* [OE-core][kirkstone 00/15] Patch review
@ 2022-06-19 19:30 Steve Sakoman
From: Steve Sakoman @ 2022-06-19 19:30 UTC
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3799
The following changes since commit 0f7a8359ba370c7f5d5153453ed699e9566f5b1d:
rootfs.py: close kernel_abi_ver_file (2022-06-10 05:13:53 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Jack Mitchell (1):
meson.bbclass: add cython binary to cross/native toolchain config
Jose Quaresma (2):
archiver: use bb.note instead of echo
archiver: don't use machine variables in shared recipes
Kai Kang (1):
xxhash: fix build with gcc 12
Mingli Yu (1):
oescripts: change compare logic in OEListPackageconfigTests
Pavel Zhukov (1):
systemd: update 0008-add-missing-FTW_-macros-for-musl.patch
Rasmus Villemoes (1):
e2fsprogs: add alternatives handling of lsattr as well
Richard Purdie (5):
vim: Upgrade 8.2.5034 -> 8.2.5083
uboot-sign: Fix potential index error issues
selftest/multiconfig: Test that multiconfigs in separate layers works
gcc-source: Fix incorrect task dependencies from ${B}
liberror-perl: Update sstate/equiv versions to clean cache
Xiaobing Luo (1):
devtool: Fix _copy_file() TypeError
Yi Zhao (2):
popt: fix override syntax in RDEPENDS
git: fix override syntax in RDEPENDS
meta-selftest/conf/multiconfig/muslmc.conf | 2 ++
meta/classes/archiver.bbclass | 11 ++++++++---
meta/classes/meson.bbclass | 2 ++
meta/classes/uboot-sign.bbclass | 2 ++
meta/lib/oeqa/selftest/cases/multiconfig.py | 13 +++++++++++++
meta/lib/oeqa/selftest/cases/oescripts.py | 3 ++-
.../0008-add-missing-FTW_-macros-for-musl.patch | 8 ++++----
meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.5.bb | 5 ++++-
meta/recipes-devtools/gcc/gcc-common.inc | 2 +-
meta/recipes-devtools/gcc/gcc-source.inc | 1 +
meta/recipes-devtools/git/git_2.35.3.bb | 2 +-
meta/recipes-devtools/perl/liberror-perl_0.17029.bb | 4 ++++
meta/recipes-support/popt/popt_1.18.bb | 2 +-
meta/recipes-support/vim/vim.inc | 4 ++--
meta/recipes-support/xxhash/xxhash_0.8.1.bb | 2 ++
scripts/lib/devtool/standard.py | 2 +-
16 files changed, 50 insertions(+), 15 deletions(-)
create mode 100644 meta-selftest/conf/multiconfig/muslmc.conf
--
2.25.1
* [OE-core][kirkstone 00/15] Patch review
@ 2022-07-27 0:40 Steve Sakoman
From: Steve Sakoman @ 2022-07-27 0:40 UTC
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3979
The following changes since commit f1c2e21a28f8ad5dc6ff7b0db877aa22e01a9e00:
pulseaudio: add m4-native to DEPENDS (2022-07-17 16:59:57 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexander Kanavin (1):
gnupg: update 2.3.4 -> 2.3.6
Joshua Watt (1):
sstatesig: Include all dependencies in SPDX task signatures
Khem Raj (2):
lua: Backport fix for CVE-2022-33099
gcc-runtime: Pass -nostartfiles when building dummy libstdc++.so
Ming Liu (1):
rootfs-postcommands.bbclass: move host-user-contaminated.txt to ${S}
Naveen (1):
gcc: Backport a fix for gcc bug 105039
Richard Purdie (1):
vim: Upgrade 9.0.0021 -> 9.0.0063
Sakib Sajal (3):
dpkg: fix CVE-2022-1664
go: update v1.17.10 -> v1.17.12
git: upgrade v2.35.3 -> v2.35.4
Tom Hochstein (1):
gobject-introspection-data: Disable cache for g-ir-scanner
Yi Zhao (1):
tiff: Security fixes CVE-2022-1354 and CVE-2022-1355
Yue Tao (1):
gnupg: upgrade to 2.3.7 to fix CVE-2022-34903
wangmy (2):
bind: upgrade 9.18.2 -> 9.18.3
bind: upgrade 9.18.3 -> 9.18.4
.../gobject-introspection-data.bbclass | 5 +
meta/classes/rootfs-postcommands.bbclass | 2 +-
meta/lib/oe/sstatesig.py | 9 +
...1-avoid-start-failure-with-bind-user.patch | 0
...d-V-and-start-log-hide-build-options.patch | 0
...ching-for-json-headers-searches-sysr.patch | 0
.../bind/{bind-9.18.2 => bind-9.18.4}/bind9 | 0
.../{bind-9.18.2 => bind-9.18.4}/conf.patch | 0
.../generate-rndc-key.sh | 0
...t.d-add-support-for-read-only-rootfs.patch | 0
.../make-etc-initd-bind-stop-work.patch | 0
.../named.service | 0
.../bind/{bind_9.18.2.bb => bind_9.18.4.bb} | 2 +-
...ive-Prevent-directory-traversal-for-.patch | 328 ++++++++++++++++++
meta/recipes-devtools/dpkg/dpkg_1.21.4.bb | 1 +
meta/recipes-devtools/gcc/gcc-11.3.inc | 2 +-
meta/recipes-devtools/gcc/gcc-runtime.inc | 3 +-
.../gcc/gcc/0030-rust-recursion-limit.patch | 92 +++++
.../git/{git_2.35.3.bb => git_2.35.4.bb} | 2 +-
.../go/{go-1.17.10.inc => go-1.17.12.inc} | 2 +-
...1.17.10.bb => go-binary-native_1.17.12.bb} | 4 +-
....17.10.bb => go-cross-canadian_1.17.12.bb} | 0
...o-cross_1.17.10.bb => go-cross_1.17.12.bb} | 0
...ssdk_1.17.10.bb => go-crosssdk_1.17.12.bb} | 0
...native_1.17.10.bb => go-native_1.17.12.bb} | 0
...ntime_1.17.10.bb => go-runtime_1.17.12.bb} | 0
.../go/{go_1.17.10.bb => go_1.17.12.bb} | 0
.../lua/lua/CVE-2022-33099.patch | 61 ++++
meta/recipes-devtools/lua/lua_5.4.4.bb | 1 +
.../gobject-introspection_1.72.0.bb | 3 -
.../libtiff/tiff/CVE-2022-1354.patch | 212 +++++++++++
.../libtiff/tiff/CVE-2022-1355.patch | 62 ++++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 2 +
...-a-custom-value-for-the-location-of-.patch | 6 +-
.../0003-dirmngr-uses-libgpg-error.patch | 29 --
.../gnupg/gnupg/relocate.patch | 18 +-
.../gnupg/{gnupg_2.3.4.bb => gnupg_2.3.7.bb} | 3 +-
.../vim/files/crosscompile.patch | 51 +++
meta/recipes-support/vim/files/racefix.patch | 12 +-
meta/recipes-support/vim/vim.inc | 9 +-
40 files changed, 860 insertions(+), 61 deletions(-)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/0001-avoid-start-failure-with-bind-user.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/0001-named-lwresd-V-and-start-log-hide-build-options.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/bind-ensure-searching-for-json-headers-searches-sysr.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/bind9 (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/conf.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/generate-rndc-key.sh (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/init.d-add-support-for-read-only-rootfs.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/make-etc-initd-bind-stop-work.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.2 => bind-9.18.4}/named.service (100%)
rename meta/recipes-connectivity/bind/{bind_9.18.2.bb => bind_9.18.4.bb} (98%)
create mode 100644 meta/recipes-devtools/dpkg/dpkg/0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch
create mode 100644 meta/recipes-devtools/gcc/gcc/0030-rust-recursion-limit.patch
rename meta/recipes-devtools/git/{git_2.35.3.bb => git_2.35.4.bb} (98%)
rename meta/recipes-devtools/go/{go-1.17.10.inc => go-1.17.12.inc} (92%)
rename meta/recipes-devtools/go/{go-binary-native_1.17.10.bb => go-binary-native_1.17.12.bb} (83%)
rename meta/recipes-devtools/go/{go-cross-canadian_1.17.10.bb => go-cross-canadian_1.17.12.bb} (100%)
rename meta/recipes-devtools/go/{go-cross_1.17.10.bb => go-cross_1.17.12.bb} (100%)
rename meta/recipes-devtools/go/{go-crosssdk_1.17.10.bb => go-crosssdk_1.17.12.bb} (100%)
rename meta/recipes-devtools/go/{go-native_1.17.10.bb => go-native_1.17.12.bb} (100%)
rename meta/recipes-devtools/go/{go-runtime_1.17.10.bb => go-runtime_1.17.12.bb} (100%)
rename meta/recipes-devtools/go/{go_1.17.10.bb => go_1.17.12.bb} (100%)
create mode 100644 meta/recipes-devtools/lua/lua/CVE-2022-33099.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
delete mode 100644 meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
rename meta/recipes-support/gnupg/{gnupg_2.3.4.bb => gnupg_2.3.7.bb} (95%)
create mode 100644 meta/recipes-support/vim/files/crosscompile.patch
--
2.25.1
* [OE-core][kirkstone 00/15] Patch review
@ 2023-05-06 15:24 Steve Sakoman
From: Steve Sakoman @ 2023-05-06 15:24 UTC
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5269
The following changes since commit 2d67702bdfc64358d364dd6484ae41842ee7c52f:
glibc: stable 2.35 branch updates. (2023-04-28 03:55:33 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Arturo Buzarra (1):
run-postinsts: Set dependency for ldconfig to avoid boot issues
Deepthi Hemraj (4):
binutils : Fix CVE-2023-25584
binutils : Fix CVE-2023-25585
binutils : Fix CVE-2023-1972
binutils : Fix CVE-2023-25588
Hitendra Prajapati (1):
connman: fix CVE-2023-28488 DoS in client.c
Kai Kang (1):
webkitgtk: fix CVE-2022-32888 & CVE-2022-32923
Narpat Mali (2):
ffmpeg: fix for CVE-2022-48434
python3-cryptography: fix for CVE-2023-23931
Randolph Sapp (2):
wic/bootimg-efi: if fixed-size is set then use that for mkdosfs
kernel-devicetree: allow specification of dtb directory
Ranjitsinh Rathod (1):
libbsd: Add correct license for all packages
Shubham Kulkarni (1):
go: Security fix for CVE-2023-24538
Vivek Kumbhar (2):
freetype: fix CVE-2023-2004 integer overflowin in
tt_hvadvance_adjust() in src/truetype/ttgxvar.c
go: fix CVE-2023-24534 denial of service from excessive memory
allocation
meta/classes/kernel-devicetree.bbclass | 22 +-
meta/classes/kernel.bbclass | 2 +
.../connman/connman/CVE-2023-28488.patch | 60 ++
.../connman/connman_1.41.bb | 1 +
.../binutils/binutils-2.38.inc | 6 +
.../binutils/0022-CVE-2023-25584-1.patch | 56 ++
.../binutils/0022-CVE-2023-25584-2.patch | 38 ++
.../binutils/0022-CVE-2023-25584-3.patch | 534 ++++++++++++++++++
.../binutils/0023-CVE-2023-25585.patch | 54 ++
.../binutils/0025-CVE-2023-25588.patch | 147 +++++
.../binutils/0026-CVE-2023-1972.patch | 41 ++
meta/recipes-devtools/go/go-1.17.13.inc | 2 +
.../go/go-1.18/CVE-2023-24534.patch | 200 +++++++
.../go/go-1.18/CVE-2023-24538.patch | 208 +++++++
.../python3-cryptography/CVE-2023-23931.patch | 49 ++
.../python/python3-cryptography_36.0.2.bb | 1 +
.../run-postinsts/run-postinsts.service | 2 +-
.../freetype/freetype/CVE-2023-2004.patch | 41 ++
.../freetype/freetype_2.11.1.bb | 1 +
.../ffmpeg/ffmpeg/CVE-2022-48434.patch | 130 +++++
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 3 +-
.../webkit/webkitgtk/CVE-2022-32888.patch | 41 ++
.../webkit/webkitgtk/CVE-2022-32923.patch | 435 ++++++++++++++
meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 2 +
meta/recipes-support/libbsd/libbsd_0.11.5.bb | 7 +
scripts/lib/wic/plugins/source/bootimg-efi.py | 7 +
26 files changed, 2083 insertions(+), 7 deletions(-)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch
create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch
create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch
create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch
--
2.34.1
* [OE-core][kirkstone 00/15] Patch review
@ 2023-05-09 22:32 Steve Sakoman
From: Steve Sakoman @ 2023-05-09 22:32 UTC
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5285
The following changes since commit 5fca673d8fe0ee97dc37ed2c9941696842cd667a:
run-postinsts: Set dependency for ldconfig to avoid boot issues (2023-05-08 04:15:11 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (2):
git: fix CVE-2023-29007
git: fix CVE-2023-25652
Bruce Ashfield (1):
kernel: improve initramfs bundle processing time
Dmitry Baryshkov (1):
linux-firmware: upgrade 20230210 -> 20230404
Martin Jansa (1):
populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO
override
Peter Bergin (1):
update-alternatives.bbclass: fix old override syntax
Peter Marko (1):
libxml2: patch CVE-2023-28484 and CVE-2023-29469
Piotr Łobacz (1):
libarchive: Enable acls, xattr for native as well as target
Steve Sakoman (1):
Revert "xserver-xorg: backport fix for CVE-2023-1393"
Thomas Roos (1):
oeqa/utils/metadata.py: Fix running oe-selftest running with no distro
set
Wang Mingyu (2):
wpebackend-fdo: upgrade 1.14.0 -> 1.14.2
xserver-xorg: upgrade 21.1.7 -> 21.1.8
Yoann Congal (1):
linux-yocto: Exclude 121 CVEs already fixed upstream
Zhixiong Chi (1):
libpam: Fix the xtests/tst-pam_motd[1|3] failures
bkylerussell@gmail.com (1):
kernel-devsrc: depend on python3-core instead of python3
meta/classes/kernel.bbclass | 2 +-
meta/classes/populate_sdk_ext.bbclass | 3 +-
meta/classes/update-alternatives.bbclass | 4 +-
meta/lib/oeqa/utils/metadata.py | 6 +-
.../libxml/libxml2/CVE-2023-28484.patch | 79 ++
.../libxml/libxml2/CVE-2023-29469.patch | 42 +
meta/recipes-core/libxml/libxml2_2.9.14.bb | 2 +
.../git/git/CVE-2023-25652.patch | 94 ++
.../git/git/CVE-2023-29007.patch | 162 ++++
meta/recipes-devtools/git/git_2.35.7.bb | 2 +
.../libarchive/libarchive_3.6.2.bb | 6 +-
...rely-on-all-filesystems-providing-a-.patch | 108 +++
meta/recipes-extended/pam/libpam_1.5.2.bb | 1 +
...posite-Fix-use-after-free-of-the-COW.patch | 46 -
...-xorg_21.1.7.bb => xserver-xorg_21.1.8.bb} | 5 +-
...20230210.bb => linux-firmware_20230404.bb} | 6 +-
meta/recipes-kernel/linux/cve-exclusion.inc | 875 ++++++++++++++++++
meta/recipes-kernel/linux/kernel-devsrc.bb | 2 +-
meta/recipes-kernel/linux/linux-yocto.inc | 3 +
...fdo_1.14.0.bb => wpebackend-fdo_1.14.2.bb} | 2 +-
20 files changed, 1384 insertions(+), 66 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2023-25652.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2023-29007.patch
create mode 100644 meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch
rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_21.1.7.bb => xserver-xorg_21.1.8.bb} (80%)
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230210.bb => linux-firmware_20230404.bb} (99%)
create mode 100644 meta/recipes-kernel/linux/cve-exclusion.inc
rename meta/recipes-sato/webkit/{wpebackend-fdo_1.14.0.bb => wpebackend-fdo_1.14.2.bb} (90%)
--
2.34.1
* [OE-core][kirkstone 00/15] Patch review
@ 2023-12-08 2:33 Steve Sakoman
From: Steve Sakoman @ 2023-12-08 2:33 UTC
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Monday, December 11
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6300
The following changes since commit 11da43b58e19583a9bc16044309610cfb2e86469:
systemtap_git: fix used uninitialized error (2023-11-28 05:11:52 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Bruce Ashfield (3):
linux-yocto/5.10: update to v5.10.198
linux-yocto/5.10: update to v5.10.200
linux-yocto/5.10: update to v5.10.202
Lee Chee Yang (1):
xwayland: fix CVE-2023-5367
Narpat Mali (1):
python3-cryptography: fix CVE-2023-49083
Niko Mauno (1):
rust-llvm: Allow overriding LLVM target archs
Richard Purdie (5):
rust-common: Set llvm-target correctly for cross SDK targets
rust-cross-canadian: Fix ordering of target json config generation
rust-cross/rust-common: Merge arm target handling code to fix
cross-canadian
rust-cross: Simplfy the rust_gen_target calls
native: Clear TUNE_FEATURES/ABIEXTENSION
Steve Sakoman (1):
cve-exclusion_5.10.inc: update for 5.10.202
Tim Orling (1):
vim: upgrade 9.0.2068 -> 9.0.2130
Vivek Kumbhar (1):
libsndfile: fix CVE-2022-33065 Signed integer overflow in src/mat4.c
Wenlin Kang (1):
bash: changes to SIGINT handler while waiting for a child
meta/classes/native.bbclass | 2 +
.../python3-cryptography/CVE-2023-49083.patch | 53 ++++
.../python/python3-cryptography_36.0.2.bb | 1 +
meta/recipes-devtools/rust/rust-common.inc | 24 +-
.../rust/rust-cross-canadian-common.inc | 5 +-
meta/recipes-devtools/rust/rust-cross.inc | 21 +-
meta/recipes-devtools/rust/rust-llvm.inc | 4 +-
...T-handler-while-waiting-for-a-child-.patch | 229 ++++++++++++++++++
meta/recipes-extended/bash/bash_5.1.16.bb | 1 +
.../xwayland/xwayland/CVE-2023-5367.patch | 85 +++++++
.../xwayland/xwayland_22.1.8.bb | 4 +-
.../linux/cve-exclusion_5.10.inc | 92 +++++--
.../linux/linux-yocto-rt_5.10.bb | 6 +-
.../linux/linux-yocto-tiny_5.10.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +-
.../libsndfile1/CVE-2022-33065.patch | 46 ++++
.../libsndfile/libsndfile1_1.0.31.bb | 1 +
meta/recipes-support/vim/vim.inc | 4 +-
18 files changed, 542 insertions(+), 68 deletions(-)
create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
create mode 100644 meta/recipes-extended/bash/bash/0001-changes-to-SIGINT-handler-while-waiting-for-a-child-.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-5367.patch
create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch
--
2.34.1
* [OE-core][kirkstone 00/15] Patch review
@ 2024-03-20 16:09 Steve Sakoman
From: Steve Sakoman @ 2024-03-20 16:09 UTC
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Friday, March 22
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6699
The following changes since commit 2501534c9581c6c3439f525d630be11554a57d24:
build-appliance-image: Update to kirkstone head revision (2024-03-13 07:39:46 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alex Kiernan (1):
wireless-regdb: Upgrade 2023.09.01 -> 2024.01.23
Alexander Kanavin (1):
linux-firmware: upgrade 20231211 -> 20240220
Haitao Liu (1):
glibc: Fix subscript typos for get_nscd_addresses
Martin Jansa (1):
stress-ng: avoid calling sync during do_compile
Meenali Gupta (1):
expat: fix CVE-2023-52426
Michael Halstead (1):
yocto-uninative: Update to 4.4 for glibc 2.39
Peter Marko (1):
expat: patch CVE-2024-28757
Vijay Anusuri (1):
python3-cryptography: Backport fix for CVE-2024-26130
Wang Mingyu (1):
wireless-regdb: upgrade 2023.05.03 -> 2023.09.01
Yoann Congal (6):
cve-update-nvd2-native: Fix typo in comment
cve-update-nvd2-native: Add an age threshold for incremental update
cve-update-nvd2-native: Remove duplicated CVE_CHECK_DB_FILE definition
cve-update-nvd2-native: nvd_request_next: Improve comment
cve-update-nvd2-native: Fix CVE configuration update
cve-update-nvd2-native: Remove rejected CVE from database
meta/conf/distro/include/yocto-uninative.inc | 10 +-
.../expat/expat/CVE-2023-52426-001.patch | 35 ++
.../expat/expat/CVE-2023-52426-002.patch | 72 +++
.../expat/expat/CVE-2023-52426-003.patch | 28 ++
.../expat/expat/CVE-2023-52426-004.patch | 429 ++++++++++++++++++
.../expat/expat/CVE-2023-52426-005.patch | 34 ++
.../expat/expat/CVE-2023-52426-006.patch | 174 +++++++
.../expat/expat/CVE-2023-52426-007.patch | 53 +++
.../expat/expat/CVE-2023-52426-008.patch | 37 ++
.../expat/expat/CVE-2023-52426-009.patch | 354 +++++++++++++++
.../expat/expat/CVE-2023-52426-010.patch | 50 ++
.../expat/expat/CVE-2023-52426-011.patch | 45 ++
.../expat/expat/CVE-2024-28757.patch | 58 +++
meta/recipes-core/expat/expat_2.5.0.bb | 12 +
...dresses-Fix-subscript-typos-BZ-29605.patch | 40 ++
meta/recipes-core/glibc/glibc_2.35.bb | 1 +
.../meta/cve-update-nvd2-native.bb | 35 +-
.../python3-cryptography/CVE-2024-26130.patch | 66 +++
.../python/python3-cryptography_36.0.2.bb | 1 +
.../0001-Makefile-avoid-calling-sync.patch | 35 ++
.../stress-ng/stress-ng_0.13.12.bb | 1 +
...20231211.bb => linux-firmware_20240220.bb} | 6 +-
....05.03.bb => wireless-regdb_2024.01.23.bb} | 4 +-
23 files changed, 1562 insertions(+), 18 deletions(-)
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-001.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-002.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-003.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-004.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-005.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-006.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-007.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-008.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-009.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-010.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-011.patch
create mode 100755 meta/recipes-core/expat/expat/CVE-2024-28757.patch
create mode 100644 meta/recipes-core/glibc/glibc/0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch
create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
create mode 100644 meta/recipes-extended/stress-ng/stress-ng-0.13.12/0001-Makefile-avoid-calling-sync.patch
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20231211.bb => linux-firmware_20240220.bb} (99%)
rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.05.03.bb => wireless-regdb_2024.01.23.bb} (88%)
--
2.34.1
* [OE-core][kirkstone 00/15] Patch review
@ 2024-09-23 13:13 Steve Sakoman
From: Steve Sakoman @ 2024-09-23 13:13 UTC
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, September 24
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7353
The following changes since commit 88630352d6d1cfee06787fa84b73ca8ad335cb08:
libedit: Make docs generation deterministic (2024-09-11 05:03:48 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Colin McAllister (2):
busybox: Fix cut with "-s" flag
udev-extraconf: Add collect flag to mount
Divya Chellam (1):
python3: Upgrade 3.10.14 -> 3.10.15
Konrad Weihmann (3):
runqemu: keep generating tap devices
testimage: fallback for empty IMAGE_LINK_NAME
testexport: fallback for empty IMAGE_LINK_NAME
Michael Halstead (2):
yocto-uninative: Update to 4.5 for gcc 14
yocto-uninative: Update to 4.6 for glibc 2.40
Pedro Ferreira (2):
buildhistory: Fix intermittent package file list creation
buildhistory: Restoring files from preserve list
Richard Purdie (1):
buildhistory: Simplify intercept call sites and drop
SSTATEPOSTINSTFUNC usage
Rohini Sangam (1):
cups: Security fix for CVE-2024-35235
Ross Burton (1):
lib/oeqa: rename assertRaisesRegexp to assertRaisesRegex
Vijay Anusuri (1):
libpcap: Security fix for CVE-2023-7256 & CVE-2024-8006
Vivek Kumbhar (1):
webkitgtk: Security fix CVE-2024-40779
meta/classes/buildhistory.bbclass | 71 ++-
meta/classes/sstate.bbclass | 5 +-
meta/classes/testexport.bbclass | 2 +-
meta/classes/testimage.bbclass | 4 +-
meta/conf/distro/include/yocto-uninative.inc | 10 +-
meta/lib/oeqa/selftest/cases/runcmd.py | 4 +-
.../libpcap/libpcap/CVE-2023-7256-pre1.patch | 99 ++++
.../libpcap/libpcap/CVE-2023-7256-pre2.patch | 131 +++++
.../libpcap/libpcap/CVE-2023-7256-pre3.patch | 67 +++
.../libpcap/libpcap/CVE-2023-7256-pre4.patch | 37 ++
.../libpcap/libpcap/CVE-2023-7256.patch | 368 +++++++++++++
.../libpcap/libpcap/CVE-2024-8006.patch | 42 ++
.../libpcap/libpcap_1.10.1.bb | 10 +-
...1-cut-Fix-s-flag-to-omit-blank-lines.patch | 66 +++
meta/recipes-core/busybox/busybox_1.35.0.bb | 1 +
.../recipes-core/udev/udev-extraconf/mount.sh | 2 +-
.../python/python3/CVE-2023-27043.patch | 510 ------------------
.../python/python3/CVE-2024-6232.patch | 251 ---------
.../python/python3/CVE-2024-7592.patch | 140 -----
.../python/python3/CVE-2024-8088.patch | 124 -----
...{python3_3.10.14.bb => python3_3.10.15.bb} | 6 +-
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2024-35235.patch | 121 +++++
.../webkit/webkitgtk/CVE-2024-40779.patch | 91 ++++
meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 +
scripts/runqemu | 24 +-
26 files changed, 1109 insertions(+), 1079 deletions(-)
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre2.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre3.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre4.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch
create mode 100644 meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2023-27043.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-6232.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-7592.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-8088.patch
rename meta/recipes-devtools/python/{python3_3.10.14.bb => python3_3.10.15.bb} (98%)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-35235.patch
create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch
--
2.34.1
* [OE-core][kirkstone 01/15] libpcap: Security fix for CVE-2023-7256 & CVE-2024-8006
@ 2024-09-23 13:13 Steve Sakoman
From: Steve Sakoman @ 2024-09-23 13:13 UTC
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Reference:
https://security-tracker.debian.org/tracker/CVE-2023-7256
https://security-tracker.debian.org/tracker/CVE-2024-8006
Upstream commits:
https://github.com/the-tcpdump-group/libpcap/commit/ba493d37d418b126d7357df553bd065cbc99384e
https://github.com/the-tcpdump-group/libpcap/commit/f72f48a26abdd2eb11a4a8fb3596ee67b8f8cbe6
https://github.com/the-tcpdump-group/libpcap/commit/c1ceab8f191031a81996035af20685e6f9b7f1b7
https://github.com/the-tcpdump-group/libpcap/commit/73da0d4d65ef0925772b7b7f82a5fbb3ff2c5e4f
https://github.com/the-tcpdump-group/libpcap/commit/2aa69b04d8173b18a0e3492e0c8f2f7fabdf642d
https://github.com/the-tcpdump-group/libpcap/commit/8a633ee5b9ecd9d38a587ac9b204e2380713b0d6
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libpcap/libpcap/CVE-2023-7256-pre1.patch | 99 +++++
.../libpcap/libpcap/CVE-2023-7256-pre2.patch | 131 +++++++
.../libpcap/libpcap/CVE-2023-7256-pre3.patch | 67 ++++
.../libpcap/libpcap/CVE-2023-7256-pre4.patch | 37 ++
.../libpcap/libpcap/CVE-2023-7256.patch | 368 ++++++++++++++++++
.../libpcap/libpcap/CVE-2024-8006.patch | 42 ++
.../libpcap/libpcap_1.10.1.bb | 10 +-
7 files changed, 753 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre2.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre3.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre4.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch
create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch
diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch
new file mode 100644
index 0000000000..6965034656
--- /dev/null
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch
@@ -0,0 +1,99 @@
+From f72f48a26abdd2eb11a4a8fb3596ee67b8f8cbe6 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Wed, 21 Jul 2021 23:50:32 -0700
+Subject: [PATCH] rpcap: don't do pointless integer->string and then
+ string->integer conversions.
+
+The string->integer conversion was also broken, as it passed a pointer
+to a 16-bit integer to a sscanf() call that used %d rather than %hd.
+It'd overwrite 2 bytes past the 16-bit integer; it may set the integer
+"correctly" on a little-endian, but wouldn't even do *that* on a
+big-endian machine.
+
+(cherry picked from commit efaddfe8eae4dab252bb2d35e004a40e4b72db24)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/f72f48a26abdd2eb11a4a8fb3596ee67b8f8cbe6]
+CVE: CVE-2023-7256 #Dependency Patch1
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pcap-rpcap.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/pcap-rpcap.c b/pcap-rpcap.c
+index 225b420904..f5c126dbc1 100644
+--- a/pcap-rpcap.c
++++ b/pcap-rpcap.c
+@@ -1060,7 +1060,7 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
+ char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
+ int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
+- char portdata[PCAP_BUF_SIZE]; /* temp variable needed to keep the network port for the data connection */
++ uint16 portdata = 0; /* temp variable needed to keep the network port for the data connection */
+ uint32 plen;
+ int active = 0; /* '1' if we're in active mode */
+ struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */
+@@ -1073,6 +1073,8 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */
+ socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */
+ int ai_family; /* temp, keeps the address family used by the control connection */
++ struct sockaddr_in *sin4;
++ struct sockaddr_in6 *sin6;
+
+ /* RPCAP-related variables*/
+ struct rpcap_header header; /* header of the RPCAP packet */
+@@ -1171,11 +1173,22 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ goto error_nodiscard;
+ }
+
+- /* Get the local port the system picked up */
+- if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL,
+- 0, portdata, sizeof(portdata), NI_NUMERICSERV))
+- {
+- sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
++ switch (saddr.ss_family) {
++
++ case AF_INET:
++ sin4 = (struct sockaddr_in *)&saddr;
++ portdata = sin4->sin_port;
++ break;
++
++ case AF_INET6:
++ sin6 = (struct sockaddr_in6 *)&saddr;
++ portdata = sin6->sin6_port;
++ break;
++
++ default:
++ snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
++ "Local address has unknown address family %u",
++ saddr.ss_family);
+ goto error_nodiscard;
+ }
+ }
+@@ -1208,8 +1221,7 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ /* portdata on the openreq is meaningful only if we're in active mode */
+ if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
+ {
+- sscanf(portdata, "%d", (int *)&(startcapreq->portdata)); /* cast to avoid a compiler warning */
+- startcapreq->portdata = htons(startcapreq->portdata);
++ startcapreq->portdata = portdata;
+ }
+
+ startcapreq->snaplen = htonl(fp->snapshot);
+@@ -1258,13 +1270,15 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ {
+ if (!active)
+ {
++ char portstring[PCAP_BUF_SIZE];
++
+ memset(&hints, 0, sizeof(struct addrinfo));
+ hints.ai_family = ai_family; /* Use the same address family of the control socket */
+ hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM;
+- snprintf(portdata, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata));
++ snprintf(portstring, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata));
+
+ /* Let's the server pick up a free network port for us */
+- if (sock_initaddress(host, portdata, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
++ if (sock_initaddress(host, portstring, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
+ goto error;
+
+ if ((sockdata = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
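Review bot: In pcap_startcapture_remote(), `portdata` is now a `uint16` filled straight from `sin4->sin_port` / `sin6->sin6_port` and copied into `startcapreq->portdata` with the old `htons()` removed, so it holds a network-byte-order value, yet its declaration comment still only says it keeps "the network port for the data connection". Add "in network byte order" to that comment so a later change does not reintroduce a conversion. The removed `sscanf(portdata, "%d", (int *)&(startcapreq->portdata))` wrote an int through a pointer to a 16-bit field, which the commit message itself describes as overwriting 2 bytes past it, so this prerequisite is a memory-safety fix in its own right and the header could say so instead of only "#Dependency Patch1".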
diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre2.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre2.patch
new file mode 100644
index 0000000000..618480f10e
--- /dev/null
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre2.patch
@@ -0,0 +1,131 @@
+From ba493d37d418b126d7357df553bd065cbc99384e Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Sun, 31 Jul 2022 11:30:43 -0700
+Subject: [PATCH] rpcap: improve error messages for host and port resolution
+ errors.
+
+If we don't want a particular port nuber in a sock_initaddress() call,
+pass NULL rather than "0". If the service name parameter passsed to
+sock_initaddress() is NULL, pass "0" as the service name parameter to
+getaddrinfo().
+
+Have get_gai_errstring() precede the host/port name information with an
+indication as to whethe it's a host name, port name, or host name and
+port name. Don't say "host name" for EAI_NONAME; rely on the
+description get_gai_errstring() provides. If there's only a port
+number, don't preceded it with ":" in get_gai_errstring().
+
+This makes the error message reported if a host and port are provided
+not say that the host name couldn't be resolved, because it could be a
+problem with the port name (sadly, getaddinfo() doesn't indicate which
+is the one with the problem).
+
+It also makes the error message reported if only a port is provided not
+say that it's a problem with the host name or show the "host name" as
+":<port>".
+
+(cherry picked from commit 33cf6fb70a13a982d70f6a5e5e63aa765073c8e8)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/ba493d37d418b126d7357df553bd065cbc99384e]
+CVE: CVE-2023-7256 #Dependency Patch2
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pcap-rpcap.c | 6 +++---
+ rpcapd/daemon.c | 4 ++--
+ sockutils.c | 19 ++++++++++++++-----
+ 3 files changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/pcap-rpcap.c b/pcap-rpcap.c
+index 889ade32f6..b68af65d52 100644
+--- a/pcap-rpcap.c
++++ b/pcap-rpcap.c
+@@ -1020,7 +1020,7 @@ rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+
+- retval = sock_initaddress(host, "0", &hints, &addrinfo, errbuf,
++ retval = sock_initaddress(host, NULL, &hints, &addrinfo, errbuf,
+ PCAP_ERRBUF_SIZE);
+ if (retval != 0)
+ {
+@@ -1172,7 +1172,7 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ hints.ai_flags = AI_PASSIVE; /* Data connection is opened by the server toward the client */
+
+ /* Let's the server pick up a free network port for us */
+- if (sock_initaddress(NULL, "0", &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
++ if (sock_initaddress(NULL, NULL, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
+ goto error_nodiscard;
+
+ if ((sockdata = sock_open(addrinfo, SOCKOPEN_SERVER,
+@@ -3024,7 +3024,7 @@ int pcap_remoteact_close(const char *host, char *errbuf)
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+
+- retval = sock_initaddress(host, "0", &hints, &addrinfo, errbuf,
++ retval = sock_initaddress(host, NULL, &hints, &addrinfo, errbuf,
+ PCAP_ERRBUF_SIZE);
+ if (retval != 0)
+ {
+diff --git a/rpcapd/daemon.c b/rpcapd/daemon.c
+index 362f4b9bb0..4b91a43242 100644
+--- a/rpcapd/daemon.c
++++ b/rpcapd/daemon.c
+@@ -2085,8 +2085,8 @@ daemon_msg_startcap_req(uint8 ver, struct daemon_slpars *pars, uint32 plen,
+ {
+ hints.ai_flags = AI_PASSIVE;
+
+- // Let's the server socket pick up a free network port for us
+- if (sock_initaddress(NULL, "0", &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1)
++ // Make the server socket pick up a free network port for us
++ if (sock_initaddress(NULL, NULL, &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1)
+ goto error;
+
+ if ((session->sockdata = sock_open(addrinfo, SOCKOPEN_SERVER, 1 /* max 1 connection in queue */, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+diff --git a/sockutils.c b/sockutils.c
+index a34f0d1738..ca5b683720 100644
+--- a/sockutils.c
++++ b/sockutils.c
+@@ -548,13 +548,13 @@ get_gai_errstring(char *errbuf, int errbuflen, const char *prefix, int err,
+ char hostport[PCAP_ERRBUF_SIZE];
+
+ if (hostname != NULL && portname != NULL)
+- snprintf(hostport, PCAP_ERRBUF_SIZE, "%s:%s",
++ snprintf(hostport, PCAP_ERRBUF_SIZE, "host and port %s:%s",
+ hostname, portname);
+ else if (hostname != NULL)
+- snprintf(hostport, PCAP_ERRBUF_SIZE, "%s",
++ snprintf(hostport, PCAP_ERRBUF_SIZE, "host %s",
+ hostname);
+ else if (portname != NULL)
+- snprintf(hostport, PCAP_ERRBUF_SIZE, ":%s",
++ snprintf(hostport, PCAP_ERRBUF_SIZE, "port %s",
+ portname);
+ else
+ snprintf(hostport, PCAP_ERRBUF_SIZE, "<no host or port!>");
+@@ -618,7 +618,7 @@ get_gai_errstring(char *errbuf, int errbuflen, const char *prefix, int err,
+
+ case EAI_NONAME:
+ snprintf(errbuf, errbuflen,
+- "%sThe host name %s couldn't be resolved",
++ "%sThe %s couldn't be resolved",
+ prefix, hostport);
+ break;
+
+@@ -720,7 +720,16 @@ int sock_initaddress(const char *host, const char *port,
+ {
+ int retval;
+
+- retval = getaddrinfo(host, port, hints, addrinfo);
++ /*
++ * We allow both the host and port to be null, but getaddrinfo()
++ * is not guaranteed to do so; to handle that, if port is null,
++ * we provide "0" as the port number.
++ *
++ * This results in better error messages from get_gai_errstring(),
++ * as those messages won't talk about a problem with the port if
++ * no port was specified.
++ */
++ retval = getaddrinfo(host, port == NULL ? "0" : port, hints, addrinfo);
+ if (retval != 0)
+ {
+ if (errbuf)
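Review bot: In the sock_initaddress() hunk only getaddrinfo() sees the substituted "0"; the error path still receives the original NULL `port` (the `get_gai_errstring(errbuf, errbuflen, "", retval, host, port)` call that the next patch in the series rewrites). For the two callers changed here to `sock_initaddress(NULL, NULL, ...)`, in pcap_startcapture_remote() and daemon_msg_startcap_req(), a failure is therefore formatted through the `<no host or port!>` branch, and with the reworded EAI_NONAME case it would read "The <no host or port!> couldn't be resolved". Give the both-NULL case its own wording, for example one that names the passive/wildcard address, so the message stays usable when these calls fail.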
diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre3.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre3.patch
new file mode 100644
index 0000000000..12d42fb252
--- /dev/null
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre3.patch
@@ -0,0 +1,67 @@
+From c1ceab8f191031a81996035af20685e6f9b7f1b7 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Sun, 31 Jul 2022 11:54:22 -0700
+Subject: [PATCH] rpcap: try to distringuish between host and port errors.
+
+getaddrinfo() won't do it for us, so do it ourselves.
+
+(cherry picked from commit a83992a1bec91661b2f0e1a6fc910343793a97f1)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/c1ceab8f191031a81996035af20685e6f9b7f1b7]
+CVE: CVE-2023-7256 #Dependency Patch3
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ sockutils.c | 40 ++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/sockutils.c b/sockutils.c
+index ca5b683720..84024ac67d 100644
+--- a/sockutils.c
++++ b/sockutils.c
+@@ -734,8 +734,44 @@ int sock_initaddress(const char *host, const char *port,
+ {
+ if (errbuf)
+ {
+- get_gai_errstring(errbuf, errbuflen, "", retval,
+- host, port);
++ if (host != NULL && port != NULL) {
++ /*
++ * Try with just a host, to distinguish
++ * between "host is bad" and "port is
++ * bad".
++ */
++ int try_retval;
++
++ try_retval = getaddrinfo(host, NULL, hints,
++ addrinfo);
++ if (try_retval == 0) {
++ /*
++ * Worked with just the host,
++ * so assume the problem is
++ * with the port.
++ *
++ * Free up the addres info first.
++ */
++ freeaddrinfo(*addrinfo);
++ get_gai_errstring(errbuf, errbuflen,
++ "", retval, NULL, port);
++ } else {
++ /*
++ * Didn't work with just the host,
++ * so assume the problem is
++ * with the host.
++ */
++ get_gai_errstring(errbuf, errbuflen,
++ "", retval, host, NULL);
++ }
++ } else {
++ /*
++ * Either the host or port was null, so
++ * there's nothing to determine.
++ */
++ get_gai_errstring(errbuf, errbuflen, "",
++ retval, host, port);
++ }
+ }
+ return -1;
+ }
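Review bot: The `try_retval == 0` branch calls `freeaddrinfo(*addrinfo)` on the caller's out-parameter and then reaches `return -1` without setting `*addrinfo = NULL`, so the caller is left holding a pointer to freed memory. Any error path that frees a non-NULL addrinfo after sock_initaddress() fails would then free it a second time, which matches the "double-free in some cases" that the message of CVE-2023-7256.patch says it avoids. Because this prerequisite is what adds that code, say in its header that it must never be applied without CVE-2023-7256.patch, or reset `*addrinfo` after the free in this patch so the intermediate state is safe as well.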
diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre4.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre4.patch
new file mode 100644
index 0000000000..dcf203f754
--- /dev/null
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre4.patch
@@ -0,0 +1,37 @@
+From 73da0d4d65ef0925772b7b7f82a5fbb3ff2c5e4f Mon Sep 17 00:00:00 2001
+From: Rose <83477269+AtariDreams@users.noreply.github.com>
+Date: Tue, 16 May 2023 12:37:11 -0400
+Subject: [PATCH] Remove unused variable retval in sock_present2network
+
+This quiets the compiler since it is not even returned anyway, and is a misleading variable name.
+
+(cherry picked from commit c7b90298984c46d820d3cee79a96d24870b5f200)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/73da0d4d65ef0925772b7b7f82a5fbb3ff2c5e4f]
+CVE: CVE-2023-7256 #Dependency Patch4
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ sockutils.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sockutils.c b/sockutils.c
+index 1c07f76fd1..6752f296af 100644
+--- a/sockutils.c
++++ b/sockutils.c
+@@ -2082,7 +2082,6 @@ int sock_getascii_addrport(const struct sockaddr_storage *sockaddr, char *addres
+ */
+ int sock_present2network(const char *address, struct sockaddr_storage *sockaddr, int addr_family, char *errbuf, int errbuflen)
+ {
+- int retval;
+ struct addrinfo *addrinfo;
+ struct addrinfo hints;
+
+@@ -2090,7 +2089,7 @@ int sock_present2network(const char *address, struct sockaddr_storage *sockaddr,
+
+ hints.ai_family = addr_family;
+
+- if ((retval = sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen)) == -1)
++ if (sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen) == -1)
+ return 0;
+
+ if (addrinfo->ai_family == PF_INET)
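Review bot: The inner hunk headers place sock_present2network() at lines 2082 and 2090 of sockutils.c, while CVE-2023-7256.patch in this same series touches the identical `sock_initaddress(address, "22222" /* fake port */, ...)` call at line 1720, so this file does not look refreshed against the 1.10.1 source and would only apply with a large line offset. Regenerate it against the patched tree so its line numbers agree with the rest of the series. The change itself only drops the unused `retval`, so the header should also state that it is carried purely to give the following patch matching context.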
diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch
new file mode 100644
index 0000000000..2b6c6476a9
--- /dev/null
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch
@@ -0,0 +1,368 @@
+From 2aa69b04d8173b18a0e3492e0c8f2f7fabdf642d Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Thu, 28 Sep 2023 00:37:57 -0700
+Subject: [PATCH] Have sock_initaddress() return the list of addrinfo
+ structures or NULL.
+
+Its return address is currently 0 for success and -1 for failure, with a
+pointer to the first element of the list of struct addrinfos returned
+through a pointer on success; change it to return that pointer on
+success and NULL on failure.
+
+That way, we don't have to worry about what happens to the pointer
+pointeed to by the argument in question on failure; we know that we got
+NULL back if no struct addrinfos were found because getaddrinfo()
+failed. Thus, we know that we have something to free iff
+sock_initaddress() returned a pointer to that something rather than
+returning NULL.
+
+This avoids a double-free in some cases.
+
+This is apparently CVE-2023-40400.
+
+(backported from commit 262e4f34979872d822ccedf9f318ed89c4d31c03)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/2aa69b04d8173b18a0e3492e0c8f2f7fabdf642d]
+CVE: CVE-2023-7256
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pcap-rpcap.c | 48 ++++++++++++++++++++--------------------
+ rpcapd/daemon.c | 8 +++++--
+ rpcapd/rpcapd.c | 8 +++++--
+ sockutils.c | 58 ++++++++++++++++++++++++++++---------------------
+ sockutils.h | 5 ++---
+ 5 files changed, 72 insertions(+), 55 deletions(-)
+
+diff --git a/pcap-rpcap.c b/pcap-rpcap.c
+index 91f8557..733077b 100644
+--- a/pcap-rpcap.c
++++ b/pcap-rpcap.c
+@@ -995,7 +995,6 @@ rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
+ {
+ struct activehosts *temp; /* temp var needed to scan the host list chain */
+ struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
+- int retval;
+
+ /* retrieve the network address corresponding to 'host' */
+ addrinfo = NULL;
+@@ -1003,9 +1002,9 @@ rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+
+- retval = sock_initaddress(host, NULL, &hints, &addrinfo, errbuf,
++ addrinfo = sock_initaddress(host, NULL, &hints, errbuf,
+ PCAP_ERRBUF_SIZE);
+- if (retval != 0)
++ if (addrinfo == NULL)
+ {
+ *error = 1;
+ return NULL;
+@@ -1153,7 +1152,9 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ hints.ai_flags = AI_PASSIVE; /* Data connection is opened by the server toward the client */
+
+ /* Let's the server pick up a free network port for us */
+- if (sock_initaddress(NULL, NULL, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
++ addrinfo = sock_initaddress(NULL, NULL, &hints, fp->errbuf,
++ PCAP_ERRBUF_SIZE);
++ if (addrinfo == NULL)
+ goto error_nodiscard;
+
+ if ((sockdata = sock_open(addrinfo, SOCKOPEN_SERVER,
+@@ -1277,7 +1278,9 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ snprintf(portstring, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata));
+
+ /* Let's the server pick up a free network port for us */
+- if (sock_initaddress(host, portstring, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
++ addrinfo = sock_initaddress(host, portstring, &hints,
++ fp->errbuf, PCAP_ERRBUF_SIZE);
++ if (addrinfo == NULL)
+ goto error;
+
+ if ((sockdata = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+@@ -2220,16 +2223,16 @@ rpcap_setup_session(const char *source, struct pcap_rmtauth *auth,
+ if (port[0] == 0)
+ {
+ /* the user chose not to specify the port */
+- if (sock_initaddress(host, RPCAP_DEFAULT_NETPORT,
+- &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
+- return -1;
++ addrinfo = sock_initaddress(host, RPCAP_DEFAULT_NETPORT,
++ &hints, errbuf, PCAP_ERRBUF_SIZE);
+ }
+ else
+ {
+- if (sock_initaddress(host, port, &hints, &addrinfo,
+- errbuf, PCAP_ERRBUF_SIZE) == -1)
+- return -1;
++ addrinfo = sock_initaddress(host, port, &hints,
++ errbuf, PCAP_ERRBUF_SIZE);
+ }
++ if (addrinfo == NULL)
++ return -1;
+
+ if ((*sockctrlp = sock_open(addrinfo, SOCKOPEN_CLIENT, 0,
+ errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+@@ -2825,19 +2828,19 @@ SOCKET pcap_remoteact_accept_ex(const char *address, const char *port, const cha
+ /* Do the work */
+ if ((port == NULL) || (port[0] == 0))
+ {
+- if (sock_initaddress(address, RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
+- {
+- return (SOCKET)-2;
+- }
++ addrinfo = sock_initaddress(address,
++ RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, errbuf,
++ PCAP_ERRBUF_SIZE);
+ }
+ else
+ {
+- if (sock_initaddress(address, port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
+- {
+- return (SOCKET)-2;
+- }
++ addrinfo = sock_initaddress(address, port, &hints, errbuf,
++ PCAP_ERRBUF_SIZE);
++ }
++ if (addrinfo == NULL)
++ {
++ return (SOCKET)-2;
+ }
+-
+
+ if ((sockmain = sock_open(addrinfo, SOCKOPEN_SERVER, 1, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+ {
+@@ -2994,7 +2997,6 @@ int pcap_remoteact_close(const char *host, char *errbuf)
+ {
+ struct activehosts *temp, *prev; /* temp var needed to scan the host list chain */
+ struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
+- int retval;
+
+ temp = activeHosts;
+ prev = NULL;
+@@ -3005,9 +3007,9 @@ int pcap_remoteact_close(const char *host, char *errbuf)
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+
+- retval = sock_initaddress(host, NULL, &hints, &addrinfo, errbuf,
++ addrinfo = sock_initaddress(host, NULL, &hints, errbuf,
+ PCAP_ERRBUF_SIZE);
+- if (retval != 0)
++ if (addrinfo == NULL)
+ {
+ return -1;
+ }
+diff --git a/rpcapd/daemon.c b/rpcapd/daemon.c
+index 8f50899..925d381 100644
+--- a/rpcapd/daemon.c
++++ b/rpcapd/daemon.c
+@@ -2065,7 +2065,9 @@ daemon_msg_startcap_req(uint8 ver, struct daemon_slpars *pars, uint32 plen,
+ goto error;
+ }
+
+- if (sock_initaddress(peerhost, portdata, &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1)
++ addrinfo = sock_initaddress(peerhost, portdata, &hints,
++ errmsgbuf, PCAP_ERRBUF_SIZE);
++ if (addrinfo == NULL)
+ goto error;
+
+ if ((session->sockdata = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+@@ -2076,7 +2078,9 @@ daemon_msg_startcap_req(uint8 ver, struct daemon_slpars *pars, uint32 plen,
+ hints.ai_flags = AI_PASSIVE;
+
+ // Make the server socket pick up a free network port for us
+- if (sock_initaddress(NULL, NULL, &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1)
++ addrinfo = sock_initaddress(NULL, NULL, &hints, errmsgbuf,
++ PCAP_ERRBUF_SIZE);
++ if (addrinfo == NULL)
+ goto error;
+
+ if ((session->sockdata = sock_open(addrinfo, SOCKOPEN_SERVER, 1 /* max 1 connection in queue */, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+diff --git a/rpcapd/rpcapd.c b/rpcapd/rpcapd.c
+index b91a401..74c138b 100644
+--- a/rpcapd/rpcapd.c
++++ b/rpcapd/rpcapd.c
+@@ -610,7 +610,9 @@ void main_startup(void)
+ //
+ // Get a list of sockets on which to listen.
+ //
+- if (sock_initaddress((address[0]) ? address : NULL, port, &mainhints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
++ addrinfo = sock_initaddress((address[0]) ? address : NULL,
++ port, &mainhints, errbuf, PCAP_ERRBUF_SIZE);
++ if (addrinfo == NULL)
+ {
+ rpcapd_log(LOGPRIO_DEBUG, "%s", errbuf);
+ return;
+@@ -1347,7 +1349,9 @@ main_active(void *ptr)
+ memset(errbuf, 0, sizeof(errbuf));
+
+ // Do the work
+- if (sock_initaddress(activepars->address, activepars->port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
++ addrinfo = sock_initaddress(activepars->address, activepars->port,
++ &hints, errbuf, PCAP_ERRBUF_SIZE);
++ if (addrinfo == NULL)
+ {
+ rpcapd_log(LOGPRIO_DEBUG, "%s", errbuf);
+ return 0;
+diff --git a/sockutils.c b/sockutils.c
+index 0b0bcee..4d02d96 100644
+--- a/sockutils.c
++++ b/sockutils.c
+@@ -704,20 +704,21 @@ get_gai_errstring(char *errbuf, int errbuflen, const char *prefix, int err,
+ * \param errbuflen: length of the buffer that will contains the error. The error message cannot be
+ * larger than 'errbuflen - 1' because the last char is reserved for the string terminator.
+ *
+- * \return '0' if everything is fine, '-1' if some errors occurred. The error message is returned
+- * in the 'errbuf' variable. The addrinfo variable that has to be used in the following sockets calls is
+- * returned into the addrinfo parameter.
++ * \return a pointer to the first element in a list of addrinfo structures
++ * if everything is fine, NULL if some errors occurred. The error message
++ * is returned in the 'errbuf' variable.
+ *
+- * \warning The 'addrinfo' variable has to be deleted by the programmer by calling freeaddrinfo() when
+- * it is no longer needed.
++ * \warning The list of addrinfo structures returned has to be deleted by
++ * the programmer by calling freeaddrinfo() when it is no longer needed.
+ *
+ * \warning This function requires the 'hints' variable as parameter. The semantic of this variable is the same
+ * of the one of the corresponding variable used into the standard getaddrinfo() socket function. We suggest
+ * the programmer to look at that function in order to set the 'hints' variable appropriately.
+ */
+-int sock_initaddress(const char *host, const char *port,
+- struct addrinfo *hints, struct addrinfo **addrinfo, char *errbuf, int errbuflen)
++struct addrinfo *sock_initaddress(const char *host, const char *port,
++ struct addrinfo *hints, char *errbuf, int errbuflen)
+ {
++ struct addrinfo *addrinfo;
+ int retval;
+
+ /*
+@@ -729,9 +730,13 @@ int sock_initaddress(const char *host, const char *port,
+ * as those messages won't talk about a problem with the port if
+ * no port was specified.
+ */
+- retval = getaddrinfo(host, port == NULL ? "0" : port, hints, addrinfo);
++ retval = getaddrinfo(host, port == NULL ? "0" : port, hints, &addrinfo);
+ if (retval != 0)
+ {
++ /*
++ * That call failed.
++ * Determine whether the problem is that the host is bad.
++ */
+ if (errbuf)
+ {
+ if (host != NULL && port != NULL) {
+@@ -743,7 +748,7 @@ int sock_initaddress(const char *host, const char *port,
+ int try_retval;
+
+ try_retval = getaddrinfo(host, NULL, hints,
+- addrinfo);
++ &addrinfo);
+ if (try_retval == 0) {
+ /*
+ * Worked with just the host,
+@@ -752,14 +757,16 @@ int sock_initaddress(const char *host, const char *port,
+ *
+ * Free up the addres info first.
+ */
+- freeaddrinfo(*addrinfo);
++ freeaddrinfo(addrinfo);
+ get_gai_errstring(errbuf, errbuflen,
+ "", retval, NULL, port);
+ } else {
+ /*
+ * Didn't work with just the host,
+ * so assume the problem is
+- * with the host.
++ * with the host; we assume
++ * the original error indicates
++ * the underlying problem.
+ */
+ get_gai_errstring(errbuf, errbuflen,
+ "", retval, host, NULL);
+@@ -767,13 +774,14 @@ int sock_initaddress(const char *host, const char *port,
+ } else {
+ /*
+ * Either the host or port was null, so
+- * there's nothing to determine.
++ * there's nothing to determine; report
++ * the error from the original call.
+ */
+ get_gai_errstring(errbuf, errbuflen, "",
+ retval, host, port);
+ }
+ }
+- return -1;
++ return NULL;
+ }
+ /*
+ * \warning SOCKET: I should check all the accept() in order to bind to all addresses in case
+@@ -788,30 +796,28 @@ int sock_initaddress(const char *host, const char *port,
+ * ignore all addresses that are neither? (What, no IPX
+ * support? :-))
+ */
+- if (((*addrinfo)->ai_family != PF_INET) &&
+- ((*addrinfo)->ai_family != PF_INET6))
++ if ((addrinfo->ai_family != PF_INET) &&
++ (addrinfo->ai_family != PF_INET6))
+ {
+ if (errbuf)
+ snprintf(errbuf, errbuflen, "getaddrinfo(): socket type not supported");
+- freeaddrinfo(*addrinfo);
+- *addrinfo = NULL;
+- return -1;
++ freeaddrinfo(addrinfo);
++ return NULL;
+ }
+
+ /*
+ * You can't do multicast (or broadcast) TCP.
+ */
+- if (((*addrinfo)->ai_socktype == SOCK_STREAM) &&
+- (sock_ismcastaddr((*addrinfo)->ai_addr) == 0))
++ if ((addrinfo->ai_socktype == SOCK_STREAM) &&
++ (sock_ismcastaddr(addrinfo->ai_addr) == 0))
+ {
+ if (errbuf)
+ snprintf(errbuf, errbuflen, "getaddrinfo(): multicast addresses are not valid when using TCP streams");
+- freeaddrinfo(*addrinfo);
+- *addrinfo = NULL;
+- return -1;
++ freeaddrinfo(addrinfo);
++ return NULL;
+ }
+
+- return 0;
++ return addrinfo;
+ }
+
+ /*
+@@ -1720,7 +1726,9 @@ int sock_present2network(const char *address, struct sockaddr_storage *sockaddr,
+
+ hints.ai_family = addr_family;
+
+- if (sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen) == -1)
++ addrinfo = sock_initaddress(address, "22222" /* fake port */, &hints,
++ errbuf, errbuflen);
++ if (addrinfo == NULL)
+ return 0;
+
+ if (addrinfo->ai_family == PF_INET)
+diff --git a/sockutils.h b/sockutils.h
+index e748662..ede86a1 100644
+--- a/sockutils.h
++++ b/sockutils.h
+@@ -129,9 +129,8 @@ int sock_init(char *errbuf, int errbuflen);
+ void sock_cleanup(void);
+ void sock_fmterror(const char *caller, int errcode, char *errbuf, int errbuflen);
+ void sock_geterror(const char *caller, char *errbuf, int errbufsize);
+-int sock_initaddress(const char *address, const char *port,
+- struct addrinfo *hints, struct addrinfo **addrinfo,
+- char *errbuf, int errbuflen);
++struct addrinfo *sock_initaddress(const char *address, const char *port,
++ struct addrinfo *hints, char *errbuf, int errbuflen);
+ int sock_recv(SOCKET sock, SSL *, void *buffer, size_t size, int receiveall,
+ char *errbuf, int errbuflen);
+ int sock_recv_dgram(SOCKET sock, SSL *, void *buffer, size_t size,
+--
+2.25.1
+
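Review bot: The commit message says "This is apparently CVE-2023-40400." while the tag below it is `CVE: CVE-2023-7256`, and nothing in the header reconciles the two identifiers. Add a line explaining how they relate, so that someone auditing this recipe by CVE number can tell which entry this patch closes. On the code side, returning `struct addrinfo *` from sock_initaddress() removes the out-parameter that the old failure paths could leave stale, and every call site in the visible hunks now tests `addrinfo == NULL`. One leftover: the `addrinfo = NULL;` kept as context in rpcap_remoteact_getsock() is now a dead store, since the variable is assigned from sock_initaddress() a few lines later.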
diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch
new file mode 100644
index 0000000000..987d6d51b3
--- /dev/null
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch
@@ -0,0 +1,42 @@
+From 8a633ee5b9ecd9d38a587ac9b204e2380713b0d6 Mon Sep 17 00:00:00 2001
+From: Nicolas Badoux <n.badoux@hotmail.com>
+Date: Mon, 19 Aug 2024 12:31:53 +0200
+Subject: [PATCH] makes pcap_findalldevs_ex errors out if the directory does
+ not exist
+
+(backported from commit 0f8a103469ce87d2b8d68c5130a46ddb7fb5eb29)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/8a633ee5b9ecd9d38a587ac9b204e2380713b0d6]
+CVE: CVE-2024-8006
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pcap-new.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/pcap-new.c b/pcap-new.c
+index 7c00659..ac88065 100644
+--- a/pcap-new.c
++++ b/pcap-new.c
+@@ -231,13 +231,18 @@ int pcap_findalldevs_ex(const char *source, struct pcap_rmtauth *auth, pcap_if_t
+ #else
+ /* opening the folder */
+ unixdir= opendir(path);
++ if (unixdir == NULL) {
++ snprintf(errbuf, PCAP_ERRBUF_SIZE,
++ "Error when listing files: does folder '%s' exist?", path);
++ return -1;
++ }
+
+ /* get the first file into it */
+ filedata= readdir(unixdir);
+
+ if (filedata == NULL)
+ {
+- snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error when listing files: does folder '%s' exist?", path);
++ snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error when listing files: does folder '%s' contain files?", path);
+ return -1;
+ }
+ #endif
+--
+2.25.1
+
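Review bot: The new `unixdir == NULL` branch reports "does folder '%s' exist?" for every opendir() failure, which is misleading when the cause is a permission or not-a-directory error; include the errno text in the message. Separately, the `filedata == NULL` branch just below still does `return -1` with `unixdir` open and no closedir() is visible on that path, so the directory stream leaks there. The header has only a Subject and the backport tags; one sentence stating that readdir() was previously reached with the unchecked result of opendir() would tell a reader what the fault was.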
diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb b/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb
index dbe2fd8157..584e98c76d 100644
--- a/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb
+++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb
@@ -10,7 +10,15 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453 \
file://pcap.h;beginline=1;endline=32;md5=39af3510e011f34b8872f120b1dc31d2"
DEPENDS = "flex-native bison-native"
-SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz"
+SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \
+ file://CVE-2023-7256-pre1.patch \
+ file://CVE-2023-7256-pre2.patch \
+ file://CVE-2023-7256-pre3.patch \
+ file://CVE-2023-7256-pre4.patch \
+ file://CVE-2023-7256.patch \
+ file://CVE-2024-8006.patch \
+ "
+
SRC_URI[sha256sum] = "ed285f4accaf05344f90975757b3dbfe772ba41d1c401c2648b7fa45b711bdd4"
inherit autotools binconfig-disabled pkgconfig
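Review bot: The six new SRC_URI entries are order-sensitive, and neither the recipe nor the patch headers say so. The sockutils.c hunks of CVE-2023-7256.patch use as context the `port == NULL ? "0" : port` call added by CVE-2023-7256-pre2.patch and the `try_retval` block added by CVE-2023-7256-pre3.patch. The order given is correct; mention the dependency in the commit message so a later cleanup does not drop or reorder the pre1 to pre4 entries as unrelated changes.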
--
2.34.1
* [OE-core][kirkstone 02/15] webkitgtk: Security fix CVE-2024-40779
2024-09-23 13:13 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 01/15] libpcap: Security fix for CVE-2023-7256 & CVE-2024-8006 Steve Sakoman
@ 2024-09-23 13:13 ` Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 03/15] cups: Security fix for CVE-2024-35235 Steve Sakoman
` (12 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Vivek Kumbhar <vkumbhar@mvista.com>
Upstream-Status: Backport from [https://github.com/WebKit/WebKit/commit/2fe5ae29a5f6434ef456afe9673a4f400ec63848]
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../webkit/webkitgtk/CVE-2024-40779.patch | 91 +++++++++++++++++++
meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 +
2 files changed, 92 insertions(+)
create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch
new file mode 100644
index 0000000000..6fac907256
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch
@@ -0,0 +1,91 @@
+From 2fe5ae29a5f6434ef456afe9673a4f400ec63848 Mon Sep 17 00:00:00 2001
+From: Jean-Yves Avenard <jya@apple.com>
+Date: Fri, 14 Jun 2024 16:08:19 -0700
+Subject: [PATCH] Cherry-pick 272448.1085@safari-7618.3.10-branch
+ (ff52ff7cb64e). https://bugs.webkit.org/show_bug.cgi?id=275431
+
+HeapBufferOverflow in computeSampleUsingLinearInterpolation
+https://bugs.webkit.org/show_bug.cgi?id=275431
+rdar://125617812
+
+Reviewed by Youenn Fablet.
+
+Add boundary check.
+This is a copy of blink code for that same function.
+https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc;l=336-341
+
+* LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt: Added.
+* LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html: Added.
+* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
+(WebCore::AudioBufferSourceNode::renderFromBuffer):
+
+Canonical link: https://commits.webkit.org/274313.347@webkitglib/2.44
+
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/2fe5ae29a5f6434ef456afe9673a4f400ec63848]
+CVE: CVE-2024-40779
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ ...er-sourcenode-resampler-crash-expected.txt | 1 +
+ ...udiobuffer-sourcenode-resampler-crash.html | 25 +++++++++++++++++++
+ .../webaudio/AudioBufferSourceNode.cpp | 6 +++++
+ 3 files changed, 32 insertions(+)
+ create mode 100644 LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt
+ create mode 100644 LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html
+
+diff --git a/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt
+new file mode 100644
+index 00000000..654ddf7f
+--- /dev/null
++++ b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt
+@@ -0,0 +1 @@
++This test passes if it does not crash.
+diff --git a/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html
+new file mode 100644
+index 00000000..5fb2dd8c
+--- /dev/null
++++ b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html
+@@ -0,0 +1,25 @@
++<html>
++<head>
++ <script>
++ async function main() {
++ var ctx = new AudioContext();
++ var src = new AudioBufferSourceNode(ctx);
++ src.buffer = ctx.createBuffer(1, 8192, 44100);
++ src.start(undefined, 0.5);
++ src.playbackRate.value = -1;
++ src.connect(ctx.destination, 0, 0);
++ if (window.testRunner)
++ testRunner.notifyDone();
++ }
++ </script>
++</head>
++<body onload="main()">
++ <p>This test passes if it does not crash.</p>
++ <script>
++ if (window.testRunner) {
++ testRunner.waitUntilDone();
++ testRunner.dumpAsText();
++ }
++ </script>
++</body>
++</html>
+diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+index 35b8c818..689d37a1 100644
+--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
++++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+@@ -342,6 +342,12 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
+ if (readIndex2 >= maxFrame)
+ readIndex2 = m_isLooping ? minFrame : readIndex;
+
++ // Final sanity check on buffer access.
++ // FIXME: as an optimization, try to get rid of this inner-loop check and
++ // put assertions and guards before the loop.
++ if (readIndex >= bufferLength || readIndex2 >= bufferLength)
++ break;
++
+ // Linear interpolation.
+ for (unsigned i = 0; i < numberOfChannels; ++i) {
+ float* destination = destinationChannels[i];
+--
+2.34.1
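Review bot: In the AudioBufferSourceNode.cpp hunk of the backported patch, the new guard `if (readIndex >= bufferLength || readIndex2 >= bufferLength) break;` depends on `bufferLength` being in scope in the 2.36.8 copy of renderFromBuffer(), which the surrounding context lines (maxFrame, minFrame, readIndex2) do not show. The upstream change was made on webkitglib/2.44 according to the Canonical link, so please confirm the patch applies here without fuzz and that the variable carries the same meaning. Because the `break` leaves the render loop early, also check that the frames not yet written to `destination` are silenced after the loop rather than left with stale data.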
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index f4b8456749..a2d455ab92 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
file://CVE-2023-23529.patch \
file://CVE-2022-48503.patch \
file://CVE-2023-32439.patch \
+ file://CVE-2024-40779.patch \
"
SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
--
2.34.1
* [OE-core][kirkstone 03/15] cups: Security fix for CVE-2024-35235
2024-09-23 13:13 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 01/15] libpcap: Security fix for CVE-2023-7256 & CVE-2024-8006 Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 02/15] webkitgtk: Security fix CVE-2024-40779 Steve Sakoman
@ 2024-09-23 13:13 ` Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 04/15] yocto-uninative: Update to 4.5 for gcc 14 Steve Sakoman
` (11 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Rohini Sangam <rsangam@mvista.com>
CVE fixed:
- CVE-2024-35235: cups: Cupsd Listen arbitrary chmod 0140777
Upstream-Status: Backport from https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2, https://github.com/OpenPrinting/cups/commit/e3952d3ecd231588bb382529281a294124db9348#diff-6fc0a5ba57f83c8177d28f44729276fe35fcaaceae8b774481e6973fcbdf733d
Signed-off-by: Rohini Sangam <rsangam@mvista.com>
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2024-35235.patch | 121 ++++++++++++++++++
2 files changed, 122 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-35235.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 047ab33898..6d5cf3b588 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -19,6 +19,7 @@ SRC_URI = "https://github.com/OpenPrinting/cups/releases/download/v${PV}/cups-${
file://CVE-2023-34241.patch \
file://CVE-2023-32360.patch \
file://CVE-2023-4504.patch \
+ file://CVE-2024-35235.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2024-35235.patch b/meta/recipes-extended/cups/cups/CVE-2024-35235.patch
new file mode 100644
index 0000000000..d7a2d426af
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2024-35235.patch
@@ -0,0 +1,121 @@
+From a436956f374b0fd7f5da9df482e4f5840fa1c0d2 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Mon, 3 Jun 2024 18:53:58 +0200
+Subject: [PATCH] CVE-2024-35235: Fix domain socket handling
+
+- Check status of unlink and bind system calls.
+- Don't allow extra domain sockets when running from launchd/systemd.
+- Validate length of domain socket path (< sizeof(sun_path))
+
+Upstream-Status: Backport from https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2, https://github.com/OpenPrinting/cups/commit/e3952d3ecd231588bb382529281a294124db9348#diff-6fc0a5ba57f83c8177d28f44729276fe35fcaaceae8b774481e6973fcbdf733d
+CVE: CVE-2024-35235
+
+Signed-off-by: Rohini Sangam <rsangam@mvista.com>
+---
+ cups/debug-internal.h | 4 +--
+ cups/http-addr.c | 36 ++++++++++---------
+ scheduler/conf.c | 20 +++++++++++
+ 3 files changed, 41 insertions(+), 19 deletions(-)
+
+diff --git a/cups/debug-internal.h b/cups/debug-internal.h
+index 2b57854..2e1a56a 100644
+--- a/cups/debug-internal.h
++++ b/cups/debug-internal.h
+@@ -59,10 +59,10 @@ extern "C" {
+
+ # ifdef DEBUG
+ # define DEBUG_puts(x) _cups_debug_puts(x)
+-# define DEBUG_printf(x) _cups_debug_printf x
++# define DEBUG_printf(...) _cups_debug_printf(__VA_ARGS__)
+ # else
+ # define DEBUG_puts(x)
+-# define DEBUG_printf(x)
++# define DEBUG_printf(...)
+ # endif /* DEBUG */
+
+
+diff --git a/cups/http-addr.c b/cups/http-addr.c
+index 114a644..610e9db 100644
+--- a/cups/http-addr.c
++++ b/cups/http-addr.c
+@@ -206,27 +206,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
+ * Remove any existing domain socket file...
+ */
+
+- unlink(addr->un.sun_path);
+-
+- /*
+- * Save the current umask and set it to 0 so that all users can access
+- * the domain socket...
+- */
+-
+- mask = umask(0);
++ if ((status = unlink(addr->un.sun_path)) < 0)
++ {
++ DEBUG_printf("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno));
+
+- /*
+- * Bind the domain socket...
+- */
++ if (errno == ENOENT)
++ status = 0;
++ }
+
+- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
++ if (!status)
++ {
++ // Save the current umask and set it to 0 so that all users can access
++ // the domain socket...
++ mask = umask(0);
+
+- /*
+- * Restore the umask and fix permissions...
+- */
++ // Bind the domain socket...
++ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
++ {
++ DEBUG_printf("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno));
++ }
+
+- umask(mask);
+- chmod(addr->un.sun_path, 0140777);
++ // Restore the umask...
++ umask(mask);
++ }
+ }
+ else
+ #endif /* AF_LOCAL */
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index 535d40f..3a2eec2 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -3074,6 +3074,26 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
+ cupsd_listener_t *lis; /* New listeners array */
+
+
++ /*
++ * If we are launched on-demand, do not use domain sockets from the config
++ * file. Also check that the domain socket path is not too long...
++ */
++
++#ifdef HAVE_ONDEMAND
++ if (*value == '/' && OnDemand)
++ {
++ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
++ continue;
++ }
++#endif // HAVE_ONDEMAND
++
++ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
++ {
++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
++ continue;
++ }
++
+ /*
+ * Get the address list...
+ */
+--
+2.35.7
+
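Review bot: The debug-internal.h hunk changes `DEBUG_printf(x)` from expanding to `_cups_debug_printf x` into the variadic `_cups_debug_printf(__VA_ARGS__)`, which affects every existing caller in this CUPS version and not only the two new calls in http-addr.c. A caller written in the old double-parenthesis form, `DEBUG_printf(("fmt", arg))`, would now expand to `_cups_debug_printf(("fmt", arg))`, a comma expression that passes only the last argument. Normal builds hide this because the macro is empty there, so it only goes wrong when DEBUG is defined. A smaller backport would leave the macro untouched and write the two new calls in the old form, `DEBUG_printf(("1httpAddrListen: ...", addr->un.sun_path, strerror(errno)));`. Separately, the Upstream-Status line uses "Backport from <url>, <url>" while the webkitgtk patch in this series uses the bracketed "Backport [<url>]" form; please align it.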
--
2.34.1
* [OE-core][kirkstone 04/15] yocto-uninative: Update to 4.5 for gcc 14
2024-09-23 13:13 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (2 preceding siblings ...)
2024-09-23 13:13 ` [OE-core][kirkstone 03/15] cups: Security fix for CVE-2024-35235 Steve Sakoman
@ 2024-09-23 13:13 ` Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 05/15] yocto-uninative: Update to 4.6 for glibc 2.40 Steve Sakoman
` (10 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f5638681cef7e250ac64832dbe791418d97f05ba)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/conf/distro/include/yocto-uninative.inc | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 4ac66fd506..657c1032f9 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -7,9 +7,9 @@
#
UNINATIVE_MAXGLIBCVERSION = "2.39"
-UNINATIVE_VERSION = "4.4"
+UNINATIVE_VERSION = "4.5"
UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "b61876130f494f75092f21086b4a64ea5fb064045769bf1d32e9cb6af17ea8ec"
-UNINATIVE_CHECKSUM[i686] ?= "9f28627828f0082cc0344eede4d9a861a9a064bfa8f36e072e46212f0fe45fcc"
-UNINATIVE_CHECKSUM[x86_64] ?= "d81c54284be2bb886931fc87281d58177a2cd381cf99d1981f8923039a72a302"
+UNINATIVE_CHECKSUM[aarch64] ?= "df2e29e2e6feb187a3499abf3b1322a3b251da819c77a7b19d4fe952351365ab"
+UNINATIVE_CHECKSUM[i686] ?= "8ef3eda53428b484c20157f6ec3c130b03080b3d4b3889067e0e184e05102d35"
+UNINATIVE_CHECKSUM[x86_64] ?= "43ee6a25bcf5fce16ea87076d6a96e79ead6ced90690a058d07432f902773473"
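Review bot: All three UNINATIVE_CHECKSUM values are replaced, yet the commit message consists only of sign-offs and does not say where the 4.5 checksums were published or how they were checked. Please add a short body that points to the release announcement or checksum file the values were copied from, so the new sha256 strings can be verified independently of this patch.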
--
2.34.1
* [OE-core][kirkstone 05/15] yocto-uninative: Update to 4.6 for glibc 2.40
2024-09-23 13:13 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (3 preceding siblings ...)
2024-09-23 13:13 ` [OE-core][kirkstone 04/15] yocto-uninative: Update to 4.5 for gcc 14 Steve Sakoman
@ 2024-09-23 13:13 ` Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 06/15] python3: Upgrade 3.10.14 -> 3.10.15 Steve Sakoman
` (9 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b29bfd333dffe635ab67475dcd8d22ad8b114c84)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/conf/distro/include/yocto-uninative.inc | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 657c1032f9..a6f7107dfe 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,10 +6,10 @@
# to the distro running on the build machine.
#
-UNINATIVE_MAXGLIBCVERSION = "2.39"
-UNINATIVE_VERSION = "4.5"
+UNINATIVE_MAXGLIBCVERSION = "2.40"
+UNINATIVE_VERSION = "4.6"
UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "df2e29e2e6feb187a3499abf3b1322a3b251da819c77a7b19d4fe952351365ab"
-UNINATIVE_CHECKSUM[i686] ?= "8ef3eda53428b484c20157f6ec3c130b03080b3d4b3889067e0e184e05102d35"
-UNINATIVE_CHECKSUM[x86_64] ?= "43ee6a25bcf5fce16ea87076d6a96e79ead6ced90690a058d07432f902773473"
+UNINATIVE_CHECKSUM[aarch64] ?= "c2d36338272eba101580f648dd8dff5352cdb4c1809db7dedf8fc4d7e7df716c"
+UNINATIVE_CHECKSUM[i686] ?= "0041584678109c18deca48fb59eaf14cf725cf024a170ab537b354b63240c504"
+UNINATIVE_CHECKSUM[x86_64] ?= "6bf00154c5a7bc48adbf63fd17684bb87eb07f4814fbb482a3fbd817c1ccf4c5"
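Review bot: The unchanged UNINATIVE_URL context line still fetches the tarball over plain http://, so the sha256 values changed in this hunk are the only integrity control on the download; moving the URL to https:// in a follow-up would add transport protection on top of them. The `-` lines here are exactly the 4.5 values added by 04/15, so this patch applies only on top of that one, and the commit message, which has no body, should say so.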
--
2.34.1
* [OE-core][kirkstone 06/15] python3: Upgrade 3.10.14 -> 3.10.15
2024-09-23 13:13 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (4 preceding siblings ...)
2024-09-23 13:13 ` [OE-core][kirkstone 05/15] yocto-uninative: Update to 4.6 for glibc 2.40 Steve Sakoman
@ 2024-09-23 13:13 ` Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 07/15] busybox: Fix cut with "-s" flag Steve Sakoman
` (8 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Divya Chellam <divya.chellam@windriver.com>
Includes security fixes for CVE-2024-4030, CVE-2024-7592, CVE-2024-4032, CVE-2024-8088,
CVE-2024-6232, CVE-2024-6923, CVE-2023-27043 and other bug fixes.
Removed the patches below, as the fixes are included in the 3.10.15 upgrade:
1. CVE-2023-27043.patch
2. CVE-2024-6232.patch
3. CVE-2024-7592.patch
4. CVE-2024-8088.patch
Release Notes:
https://www.python.org/downloads/release/python-31015/
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../python/python3/CVE-2023-27043.patch | 510 ------------------
.../python/python3/CVE-2024-6232.patch | 251 ---------
.../python/python3/CVE-2024-7592.patch | 140 -----
.../python/python3/CVE-2024-8088.patch | 124 -----
...{python3_3.10.14.bb => python3_3.10.15.bb} | 6 +-
5 files changed, 1 insertion(+), 1030 deletions(-)
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2023-27043.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-6232.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-7592.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-8088.patch
rename meta/recipes-devtools/python/{python3_3.10.14.bb => python3_3.10.15.bb} (98%)
diff --git a/meta/recipes-devtools/python/python3/CVE-2023-27043.patch b/meta/recipes-devtools/python/python3/CVE-2023-27043.patch
deleted file mode 100644
index d27afc41a9..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2023-27043.patch
+++ /dev/null
@@ -1,510 +0,0 @@
-From 2a9273a0e4466e2f057f9ce6fe98cd8ce570331b Mon Sep 17 00:00:00 2001
-From: Petr Viktorin <encukou@gmail.com>
-Date: Fri, 6 Sep 2024 13:14:22 +0200
-Subject: [PATCH] [3.10] [CVE-2023-27043] gh-102988: Reject malformed addresses
- in email.parseaddr() (GH-111116) (#123768)
-
-Detect email address parsing errors and return empty tuple to
-indicate the parsing error (old API). Add an optional 'strict'
-parameter to getaddresses() and parseaddr() functions. Patch by
-Thomas Dwyer.
-
-(cherry picked from commit 4a153a1d3b18803a684cd1bcc2cdf3ede3dbae19)
-
-Co-authored-by: Victor Stinner <vstinner@python.org>
-Co-Authored-By: Thomas Dwyer <github@tomd.tel>
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/2a9273a0e4466e2f057f9ce6fe98cd8ce570331b]
-CVE: CVE-2023-27043
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- Doc/library/email.utils.rst | 19 +-
- Lib/email/utils.py | 151 ++++++++++++-
- Lib/test/test_email/test_email.py | 204 +++++++++++++++++-
- ...-10-20-15-28-08.gh-issue-102988.dStNO7.rst | 8 +
- 4 files changed, 361 insertions(+), 21 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
-
-diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst
-index 0e266b6..65948fb 100644
---- a/Doc/library/email.utils.rst
-+++ b/Doc/library/email.utils.rst
-@@ -60,13 +60,18 @@ of the new API.
- begins with angle brackets, they are stripped off.
-
-
--.. function:: parseaddr(address)
-+.. function:: parseaddr(address, *, strict=True)
-
- Parse address -- which should be the value of some address-containing field such
- as :mailheader:`To` or :mailheader:`Cc` -- into its constituent *realname* and
- *email address* parts. Returns a tuple of that information, unless the parse
- fails, in which case a 2-tuple of ``('', '')`` is returned.
-
-+ If *strict* is true, use a strict parser which rejects malformed inputs.
-+
-+ .. versionchanged:: 3.10.15
-+ Add *strict* optional parameter and reject malformed inputs by default.
-+
-
- .. function:: formataddr(pair, charset='utf-8')
-
-@@ -84,12 +89,15 @@ of the new API.
- Added the *charset* option.
-
-
--.. function:: getaddresses(fieldvalues)
-+.. function:: getaddresses(fieldvalues, *, strict=True)
-
- This method returns a list of 2-tuples of the form returned by ``parseaddr()``.
- *fieldvalues* is a sequence of header field values as might be returned by
-- :meth:`Message.get_all <email.message.Message.get_all>`. Here's a simple
-- example that gets all the recipients of a message::
-+ :meth:`Message.get_all <email.message.Message.get_all>`.
-+
-+ If *strict* is true, use a strict parser which rejects malformed inputs.
-+
-+ Here's a simple example that gets all the recipients of a message::
-
- from email.utils import getaddresses
-
-@@ -99,6 +107,9 @@ of the new API.
- resent_ccs = msg.get_all('resent-cc', [])
- all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs)
-
-+ .. versionchanged:: 3.10.15
-+ Add *strict* optional parameter and reject malformed inputs by default.
-+
-
- .. function:: parsedate(date)
-
-diff --git a/Lib/email/utils.py b/Lib/email/utils.py
-index cfdfeb3..9522341 100644
---- a/Lib/email/utils.py
-+++ b/Lib/email/utils.py
-@@ -48,6 +48,7 @@ TICK = "'"
- specialsre = re.compile(r'[][\\()<>@,:;".]')
- escapesre = re.compile(r'[\\"]')
-
-+
- def _has_surrogates(s):
- """Return True if s contains surrogate-escaped binary data."""
- # This check is based on the fact that unless there are surrogates, utf8
-@@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'):
- return address
-
-
-+def _iter_escaped_chars(addr):
-+ pos = 0
-+ escape = False
-+ for pos, ch in enumerate(addr):
-+ if escape:
-+ yield (pos, '\\' + ch)
-+ escape = False
-+ elif ch == '\\':
-+ escape = True
-+ else:
-+ yield (pos, ch)
-+ if escape:
-+ yield (pos, '\\')
-+
-+
-+def _strip_quoted_realnames(addr):
-+ """Strip real names between quotes."""
-+ if '"' not in addr:
-+ # Fast path
-+ return addr
-+
-+ start = 0
-+ open_pos = None
-+ result = []
-+ for pos, ch in _iter_escaped_chars(addr):
-+ if ch == '"':
-+ if open_pos is None:
-+ open_pos = pos
-+ else:
-+ if start != open_pos:
-+ result.append(addr[start:open_pos])
-+ start = pos + 1
-+ open_pos = None
-+
-+ if start < len(addr):
-+ result.append(addr[start:])
-+
-+ return ''.join(result)
-
--def getaddresses(fieldvalues):
-- """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
-- all = COMMASPACE.join(str(v) for v in fieldvalues)
-- a = _AddressList(all)
-- return a.addresslist
-+
-+supports_strict_parsing = True
-+
-+def getaddresses(fieldvalues, *, strict=True):
-+ """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
-+
-+ When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
-+ its place.
-+
-+ If strict is true, use a strict parser which rejects malformed inputs.
-+ """
-+
-+ # If strict is true, if the resulting list of parsed addresses is greater
-+ # than the number of fieldvalues in the input list, a parsing error has
-+ # occurred and consequently a list containing a single empty 2-tuple [('',
-+ # '')] is returned in its place. This is done to avoid invalid output.
-+ #
-+ # Malformed input: getaddresses(['alice@example.com <bob@example.com>'])
-+ # Invalid output: [('', 'alice@example.com'), ('', 'bob@example.com')]
-+ # Safe output: [('', '')]
-+
-+ if not strict:
-+ all = COMMASPACE.join(str(v) for v in fieldvalues)
-+ a = _AddressList(all)
-+ return a.addresslist
-+
-+ fieldvalues = [str(v) for v in fieldvalues]
-+ fieldvalues = _pre_parse_validation(fieldvalues)
-+ addr = COMMASPACE.join(fieldvalues)
-+ a = _AddressList(addr)
-+ result = _post_parse_validation(a.addresslist)
-+
-+ # Treat output as invalid if the number of addresses is not equal to the
-+ # expected number of addresses.
-+ n = 0
-+ for v in fieldvalues:
-+ # When a comma is used in the Real Name part it is not a deliminator.
-+ # So strip those out before counting the commas.
-+ v = _strip_quoted_realnames(v)
-+ # Expected number of addresses: 1 + number of commas
-+ n += 1 + v.count(',')
-+ if len(result) != n:
-+ return [('', '')]
-+
-+ return result
-+
-+
-+def _check_parenthesis(addr):
-+ # Ignore parenthesis in quoted real names.
-+ addr = _strip_quoted_realnames(addr)
-+
-+ opens = 0
-+ for pos, ch in _iter_escaped_chars(addr):
-+ if ch == '(':
-+ opens += 1
-+ elif ch == ')':
-+ opens -= 1
-+ if opens < 0:
-+ return False
-+ return (opens == 0)
-+
-+
-+def _pre_parse_validation(email_header_fields):
-+ accepted_values = []
-+ for v in email_header_fields:
-+ if not _check_parenthesis(v):
-+ v = "('', '')"
-+ accepted_values.append(v)
-+
-+ return accepted_values
-+
-+
-+def _post_parse_validation(parsed_email_header_tuples):
-+ accepted_values = []
-+ # The parser would have parsed a correctly formatted domain-literal
-+ # The existence of an [ after parsing indicates a parsing failure
-+ for v in parsed_email_header_tuples:
-+ if '[' in v[1]:
-+ v = ('', '')
-+ accepted_values.append(v)
-+
-+ return accepted_values
-
-
- def _format_timetuple_and_zone(timetuple, zone):
-@@ -205,16 +321,33 @@ def parsedate_to_datetime(data):
- tzinfo=datetime.timezone(datetime.timedelta(seconds=tz)))
-
-
--def parseaddr(addr):
-+def parseaddr(addr, *, strict=True):
- """
- Parse addr into its constituent realname and email address parts.
-
- Return a tuple of realname and email address, unless the parse fails, in
- which case return a 2-tuple of ('', '').
-+
-+ If strict is True, use a strict parser which rejects malformed inputs.
- """
-- addrs = _AddressList(addr).addresslist
-- if not addrs:
-- return '', ''
-+ if not strict:
-+ addrs = _AddressList(addr).addresslist
-+ if not addrs:
-+ return ('', '')
-+ return addrs[0]
-+
-+ if isinstance(addr, list):
-+ addr = addr[0]
-+
-+ if not isinstance(addr, str):
-+ return ('', '')
-+
-+ addr = _pre_parse_validation([addr])[0]
-+ addrs = _post_parse_validation(_AddressList(addr).addresslist)
-+
-+ if not addrs or len(addrs) > 1:
-+ return ('', '')
-+
- return addrs[0]
-
-
-diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
-index 8b16cca..5b19bb3 100644
---- a/Lib/test/test_email/test_email.py
-+++ b/Lib/test/test_email/test_email.py
-@@ -16,6 +16,7 @@ from unittest.mock import patch
-
- import email
- import email.policy
-+import email.utils
-
- from email.charset import Charset
- from email.generator import Generator, DecodedGenerator, BytesGenerator
-@@ -3288,15 +3289,154 @@ Foo
- [('Al Person', 'aperson@dom.ain'),
- ('Bud Person', 'bperson@dom.ain')])
-
-+ def test_getaddresses_comma_in_name(self):
-+ """GH-106669 regression test."""
-+ self.assertEqual(
-+ utils.getaddresses(
-+ [
-+ '"Bud, Person" <bperson@dom.ain>',
-+ 'aperson@dom.ain (Al Person)',
-+ '"Mariusz Felisiak" <to@example.com>',
-+ ]
-+ ),
-+ [
-+ ('Bud, Person', 'bperson@dom.ain'),
-+ ('Al Person', 'aperson@dom.ain'),
-+ ('Mariusz Felisiak', 'to@example.com'),
-+ ],
-+ )
-+
-+ def test_parsing_errors(self):
-+ """Test for parsing errors from CVE-2023-27043 and CVE-2019-16056"""
-+ alice = 'alice@example.org'
-+ bob = 'bob@example.com'
-+ empty = ('', '')
-+
-+ # Test utils.getaddresses() and utils.parseaddr() on malformed email
-+ # addresses: default behavior (strict=True) rejects malformed address,
-+ # and strict=False which tolerates malformed address.
-+ for invalid_separator, expected_non_strict in (
-+ ('(', [(f'<{bob}>', alice)]),
-+ (')', [('', alice), empty, ('', bob)]),
-+ ('<', [('', alice), empty, ('', bob), empty]),
-+ ('>', [('', alice), empty, ('', bob)]),
-+ ('[', [('', f'{alice}[<{bob}>]')]),
-+ (']', [('', alice), empty, ('', bob)]),
-+ ('@', [empty, empty, ('', bob)]),
-+ (';', [('', alice), empty, ('', bob)]),
-+ (':', [('', alice), ('', bob)]),
-+ ('.', [('', alice + '.'), ('', bob)]),
-+ ('"', [('', alice), ('', f'<{bob}>')]),
-+ ):
-+ address = f'{alice}{invalid_separator}<{bob}>'
-+ with self.subTest(address=address):
-+ self.assertEqual(utils.getaddresses([address]),
-+ [empty])
-+ self.assertEqual(utils.getaddresses([address], strict=False),
-+ expected_non_strict)
-+
-+ self.assertEqual(utils.parseaddr([address]),
-+ empty)
-+ self.assertEqual(utils.parseaddr([address], strict=False),
-+ ('', address))
-+
-+ # Comma (',') is treated differently depending on strict parameter.
-+ # Comma without quotes.
-+ address = f'{alice},<{bob}>'
-+ self.assertEqual(utils.getaddresses([address]),
-+ [('', alice), ('', bob)])
-+ self.assertEqual(utils.getaddresses([address], strict=False),
-+ [('', alice), ('', bob)])
-+ self.assertEqual(utils.parseaddr([address]),
-+ empty)
-+ self.assertEqual(utils.parseaddr([address], strict=False),
-+ ('', address))
-+
-+ # Real name between quotes containing comma.
-+ address = '"Alice, alice@example.org" <bob@example.com>'
-+ expected_strict = ('Alice, alice@example.org', 'bob@example.com')
-+ self.assertEqual(utils.getaddresses([address]), [expected_strict])
-+ self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
-+ self.assertEqual(utils.parseaddr([address]), expected_strict)
-+ self.assertEqual(utils.parseaddr([address], strict=False),
-+ ('', address))
-+
-+ # Valid parenthesis in comments.
-+ address = 'alice@example.org (Alice)'
-+ expected_strict = ('Alice', 'alice@example.org')
-+ self.assertEqual(utils.getaddresses([address]), [expected_strict])
-+ self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
-+ self.assertEqual(utils.parseaddr([address]), expected_strict)
-+ self.assertEqual(utils.parseaddr([address], strict=False),
-+ ('', address))
-+
-+ # Invalid parenthesis in comments.
-+ address = 'alice@example.org )Alice('
-+ self.assertEqual(utils.getaddresses([address]), [empty])
-+ self.assertEqual(utils.getaddresses([address], strict=False),
-+ [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
-+ self.assertEqual(utils.parseaddr([address]), empty)
-+ self.assertEqual(utils.parseaddr([address], strict=False),
-+ ('', address))
-+
-+ # Two addresses with quotes separated by comma.
-+ address = '"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>'
-+ self.assertEqual(utils.getaddresses([address]),
-+ [('Jane Doe', 'jane@example.net'),
-+ ('John Doe', 'john@example.net')])
-+ self.assertEqual(utils.getaddresses([address], strict=False),
-+ [('Jane Doe', 'jane@example.net'),
-+ ('John Doe', 'john@example.net')])
-+ self.assertEqual(utils.parseaddr([address]), empty)
-+ self.assertEqual(utils.parseaddr([address], strict=False),
-+ ('', address))
-+
-+ # Test email.utils.supports_strict_parsing attribute
-+ self.assertEqual(email.utils.supports_strict_parsing, True)
-+
- def test_getaddresses_nasty(self):
-- eq = self.assertEqual
-- eq(utils.getaddresses(['foo: ;']), [('', '')])
-- eq(utils.getaddresses(
-- ['[]*-- =~$']),
-- [('', ''), ('', ''), ('', '*--')])
-- eq(utils.getaddresses(
-- ['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
-- [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
-+ for addresses, expected in (
-+ (['"Sürname, Firstname" <to@example.com>'],
-+ [('Sürname, Firstname', 'to@example.com')]),
-+
-+ (['foo: ;'],
-+ [('', '')]),
-+
-+ (['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>'],
-+ [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]),
-+
-+ ([r'Pete(A nice \) chap) <pete(his account)@silly.test(his host)>'],
-+ [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]),
-+
-+ (['(Empty list)(start)Undisclosed recipients :(nobody(I know))'],
-+ [('', '')]),
-+
-+ (['Mary <@machine.tld:mary@example.net>, , jdoe@test . example'],
-+ [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]),
-+
-+ (['John Doe <jdoe@machine(comment). example>'],
-+ [('John Doe (comment)', 'jdoe@machine.example')]),
-+
-+ (['"Mary Smith: Personal Account" <smith@home.example>'],
-+ [('Mary Smith: Personal Account', 'smith@home.example')]),
-+
-+ (['Undisclosed recipients:;'],
-+ [('', '')]),
-+
-+ ([r'<boss@nil.test>, "Giant; \"Big\" Box" <bob@example.net>'],
-+ [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]),
-+ ):
-+ with self.subTest(addresses=addresses):
-+ self.assertEqual(utils.getaddresses(addresses),
-+ expected)
-+ self.assertEqual(utils.getaddresses(addresses, strict=False),
-+ expected)
-+
-+ addresses = ['[]*-- =~$']
-+ self.assertEqual(utils.getaddresses(addresses),
-+ [('', '')])
-+ self.assertEqual(utils.getaddresses(addresses, strict=False),
-+ [('', ''), ('', ''), ('', '*--')])
-
- def test_getaddresses_embedded_comment(self):
- """Test proper handling of a nested comment"""
-@@ -3485,6 +3625,54 @@ multipart/report
- m = cls(*constructor, policy=email.policy.default)
- self.assertIs(m.policy, email.policy.default)
-
-+ def test_iter_escaped_chars(self):
-+ self.assertEqual(list(utils._iter_escaped_chars(r'a\\b\"c\\"d')),
-+ [(0, 'a'),
-+ (2, '\\\\'),
-+ (3, 'b'),
-+ (5, '\\"'),
-+ (6, 'c'),
-+ (8, '\\\\'),
-+ (9, '"'),
-+ (10, 'd')])
-+ self.assertEqual(list(utils._iter_escaped_chars('a\\')),
-+ [(0, 'a'), (1, '\\')])
-+
-+ def test_strip_quoted_realnames(self):
-+ def check(addr, expected):
-+ self.assertEqual(utils._strip_quoted_realnames(addr), expected)
-+
-+ check('"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>',
-+ ' <jane@example.net>, <john@example.net>')
-+ check(r'"Jane \"Doe\"." <jane@example.net>',
-+ ' <jane@example.net>')
-+
-+ # special cases
-+ check(r'before"name"after', 'beforeafter')
-+ check(r'before"name"', 'before')
-+ check(r'b"name"', 'b') # single char
-+ check(r'"name"after', 'after')
-+ check(r'"name"a', 'a') # single char
-+ check(r'"name"', '')
-+
-+ # no change
-+ for addr in (
-+ 'Jane Doe <jane@example.net>, John Doe <john@example.net>',
-+ 'lone " quote',
-+ ):
-+ self.assertEqual(utils._strip_quoted_realnames(addr), addr)
-+
-+
-+ def test_check_parenthesis(self):
-+ addr = 'alice@example.net'
-+ self.assertTrue(utils._check_parenthesis(f'{addr} (Alice)'))
-+ self.assertFalse(utils._check_parenthesis(f'{addr} )Alice('))
-+ self.assertFalse(utils._check_parenthesis(f'{addr} (Alice))'))
-+ self.assertFalse(utils._check_parenthesis(f'{addr} ((Alice)'))
-+
-+ # Ignore real name between quotes
-+ self.assertTrue(utils._check_parenthesis(f'")Alice((" {addr}'))
-+
-
- # Test the iterator/generators
- class TestIterators(TestEmailBase):
-diff --git a/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
-new file mode 100644
-index 0000000..3d0e9e4
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
-@@ -0,0 +1,8 @@
-+:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now
-+return ``('', '')`` 2-tuples in more situations where invalid email
-+addresses are encountered instead of potentially inaccurate values. Add
-+optional *strict* parameter to these two functions: use ``strict=False`` to
-+get the old behavior, accept malformed inputs.
-+``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check
-+if the *strict* paramater is available. Patch by Thomas Dwyer and Victor
-+Stinner to improve the CVE-2023-27043 fix.
---
-2.25.1
-
diff --git a/meta/recipes-devtools/python/python3/CVE-2024-6232.patch b/meta/recipes-devtools/python/python3/CVE-2024-6232.patch
deleted file mode 100644
index 874cbfe40c..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2024-6232.patch
+++ /dev/null
@@ -1,251 +0,0 @@
-From 3a22dc1079be5a75750d24dc6992956e7b84b5a0 Mon Sep 17 00:00:00 2001
-From: Seth Michael Larson <seth@python.org>
-Date: Tue, 3 Sep 2024 10:07:53 -0500
-Subject: [PATCH 2/2] [3.10] gh-121285: Remove backtracking when parsing
- tarfile headers (GH-121286) (#123640)
-
-* Remove backtracking when parsing tarfile headers
-* Rewrite PAX header parsing to be stricter
-* Optimize parsing of GNU extended sparse headers v0.0
-
-(cherry picked from commit 34ddb64d088dd7ccc321f6103d23153256caa5d4)
-
-Upstream-Status: Backport from https://github.com/python/cpython/commit/743acbe872485dc18df4d8ab2dc7895187f062c4
-CVE: CVE-2024-6232
-
-Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
-Co-authored-by: Gregory P. Smith <greg@krypto.org>
-Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
----
- Lib/tarfile.py | 105 +++++++++++-------
- Lib/test/test_tarfile.py | 42 +++++++
- ...-07-02-13-39-20.gh-issue-121285.hrl-yI.rst | 2 +
- 3 files changed, 111 insertions(+), 38 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst
-
-diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index 495349f08f9..3ab6811d633 100755
---- a/Lib/tarfile.py
-+++ b/Lib/tarfile.py
-@@ -841,6 +841,9 @@ def data_filter(member, dest_path):
- # Sentinel for replace() defaults, meaning "don't change the attribute"
- _KEEP = object()
-
-+# Header length is digits followed by a space.
-+_header_length_prefix_re = re.compile(br"([0-9]{1,20}) ")
-+
- class TarInfo(object):
- """Informational class which holds the details about an
- archive member given by a tar header block.
-@@ -1410,41 +1413,59 @@ def _proc_pax(self, tarfile):
- else:
- pax_headers = tarfile.pax_headers.copy()
-
-- # Check if the pax header contains a hdrcharset field. This tells us
-- # the encoding of the path, linkpath, uname and gname fields. Normally,
-- # these fields are UTF-8 encoded but since POSIX.1-2008 tar
-- # implementations are allowed to store them as raw binary strings if
-- # the translation to UTF-8 fails.
-- match = re.search(br"\d+ hdrcharset=([^\n]+)\n", buf)
-- if match is not None:
-- pax_headers["hdrcharset"] = match.group(1).decode("utf-8")
--
-- # For the time being, we don't care about anything other than "BINARY".
-- # The only other value that is currently allowed by the standard is
-- # "ISO-IR 10646 2000 UTF-8" in other words UTF-8.
-- hdrcharset = pax_headers.get("hdrcharset")
-- if hdrcharset == "BINARY":
-- encoding = tarfile.encoding
-- else:
-- encoding = "utf-8"
--
- # Parse pax header information. A record looks like that:
- # "%d %s=%s\n" % (length, keyword, value). length is the size
- # of the complete record including the length field itself and
-- # the newline. keyword and value are both UTF-8 encoded strings.
-- regex = re.compile(br"(\d+) ([^=]+)=")
-+ # the newline.
- pos = 0
-- while True:
-- match = regex.match(buf, pos)
-- if not match:
-- break
-+ encoding = None
-+ raw_headers = []
-+ while len(buf) > pos and buf[pos] != 0x00:
-+ if not (match := _header_length_prefix_re.match(buf, pos)):
-+ raise InvalidHeaderError("invalid header")
-+ try:
-+ length = int(match.group(1))
-+ except ValueError:
-+ raise InvalidHeaderError("invalid header")
-+ # Headers must be at least 5 bytes, shortest being '5 x=\n'.
-+ # Value is allowed to be empty.
-+ if length < 5:
-+ raise InvalidHeaderError("invalid header")
-+ if pos + length > len(buf):
-+ raise InvalidHeaderError("invalid header")
-
-- length, keyword = match.groups()
-- length = int(length)
-- if length == 0:
-+ header_value_end_offset = match.start(1) + length - 1 # Last byte of the header
-+ keyword_and_value = buf[match.end(1) + 1:header_value_end_offset]
-+ raw_keyword, equals, raw_value = keyword_and_value.partition(b"=")
-+
-+ # Check the framing of the header. The last character must be '\n' (0x0A)
-+ if not raw_keyword or equals != b"=" or buf[header_value_end_offset] != 0x0A:
- raise InvalidHeaderError("invalid header")
-- value = buf[match.end(2) + 1:match.start(1) + length - 1]
-+ raw_headers.append((length, raw_keyword, raw_value))
-+
-+ # Check if the pax header contains a hdrcharset field. This tells us
-+ # the encoding of the path, linkpath, uname and gname fields. Normally,
-+ # these fields are UTF-8 encoded but since POSIX.1-2008 tar
-+ # implementations are allowed to store them as raw binary strings if
-+ # the translation to UTF-8 fails. For the time being, we don't care about
-+ # anything other than "BINARY". The only other value that is currently
-+ # allowed by the standard is "ISO-IR 10646 2000 UTF-8" in other words UTF-8.
-+ # Note that we only follow the initial 'hdrcharset' setting to preserve
-+ # the initial behavior of the 'tarfile' module.
-+ if raw_keyword == b"hdrcharset" and encoding is None:
-+ if raw_value == b"BINARY":
-+ encoding = tarfile.encoding
-+ else: # This branch ensures only the first 'hdrcharset' header is used.
-+ encoding = "utf-8"
-+
-+ pos += length
-
-+ # If no explicit hdrcharset is set, we use UTF-8 as a default.
-+ if encoding is None:
-+ encoding = "utf-8"
-+
-+ # After parsing the raw headers we can decode them to text.
-+ for length, raw_keyword, raw_value in raw_headers:
- # Normally, we could just use "utf-8" as the encoding and "strict"
- # as the error handler, but we better not take the risk. For
- # example, GNU tar <= 1.23 is known to store filenames it cannot
-@@ -1452,17 +1473,16 @@ def _proc_pax(self, tarfile):
- # hdrcharset=BINARY header).
- # We first try the strict standard encoding, and if that fails we
- # fall back on the user's encoding and error handler.
-- keyword = self._decode_pax_field(keyword, "utf-8", "utf-8",
-+ keyword = self._decode_pax_field(raw_keyword, "utf-8", "utf-8",
- tarfile.errors)
- if keyword in PAX_NAME_FIELDS:
-- value = self._decode_pax_field(value, encoding, tarfile.encoding,
-+ value = self._decode_pax_field(raw_value, encoding, tarfile.encoding,
- tarfile.errors)
- else:
-- value = self._decode_pax_field(value, "utf-8", "utf-8",
-+ value = self._decode_pax_field(raw_value, "utf-8", "utf-8",
- tarfile.errors)
-
- pax_headers[keyword] = value
-- pos += length
-
- # Fetch the next header.
- try:
-@@ -1477,7 +1497,7 @@ def _proc_pax(self, tarfile):
-
- elif "GNU.sparse.size" in pax_headers:
- # GNU extended sparse format version 0.0.
-- self._proc_gnusparse_00(next, pax_headers, buf)
-+ self._proc_gnusparse_00(next, raw_headers)
-
- elif pax_headers.get("GNU.sparse.major") == "1" and pax_headers.get("GNU.sparse.minor") == "0":
- # GNU extended sparse format version 1.0.
-@@ -1499,15 +1519,24 @@ def _proc_pax(self, tarfile):
-
- return next
-
-- def _proc_gnusparse_00(self, next, pax_headers, buf):
-+ def _proc_gnusparse_00(self, next, raw_headers):
- """Process a GNU tar extended sparse header, version 0.0.
- """
- offsets = []
-- for match in re.finditer(br"\d+ GNU.sparse.offset=(\d+)\n", buf):
-- offsets.append(int(match.group(1)))
- numbytes = []
-- for match in re.finditer(br"\d+ GNU.sparse.numbytes=(\d+)\n", buf):
-- numbytes.append(int(match.group(1)))
-+ for _, keyword, value in raw_headers:
-+ if keyword == b"GNU.sparse.offset":
-+ try:
-+ offsets.append(int(value.decode()))
-+ except ValueError:
-+ raise InvalidHeaderError("invalid header")
-+
-+ elif keyword == b"GNU.sparse.numbytes":
-+ try:
-+ numbytes.append(int(value.decode()))
-+ except ValueError:
-+ raise InvalidHeaderError("invalid header")
-+
- next.sparse = list(zip(offsets, numbytes))
-
- def _proc_gnusparse_01(self, next, pax_headers):
-diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
-index cfc13bccb20..007c3e94acb 100644
---- a/Lib/test/test_tarfile.py
-+++ b/Lib/test/test_tarfile.py
-@@ -1139,6 +1139,48 @@ def test_pax_number_fields(self):
- finally:
- tar.close()
-
-+ def test_pax_header_bad_formats(self):
-+ # The fields from the pax header have priority over the
-+ # TarInfo.
-+ pax_header_replacements = (
-+ b" foo=bar\n",
-+ b"0 \n",
-+ b"1 \n",
-+ b"2 \n",
-+ b"3 =\n",
-+ b"4 =a\n",
-+ b"1000000 foo=bar\n",
-+ b"0 foo=bar\n",
-+ b"-12 foo=bar\n",
-+ b"000000000000000000000000036 foo=bar\n",
-+ )
-+ pax_headers = {"foo": "bar"}
-+
-+ for replacement in pax_header_replacements:
-+ with self.subTest(header=replacement):
-+ tar = tarfile.open(tmpname, "w", format=tarfile.PAX_FORMAT,
-+ encoding="iso8859-1")
-+ try:
-+ t = tarfile.TarInfo()
-+ t.name = "pax" # non-ASCII
-+ t.uid = 1
-+ t.pax_headers = pax_headers
-+ tar.addfile(t)
-+ finally:
-+ tar.close()
-+
-+ with open(tmpname, "rb") as f:
-+ data = f.read()
-+ self.assertIn(b"11 foo=bar\n", data)
-+ data = data.replace(b"11 foo=bar\n", replacement)
-+
-+ with open(tmpname, "wb") as f:
-+ f.truncate()
-+ f.write(data)
-+
-+ with self.assertRaisesRegex(tarfile.ReadError, r"method tar: ReadError\('invalid header'\)"):
-+ tarfile.open(tmpname, encoding="iso8859-1")
-+
-
- class WriteTestBase(TarTest):
- # Put all write tests in here that are supposed to be tested
-diff --git a/Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst b/Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst
-new file mode 100644
-index 00000000000..81f918bfe2b
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst
-@@ -0,0 +1,2 @@
-+Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and
-+GNU sparse headers.
---
-2.46.0
-
diff --git a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
deleted file mode 100644
index 7303a41e20..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From 3c15b8437f57fe1027171b34af88bf791cf1868c Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Wed, 4 Sep 2024 17:50:36 +0200
-Subject: [PATCH 1/2] [3.10] gh-123067: Fix quadratic complexity in parsing
- "-quoted cookie values with backslashes (GH-123075) (#123106)
-
-This fixes CVE-2024-7592.
-(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)
-
-Upstream-Status: Backport from https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a
-CVE: CVE-2024-7592
-
-Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
-Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
----
- Lib/http/cookies.py | 34 ++++-------------
- Lib/test/test_http_cookies.py | 38 +++++++++++++++++++
- ...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 1 +
- 3 files changed, 47 insertions(+), 26 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-
-diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
-index 35ac2dc6ae2..2c1f021d0ab 100644
---- a/Lib/http/cookies.py
-+++ b/Lib/http/cookies.py
-@@ -184,8 +184,13 @@ def _quote(str):
- return '"' + str.translate(_Translator) + '"'
-
-
--_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
--_QuotePatt = re.compile(r"[\\].")
-+_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub
-+
-+def _unquote_replace(m):
-+ if m[1]:
-+ return chr(int(m[1], 8))
-+ else:
-+ return m[2]
-
- def _unquote(str):
- # If there aren't any doublequotes,
-@@ -205,30 +210,7 @@ def _unquote(str):
- # \012 --> \n
- # \" --> "
- #
-- i = 0
-- n = len(str)
-- res = []
-- while 0 <= i < n:
-- o_match = _OctalPatt.search(str, i)
-- q_match = _QuotePatt.search(str, i)
-- if not o_match and not q_match: # Neither matched
-- res.append(str[i:])
-- break
-- # else:
-- j = k = -1
-- if o_match:
-- j = o_match.start(0)
-- if q_match:
-- k = q_match.start(0)
-- if q_match and (not o_match or k < j): # QuotePatt matched
-- res.append(str[i:k])
-- res.append(str[k+1])
-- i = k + 2
-- else: # OctalPatt matched
-- res.append(str[i:j])
-- res.append(chr(int(str[j+1:j+4], 8)))
-- i = j + 4
-- return _nulljoin(res)
-+ return _unquote_sub(_unquote_replace, str)
-
- # The _getdate() routine is used to set the expiration time in the cookie's HTTP
- # header. By default, _getdate() returns the current time in the appropriate
-diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
-index 6072c7e15e9..644e75cd5b7 100644
---- a/Lib/test/test_http_cookies.py
-+++ b/Lib/test/test_http_cookies.py
-@@ -5,6 +5,7 @@
- import unittest
- from http import cookies
- import pickle
-+from test import support
-
-
- class CookieTests(unittest.TestCase):
-@@ -58,6 +59,43 @@ def test_basic(self):
- for k, v in sorted(case['dict'].items()):
- self.assertEqual(C[k].value, v)
-
-+ def test_unquote(self):
-+ cases = [
-+ (r'a="b=\""', 'b="'),
-+ (r'a="b=\\"', 'b=\\'),
-+ (r'a="b=\="', 'b=='),
-+ (r'a="b=\n"', 'b=n'),
-+ (r'a="b=\042"', 'b="'),
-+ (r'a="b=\134"', 'b=\\'),
-+ (r'a="b=\377"', 'b=\xff'),
-+ (r'a="b=\400"', 'b=400'),
-+ (r'a="b=\42"', 'b=42'),
-+ (r'a="b=\\042"', 'b=\\042'),
-+ (r'a="b=\\134"', 'b=\\134'),
-+ (r'a="b=\\\""', 'b=\\"'),
-+ (r'a="b=\\\042"', 'b=\\"'),
-+ (r'a="b=\134\""', 'b=\\"'),
-+ (r'a="b=\134\042"', 'b=\\"'),
-+ ]
-+ for encoded, decoded in cases:
-+ with self.subTest(encoded):
-+ C = cookies.SimpleCookie()
-+ C.load(encoded)
-+ self.assertEqual(C['a'].value, decoded)
-+
-+ @support.requires_resource('cpu')
-+ def test_unquote_large(self):
-+ n = 10**6
-+ for encoded in r'\\', r'\134':
-+ with self.subTest(encoded):
-+ data = 'a="b=' + encoded*n + ';"'
-+ C = cookies.SimpleCookie()
-+ C.load(data)
-+ value = C['a'].value
-+ self.assertEqual(value[:3], 'b=\\')
-+ self.assertEqual(value[-2:], '\\;')
-+ self.assertEqual(len(value), n + 3)
-+
- def test_load(self):
- C = cookies.SimpleCookie()
- C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
-diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-new file mode 100644
-index 00000000000..6a234561fe3
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-@@ -0,0 +1 @@
-+Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.
---
-2.46.0
-
diff --git a/meta/recipes-devtools/python/python3/CVE-2024-8088.patch b/meta/recipes-devtools/python/python3/CVE-2024-8088.patch
deleted file mode 100644
index 10d28a9e65..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2024-8088.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From e0264a61119d551658d9445af38323ba94fc16db Mon Sep 17 00:00:00 2001
-From: "Jason R. Coombs" <jaraco@jaraco.com>
-Date: Thu, 22 Aug 2024 19:24:33 -0400
-Subject: [PATCH] CVE-2024-8088: Sanitize names in zipfile.Path. (GH-122906)
-
-Upstream-Status: Backport from https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db
-CVE: CVE-2024-8088
-
-Signed-off-by: Rohini Sangam <rsangam@mvista.com>
----
- Lib/test/test_zipfile.py | 17 ++++++
- Lib/zipfile.py | 61 ++++++++++++++++++-
- 2 files changed, 77 insertions(+), 1 deletion(-)
-
-diff --git a/Lib/test/test_zipfile.py b/Lib/test/test_zipfile.py
-index 32c0170..a60dc11 100644
---- a/Lib/test/test_zipfile.py
-+++ b/Lib/test/test_zipfile.py
-@@ -3280,6 +3280,23 @@ with zipfile.ZipFile(io.BytesIO(), "w") as zf:
- zipfile.Path(zf)
- zf.extractall(source_path.parent)
-
-+ def test_malformed_paths(self):
-+ """
-+ Path should handle malformed paths.
-+ """
-+ data = io.BytesIO()
-+ zf = zipfile.ZipFile(data, "w")
-+ zf.writestr("/one-slash.txt", b"content")
-+ zf.writestr("//two-slash.txt", b"content")
-+ zf.writestr("../parent.txt", b"content")
-+ zf.filename = ''
-+ root = zipfile.Path(zf)
-+ assert list(map(str, root.iterdir())) == [
-+ 'one-slash.txt',
-+ 'two-slash.txt',
-+ 'parent.txt',
-+ ]
-+
-
- class StripExtraTests(unittest.TestCase):
- # Note: all of the "z" characters are technically invalid, but up
-diff --git a/Lib/zipfile.py b/Lib/zipfile.py
-index 7d18bc2..cbac8d9 100644
---- a/Lib/zipfile.py
-+++ b/Lib/zipfile.py
-@@ -9,6 +9,7 @@ import io
- import itertools
- import os
- import posixpath
-+import re
- import shutil
- import stat
- import struct
-@@ -2182,7 +2183,65 @@ def _difference(minuend, subtrahend):
- return itertools.filterfalse(set(subtrahend).__contains__, minuend)
-
-
--class CompleteDirs(ZipFile):
-+class SanitizedNames:
-+ """
-+ ZipFile mix-in to ensure names are sanitized.
-+ """
-+
-+ def namelist(self):
-+ return list(map(self._sanitize, super().namelist()))
-+
-+ @staticmethod
-+ def _sanitize(name):
-+ r"""
-+ Ensure a relative path with posix separators and no dot names.
-+ Modeled after
-+ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
-+ but provides consistent cross-platform behavior.
-+ >>> san = SanitizedNames._sanitize
-+ >>> san('/foo/bar')
-+ 'foo/bar'
-+ >>> san('//foo.txt')
-+ 'foo.txt'
-+ >>> san('foo/.././bar.txt')
-+ 'foo/bar.txt'
-+ >>> san('foo../.bar.txt')
-+ 'foo../.bar.txt'
-+ >>> san('\\foo\\bar.txt')
-+ 'foo/bar.txt'
-+ >>> san('D:\\foo.txt')
-+ 'D/foo.txt'
-+ >>> san('\\\\server\\share\\file.txt')
-+ 'server/share/file.txt'
-+ >>> san('\\\\?\\GLOBALROOT\\Volume3')
-+ '?/GLOBALROOT/Volume3'
-+ >>> san('\\\\.\\PhysicalDrive1\\root')
-+ 'PhysicalDrive1/root'
-+ Retain any trailing slash.
-+ >>> san('abc/')
-+ 'abc/'
-+ Raises a ValueError if the result is empty.
-+ >>> san('../..')
-+ Traceback (most recent call last):
-+ ...
-+ ValueError: Empty filename
-+ """
-+
-+ def allowed(part):
-+ return part and part not in {'..', '.'}
-+
-+ # Remove the drive letter.
-+ # Don't use ntpath.splitdrive, because that also strips UNC paths
-+ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
-+ clean = bare.replace('\\', '/')
-+ parts = clean.split('/')
-+ joined = '/'.join(filter(allowed, parts))
-+ if not joined:
-+ raise ValueError("Empty filename")
-+ return joined + '/' * name.endswith('/')
-+
-+
-+class CompleteDirs(SanitizedNames, ZipFile):
- """
- A ZipFile subclass that ensures that implied directories
- are always included in the namelist.
---
-2.35.7
-
diff --git a/meta/recipes-devtools/python/python3_3.10.14.bb b/meta/recipes-devtools/python/python3_3.10.15.bb
similarity index 98%
rename from meta/recipes-devtools/python/python3_3.10.14.bb
rename to meta/recipes-devtools/python/python3_3.10.15.bb
index 8f6a15701f..4157b8cb83 100644
--- a/meta/recipes-devtools/python/python3_3.10.14.bb
+++ b/meta/recipes-devtools/python/python3_3.10.15.bb
@@ -36,10 +36,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://deterministic_imports.patch \
file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
file://0001-test_storlines-skip-due-to-load-variability.patch \
- file://CVE-2024-8088.patch \
- file://CVE-2024-7592.patch \
- file://CVE-2024-6232.patch \
- file://CVE-2023-27043.patch \
"
SRC_URI:append:class-native = " \
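Review bot: the four `file://CVE-*.patch` entries dropped from SRC_URI in this hunk are only safe to remove if the 3.10.15 tarball already carries each fix, and the recipe change itself does not demonstrate that. The deleted patch headers name the upstream commits to check against (743acbe8724 for CVE-2024-6232, b2f11ca7667 for CVE-2024-7592, e0264a61119 for CVE-2024-8088). The tests those backports added should also pass on the upgraded build: test_pax_header_bad_formats, test_unquote and test_unquote_large, test_malformed_paths, and the email.utils tests from the CVE-2023-27043 patch. test_unquote_large is gated by `@support.requires_resource('cpu')`, so it only runs when that resource is enabled.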
@@ -48,7 +44,7 @@ SRC_URI:append:class-native = " \
file://12-distutils-prefix-is-inside-staging-area.patch \
file://0001-Don-t-search-system-for-headers-libraries.patch \
"
-SRC_URI[sha256sum] = "9c50481faa8c2832329ba0fc8868d0a606a680fc4f60ec48d26ce8e076751fda"
+SRC_URI[sha256sum] = "aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79"
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
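Review bot: the `SRC_URI[sha256sum]` change is the only integrity control on the new tarball, because the SRC_URI shown in the preceding hunk header still fetches over plain `http://www.python.org/ftp/python/`. Please confirm the new value was computed from a copy checked against the upstream release's published signature or checksum, not from whatever the fetcher downloaded, and consider moving the URL to https in a follow-up.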
--
2.34.1
* [OE-core][kirkstone 07/15] busybox: Fix cut with "-s" flag
2024-09-23 13:13 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (5 preceding siblings ...)
2024-09-23 13:13 ` [OE-core][kirkstone 06/15] python3: Upgrade 3.10.14 -> 3.10.15 Steve Sakoman
@ 2024-09-23 13:13 ` Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 08/15] udev-extraconf: Add collect flag to mount Steve Sakoman
` (7 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Colin McAllister <colinmca242@gmail.com>
This fixes an issue that allows blank lines to be incorrectly output
when the "-s" flag is included. This issue propagates into the
populate-volatile.sh script in initscripts. If a volatiles drop file
contains blank lines, a blank line will be included in combined users,
which will incorrectly result in a difference in the number of combined
users versus defined users. If this happens, the volatiles file will not
be executed.
(From OE-Core rev: dfbcf0581ab3dd47037726a7b8aa06f777792473)
Signed-off-by: Colin McAllister <colinmca242@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...1-cut-Fix-s-flag-to-omit-blank-lines.patch | 66 +++++++++++++++++++
meta/recipes-core/busybox/busybox_1.35.0.bb | 1 +
2 files changed, 67 insertions(+)
create mode 100644 meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch
diff --git a/meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch b/meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch
new file mode 100644
index 0000000000..a0a8607b23
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch
@@ -0,0 +1,66 @@
+From 199606e960942c29fd8085be812edd3d3697825c Mon Sep 17 00:00:00 2001
+From: Colin McAllister <colinmca242@gmail.com>
+Date: Wed, 17 Jul 2024 07:58:52 -0500
+Subject: [PATCH 1/1] cut: Fix "-s" flag to omit blank lines
+
+Using cut with the delimiter flag ("-d") with the "-s" flag to only
+output lines containing the delimiter will print blank lines. This is
+deviant behavior from cut provided by GNU Coreutils. Blank lines should
+be omitted if "-s" is used with "-d".
+
+This change introduces a somewhat naiive, yet efficient solution, where
+line length is checked before looping though bytes. If line length is
+zero and the "-s" flag is used, the code will jump to parsing the next
+line to avoid printing a newline character.
+
+In addition, a test to cut.tests has been added to ensure that this
+regression is fixed and will not happen again in the future.
+
+Upstream-Status: Submitted [http://lists.busybox.net/pipermail/busybox/2024-July/090834.html]
+
+Signed-off-by: Colin McAllister <colinmca242@gmail.com>
+---
+ coreutils/cut.c | 6 ++++++
+ testsuite/cut.tests | 9 +++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/coreutils/cut.c b/coreutils/cut.c
+index 55bdd9386..b7f986f26 100644
+--- a/coreutils/cut.c
++++ b/coreutils/cut.c
+@@ -152,6 +152,12 @@ static void cut_file(FILE *file, const char *delim, const char *odelim,
+ unsigned uu = 0, start = 0, end = 0, out = 0;
+ int dcount = 0;
+
++ /* Blank line? */
++ if (!linelen) {
++ if (option_mask32 & CUT_OPT_SUPPRESS_FLGS)
++ goto next_line;
++ }
++
+ /* Loop through bytes, finding next delimiter */
+ for (;;) {
+ /* End of current range? */
+diff --git a/testsuite/cut.tests b/testsuite/cut.tests
+index 2458c019c..0b401bc00 100755
+--- a/testsuite/cut.tests
++++ b/testsuite/cut.tests
+@@ -65,6 +65,15 @@ testing "cut with -d -f( ) -s" "cut -d' ' -f3 -s input && echo yes" "yes\n" "$in
+ testing "cut with -d -f(a) -s" "cut -da -f3 -s input" "n\nsium:Jim\n\ncion:Ed\n" "$input" ""
+ testing "cut with -d -f(a) -s -n" "cut -da -f3 -s -n input" "n\nsium:Jim\n\ncion:Ed\n" "$input" ""
+
++input="\
++
++foo bar baz
++
++bing bong boop
++
++"
++testing "cut with -d -s omits blank lines" "cut -d' ' -f2 -s input" "bar\nbong\n" "$input" ""
++
+ # substitute for awk
+ optional FEATURE_CUT_REGEX
+ testing "cut -DF" "cut -DF 2,7,5" \
+--
+2.43.0
+
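Review bot: in the cut_file() hunk the blank-line check nests two ifs where one condition reads better, e.g. `if (!linelen && (option_mask32 & CUT_OPT_SUPPRESS_FLGS)) goto next_line;`. The jump target next_line is not shown in the hunk, so please confirm that path still releases the line buffer for the skipped line. The patch is marked Upstream-Status: Submitted, so it should be re-checked against whatever busybox finally merges.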
diff --git a/meta/recipes-core/busybox/busybox_1.35.0.bb b/meta/recipes-core/busybox/busybox_1.35.0.bb
index dbcefbb274..6bffbbb5a8 100644
--- a/meta/recipes-core/busybox/busybox_1.35.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.35.0.bb
@@ -57,6 +57,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://CVE-2023-42364_42365-1.patch \
file://CVE-2023-42364_42365-2.patch \
file://CVE-2023-42366.patch \
+ file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
"
SRC_URI:append:libc-musl = " file://musl.cfg "
--
2.34.1
* [OE-core][kirkstone 08/15] udev-extraconf: Add collect flag to mount
2024-09-23 13:13 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (6 preceding siblings ...)
2024-09-23 13:13 ` [OE-core][kirkstone 07/15] busybox: Fix cut with "-s" flag Steve Sakoman
@ 2024-09-23 13:13 ` Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 09/15] buildhistory: Fix intermittent package file list creation Steve Sakoman
` (6 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Colin McAllister <colinmca242@gmail.com>
Adds extra "--collect" flag to the mount command within
automount_systemd. This is intended to fix an observed deadlock after
rapidly inserting and removing external media. This is because if the
mount command fails, the transient mount will enter a failed state. The
next time the media is inserted, automount_systemd bails because the
first condition finds that the file path for the failed transient mount
still exists. This leaves the external media unmounted and cannot be
mounted until the mount is fixed via systemctl or the device is
rebooted.
Adding "--collect" ensures that the transient mount is cleaned up after
entering a failed state, which ensures that the media can still be
mounted when it's re-inserted.
(From OE-Core rev: f0cda74d73eb8c14cd6f695f514108f1e94984a6)
Signed-off-by: Colin McAllister <colinmca242@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/udev/udev-extraconf/mount.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/udev/udev-extraconf/mount.sh b/meta/recipes-core/udev/udev-extraconf/mount.sh
index b7e86dbc0e..a87619b181 100644
--- a/meta/recipes-core/udev/udev-extraconf/mount.sh
+++ b/meta/recipes-core/udev/udev-extraconf/mount.sh
@@ -83,7 +83,7 @@ automount_systemd() {
;;
esac
- if ! $MOUNT --no-block -t auto $DEVNAME "$MOUNT_BASE/$name"
+ if ! $MOUNT --collect --no-block -t auto $DEVNAME "$MOUNT_BASE/$name"
then
#logger "mount.sh/automount" "$MOUNT -t auto $DEVNAME \"$MOUNT_BASE/$name\" failed!"
rm_dir "$MOUNT_BASE/$name"
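Review bot: `$DEVNAME` is still unquoted on the changed mount line while `"$MOUNT_BASE/$name"` is quoted; since the line is being touched anyway, quote it so a device name cannot be word-split or glob-expanded. The commented-out logger line below it also does not mention `--collect`, so anyone re-enabling it to debug a failed mount will log a command that differs from the one actually run.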
--
2.34.1
* [OE-core][kirkstone 09/15] buildhistory: Fix intermittent package file list creation
2024-09-23 13:13 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (7 preceding siblings ...)
2024-09-23 13:13 ` [OE-core][kirkstone 08/15] udev-extraconf: Add collect flag to mount Steve Sakoman
@ 2024-09-23 13:13 ` Steve Sakoman
2024-09-27 23:03 ` [kirkstone " atharvanandanwar
2024-09-23 13:13 ` [OE-core][kirkstone 10/15] buildhistory: Restoring files from preserve list Steve Sakoman
` (5 subsequent siblings)
14 siblings, 1 reply; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Pedro Ferreira <pedro.silva.ferreira@criticaltechworks.com>
The directory that buildhistory_list_pkg_files writes to during do_package
is created by do_packagedata so a clean buildhistory doesn't have
files-in-package written during the first build since packagedata happens
after do_package.
Ensure the output package folder is created to avoid missing
files-in-package.txt files.
Also it ensures that in case `find` fails we leave with
a hard error instead of hiding the error in the for loop.
Signed-off-by: Pedro Silva Ferreira <Pedro.Silva.Ferreira@criticaltechworks.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8de9b8c1e199896b9a7bc5ed64967c6bfbf84bea)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/buildhistory.bbclass | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index 4345ffc693..b35508db27 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -597,15 +597,12 @@ buildhistory_list_files_no_owners() {
buildhistory_list_pkg_files() {
# Create individual files-in-package for each recipe's package
- for pkgdir in $(find ${PKGDEST}/* -maxdepth 0 -type d); do
+ pkgdirlist=$(find ${PKGDEST}/* -maxdepth 0 -type d)
+ for pkgdir in $pkgdirlist; do
pkgname=$(basename $pkgdir)
outfolder="${BUILDHISTORY_DIR_PACKAGE}/$pkgname"
outfile="$outfolder/files-in-package.txt"
- # Make sure the output folder exists so we can create the file
- if [ ! -d $outfolder ] ; then
- bbdebug 2 "Folder $outfolder does not exist, file $outfile not created"
- continue
- fi
+ mkdir -p $outfolder
buildhistory_list_files $pkgdir $outfile fakeroot
done
}
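Review bot: moving `find` into the `pkgdirlist=$(...)` assignment only turns a `find` failure into a hard error if this function runs under `set -e`, which the hunk does not show; a short comment saying so would stop someone folding it back into the `for` line. It also means that `find ${PKGDEST}/*` on an empty PKGDEST, where the glob stays literal and find exits non-zero, now fails the task instead of skipping the loop; is that intended? `mkdir -p $outfolder` and the `$pkgdir` uses should be quoted as well.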
--
2.34.1
* [OE-core][kirkstone 10/15] buildhistory: Restoring files from preserve list
2024-09-23 13:13 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (8 preceding siblings ...)
2024-09-23 13:13 ` [OE-core][kirkstone 09/15] buildhistory: Fix intermittent package file list creation Steve Sakoman
@ 2024-09-23 13:13 ` Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 11/15] buildhistory: Simplify intercept call sites and drop SSTATEPOSTINSTFUNC usage Steve Sakoman
` (4 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Pedro Ferreira <pedro.silva.ferreira@criticaltechworks.com>
This fix will ensure that, when we activate feature
`BUILDHISTORY_RESET`, files marked to keep on feature
`BUILDHISTORY_PRESERVE` will indeed exist in buildhistory
final path since they are moved to buildhistory/old but
not restored at any point.
Signed-off-by: Pedro Ferreira <Pedro.Silva.Ferreira@criticaltechworks.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9f68a45aa238ae5fcdfaca71ba0e7015e9cb720e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/buildhistory.bbclass | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index b35508db27..8adb44eba5 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -108,6 +108,7 @@ python buildhistory_emit_pkghistory() {
import json
import shlex
import errno
+ import shutil
pkghistdir = d.getVar('BUILDHISTORY_DIR_PACKAGE')
oldpkghistdir = d.getVar('BUILDHISTORY_OLD_DIR_PACKAGE')
@@ -221,6 +222,20 @@ python buildhistory_emit_pkghistory() {
items.sort()
return ' '.join(items)
+ def preservebuildhistoryfiles(pkg, preserve):
+ if os.path.exists(os.path.join(oldpkghistdir, pkg)):
+ listofobjs = os.listdir(os.path.join(oldpkghistdir, pkg))
+ for obj in listofobjs:
+ if obj not in preserve:
+ continue
+ try:
+ bb.utils.mkdirhier(os.path.join(pkghistdir, pkg))
+ shutil.copyfile(os.path.join(oldpkghistdir, pkg, obj), os.path.join(pkghistdir, pkg, obj))
+ except IOError as e:
+ bb.note("Unable to copy file. %s" % e)
+ except EnvironmentError as e:
+ bb.note("Unable to copy file. %s" % e)
+
pn = d.getVar('PN')
pe = d.getVar('PE') or "0"
pv = d.getVar('PV')
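Review bot: In preservebuildhistoryfiles(), `except IOError` and `except EnvironmentError` name the same class in Python 3 (both are aliases of OSError), so the second handler can never run; a single `except OSError as e:` covers it. The failure is reported only with bb.note, so a file on the preserve list that could not be restored is silently missing from the new history; bb.warn would make that visible. The bb.utils.mkdirhier() call does not depend on obj and can move out of the loop. Since shutil.copyfile only handles regular files, a directory named in preserve ends up in the except path rather than being restored.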
@@ -248,6 +263,14 @@ python buildhistory_emit_pkghistory() {
if not os.path.exists(pkghistdir):
bb.utils.mkdirhier(pkghistdir)
else:
+ # We need to make sure that all files kept in
+ # buildhistory/old are restored successfully
+ # otherwise next block of code wont have files to
+ # check and purge
+ if d.getVar("BUILDHISTORY_RESET"):
+ for pkg in packagelist:
+ preservebuildhistoryfiles(pkg, preserve)
+
# Remove files for packages that no longer exist
for item in os.listdir(pkghistdir):
if item not in preserve:
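Review bot: The new `if d.getVar("BUILDHISTORY_RESET"):` test is plain string truthiness, so any non-empty value, including "0", enables the restore; if the variable is meant as a boolean switch, bb.utils.to_boolean or a comparison against the expected value would be safer. Minor: "wont" in the added comment should be "won't".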
--
2.34.1
* [OE-core][kirkstone 11/15] buildhistory: Simplify intercept call sites and drop SSTATEPOSTINSTFUNC usage
2024-09-23 13:13 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (9 preceding siblings ...)
2024-09-23 13:13 ` [OE-core][kirkstone 10/15] buildhistory: Restoring files from preserve list Steve Sakoman
@ 2024-09-23 13:13 ` Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 12/15] runqemu: keep generating tap devices Steve Sakoman
` (3 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
We planned to drop SSTATEPOSTINSTFUNC some time ago with the introduction of
postfuncs. Finally get around to doing that which should make the buildhistory
code a little more readable.
Unfortunately ordering the buildhistory function calls after the sstate ones is
difficult without coding that into the sstate class. This patch does that to
ensure everything functions as expected until we can find a better way. This is
still likely preferable to the generic sstate postfuncs support since the function
flow is much more readable.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c9e2a8fa2f0305ef1247ec405555612326f798f8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/buildhistory.bbclass | 39 +++++++++++++++----------------
meta/classes/sstate.bbclass | 5 +++-
2 files changed, 23 insertions(+), 21 deletions(-)
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index 8adb44eba5..83993f5752 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -45,11 +45,18 @@ BUILDHISTORY_PUSH_REPO ?= ""
BUILDHISTORY_TAG ?= "build"
BUILDHISTORY_PATH_PREFIX_STRIP ?= ""
-SSTATEPOSTINSTFUNCS:append = " buildhistory_emit_pkghistory"
-# We want to avoid influencing the signatures of sstate tasks - first the function itself:
-sstate_install[vardepsexclude] += "buildhistory_emit_pkghistory"
-# then the value added to SSTATEPOSTINSTFUNCS:
-SSTATEPOSTINSTFUNCS[vardepvalueexclude] .= "| buildhistory_emit_pkghistory"
+# We want to avoid influencing the signatures of the task so use vardepsexclude
+do_populate_sysroot[postfuncs] += "buildhistory_emit_sysroot"
+do_populate_sysroot_setscene[postfuncs] += "buildhistory_emit_sysroot"
+do_populate_sysroot[vardepsexclude] += "buildhistory_emit_sysroot"
+
+do_package[postfuncs] += "buildhistory_list_pkg_files"
+do_package_setscene[postfuncs] += "buildhistory_list_pkg_files"
+do_package[vardepsexclude] += "buildhistory_list_pkg_files"
+
+do_packagedata[postfuncs] += "buildhistory_emit_pkghistory"
+do_packagedata_setscene[postfuncs] += "buildhistory_emit_pkghistory"
+do_packagedata[vardepsexclude] += "buildhistory_emit_pkghistory"
# Similarly for our function that gets the output signatures
SSTATEPOSTUNPACKFUNCS:append = " buildhistory_emit_outputsigs"
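Review bot: Each of the three blocks adds the buildhistory postfunc to both the task and its _setscene variant, but vardepsexclude is set only on the non-setscene task (do_populate_sysroot, do_package, do_packagedata). If that is intentional, a line in the comment saying so would help; otherwise the _setscene tasks need the same exclusion. The removed lines also excluded the appended value itself through vardepvalueexclude, and nothing here does the equivalent for the postfuncs flag, so please confirm the task signatures are unchanged with buildhistory inherited.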
@@ -89,27 +96,15 @@ buildhistory_emit_sysroot() {
# Write out metadata about this package for comparison when writing future packages
#
python buildhistory_emit_pkghistory() {
- if d.getVar('BB_CURRENTTASK') in ['populate_sysroot', 'populate_sysroot_setscene']:
- bb.build.exec_func("buildhistory_emit_sysroot", d)
- return 0
-
- if not "package" in (d.getVar('BUILDHISTORY_FEATURES') or "").split():
- return 0
-
- if d.getVar('BB_CURRENTTASK') in ['package', 'package_setscene']:
- # Create files-in-<package-name>.txt files containing a list of files of each recipe's package
- bb.build.exec_func("buildhistory_list_pkg_files", d)
- return 0
-
- if not d.getVar('BB_CURRENTTASK') in ['packagedata', 'packagedata_setscene']:
- return 0
-
import re
import json
import shlex
import errno
import shutil
+ if not "package" in (d.getVar('BUILDHISTORY_FEATURES') or "").split():
+ return 0
+
pkghistdir = d.getVar('BUILDHISTORY_DIR_PACKAGE')
oldpkghistdir = d.getVar('BUILDHISTORY_OLD_DIR_PACKAGE')
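Review bot: With the BB_CURRENTTASK dispatch removed, the only gate left in buildhistory_emit_pkghistory() is the BUILDHISTORY_FEATURES check, written as `if not "package" in (...)`; `"package" not in (...)` is the idiomatic form. The function now relies entirely on being attached to do_packagedata through postfuncs, so a short comment above `python buildhistory_emit_pkghistory()` naming the tasks that call it would replace what the deleted branches used to document.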
@@ -619,6 +614,10 @@ buildhistory_list_files_no_owners() {
}
buildhistory_list_pkg_files() {
+ if [ "${@bb.utils.contains('BUILDHISTORY_FEATURES', 'package', '1', '0', d)}" = "0" ] ; then
+ return
+ fi
+
# Create individual files-in-package for each recipe's package
pkgdirlist=$(find ${PKGDEST}/* -maxdepth 0 -type d)
for pkgdir in $pkgdirlist; do
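Review bot: The 'package' feature gate now exists twice, here as inline Python inside a shell test and in buildhistory_emit_pkghistory() as a Python check, where the old dispatcher evaluated it once for both paths. A one-line comment on this guard pointing at the other copy would help keep the two in step. buildhistory_emit_sysroot ran before that check in the old code and still has no gate, which looks intended but is worth confirming.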
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index dd6cf12920..91d42665c1 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -156,7 +156,10 @@ python () {
d.setVar('SSTATETASKS', " ".join(unique_tasks))
for task in unique_tasks:
d.prependVarFlag(task, 'prefuncs', "sstate_task_prefunc ")
- d.appendVarFlag(task, 'postfuncs', " sstate_task_postfunc")
+ # Generally sstate should be last, execpt for buildhistory functions
+ postfuncs = (d.getVarFlag(task, 'postfuncs') or "").split()
+ newpostfuncs = [p for p in postfuncs if "buildhistory" not in p] + ["sstate_task_postfunc"] + [p for p in postfuncs if "buildhistory" in p]
+ d.setVarFlag(task, 'postfuncs', " ".join(newpostfuncs))
d.setVarFlag(task, 'network', '1')
d.setVarFlag(task + "_setscene", 'network', '1')
}
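Review bot: The reordering in the `for task in unique_tasks` loop selects functions with `"buildhistory" in p`, a substring match on the function name, so any postfunc from any layer whose name contains "buildhistory" is moved after sstate_task_postfunc, not only the three added in buildhistory.bbclass. Matching on a `buildhistory_` prefix or an explicit list would be tighter. The list is also computed once when this anonymous function runs, so a postfunc appended to the flag afterwards lands after the buildhistory ones. Typo in the comment: "execpt" should be "except".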
--
2.34.1
* [OE-core][kirkstone 12/15] runqemu: keep generating tap devices
2024-09-23 13:13 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (10 preceding siblings ...)
2024-09-23 13:13 ` [OE-core][kirkstone 11/15] buildhistory: Simplify intercept call sites and drop SSTATEPOSTINSTFUNC usage Steve Sakoman
@ 2024-09-23 13:13 ` Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 13/15] testimage: fallback for empty IMAGE_LINK_NAME Steve Sakoman
` (2 subsequent siblings)
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Konrad Weihmann <kweihmann@outlook.com>
in case there is no tap device the script tries to
generate a new one.
The new device is then unguarded for a moment, so
the newly generated device could be acquired
by a different instance or user, before it is locked to
the instance with acquire_taplock.
To fix that keep generating new tap devices in case
the lock can't be acquired up to 5 times.
If no tap device can be locked it fails in the existing
error handling
(From OE-Core rev: 23876576d054ebbab9b02c0012782aa56feda123)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
scripts/runqemu | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/scripts/runqemu b/scripts/runqemu
index ba7c1b2461..8a417a7c24 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -1150,16 +1150,20 @@ to your build configuration.
uid = os.getuid()
logger.info("Setting up tap interface under sudo")
cmd = ('sudo', self.qemuifup, str(uid), str(gid), self.bindir_native)
- try:
- tap = subprocess.check_output(cmd).decode('utf-8').strip()
- except subprocess.CalledProcessError as e:
- logger.error('Setting up tap device failed:\n%s\nRun runqemu-gen-tapdevs to manually create one.' % str(e))
- sys.exit(1)
- lockfile = os.path.join(lockdir, tap)
- self.taplock = lockfile + '.lock'
- self.acquire_taplock()
- self.cleantap = True
- logger.debug('Created tap: %s' % tap)
+ for _ in range(5):
+ try:
+ tap = subprocess.check_output(cmd).decode('utf-8').strip()
+ except subprocess.CalledProcessError as e:
+ logger.error('Setting up tap device failed:\n%s\nRun runqemu-gen-tapdevs to manually create one.' % str(e))
+ sys.exit(1)
+ lockfile = os.path.join(lockdir, tap)
+ self.taplock = lockfile + '.lock'
+ if self.acquire_taplock():
+ self.cleantap = True
+ logger.debug('Created tap: %s' % tap)
+ break
+ else:
+ tap = None
if not tap:
logger.error("Failed to setup tap device. Run runqemu-gen-tapdevs to manually create.")
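Review bot: In the new `for _ in range(5)` loop, a tap device whose lock cannot be taken is simply dropped: self.cleantap is set only on success and nothing releases the device the sudo helper just created, so each lost race leaves one more tap interface behind and a fully failed run can leave five. Releasing the device before the next attempt would avoid that. The loop also depends on acquire_taplock() returning a true value on success, where the old code ignored its result, and self.taplock stays pointed at the last failed lock file when every attempt fails; resetting it alongside `tap = None` keeps later cleanup from acting on a lock this instance never held. The retry narrows the window between creation and locking that the commit message describes but does not close it.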
--
2.34.1
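The create-then-lock retry that the commit message above describes, as an added example that is not part of the patch or of runqemu: it assumes flock-style lock files, and `try_lock`, `claim_device`, `simulate` and the two callbacks are hypothetical names. It also releases a device whose lock was lost, so failed attempts do not accumulate.

```python
import fcntl
import itertools
import os
import tempfile

MAX_ATTEMPTS = 5  # same bound as the range(5) in the patch


def try_lock(path):
    """Take a non-blocking exclusive flock on path.

    Returns the open file descriptor that holds the lock, or None when
    another open file description already holds it.
    """
    fd = os.open(path, os.O_CREAT | os.O_RDWR, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        os.close(fd)
        return None
    return fd


def claim_device(create_device, release_device, lockdir, attempts=MAX_ATTEMPTS):
    """Create devices until one can be locked, releasing the ones that were lost.

    create_device() returns a new device name; release_device(name) undoes it.
    Both are hypothetical callbacks standing in for the privileged helper.
    Returns (name, lock_fd) on success and (None, None) when every attempt lost.
    """
    for _ in range(attempts):
        name = create_device()
        fd = try_lock(os.path.join(lockdir, name + ".lock"))
        if fd is not None:
            return name, fd
        # Lost the race for this device: give it back instead of leaking it.
        release_device(name)
    return None, None


def simulate(rival_count):
    """Constructed scenario: a rival already holds the first rival_count locks."""
    with tempfile.TemporaryDirectory() as lockdir:
        rivals = [try_lock(os.path.join(lockdir, "tap%d.lock" % i))
                  for i in range(rival_count)]
        numbers = itertools.count()
        created, released = [], []

        def create_device():
            name = "tap%d" % next(numbers)
            created.append(name)
            return name

        name, fd = claim_device(create_device, released.append, lockdir)
        for held in rivals + [fd]:
            if held is not None:
                os.close(held)
        return name, created, released


if __name__ == "__main__":
    print(simulate(2))  # two devices lost to the rival, third one claimed
    print(simulate(5))  # every attempt lost, nothing left behind
```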
* [OE-core][kirkstone 13/15] testimage: fallback for empty IMAGE_LINK_NAME
2024-09-23 13:13 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (11 preceding siblings ...)
2024-09-23 13:13 ` [OE-core][kirkstone 12/15] runqemu: keep generating tap devices Steve Sakoman
@ 2024-09-23 13:13 ` Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 14/15] testexport: " Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 15/15] lib/oeqa: rename assertRaisesRegexp to assertRaisesRegex Steve Sakoman
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Konrad Weihmann <kweihmann@outlook.com>
if IMAGE_LINK_NAME is set empty to disable the symlinking
for image artifacts in deploy, testimage fails, as the path assembly
is incorrect.
In that case fall back to IMAGE_NAME
(From OE-Core rev: c7a4e7e294992acc589c62adcaf6cd32659f2f9b)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/testimage.bbclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes/testimage.bbclass b/meta/classes/testimage.bbclass
index 0241f29dfb..a91cdb9a1f 100644
--- a/meta/classes/testimage.bbclass
+++ b/meta/classes/testimage.bbclass
@@ -98,7 +98,7 @@ TESTIMAGELOCK:qemuall = ""
TESTIMAGE_DUMP_DIR ?= "${LOG_DIR}/runtime-hostdump/"
-TESTIMAGE_UPDATE_VARS ?= "DL_DIR WORKDIR DEPLOY_DIR"
+TESTIMAGE_UPDATE_VARS ?= "DL_DIR WORKDIR DEPLOY_DIR IMAGE_LINK_NAME"
testimage_dump_target () {
}
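Review bot: Adding IMAGE_LINK_NAME to TESTIMAGE_UPDATE_VARS is not mentioned in the commit message, which only describes the IMAGE_NAME fallback. Please say why the variable has to be in this list, since the default is assigned with `?=` and anyone who already overrides TESTIMAGE_UPDATE_VARS will not pick up the new entry.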
@@ -209,7 +209,7 @@ def testimage_main(d):
bb.utils.mkdirhier(d.getVar("TEST_LOG_DIR"))
image_name = ("%s/%s" % (d.getVar('DEPLOY_DIR_IMAGE'),
- d.getVar('IMAGE_LINK_NAME')))
+ d.getVar('IMAGE_LINK_NAME') or d.getVar('IMAGE_NAME')))
tdname = "%s.testdata.json" % image_name
try:
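Review bot: In the image_name assembly, `d.getVar('IMAGE_LINK_NAME') or d.getVar('IMAGE_NAME')` still yields None when both are unset, and the "%s/%s" format then produces a path ending in "/None", so the failure surfaces later as a missing testdata.json. An explicit bb.fatal when neither variable has a value would point at the real cause.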
--
2.34.1
* [OE-core][kirkstone 14/15] testexport: fallback for empty IMAGE_LINK_NAME
2024-09-23 13:13 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (12 preceding siblings ...)
2024-09-23 13:13 ` [OE-core][kirkstone 13/15] testimage: fallback for empty IMAGE_LINK_NAME Steve Sakoman
@ 2024-09-23 13:13 ` Steve Sakoman
2024-09-23 13:13 ` [OE-core][kirkstone 15/15] lib/oeqa: rename assertRaisesRegexp to assertRaisesRegex Steve Sakoman
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Konrad Weihmann <kweihmann@outlook.com>
if IMAGE_LINK_NAME is set empty to disable the symlinking
for image artifacts in deploy, testexport fails, as the path assembly
is incorrect.
In that case fall back to IMAGE_NAME
(From OE-Core rev: 0c1d098e6dd08fa3a5aafca656457ac6badcef89)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/testexport.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/testexport.bbclass b/meta/classes/testexport.bbclass
index 1b0fb44a4a..deb68ec6ce 100644
--- a/meta/classes/testexport.bbclass
+++ b/meta/classes/testexport.bbclass
@@ -50,7 +50,7 @@ def testexport_main(d):
from oeqa.runtime.context import OERuntimeTestContextExecutor
image_name = ("%s/%s" % (d.getVar('DEPLOY_DIR_IMAGE'),
- d.getVar('IMAGE_LINK_NAME')))
+ d.getVar('IMAGE_LINK_NAME') or d.getVar('IMAGE_NAME')))
tdname = "%s.testdata.json" % image_name
td = json.load(open(tdname, "r"))
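Review bot: This is the same `IMAGE_LINK_NAME or IMAGE_NAME` expression as in testimage.bbclass, now duplicated in two classes; a shared helper would keep the fallback consistent. The result feeds straight into the context line `td = json.load(open(tdname, "r"))`, which has no error handling and leaves the file open, so a wrong fallback here shows up as a bare exception; a `with open(...)` block and a clear message on failure would be a cheap addition while this code is being touched.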
--
2.34.1
* [OE-core][kirkstone 15/15] lib/oeqa: rename assertRaisesRegexp to assertRaisesRegex
2024-09-23 13:13 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (13 preceding siblings ...)
2024-09-23 13:13 ` [OE-core][kirkstone 14/15] testexport: " Steve Sakoman
@ 2024-09-23 13:13 ` Steve Sakoman
14 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2024-09-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@arm.com>
TestCase.assertRaisesRegexp was renamed to assertRaisesRegex in Python
3.2, so rename to fix a warning during test execution.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6df44a4b29487bf8ef51bb5ba6467a4056b749cc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/selftest/cases/runcmd.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/lib/oeqa/selftest/cases/runcmd.py b/meta/lib/oeqa/selftest/cases/runcmd.py
index e9612389fe..e423fe3d3e 100644
--- a/meta/lib/oeqa/selftest/cases/runcmd.py
+++ b/meta/lib/oeqa/selftest/cases/runcmd.py
@@ -56,11 +56,11 @@ class RunCmdTests(OESelftestTestCase):
self.assertEqual(result.status, 0)
def test_result_assertion(self):
- self.assertRaisesRegexp(AssertionError, "Command 'echo .* false' returned non-zero exit status 1:\nfoobar",
+ self.assertRaisesRegex(AssertionError, "Command 'echo .* false' returned non-zero exit status 1:\nfoobar",
runCmd, "echo foobar >&2; false", shell=True)
def test_result_exception(self):
- self.assertRaisesRegexp(CommandError, "Command 'echo .* false' returned non-zero exit status 1 with output: foobar",
+ self.assertRaisesRegex(CommandError, "Command 'echo .* false' returned non-zero exit status 1 with output: foobar",
runCmd, "echo foobar >&2; false", shell=True, assert_error=False)
def test_output(self):
--
2.34.1
* Re: [kirkstone 09/15] buildhistory: Fix intermittent package file list creation
2024-09-23 13:13 ` [OE-core][kirkstone 09/15] buildhistory: Fix intermittent package file list creation Steve Sakoman
@ 2024-09-27 23:03 ` atharvanandanwar
0 siblings, 0 replies; 26+ messages in thread
From: atharvanandanwar @ 2024-09-27 23:03 UTC (permalink / raw)
To: openembedded-core
Hello,
This patch has introduced an issue while building recipes without any files installed or packaged. A prime example of this is meta-toolchain [1]. As the error was previously hidden in the for loop, an explicit failure is causing an issue while building meta-toolchain et al. I believe the fix is either to `inherit nopackages` for meta-toolchain-like recipes or to modify the previously submitted patch to not hard-fail.
1: https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/meta/meta-toolchain.bb
Thanks,
--Atharva
* [OE-core][kirkstone 00/15] Patch review
@ 2025-02-27 17:39 Steve Sakoman
0 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2025-02-27 17:39 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Monday, March 3
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1094
The following changes since commit 73b5570a16708d1e749b1ec525299d10557cbf56:
vim: Upgrade 9.1.0764 -> 9.1.1043 (2025-02-24 06:54:05 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Guocai He (2):
tzcode: Update SRC_URI
xz: Update SRC_URI
Jiaying Song (1):
boost: fix do_fetch error
Libo Chen (1):
virglrenderer: fix do_fetch error
Moritz Haase (1):
meta: Enable '-o pipefail' for the SDK installer
Narpat Mali (1):
systemd: upgrade 250.5 -> 250.14
Vijay Anusuri (9):
xserver-xorg: Fix for CVE-2025-26594
xserver-xorg: Fix for CVE-2025-26595
xserver-xorg: Fix for CVE-2025-26596
xserver-xorg: Fix for CVE-2025-26597
xserver-xorg: Fix for CVE-2025-26598
xserver-xorg: Fix for CVE-2025-26599
xserver-xorg: Fix for CVE-2025-26600
xserver-xorg: Fix for CVE-2025-26601
bind: Upgrade 9.18.28 -> 9.18.33
meta/files/toolchain-shar-extract.sh | 5 +
.../bind/{bind_9.18.28.bb => bind_9.18.33.bb} | 2 +-
...d-boot_250.5.bb => systemd-boot_250.14.bb} | 0
meta/recipes-core/systemd/systemd.inc | 2 +-
.../0001-Adjust-for-musl-headers.patch | 20 +-
...sysctl.d-binfmt.d-modules-load.d-to-.patch | 18 +-
...1-core-fix-build-when-seccomp-is-off.patch | 41 ++
...ass-correct-parameters-to-getdents64.patch | 49 ++-
...w-json_variant_dump-to-return-an-err.patch | 60 ---
.../0002-Add-sys-stat.h-for-S_IFDIR.patch | 6 +-
...3-missing_type.h-add-comparison_fn_t.patch | 6 +-
...k-parse_printf_format-implementation.patch | 6 +-
...missing.h-check-for-missing-strndupa.patch | 62 ++-
...OB_BRACE-and-GLOB_ALTDIRFUNC-is-not-.patch | 8 +-
...008-add-missing-FTW_-macros-for-musl.patch | 4 +-
..._register_atfork-for-non-glibc-build.patch | 6 +-
...10-Use-uintmax_t-for-handling-rlim_t.patch | 6 +-
...sable-tests-for-missing-typedefs-in-.patch | 2 +-
...T_SYMLINK_NOFOLLOW-flag-to-faccessat.patch | 4 +-
...patible-basename-for-non-glibc-syste.patch | 2 +-
...uffering-when-writing-to-oom_score_a.patch | 6 +-
...compliant-strerror_r-from-GNU-specif.patch | 2 +-
...definition-of-prctl_mm_map-structure.patch | 2 +-
.../0021-test-json.c-define-M_PIl.patch | 4 +-
...-not-disable-buffer-in-writing-files.patch | 38 +-
.../0025-Handle-__cpu_mask-usage.patch | 2 +-
.../systemd/0026-Handle-missing-gshadow.patch | 4 +-
...l.h-Define-MIPS-ABI-defines-for-musl.patch | 4 +-
.../systemd/systemd/CVE-2022-3821.patch | 45 --
.../systemd/systemd/CVE-2022-4415-1.patch | 109 -----
.../systemd/systemd/CVE-2022-4415-2.patch | 391 ------------------
.../systemd/systemd/CVE-2022-45873.patch | 124 ------
.../systemd/systemd/CVE-2023-7008.patch | 40 --
.../{systemd_250.5.bb => systemd_250.14.bb} | 7 +-
meta/recipes-extended/timezone/timezone.inc | 8 +-
meta/recipes-extended/xz/xz_5.2.6.bb | 2 +-
.../virglrenderer/virglrenderer_0.9.1.bb | 2 +-
.../xserver-xorg/CVE-2025-26594-1.patch | 54 +++
.../xserver-xorg/CVE-2025-26594-2.patch | 51 +++
.../xserver-xorg/CVE-2025-26595.patch | 65 +++
.../xserver-xorg/CVE-2025-26596.patch | 49 +++
.../xserver-xorg/CVE-2025-26597.patch | 46 +++
.../xserver-xorg/CVE-2025-26598.patch | 120 ++++++
.../xserver-xorg/CVE-2025-26599-1.patch | 66 +++
.../xserver-xorg/CVE-2025-26599-2.patch | 129 ++++++
.../xserver-xorg/CVE-2025-26600.patch | 68 +++
.../xserver-xorg/CVE-2025-26601-1.patch | 71 ++++
.../xserver-xorg/CVE-2025-26601-2.patch | 85 ++++
.../xserver-xorg/CVE-2025-26601-3.patch | 52 +++
.../xserver-xorg/CVE-2025-26601-4.patch | 132 ++++++
.../xorg-xserver/xserver-xorg_21.1.8.bb | 13 +
meta/recipes-support/boost/boost-1.78.0.inc | 2 +-
52 files changed, 1201 insertions(+), 901 deletions(-)
rename meta/recipes-connectivity/bind/{bind_9.18.28.bb => bind_9.18.33.bb} (97%)
rename meta/recipes-core/systemd/{systemd-boot_250.5.bb => systemd-boot_250.14.bb} (100%)
create mode 100644 meta/recipes-core/systemd/systemd/0001-core-fix-build-when-seccomp-is-off.patch
delete mode 100644 meta/recipes-core/systemd/systemd/0001-shared-json-allow-json_variant_dump-to-return-an-err.patch
delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-3821.patch
delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-4415-1.patch
delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-4415-2.patch
delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-45873.patch
delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
rename meta/recipes-core/systemd/{systemd_250.5.bb => systemd_250.14.bb} (99%)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-1.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26594-2.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26595.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26596.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26597.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26598.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26599-1.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26599-2.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26600.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-1.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-2.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-3.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26601-4.patch
--
2.43.0
* [OE-core][kirkstone 00/15] Patch review
@ 2025-05-13 19:07 Steve Sakoman
0 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:07 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, May 15
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1582
The following changes since commit 00f7a2f60dd6de95a1a47fa642978613ce76dc56:
glibc: Add single-threaded fast path to rand() (2025-05-09 09:01:16 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Aleksandar Nikolic (1):
scripts/install-buildtools: Update to 4.0.26
Alexander Kanavin (1):
perl: enable _GNU_SOURCE define via d_gnulibc
Alon Bar-Lev (1):
module.bbclass: add KBUILD_EXTRA_SYMBOLS to install
Deepesh Varatharajan (1):
glibc: stable 2.35 branch updates
Peter Marko (1):
perl: patch CVE-2024-56406
Vijay Anusuri (10):
libsoup-2.4: Update fix CVE-2024-52532
libsoup-2.4: Fix CVE-2025-32906
libsoup-2.4: Fix CVE-2025-32909
libsoup: update fix CVE-2024-52532
libsoup: Fix CVE-2025-32906
libsoup: Fix CVE-2025-32909
libsoup: Fix CVE-2025-32910
libsoup: Fix CVE-2025-32911 & CVE-2025-32913
libsoup: Fix CVE-2025-32912
libsoup: Fix CVE-2025-32914
meta/classes/module.bbclass | 1 +
meta/recipes-core/glibc/glibc-version.inc | 2 +-
...4-56406-Heap-buffer-overflow-with-tr.patch | 30 ++++
meta/recipes-devtools/perl/perl_5.34.3.bb | 2 +
.../libsoup-2.4/CVE-2024-52532-3.patch | 46 ++++++
.../libsoup-2.4/CVE-2025-32906-1.patch | 61 +++++++
.../libsoup-2.4/CVE-2025-32906-2.patch | 83 ++++++++++
.../libsoup/libsoup-2.4/CVE-2025-32909.patch | 36 +++++
.../libsoup/libsoup-2.4_2.74.2.bb | 4 +
.../libsoup/libsoup/CVE-2024-52532-3.patch | 46 ++++++
.../libsoup/libsoup/CVE-2025-32906-1.patch | 61 +++++++
.../libsoup/libsoup/CVE-2025-32906-2.patch | 83 ++++++++++
.../libsoup/libsoup/CVE-2025-32909.patch | 36 +++++
.../libsoup/libsoup/CVE-2025-32910-1.patch | 98 ++++++++++++
.../libsoup/libsoup/CVE-2025-32910-2.patch | 149 ++++++++++++++++++
.../libsoup/libsoup/CVE-2025-32910-3.patch | 27 ++++
.../CVE-2025-32911_CVE-2025-32913-1.patch | 72 +++++++++
.../CVE-2025-32911_CVE-2025-32913-2.patch | 44 ++++++
.../libsoup/libsoup/CVE-2025-32912-1.patch | 41 +++++
.../libsoup/libsoup/CVE-2025-32912-2.patch | 30 ++++
.../libsoup/libsoup/CVE-2025-32914.patch | 111 +++++++++++++
meta/recipes-support/libsoup/libsoup_3.0.7.bb | 12 ++
scripts/install-buildtools | 4 +-
23 files changed, 1076 insertions(+), 3 deletions(-)
create mode 100644 meta/recipes-devtools/perl/files/0001-CVE-2024-56406-Heap-buffer-overflow-with-tr.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2024-52532-3.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32906-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32906-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32909.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32910-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32910-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32910-3.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32911_CVE-2025-32913-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32911_CVE-2025-32913-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32912-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32912-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32914.patch
--
2.43.0
* [OE-core][kirkstone 00/15] Patch review
@ 2025-06-10 19:38 Steve Sakoman
0 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2025-06-10 19:38 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, June 12
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1770
The following changes since commit 415e73d53e5342f3f6ff6acd521ded2df3fbca1f:
nfs-utils: don't use signals to shut down nfs server. (2025-05-29 08:22:59 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (4):
ghostscript: fix CVE-2025-48708
ffmpeg: upgrade 5.0.1 -> 5.0.3
ffmpeg: fix CVE-2025-22919
ffmpeg: fix CVE-2025-22921
Deepesh Varatharajan (1):
binutils: Fix CVE-2025-5244 & CVE-2025-5245
Divya Chellam (2):
screen: fix CVE-2025-46802
screen: fix CVE-2025-46804
Harish Sadineni (1):
binutils: add CVE-2025-1182 patch file to SRC_URI
Hitendra Prajapati (1):
icu: fix CVE-2025-5222
Jiaying Song (1):
taglib: fix CVE-2023-47466
Martin Jansa (1):
kernel.bbclass: add original package name to RPROVIDES for -image and
-base
Peter Marko (1):
python3: upgrade 3.10.16 -> 3.10.18
Vijay Anusuri (3):
libsoup-2.4: Backport auth tests for CVE-2025-32910
python3-setuptools: Fix CVE-2025-47273
git: Fix CVE-2024-50349 and CVE-2024-52006
meta/classes/kernel.bbclass | 3 +-
.../binutils/binutils-2.38.inc | 3 +
.../binutils/0040-CVE-2025-1182.patch | 18 +-
.../binutils/0041-CVE-2025-5244.patch | 25 ++
.../binutils/0042-CVE-2025-5245.patch | 38 +++
.../git/git/CVE-2024-50349-0001.patch | 100 ++++++
.../git/git/CVE-2024-50349-0002.patch | 321 ++++++++++++++++++
.../git/git/CVE-2024-52006.patch | 165 +++++++++
meta/recipes-devtools/git/git_2.35.7.bb | 3 +
.../CVE-2025-47273-pre1.patch | 54 +++
.../python3-setuptools/CVE-2025-47273.patch | 59 ++++
.../python/python3-setuptools_59.5.0.bb | 2 +
...ib-termcap-to-linker-flags-to-avoid-.patch | 2 +-
...hell-version-of-python-config-that-w.patch | 2 +-
...file-do-not-compile-.pyc-in-parallel.patch | 2 +-
...sts-due-to-load-variability-on-YP-AB.patch | 6 +-
...e-treat-overflow-in-UID-GID-as-failu.patch | 2 +-
...asename-to-replace-CC-for-checking-c.patch | 16 +-
...detect-multiarch-paths-when-cross-co.patch | 2 +-
...orlines-skip-due-to-load-variability.patch | 2 +-
...report-missing-dependencies-for-disa.patch | 2 +-
...up.py-do-not-add-a-curses-include-pa.patch | 4 +-
.../python/python3/CVE-2025-0938.patch | 131 -------
.../python3/avoid_warning_about_tkinter.patch | 2 +-
.../python/python3/makerace.patch | 2 +-
...{python3_3.10.16.bb => python3_3.10.18.bb} | 3 +-
.../ghostscript/CVE-2025-48708.patch | 46 +++
.../ghostscript/ghostscript_9.55.0.bb | 1 +
.../screen/screen/CVE-2025-46802.patch | 146 ++++++++
.../screen/screen/CVE-2025-46804.patch | 131 +++++++
meta/recipes-extended/screen/screen_4.9.0.bb | 2 +
.../ffmpeg/ffmpeg/CVE-2024-36613.patch | 18 +-
.../ffmpeg/ffmpeg/CVE-2025-22919.patch | 41 +++
.../ffmpeg/ffmpeg/CVE-2025-22921.patch | 34 ++
.../{ffmpeg_5.0.1.bb => ffmpeg_5.0.3.bb} | 9 +-
.../icu/icu/CVE-2025-5222.patch | 164 +++++++++
meta/recipes-support/icu/icu_70.1.bb | 1 +
...ckport-auth-tests-for-CVE-2025-32910.patch | 76 +++++
.../libsoup/libsoup-2.4_2.74.2.bb | 1 +
.../taglib/files/CVE-2023-47466.patch | 38 +++
meta/recipes-support/taglib/taglib_1.12.bb | 4 +-
41 files changed, 1500 insertions(+), 181 deletions(-)
create mode 100644 meta/recipes-devtools/binutils/binutils/0041-CVE-2025-5244.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0042-CVE-2025-5245.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2024-50349-0001.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2024-50349-0002.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2024-52006.patch
create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch
create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-0938.patch
rename meta/recipes-devtools/python/{python3_3.10.16.bb => python3_3.10.18.bb} (99%)
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-48708.patch
create mode 100644 meta/recipes-extended/screen/screen/CVE-2025-46802.patch
create mode 100644 meta/recipes-extended/screen/screen/CVE-2025-46804.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22919.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch
rename meta/recipes-multimedia/ffmpeg/{ffmpeg_5.0.1.bb => ffmpeg_5.0.3.bb} (96%)
create mode 100644 meta/recipes-support/icu/icu/CVE-2025-5222.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch
create mode 100644 meta/recipes-support/taglib/files/CVE-2023-47466.patch
--
2.43.0