| 5 +++++
1 file changed, 5 insertions(+)
--git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 8b5f8d49b8..cb2d920441 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,6 +15,11 @@
# the aim of sharing that work and ensuring we don't duplicate it.
#
+#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
+#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
+#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
+#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
+CVE_CHECK_IGNORE += "CVE-2022-46176"
# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
# CVE is more than 20 years old with no resolution evident
--
2.34.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 4/8] go-runtime: Security fix for CVE-2022-41722
2023-04-22 15:54 [OE-core][kirkstone 0/8] Patch review Steve Sakoman
` (2 preceding siblings ...)
2023-04-22 15:54 ` [OE-core][kirkstone 3/8] cargo : non vulnerable cve-2022-46176 added to excluded list Steve Sakoman
@ 2023-04-22 15:54 ` Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 5/8] shadow: backport patch to fix CVE-2023-29383 Steve Sakoman
` (3 subsequent siblings)
7 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-04-22 15:54 UTC (permalink / raw)
To: openembedded-core
From: Shubham Kulkarni <skulkarni@mvista.com>
path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.18/CVE-2022-41722.patch | 103 ++++++++++++++++++
2 files changed, 104 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 23380f04c3..15d19ed124 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -26,6 +26,7 @@ SRC_URI += "\
file://cve-2022-41724.patch \
file://add_godebug.patch \
file://cve-2022-41725.patch \
+ file://CVE-2022-41722.patch \
"
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
new file mode 100644
index 0000000000..426a4f925f
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
@@ -0,0 +1,103 @@
+From a826b19625caebed6dd0f3fbd9d0111f6c83737c Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Mon, 12 Dec 2022 16:43:37 -0800
+Subject: [PATCH] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
+
+Do not permit Clean to convert a relative path into one starting
+with a drive reference. This change causes Clean to insert a .
+path element at the start of a path when the original path does not
+start with a volume name, and the first path element would contain
+a colon.
+
+This may introduce a spurious but harmless . path element under
+some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
+
+This reverts CL 401595, since the change here supersedes the one
+in that CL.
+
+Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
+
+Updates #57274
+Fixes #57276
+Fixes CVE-2022-41722
+
+Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
+Reviewed-by: Than McIntosh <thanm@google.com>
+Run-TryBot: Michael Pratt <mpratt@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+
+CVE: CVE-2022-41722
+Upstream-Status: Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/path/filepath/path.go | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
+index 8300a32..94621a0 100644
+--- a/src/path/filepath/path.go
++++ b/src/path/filepath/path.go
+@@ -15,6 +15,7 @@ import (
+ "errors"
+ "io/fs"
+ "os"
++ "runtime"
+ "sort"
+ "strings"
+ )
+@@ -117,21 +118,9 @@ func Clean(path string) string {
+ case os.IsPathSeparator(path[r]):
+ // empty path element
+ r++
+- case path[r] == '.' && r+1 == n:
++ case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
+ // . element
+ r++
+- case path[r] == '.' && os.IsPathSeparator(path[r+1]):
+- // ./ element
+- r++
+-
+- for r < len(path) && os.IsPathSeparator(path[r]) {
+- r++
+- }
+- if out.w == 0 && volumeNameLen(path[r:]) > 0 {
+- // When joining prefix "." and an absolute path on Windows,
+- // the prefix should not be removed.
+- out.append('.')
+- }
+ case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
+ // .. element: remove to last separator
+ r += 2
+@@ -157,6 +146,18 @@ func Clean(path string) string {
+ if rooted && out.w != 1 || !rooted && out.w != 0 {
+ out.append(Separator)
+ }
++ // If a ':' appears in the path element at the start of a Windows path,
++ // insert a .\ at the beginning to avoid converting relative paths
++ // like a/../c: into c:.
++ if runtime.GOOS == "windows" && out.w == 0 && out.volLen == 0 && r != 0 {
++ for i := r; i < n && !os.IsPathSeparator(path[i]); i++ {
++ if path[i] == ':' {
++ out.append('.')
++ out.append(Separator)
++ break
++ }
++ }
++ }
+ // copy element
+ for ; r < n && !os.IsPathSeparator(path[r]); r++ {
+ out.append(path[r])
+--
+2.7.4
--
2.34.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 5/8] shadow: backport patch to fix CVE-2023-29383
2023-04-22 15:54 [OE-core][kirkstone 0/8] Patch review Steve Sakoman
` (3 preceding siblings ...)
2023-04-22 15:54 ` [OE-core][kirkstone 4/8] go-runtime: Security fix for CVE-2022-41722 Steve Sakoman
@ 2023-04-22 15:54 ` Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 6/8] go: ignore CVE-2022-41716 Steve Sakoman
` (2 subsequent siblings)
7 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-04-22 15:54 UTC (permalink / raw)
To: openembedded-core
From: Xiangyu Chen <xiangyu.chen@windriver.com>
The fix of CVE-2023-29383.patch contains a bug that it rejects all
characters that are not control ones, so backup another patch named
"0001-Overhaul-valid_field.patch" from upstream to fix it.
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../files/0001-Overhaul-valid_field.patch | 65 +++++++++++++++++++
.../shadow/files/CVE-2023-29383.patch | 53 +++++++++++++++
meta/recipes-extended/shadow/shadow.inc | 2 +
3 files changed, 120 insertions(+)
create mode 100644 meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch
diff --git a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
new file mode 100644
index 0000000000..ac08be515b
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
@@ -0,0 +1,65 @@
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4]
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b582..53929248 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+
+ /* For each character of field, search if it appears in the list
+ * of illegal characters. */
++ if (illegal && NULL != strpbrk (field, illegal)) {
++ return -1;
++ }
++
++ /* Search if there are non-printable or control characters */
+ for (cp = field; '\0' != *cp; cp++) {
+- if (strchr (illegal, *cp) != NULL) {
++ unsigned char c = *cp;
++ if (!isprint (c)) {
++ err = 1;
++ }
++ if (iscntrl (c)) {
+ err = -1;
+ break;
+ }
+ }
+
+- if (0 == err) {
+- /* Search if there are non-printable or control characters */
+- for (cp = field; '\0' != *cp; cp++) {
+- if (!isprint (*cp)) {
+- err = 1;
+- }
+- if (!iscntrl (*cp)) {
+- err = -1;
+- break;
+- }
+- }
+- }
+-
+ return err;
+ }
+
+--
+2.34.1
+
diff --git a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
new file mode 100644
index 0000000000..f53341d3fc
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
@@ -0,0 +1,53 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+
+CVE: CVE-2023-29383
+Upstream-Status: Backport
+
+Reference to upstream:
+https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931..fb51b582 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -21,9 +21,9 @@
+ *
+ * The supplied field is scanned for non-printable and other illegal
+ * characters.
+- * + -1 is returned if an illegal character is present.
+- * + 1 is returned if no illegal characters are present, but the field
+- * contains a non-printable character.
++ * + -1 is returned if an illegal or control character is present.
++ * + 1 is returned if no illegal or control characters are present,
++ * but the field contains a non-printable character.
+ * + 0 is returned otherwise.
+ */
+ int valid_field (const char *field, const char *illegal)
+@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
+ }
+
+ if (0 == err) {
+- /* Search if there are some non-printable characters */
++ /* Search if there are non-printable or control characters */
+ for (cp = field; '\0' != *cp; cp++) {
+ if (!isprint (*cp)) {
+ err = 1;
++ }
++ if (!iscntrl (*cp)) {
++ err = -1;
+ break;
+ }
+ }
+--
+2.34.1
+
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 5106b95571..3c1dd2f98e 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -16,6 +16,8 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/v${PV}/${BP}
${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
file://shadow-relaxed-usernames.patch \
file://useradd \
+ file://CVE-2023-29383.patch \
+ file://0001-Overhaul-valid_field.patch \
"
SRC_URI:append:class-target = " \
--
2.34.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 6/8] go: ignore CVE-2022-41716
2023-04-22 15:54 [OE-core][kirkstone 0/8] Patch review Steve Sakoman
` (4 preceding siblings ...)
2023-04-22 15:54 ` [OE-core][kirkstone 5/8] shadow: backport patch to fix CVE-2023-29383 Steve Sakoman
@ 2023-04-22 15:54 ` Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 7/8] screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 8/8] go: fix CVE-2023-24537 Infinite loop in parsing Steve Sakoman
7 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-04-22 15:54 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
This CVE is specific to Microsoft Windows, ignore it.
Patch fixing it (https://go-review.googlesource.com/c/go/+/446916)
also adds a redundant check to generic os/exec which
could be backported but it should not be necessary as
backport always takes a small risk to break old code.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.17.13.inc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 15d19ed124..34d58aec2f 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -34,3 +34,6 @@ SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784
# fix in 1.17 onwards where we can drop this.
# https://github.com/golang/go/issues/30999#issuecomment-910470358
CVE_CHECK_IGNORE += "CVE-2021-29923"
+
+# This is specific to Microsoft Windows
+CVE_CHECK_IGNORE += "CVE-2022-41716"
--
2.34.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 7/8] screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs
2023-04-22 15:54 [OE-core][kirkstone 0/8] Patch review Steve Sakoman
` (5 preceding siblings ...)
2023-04-22 15:54 ` [OE-core][kirkstone 6/8] go: ignore CVE-2022-41716 Steve Sakoman
@ 2023-04-22 15:54 ` Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 8/8] go: fix CVE-2023-24537 Infinite loop in parsing Steve Sakoman
7 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-04-22 15:54 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../screen/screen/CVE-2023-24626.patch | 40 +++++++++++++++++++
meta/recipes-extended/screen/screen_4.9.0.bb | 1 +
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-extended/screen/screen/CVE-2023-24626.patch
diff --git a/meta/recipes-extended/screen/screen/CVE-2023-24626.patch b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch
new file mode 100644
index 0000000000..73caf9d81b
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch
@@ -0,0 +1,40 @@
+From e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Mon Sep 17 00:00:00 2001
+From: Alexander Naumov <alexander_naumov@opensuse.org>
+Date: Mon, 30 Jan 2023 17:22:25 +0200
+Subject: fix: missing signal sending permission check on failed query messages
+
+Signed-off-by: Alexander Naumov <alexander_naumov@opensuse.org>
+
+CVE: CVE-2023-24626
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ socket.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/socket.c b/socket.c
+index bb68b35..9d87445 100644
+--- a/socket.c
++++ b/socket.c
+@@ -1285,11 +1285,16 @@ ReceiveMsg()
+ else
+ queryflag = -1;
+
+- Kill(m.m.command.apid,
++ if (CheckPid(m.m.command.apid)) {
++ Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
++ }
++ else {
++ Kill(m.m.command.apid,
+ (queryflag >= 0)
+ ? SIGCONT
+ : SIG_BYE); /* Send SIG_BYE if an error happened */
+- queryflag = -1;
++ queryflag = -1;
++ }
+ }
+ break;
+ case MSG_COMMAND:
+--
+2.25.1
+
diff --git a/meta/recipes-extended/screen/screen_4.9.0.bb b/meta/recipes-extended/screen/screen_4.9.0.bb
index b36173b8de..19070d87d8 100644
--- a/meta/recipes-extended/screen/screen_4.9.0.bb
+++ b/meta/recipes-extended/screen/screen_4.9.0.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
file://0002-comm.h-now-depends-on-term.h.patch \
file://0001-fix-for-multijob-build.patch \
file://0001-Remove-more-compatibility-stuff.patch \
+ file://CVE-2023-24626.patch \
"
SRC_URI[sha256sum] = "f9335281bb4d1538ed078df78a20c2f39d3af9a4e91c57d084271e0289c730f4"
--
2.34.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 8/8] go: fix CVE-2023-24537 Infinite loop in parsing
2023-04-22 15:54 [OE-core][kirkstone 0/8] Patch review Steve Sakoman
` (6 preceding siblings ...)
2023-04-22 15:54 ` [OE-core][kirkstone 7/8] screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs Steve Sakoman
@ 2023-04-22 15:54 ` Steve Sakoman
7 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-04-22 15:54 UTC (permalink / raw)
To: openembedded-core
From: Vivek Kumbhar <vkumbhar@mvista.com>
Setting a large line or column number using a //line directive can cause
integer overflow even in small source files.
Limit line and column numbers in //line directives to 2^30-1, which
is small enough to avoid int32 overflow on all reasonbly-sized files.
Fixes CVE-2023-24537
Fixes #59273
For #59180
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.18/CVE-2023-24537.patch | 75 +++++++++++++++++++
2 files changed, 76 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 34d58aec2f..cda9227042 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -27,6 +27,7 @@ SRC_URI += "\
file://add_godebug.patch \
file://cve-2022-41725.patch \
file://CVE-2022-41722.patch \
+ file://CVE-2023-24537.patch \
"
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch
new file mode 100644
index 0000000000..4521f159ea
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch
@@ -0,0 +1,75 @@
+From bf8c7c575c8a552d9d79deb29e80854dc88528d0 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Mon, 20 Mar 2023 10:43:19 -0700
+Subject: [PATCH] [release-branch.go1.20] mime/multipart: limit parsed mime
+ message sizes
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802456
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802611
+Reviewed-by: Damien Neil <dneil@google.com>
+Change-Id: Ifdfa192d54f722d781a4d8c5f35b5fb72d122168
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481986
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/126a1d02da82f93ede7ce0bd8d3c51ef627f2104]
+CVE: CVE-2023-24537
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/go/parser/parser_test.go | 16 ++++++++++++++++
+ src/go/scanner/scanner.go | 5 ++++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go
+index 1a46c87..993df63 100644
+--- a/src/go/parser/parser_test.go
++++ b/src/go/parser/parser_test.go
+@@ -746,3 +746,19 @@ func TestScopeDepthLimit(t *testing.T) {
+ }
+ }
+ }
++
++// TestIssue59180 tests that line number overflow doesn't cause an infinite loop.
++func TestIssue59180(t *testing.T) {
++ testcases := []string{
++ "package p\n//line :9223372036854775806\n\n//",
++ "package p\n//line :1:9223372036854775806\n\n//",
++ "package p\n//line file:9223372036854775806\n\n//",
++ }
++
++ for _, src := range testcases {
++ _, err := ParseFile(token.NewFileSet(), "", src, ParseComments)
++ if err == nil {
++ t.Errorf("ParseFile(%s) succeeded unexpectedly", src)
++ }
++ }
++}
+diff --git a/src/go/scanner/scanner.go b/src/go/scanner/scanner.go
+index f08e28c..ff847b5 100644
+--- a/src/go/scanner/scanner.go
++++ b/src/go/scanner/scanner.go
+@@ -251,13 +251,16 @@ func (s *Scanner) updateLineInfo(next, offs int, text []byte) {
+ return
+ }
+
++ // Put a cap on the maximum size of line and column numbers.
++ // 30 bits allows for some additional space before wrapping an int32.
++ const maxLineCol = 1<<30 - 1
+ var line, col int
+ i2, n2, ok2 := trailingDigits(text[:i-1])
+ if ok2 {
+ //line filename:line:col
+ i, i2 = i2, i
+ line, col = n2, n
+- if col == 0 {
++ if col == 0 || col > maxLineCol {
+ s.error(offs+i2, "invalid column number: "+string(text[i2:]))
+ return
+ }
+--
+2.25.1
--
2.34.1
^ permalink raw reply related [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 0/8] Patch review
@ 2023-07-24 2:33 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-07-24 2:33 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5638
The following changes since commit d877d5f07772ec4a05332068ddc03cf387313036:
cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK (2023-07-17 04:45:01 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (1):
ghostscript: fix CVE-2023-36664
Bruce Ashfield (2):
linux-yocto/5.15: update to v5.15.119
linux-yocto/5.15: update to v5.15.120
Richard Purdie (1):
gcc-testsuite: Fix ppc cpu specification
Ross Burton (2):
gcc: don't pass --enable-standard-branch-protection
machine/arch-arm64: add -mbranch-protection=standard
Vijay Anusuri (1):
qemu: backport Debian patch to fix CVE-2023-0330
Xiangyu Chen (1):
package.bbclass: moving field data process before variable process in
process_pkgconfig
meta/classes/package.bbclass | 12 +-
meta/conf/machine/include/arm/arch-arm64.inc | 5 +
.../gcc/gcc-configure-common.inc | 1 -
meta/recipes-devtools/gcc/gcc-testsuite.inc | 5 +-
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2023-0330.patch | 75 +++++++++
.../ghostscript/CVE-2023-36664-0001.patch | 146 ++++++++++++++++++
.../ghostscript/CVE-2023-36664-0002.patch | 60 +++++++
.../ghostscript/ghostscript_9.55.0.bb | 2 +
.../linux/linux-yocto-rt_5.15.bb | 6 +-
.../linux/linux-yocto-tiny_5.15.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 ++--
12 files changed, 317 insertions(+), 28 deletions(-)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0002.patch
--
2.34.1
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 0/8] Patch review
@ 2023-08-27 20:52 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-08-27 20:52 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, August 29.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5789
The following changes since commit ea920e3c8075f3a1b79039341f8c889f6197a07f:
glibc-locale: use stricter matching for metapackages' runtime dependencies (2023-08-22 07:07:13 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Narpat Mali (2):
ffmpeg: add CVE_CHECK_IGNORE for CVE-2023-39018
python3-git: upgrade 3.1.27 -> 3.1.32
Ross Burton (3):
linux-yocto: add script to generate kernel CVE_CHECK_IGNORE entries
linux/cve-exclusion: add generated CVE_CHECK_IGNORES.
linux/cve-exclusion: remove obsolete manual entries
Siddharth (1):
Qemu: Resolve undefined reference issue in CVE-2023-2861
Soumya Sambu (1):
go: Fix CVE-2023-29409
Yogita Urade (1):
nghttp2: fix CVE-2023-35945
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.19/CVE-2023-29409.patch | 175 +
...-git-CVE-2022-24439-fix-from-PR-1518.patch | 97 -
...-git-CVE-2022-24439-fix-from-PR-1521.patch | 488 --
...n3-git_3.1.27.bb => python3-git_3.1.32.bb} | 6 +-
.../qemu/qemu/CVE-2023-2861.patch | 66 +-
meta/recipes-kernel/linux/cve-exclusion.inc | 869 --
.../linux/cve-exclusion_5.15.inc | 7193 +++++++++++++++++
.../linux/generate-cve-exclusions.py | 101 +
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 1 +
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 6 +
.../nghttp2/nghttp2/CVE-2023-35945.patch | 151 +
.../recipes-support/nghttp2/nghttp2_1.47.0.bb | 1 +
13 files changed, 7667 insertions(+), 1488 deletions(-)
create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-29409.patch
delete mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch
delete mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch
rename meta/recipes-devtools/python/{python3-git_3.1.27.bb => python3-git_3.1.32.bb} (80%)
create mode 100644 meta/recipes-kernel/linux/cve-exclusion_5.15.inc
create mode 100755 meta/recipes-kernel/linux/generate-cve-exclusions.py
create mode 100644 meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch
--
2.34.1
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 0/8] Patch review
@ 2023-09-13 14:30 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-09-13 14:30 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Friday, September 15.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5876
The following changes since commit 47a1dd7f389e3cf4ac2dc5fc21dccc870aafab4a:
sysklogd: fix integration with systemd-journald (2023-09-05 13:34:12 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Meenali Gupta (1):
flac: fix CVE-2020-22219
Michael Halstead (1):
yocto-uninative: Update to 4.3
Narpat Mali (1):
python3-pygments: Fix CVE-2022-40896
Siddharth Doshi (1):
gdb: Fix CVE-2023-39128
Soumya Sambu (1):
libxml2: Fix CVE-2023-39615
Yogita Urade (3):
dropbear: fix CVE-2023-36328
qemu: fix CVE-2021-3638
webkitgtk: fix CVE-2022-48503
meta/conf/distro/include/yocto-uninative.inc | 8 +-
meta/recipes-core/dropbear/dropbear.inc | 1 +
.../dropbear/dropbear/CVE-2023-36328.patch | 144 +++++++++++
.../libxml/libxml2/CVE-2023-39615-0001.patch | 37 +++
.../libxml/libxml2/CVE-2023-39615-0002.patch | 72 ++++++
meta/recipes-core/libxml/libxml2_2.9.14.bb | 2 +
meta/recipes-devtools/gdb/gdb.inc | 1 +
.../gdb/gdb/0011-CVE-2023-39128.patch | 75 ++++++
.../python3-pygments/CVE-2022-40896.patch | 124 ++++++++++
.../python/python3-pygments_2.11.2.bb | 2 +
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3638.patch | 88 +++++++
.../flac/files/CVE-2020-22219.patch | 197 +++++++++++++++
meta/recipes-multimedia/flac/flac_1.3.4.bb | 1 +
.../webkit/webkitgtk/CVE-2022-48503.patch | 225 ++++++++++++++++++
meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 +
16 files changed, 975 insertions(+), 4 deletions(-)
create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch
create mode 100644 meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch
create mode 100644 meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
create mode 100644 meta/recipes-multimedia/flac/files/CVE-2020-22219.patch
create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch
--
2.34.1
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 0/8] Patch review
@ 2023-11-29 23:04 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-11-29 23:04 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Friday, December 1
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6260
The following changes since commit 8726ae02d760270f9e7fe7ef5715d8f7553371ce:
goarch: Move Go architecture mapping to a library (2023-11-21 05:32:39 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (2):
gstreamer1.0-plugins-bad: fix CVE-2023-44429
vim: Upgrade 9.0.2048 -> 9.0.2068
Hitendra Prajapati (1):
grub: fix CVE-2023-4693
Li Wang (1):
systemtap_git: fix used uninitialized error
Ninad Palsule (1):
kernel-fitImage: Strip path component from dtb
Richard Purdie (1):
vim: Improve locale handling
Steve Sakoman (1):
vim: use upstream generated .po files
Vivek Kumbhar (1):
openssl: fix CVE-2023-5678 Generating excessively long X9.42 DH keys
or checking excessively long X9.42 DH keys or parameters may be very
slow
meta/classes/kernel-fitimage.bbclass | 5 +
.../grub/files/CVE-2023-4693.patch | 62 ++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
.../openssl/openssl/CVE-2023-5678.patch | 180 ++++++++++++++++++
.../openssl/openssl_3.0.12.bb | 1 +
...x-Prevent-Werror-maybe-uninitialized.patch | 53 ++++++
.../recipes-kernel/systemtap/systemtap_git.bb | 1 +
.../CVE-2023-44429.patch | 38 ++++
.../gstreamer1.0-plugins-bad_1.20.7.bb | 1 +
meta/recipes-support/vim/vim.inc | 20 +-
10 files changed, 350 insertions(+), 12 deletions(-)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4693.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
create mode 100644 meta/recipes-kernel/systemtap/systemtap/0001-bpf-translate.cxx-Prevent-Werror-maybe-uninitialized.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch
--
2.34.1
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 0/8] Patch review
@ 2024-02-12 13:54 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2024-02-12 13:54 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, February 14
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6556
The following changes since commit 2bdae590ab20dc4518ba247c903060fa67ed0fc4:
openssl: Upgrade 3.0.12 -> 3.0.13 (2024-02-05 03:56:38 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (1):
curl: Fix CVE-2023-46219
Bruce Ashfield (1):
kernel: fix localversion in v6.3+
Jermain Horsman (1):
systemd: Only add myhostname to nsswitch.conf if in PACKAGECONFIG
Kai Kang (1):
ghostscript: correct LICENSE with AGPLv3
Narpat Mali (1):
python3-pycryptodome: Fix CVE-2023-52323
Soumya Sambu (2):
go: Fix CVE-2023-45285 and CVE-2023-45287
libgit2: Fix CVE-2024-24575 and CVE-2024-24577
Vijay Anusuri (1):
libxml2: Fix for CVE-2024-25062
meta/classes/kernel-arch.bbclass | 7 +
meta/classes/kernel.bbclass | 10 +-
.../libxml/libxml2/CVE-2024-25062.patch | 33 +
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
meta/recipes-core/systemd/systemd_250.5.bb | 16 +-
meta/recipes-devtools/go/go-1.17.13.inc | 2 +
.../go/go-1.20/CVE-2023-45285.patch | 110 ++
.../go/go-1.20/CVE-2023-45287.patch | 1695 +++++++++++++++++
.../python3-pycryptodome/CVE-2023-52323.patch | 436 +++++
.../python/python3-pycryptodome_3.14.1.bb | 1 +
.../CVE-2023-52323.patch | 436 +++++
.../python/python3-pycryptodomex_3.14.1.bb | 2 +
.../ghostscript/ghostscript_9.55.0.bb | 2 +-
.../curl/curl/CVE-2023-46219-0001.patch | 42 +
.../curl/curl/CVE-2023-46219-0002.patch | 133 ++
.../curl/curl/CVE-2023-46219-0003.patch | 81 +
meta/recipes-support/curl/curl_7.82.0.bb | 3 +
.../libgit2/libgit2/CVE-2024-24575.patch | 56 +
.../libgit2/libgit2/CVE-2024-24577.patch | 52 +
meta/recipes-support/libgit2/libgit2_1.4.5.bb | 5 +-
20 files changed, 3113 insertions(+), 10 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch
create mode 100644 meta/recipes-devtools/go/go-1.20/CVE-2023-45285.patch
create mode 100644 meta/recipes-devtools/go/go-1.20/CVE-2023-45287.patch
create mode 100644 meta/recipes-devtools/python/python3-pycryptodome/CVE-2023-52323.patch
create mode 100644 meta/recipes-devtools/python/python3-pycryptodomex/CVE-2023-52323.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-46219-0001.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-46219-0002.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-46219-0003.patch
create mode 100644 meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch
create mode 100644 meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch
--
2.34.1
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 0/8] Patch review
@ 2024-03-12 13:53 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2024-03-12 13:53 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, March 13
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6670
The following changes since commit e5aae8a371717215a7d78459788ad67dfaefe37e:
golang: Fix CVE-2023-45289 & CVE-2023-45290 (2024-03-07 04:18:33 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Bruce Ashfield (6):
linux-yocto/5.15: update to v5.15.149
linux-yocto/5.15: update CVE exclusions
linux-yocto/5.10: update to v5.10.210
linux-yocto/5.15: update to v5.15.150
linux-yocto/5.15: update CVE exclusions (5.15.150)
linux-yocto/5.15: fix partion scanning
Nikhil R (1):
librsvg: Fix do_package_qa error for librsvg
Vivek Kumbhar (1):
go: Backport fix CVE-2024-24784 & CVE-2024-24785
meta/recipes-devtools/go/go-1.17.13.inc | 2 +
.../go/go-1.18/CVE-2024-24784.patch | 207 ++++++++++++++++++
.../go/go-1.18/CVE-2024-24785.patch | 196 +++++++++++++++++
meta/recipes-gnome/librsvg/librsvg_2.52.10.bb | 2 +
.../linux/cve-exclusion_5.15.inc | 197 ++++++++++++++++-
.../linux/linux-yocto-rt_5.10.bb | 4 +-
.../linux/linux-yocto-rt_5.15.bb | 6 +-
.../linux/linux-yocto-tiny_5.10.bb | 6 +-
.../linux/linux-yocto-tiny_5.15.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_5.10.bb | 22 +-
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +--
11 files changed, 632 insertions(+), 42 deletions(-)
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2024-24785.patch
--
2.34.1
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 0/8] Patch review
@ 2024-05-24 12:14 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2024-05-24 12:14 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, May 28
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6956
The following changes since commit f85d5dfc91d536a00669ca3148d8c3b2727b183d:
libpciaccess: Remove duplicated license entry (2024-05-10 05:05:54 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Bob Henz (1):
systemd-systemctl: Fix WantedBy processing
Colin McAllister (1):
initscripts: Add custom mount args for /var/lib
Dmitry Baryshkov (1):
go.bbclass: fix path to linker in native Go builds
Joerg Vehlow (1):
go: Always pass interpreter to linker
Peter Marko (1):
openssl: patch CVE-2024-4603
Stefan Herbrechtsmeier (1):
classes: go-mod: do not pack go mod cache
Vijay Anusuri (1):
binutils: Rename CVE-2022-38126 patch to CVE-2022-35205
Yogita Urade (1):
libarchive: fix CVE-2024-26256
meta/classes/go-mod.bbclass | 4 +
meta/classes/go.bbclass | 6 +-
.../openssl/openssl/CVE-2024-4603.patch | 180 ++++++++++++++++++
.../openssl/openssl_3.0.13.bb | 1 +
.../initscripts-1.0/read-only-rootfs-hook.sh | 4 +-
.../initscripts/initscripts_1.0.bb | 2 +
.../systemd/systemd-systemctl/systemctl | 11 ++
.../binutils/binutils-2.38.inc | 2 +-
...-38126.patch => 0016-CVE-2022-35205.patch} | 3 +-
.../libarchive/CVE-2024-26256.patch | 29 +++
.../libarchive/libarchive_3.6.2.bb | 5 +-
11 files changed, 240 insertions(+), 7 deletions(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
rename meta/recipes-devtools/binutils/binutils/{0016-CVE-2022-38126.patch => 0016-CVE-2022-35205.patch} (94%)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch
--
2.34.1
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 0/8] Patch review
@ 2024-08-04 17:08 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2024-08-04 17:08 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, August 6
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7206
The following changes since commit c6cafd2aa50357c80fbab79741d575ff567c5766:
gcc-runtime: remove bashism (2024-07-31 04:59:21 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Ashish Sharma (1):
gtk+3 : backport fix for CVE-2024-6655
Bruce Ashfield (5):
linux-yocto/5.15: update to v5.15.158
linux-yocto/5.15: update to v5.15.160
linux-yocto/5.15: update to v5.15.161
linux-yocto/5.15: update to v5.15.162
linux-yocto/5.15: update to v5.15.164
Siddharth Doshi (1):
lttng-modules: Upgrade 2.13.9 -> 2.13.14
Soumya Sambu (1):
go: Fix CVE-2024-24789
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.21/CVE-2024-24789.patch | 78 +++++++++++++++++++
.../gtk+/gtk+3/CVE-2024-6655.patch | 39 ++++++++++
meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb | 1 +
.../linux/linux-yocto-rt_5.15.bb | 6 +-
.../linux/linux-yocto-tiny_5.15.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +++----
.../0009-Rename-genhd-wrapper-to-blkdev.patch | 19 +++--
...les_2.13.9.bb => lttng-modules_2.13.14.bb} | 4 +-
9 files changed, 151 insertions(+), 29 deletions(-)
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch
create mode 100644 meta/recipes-gnome/gtk+/gtk+3/CVE-2024-6655.patch
rename meta/recipes-kernel/lttng/{lttng-modules_2.13.9.bb => lttng-modules_2.13.14.bb} (89%)
--
2.34.1
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 0/8] Patch review
@ 2025-04-01 22:36 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-04-01 22:36 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, April 3
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1311
The following changes since commit 453c5c8d9031be2b3a25e2a04e0f5f6325ef7298:
cve-update-nvd2-native: handle missing vulnStatus (2025-03-31 09:13:54 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Deepesh Varatharajan (1):
llvm : Fix CVE-2024-0151
Divya Chellam (1):
zlib: fix CVE-2014-9485
Guocai He (1):
mesa: Update SRC_URI
Haixiao Yan (1):
glibc: Add single-threaded fast path to rand()
Michael Halstead (1):
yocto-uninative: Update to 4.7 for glibc 2.41
Peter Marko (3):
libarchive: ignore CVE-2025-1632
perl: ignore CVE-2023-47038
freetype: patch CVE-2025-27363
meta/conf/distro/include/yocto-uninative.inc | 10 +-
...dd-single-threaded-fast-path-to-rand.patch | 47 +
meta/recipes-core/glibc/glibc_2.35.bb | 1 +
.../zlib/zlib/CVE-2014-9485.patch | 64 +
meta/recipes-core/zlib/zlib_1.2.11.bb | 1 +
.../llvm/llvm/CVE-2024-0151.patch | 1087 +++++++++++++++++
meta/recipes-devtools/llvm/llvm_git.bb | 1 +
meta/recipes-devtools/perl/perl_5.34.3.bb | 2 +
.../libarchive/libarchive_3.6.2.bb | 2 +
.../freetype/freetype/CVE-2025-27363.patch | 44 +
.../freetype/freetype_2.11.1.bb | 1 +
.../recipes-graphics/mesa/mesa-demos_8.4.0.bb | 2 +-
meta/recipes-graphics/mesa/mesa.inc | 2 +-
13 files changed, 1257 insertions(+), 7 deletions(-)
create mode 100644 meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch
create mode 100644 meta/recipes-core/zlib/zlib/CVE-2014-9485.patch
create mode 100644 meta/recipes-devtools/llvm/llvm/CVE-2024-0151.patch
create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2025-27363.patch
--
2.43.0
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 0/8] Patch review
@ 2025-08-13 21:28 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-08-13 21:28 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Friday, August 15
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2196
The following changes since commit bd620eb14660075fd0f7476bbbb65d5da6293874:
build-appliance-image: Update to kirkstone head revision (2025-08-08 06:31:30 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Guocai He (1):
gnupg: disable tests to avoid running target binaries at build time
Hitendra Prajapati (1):
libxslt: fix CVE-2023-40403
Peter Marko (3):
python3: patch CVE-2025-8194
go: ignore CVE-2025-0913
libarchive: patch CVE-2025-5918
Quentin Schulz (1):
go-helloworld: fix license
Yogita Urade (2):
tiff: fix CVE-2025-8176
tiff: fix CVE-2025-8177
meta/recipes-devtools/go/go-1.17.13.inc | 2 +-
.../python/python3/CVE-2025-8194.patch | 219 +++++++++++
.../python/python3_3.10.18.bb | 7 +-
.../go-examples/go-helloworld_0.1.bb | 4 +-
.../0001-FILE-seeking-support-2539.patch | 190 ++++++++++
.../0001-Improve-lseek-handling-2564.patch | 320 ++++++++++++++++
.../libarchive/libarchive/CVE-2025-5918.patch | 217 +++++++++++
.../libarchive/libarchive_3.6.2.bb | 3 +
.../libtiff/tiff/CVE-2025-8176-0001.patch | 61 +++
.../libtiff/tiff/CVE-2025-8176-0002.patch | 31 ++
.../libtiff/tiff/CVE-2025-8176-0003.patch | 28 ++
.../libtiff/tiff/CVE-2025-8177.patch | 35 ++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 4 +
meta/recipes-support/gnupg/gnupg_2.3.7.bb | 1 +
.../libxslt/libxslt/CVE-2023-40403-001.patch | 257 +++++++++++++
.../libxslt/libxslt/CVE-2023-40403-002.patch | 147 ++++++++
.../libxslt/libxslt/CVE-2023-40403-003.patch | 231 ++++++++++++
.../libxslt/libxslt/CVE-2023-40403-004.patch | 349 ++++++++++++++++++
.../libxslt/libxslt/CVE-2023-40403-005.patch | 55 +++
.../recipes-support/libxslt/libxslt_1.1.35.bb | 5 +
20 files changed, 2160 insertions(+), 6 deletions(-)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-8194.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-FILE-seeking-support-2539.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Improve-lseek-handling-2564.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177.patch
create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-001.patch
create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-002.patch
create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-003.patch
create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-004.patch
create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-005.patch
--
2.43.0
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 0/8] Patch review
@ 2025-10-17 20:43 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-10-17 20:43 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, October 21
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2607
The following changes since commit 8f1000d9dad5e51f08a40b0f6650204425cc8efb:
glibc: : PTHREAD_COND_INITIALIZER compatibility with pre-2.41 versions (bug 32786) (2025-10-14 10:35:12 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Bruce Ashfield (4):
linux-yocto/5.15: update to v5.15.188
linux-yocto/5.15: update to v5.15.189
linux-yocto/5.15: update to v5.15.193
linux-yocto/5.15: update to v5.15.194
Peter Marko (1):
python3: upgrade 3.10.18 -> 3.10.19
Rajeshkumar Ramasamy (2):
glib-networking: fix CVE-2025-60018
glib-networking: fix CVE-2025-60019
Saravanan (1):
cmake: fix CVE-2025-9301
.../glib-networking/CVE-2025-60018.patch | 83 +++++++
.../glib-networking/CVE-2025-60019.patch | 137 +++++++++++
.../glib-networking/glib-networking_2.72.2.bb | 2 +
.../cmake/cmake/CVE-2025-9301.patch | 71 ++++++
meta/recipes-devtools/cmake/cmake_3.22.3.bb | 1 +
...e-treat-overflow-in-UID-GID-as-failu.patch | 2 +-
.../python/python3/CVE-2025-8194.patch | 219 ------------------
...{python3_3.10.18.bb => python3_3.10.19.bb} | 3 +-
.../linux/linux-yocto-rt_5.15.bb | 6 +-
.../linux/linux-yocto-tiny_5.15.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +--
11 files changed, 315 insertions(+), 241 deletions(-)
create mode 100644 meta/recipes-core/glib-networking/glib-networking/CVE-2025-60018.patch
create mode 100644 meta/recipes-core/glib-networking/glib-networking/CVE-2025-60019.patch
create mode 100644 meta/recipes-devtools/cmake/cmake/CVE-2025-9301.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-8194.patch
rename meta/recipes-devtools/python/{python3_3.10.18.bb => python3_3.10.19.bb} (99%)
--
2.43.0
^ permalink raw reply [flat|nested] 24+ messages in thread
* [OE-core][kirkstone 0/8] Patch review
@ 2025-11-03 20:59 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-11-03 20:59 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, November 5
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2677
The following changes since commit 99204008786f659ab03538cd2ae2fd23ed4164c5:
build-appliance-image: Update to kirkstone head revision (2025-10-31 06:30:23 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (1):
openssh: fix CVE-2025-61985
Hitendra Prajapati (1):
go: fix CVE-2024-24783
Hongxu Jia (1):
u-boot: fix CVE-2024-42040
Jason Schonberg (1):
Don't use ftp.gnome.org
Peter Marko (3):
wpa-supplicant: patch CVE-2025-24912
binutils: patch CVE-2025-11412
binutils: patch CVE-2025-11413
Praveen Kumar (1):
bind: upgrade 9.18.33 -> 9.18.41
.../u-boot/files/CVE-2024-42040.patch | 56 +++++++++++++
meta/recipes-bsp/u-boot/u-boot-common.inc | 4 +-
.../bind/{bind_9.18.33.bb => bind_9.18.41.bb} | 2 +-
.../openssh/openssh/CVE-2025-61985.patch | 35 ++++++++
.../openssh/openssh_8.9p1.bb | 1 +
.../wpa-supplicant/CVE-2025-24912-01.patch | 79 ++++++++++++++++++
.../wpa-supplicant/CVE-2025-24912-02.patch | 70 ++++++++++++++++
.../wpa-supplicant/wpa-supplicant_2.10.bb | 2 +
.../binutils/binutils-2.38.inc | 2 +
.../binutils/binutils/CVE-2025-11412.patch | 35 ++++++++
.../binutils/binutils/CVE-2025-11413.patch | 38 +++++++++
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.21/CVE-2024-24783.patch | 83 +++++++++++++++++++
.../python/python3-pygobject_3.42.0.bb | 2 +-
meta/recipes-devtools/vala/vala.inc | 2 +-
meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb | 2 +-
meta/recipes-gnome/libgudev/libgudev_237.bb | 2 +-
.../recipes-support/libxslt/libxslt_1.1.35.bb | 2 +-
18 files changed, 411 insertions(+), 7 deletions(-)
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
rename meta/recipes-connectivity/bind/{bind_9.18.33.bb => bind_9.18.41.bb} (97%)
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-61985.patch
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch
--
2.43.0
^ permalink raw reply [flat|nested] 24+ messages in thread
end of thread, other threads:[~2025-11-03 20:59 UTC | newest]
Thread overview: 24+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-04-22 15:54 [OE-core][kirkstone 0/8] Patch review Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 1/8] ruby: CVE-2023-28756 ReDoS vulnerability in Time Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 2/8] curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538 Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 3/8] cargo : non vulnerable cve-2022-46176 added to excluded list Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 4/8] go-runtime: Security fix for CVE-2022-41722 Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 5/8] shadow: backport patch to fix CVE-2023-29383 Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 6/8] go: ignore CVE-2022-41716 Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 7/8] screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs Steve Sakoman
2023-04-22 15:54 ` [OE-core][kirkstone 8/8] go: fix CVE-2023-24537 Infinite loop in parsing Steve Sakoman
-- strict thread matches above, loose matches on Subject: below --
2025-11-03 20:59 [OE-core][kirkstone 0/8] Patch review Steve Sakoman
2025-10-17 20:43 Steve Sakoman
2025-08-13 21:28 Steve Sakoman
2025-04-01 22:36 Steve Sakoman
2024-08-04 17:08 Steve Sakoman
2024-05-24 12:14 Steve Sakoman
2024-03-12 13:53 Steve Sakoman
2024-02-12 13:54 Steve Sakoman
2023-11-29 23:04 Steve Sakoman
2023-09-13 14:30 Steve Sakoman
2023-08-27 20:52 Steve Sakoman
2023-07-24 2:33 Steve Sakoman
2022-10-27 2:36 Steve Sakoman
2022-10-28 2:07 ` Tim Orling
2022-08-09 21:27 Steve Sakoman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox