* [OE-core][kirkstone 01/14] sqlite3: patch CVE-2025-29088
2025-04-30 2:53 [OE-core][kirkstone 00/14] Patch review Steve Sakoman
@ 2025-04-30 2:53 ` Steve Sakoman
2025-04-30 2:53 ` [OE-core][kirkstone 02/14] libpam: Update fix for CVE-2024-10041 Steve Sakoman
` (12 subsequent siblings)
13 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-04-30 2:53 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit [1] mentioned in [2].
[1] https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-29088
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../sqlite/files/CVE-2025-29088.patch | 179 ++++++++++++++++++
meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 1 +
2 files changed, 180 insertions(+)
create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-29088.patch
diff --git a/meta/recipes-support/sqlite/files/CVE-2025-29088.patch b/meta/recipes-support/sqlite/files/CVE-2025-29088.patch
new file mode 100644
index 0000000000..470ee9564c
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2025-29088.patch
@@ -0,0 +1,179 @@
+From 40f668e88d70d47b17652ca629d5f36fafaae0e8 Mon Sep 17 00:00:00 2001
+From: drh <>
+Date: Mon, 17 Feb 2025 14:16:49 +0000
+Subject: [PATCH] Harden the SQLITE_DBCONFIG_LOOKASIDE interface against
+ misuse, such as described in [forum:/forumpost/48f365daec|forum post
+ 48f365daec]. Enhancements to the SQLITE_DBCONFIG_LOOKASIDE documentation.
+ Test cases in TH3.
+
+FossilOrigin-Name: 1ec4c308c76c69fba031184254fc3340f07607cfbf8342b13713ab445563d377
+
+CVE: CVE-2025-29088
+Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ sqlite3.c | 42 +++++++++++++++++++++++---------------
+ sqlite3.h | 60 +++++++++++++++++++++++++++++++++++++------------------
+ 2 files changed, 67 insertions(+), 35 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 0b979f7a7d..27bea6f2e0 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -169267,17 +169267,22 @@ SQLITE_API int sqlite3_config(int op, ...){
+ ** If lookaside is already active, return SQLITE_BUSY.
+ **
+ ** The sz parameter is the number of bytes in each lookaside slot.
+-** The cnt parameter is the number of slots. If pStart is NULL the
+-** space for the lookaside memory is obtained from sqlite3_malloc().
+-** If pStart is not NULL then it is sz*cnt bytes of memory to use for
+-** the lookaside memory.
++** The cnt parameter is the number of slots. If pBuf is NULL the
++** space for the lookaside memory is obtained from sqlite3_malloc()
++** or similar. If pBuf is not NULL then it is sz*cnt bytes of memory
++** to use for the lookaside memory.
+ */
+-static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){
++static int setupLookaside(
++ sqlite3 *db, /* Database connection being configured */
++ void *pBuf, /* Memory to use for lookaside. May be NULL */
++ int sz, /* Desired size of each lookaside memory slot */
++ int cnt /* Number of slots to allocate */
++){
+ #ifndef SQLITE_OMIT_LOOKASIDE
+- void *pStart;
+- sqlite3_int64 szAlloc = sz*(sqlite3_int64)cnt;
+- int nBig; /* Number of full-size slots */
+- int nSm; /* Number smaller LOOKASIDE_SMALL-byte slots */
++ void *pStart; /* Start of the lookaside buffer */
++ sqlite3_int64 szAlloc; /* Total space set aside for lookaside memory */
++ int nBig; /* Number of full-size slots */
++ int nSm; /* Number smaller LOOKASIDE_SMALL-byte slots */
+
+ if( sqlite3LookasideUsed(db,0)>0 ){
+ return SQLITE_BUSY;
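Review bot: `szAlloc` is now declared without an initializer here and is assigned only after `sz` and `cnt` have been clamped in the next hunk; the early `return SQLITE_BUSY` path never reads it, so that is safe, but the new parameter comment on `pBuf` ("Memory to use for lookaside. May be NULL") could also state the 8-byte alignment and `sz*cnt` size requirement that the sqlite3.h hunk of this same patch documents for the "buf" argument.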
+@@ -169290,17 +169295,22 @@ static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){
+ sqlite3_free(db->lookaside.pStart);
+ }
+ /* The size of a lookaside slot after ROUNDDOWN8 needs to be larger
+- ** than a pointer to be useful.
++ ** than a pointer and small enough to fit in a u16.
+ */
+- sz = ROUNDDOWN8(sz); /* IMP: R-33038-09382 */
++ sz = ROUNDDOWN8(sz);
+ if( sz<=(int)sizeof(LookasideSlot*) ) sz = 0;
+- if( cnt<0 ) cnt = 0;
+- if( sz==0 || cnt==0 ){
++ if( sz>65528 ) sz = 65528;
++ /* Count must be at least 1 to be useful, but not so large as to use
++ ** more than 0x7fff0000 total bytes for lookaside. */
++ if( cnt<1 ) cnt = 0;
++ if( sz>0 && cnt>(0x7fff0000/sz) ) cnt = 0x7fff0000/sz;
++ szAlloc = (i64)sz*(i64)cnt;
++ if( szAlloc==0 ){
+ sz = 0;
+ pStart = 0;
+ }else if( pBuf==0 ){
+ sqlite3BeginBenignMalloc();
+- pStart = sqlite3Malloc( szAlloc ); /* IMP: R-61949-35727 */
++ pStart = sqlite3Malloc( szAlloc );
+ sqlite3EndBenignMalloc();
+ if( pStart ) szAlloc = sqlite3MallocSize(pStart);
+ }else{
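Review bot: the clamp `if( sz>65528 ) sz = 65528;` is only correct because `sz = ROUNDDOWN8(sz);` runs just before it (65528 is the largest multiple of 8 that fits in a u16); the comment above says "small enough to fit in a u16" but not why the bound is 65528 rather than 65535, so spell that out. Also, the `/* IMP: R-33038-09382 */` and `/* IMP: R-61949-35727 */` requirement tags are dropped from the `ROUNDDOWN8` and `sqlite3Malloc( szAlloc )` lines; confirm that the corresponding requirement sentences were reworded in the sqlite3.h hunks below so the old identifiers are genuinely obsolete.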
+@@ -169309,10 +169319,10 @@ static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){
+ #ifndef SQLITE_OMIT_TWOSIZE_LOOKASIDE
+ if( sz>=LOOKASIDE_SMALL*3 ){
+ nBig = szAlloc/(3*LOOKASIDE_SMALL+sz);
+- nSm = (szAlloc - sz*nBig)/LOOKASIDE_SMALL;
++ nSm = (szAlloc - (i64)sz*(i64)nBig)/LOOKASIDE_SMALL;
+ }else if( sz>=LOOKASIDE_SMALL*2 ){
+ nBig = szAlloc/(LOOKASIDE_SMALL+sz);
+- nSm = (szAlloc - sz*nBig)/LOOKASIDE_SMALL;
++ nSm = (szAlloc - (i64)sz*(i64)nBig)/LOOKASIDE_SMALL;
+ }else
+ #endif /* SQLITE_OMIT_TWOSIZE_LOOKASIDE */
+ if( sz>0 ){
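Review bot: widening the product to `(i64)sz*(i64)nBig` removes the int overflow in the `nSm` computation, but `nBig = szAlloc/(3*LOOKASIDE_SMALL+sz)` still narrows an i64 quotient into `int nBig`; that only fits because the previous hunk caps `szAlloc` at 0x7fff0000, so a one-line comment tying the cap to this narrowing would make the invariant explicit for the next reader.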
+diff --git a/sqlite3.h b/sqlite3.h
+index de393da9dc..04e6b616d5 100644
+--- a/sqlite3.h
++++ b/sqlite3.h
+@@ -1914,13 +1914,16 @@ struct sqlite3_mem_methods {
+ **
+ ** [[SQLITE_CONFIG_LOOKASIDE]] <dt>SQLITE_CONFIG_LOOKASIDE</dt>
+ ** <dd> ^(The SQLITE_CONFIG_LOOKASIDE option takes two arguments that determine
+-** the default size of lookaside memory on each [database connection].
++** the default size of [lookaside memory] on each [database connection].
+ ** The first argument is the
+-** size of each lookaside buffer slot and the second is the number of
+-** slots allocated to each database connection.)^ ^(SQLITE_CONFIG_LOOKASIDE
+-** sets the <i>default</i> lookaside size. The [SQLITE_DBCONFIG_LOOKASIDE]
+-** option to [sqlite3_db_config()] can be used to change the lookaside
+-** configuration on individual connections.)^ </dd>
++** size of each lookaside buffer slot ("sz") and the second is the number of
++** slots allocated to each database connection ("cnt").)^
++** ^(SQLITE_CONFIG_LOOKASIDE sets the <i>default</i> lookaside size.
++** The [SQLITE_DBCONFIG_LOOKASIDE] option to [sqlite3_db_config()] can
++** be used to change the lookaside configuration on individual connections.)^
++** The [-DSQLITE_DEFAULT_LOOKASIDE] option can be used to change the
++** default lookaside configuration at compile-time.
++** </dd>
+ **
+ ** [[SQLITE_CONFIG_PCACHE2]] <dt>SQLITE_CONFIG_PCACHE2</dt>
+ ** <dd> ^(The SQLITE_CONFIG_PCACHE2 option takes a single argument which is
+@@ -2133,24 +2136,43 @@ struct sqlite3_mem_methods {
+ ** <dt>SQLITE_DBCONFIG_LOOKASIDE</dt>
+ ** <dd> ^This option takes three additional arguments that determine the
+ ** [lookaside memory allocator] configuration for the [database connection].
+-** ^The first argument (the third parameter to [sqlite3_db_config()] is a
++** <ol>
++** <li><p>The first argument ("buf") is a
+ ** pointer to a memory buffer to use for lookaside memory.
+-** ^The first argument after the SQLITE_DBCONFIG_LOOKASIDE verb
+-** may be NULL in which case SQLite will allocate the
+-** lookaside buffer itself using [sqlite3_malloc()]. ^The second argument is the
+-** size of each lookaside buffer slot. ^The third argument is the number of
+-** slots. The size of the buffer in the first argument must be greater than
+-** or equal to the product of the second and third arguments. The buffer
+-** must be aligned to an 8-byte boundary. ^If the second argument to
+-** SQLITE_DBCONFIG_LOOKASIDE is not a multiple of 8, it is internally
+-** rounded down to the next smaller multiple of 8. ^(The lookaside memory
++** The first argument may be NULL in which case SQLite will allocate the
++** lookaside buffer itself using [sqlite3_malloc()].
++** <li><P>The second argument ("sz") is the
++** size of each lookaside buffer slot. Lookaside is disabled if "sz"
++** is less than 8. The "sz" argument should be a multiple of 8 less than
++** 65536. If "sz" does not meet this constraint, it is reduced in size until
++** it does.
++** <li><p>The third argument ("cnt") is the number of slots. Lookaside is disabled
++** if "cnt"is less than 1. The "cnt" value will be reduced, if necessary, so
++** that the product of "sz" and "cnt" does not exceed 2,147,418,112. The "cnt"
++** parameter is usually chosen so that the product of "sz" and "cnt" is less
++** than 1,000,000.
++** </ol>
++** <p>If the "buf" argument is not NULL, then it must
++** point to a memory buffer with a size that is greater than
++** or equal to the product of "sz" and "cnt".
++** The buffer must be aligned to an 8-byte boundary.
++** The lookaside memory
+ ** configuration for a database connection can only be changed when that
+ ** connection is not currently using lookaside memory, or in other words
+-** when the "current value" returned by
+-** [sqlite3_db_status](D,[SQLITE_CONFIG_LOOKASIDE],...) is zero.
++** when the value returned by [SQLITE_DBSTATUS_LOOKASIDE_USED] is zero.
+ ** Any attempt to change the lookaside memory configuration when lookaside
+ ** memory is in use leaves the configuration unchanged and returns
+-** [SQLITE_BUSY].)^</dd>
++** [SQLITE_BUSY].
++** If the "buf" argument is NULL and an attempt
++** to allocate memory based on "sz" and "cnt" fails, then
++** lookaside is silently disabled.
++** <p>
++** The [SQLITE_CONFIG_LOOKASIDE] configuration option can be used to set the
++** default lookaside configuration at initialization. The
++** [-DSQLITE_DEFAULT_LOOKASIDE] option can be used to set the default lookaside
++** configuration at compile-time. Typical values for lookaside are 1200 for
++** "sz" and 40 to 100 for "cnt".
++** </dd>
+ **
+ ** [[SQLITE_DBCONFIG_ENABLE_FKEY]]
+ ** <dt>SQLITE_DBCONFIG_ENABLE_FKEY</dt>
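Review bot: two nits in the documentation text of this hunk, which is rendered into the public API docs: `if "cnt"is less than 1` is missing a space after the closing quote, and the second list item opens with `<li><P>` while the first and third use `<li><p>`. The stated limit 2,147,418,112 does match the 0x7fff0000 cap applied in sqlite3.c.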
diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
index 0a7a136c53..f47a9871e2 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
@@ -8,6 +8,7 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \
file://CVE-2022-46908.patch \
file://CVE-2023-36191.patch \
file://CVE-2023-7104.patch \
+ file://CVE-2025-29088.patch \
"
SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
--
2.43.0
* [OE-core][kirkstone 02/14] libpam: Update fix for CVE-2024-10041
From: Steve Sakoman @ 2025-04-30 2:53 UTC (permalink / raw)
To: openembedded-core
From: Shubham Kulkarni <skulkarni@mvista.com>
Initially, the PAM community fixed CVE-2024-10041 in version v1.6.0 via commit b3020da.
But not all cases were covered by this fix, and issues were reported after the release.
In the v1.6.1 release, the PAM community fixed these issues via commit b7b9636.
Backport this commit b7b9636, which
Fixes: b3020da ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
Backport from https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...024-10041.patch => CVE-2024-10041-1.patch} | 0
.../pam/libpam/CVE-2024-10041-2.patch | 77 +++++++++++++++++++
meta/recipes-extended/pam/libpam_1.5.2.bb | 3 +-
3 files changed, 79 insertions(+), 1 deletion(-)
rename meta/recipes-extended/pam/libpam/{CVE-2024-10041.patch => CVE-2024-10041-1.patch} (100%)
create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch
similarity index 100%
rename from meta/recipes-extended/pam/libpam/CVE-2024-10041.patch
rename to meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch
diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
new file mode 100644
index 0000000000..6070a26266
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
@@ -0,0 +1,77 @@
+From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Wed, 24 Jan 2024 18:57:42 +0100
+Subject: [PATCH] pam_unix: try to set uid to 0 for unix_chkpwd
+
+The geteuid check does not cover all cases. If a program runs with
+elevated capabilities like CAP_SETUID then we can still check
+credentials of other users.
+
+Keep logging for future analysis though.
+
+Resolves: https://github.com/linux-pam/linux-pam/issues/747
+Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620]
+CVE: CVE-2024-10041
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ modules/pam_unix/pam_unix_acct.c | 17 +++++++++--------
+ modules/pam_unix/support.c | 14 +++++++-------
+ 2 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0df..7ffcb9e3f2 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+ _exit(PAM_AUTHINFO_UNAVAIL);
+ }
+
+- if (geteuid() == 0) {
+- /* must set the real uid to 0 so the helper will not error
+- out if pam is called from setuid binary (su, sudo...) */
+- if (setuid(0) == -1) {
+- pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
+- printf("-1\n");
+- fflush(stdout);
+- _exit(PAM_AUTHINFO_UNAVAIL);
++ /* must set the real uid to 0 so the helper will not error
++ out if pam is called from setuid binary (su, sudo...) */
++ if (setuid(0) == -1) {
++ uid_t euid = geteuid();
++ pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");
++ if (euid == 0) {
++ printf("-1\n");
++ fflush(stdout);
++ _exit(PAM_AUTHINFO_UNAVAIL);
+ }
+ }
+
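Review bot: the retained comment "must set the real uid to 0 so the helper will not error out if pam is called from setuid binary" no longer describes what the code does: `setuid(0)` is now attempted unconditionally, and per the commit message the point is that a process with euid != 0 but CAP_SETUID can still succeed here. Suggest rewording the comment to say the call is tried regardless of euid and that failure is fatal only when `euid == 0`; note that on failure with euid != 0 the child now logs at LOG_DEBUG and continues on to the exec with unchanged credentials.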
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index d391973f95..69811048e6 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -562,13 +562,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ _exit(PAM_AUTHINFO_UNAVAIL);
+ }
+
+- if (geteuid() == 0) {
+- /* must set the real uid to 0 so the helper will not error
+- out if pam is called from setuid binary (su, sudo...) */
+- if (setuid(0) == -1) {
+- D(("setuid failed"));
+- _exit(PAM_AUTHINFO_UNAVAIL);
+- }
++ /* must set the real uid to 0 so the helper will not error
++ out if pam is called from setuid binary (su, sudo...) */
++ if (setuid(0) == -1) {
++ D(("setuid failed"));
++ if (geteuid() == 0) {
++ _exit(PAM_AUTHINFO_UNAVAIL);
++ }
+ }
+
+ /* exec binary helper */
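Review bot: this hunk and the pam_unix_acct.c hunk implement the same rule differently: here `geteuid() == 0` is checked after the failed `setuid(0)` and `D(("setuid failed"))` gives no hint of whether the failure was treated as fatal, whereas acct.c captures `euid` first and logs through `pam_syslog` at LOG_ERR or LOG_DEBUG. Consider mirroring the acct.c form so both helper launchers behave and log the same way, which also keeps the "keep logging for future analysis" intent of the commit message in non-debug builds.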
diff --git a/meta/recipes-extended/pam/libpam_1.5.2.bb b/meta/recipes-extended/pam/libpam_1.5.2.bb
index 05fe232f6a..567f9741cb 100644
--- a/meta/recipes-extended/pam/libpam_1.5.2.bb
+++ b/meta/recipes-extended/pam/libpam_1.5.2.bb
@@ -27,7 +27,8 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux
file://CVE-2022-28321-0002.patch \
file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \
file://CVE-2024-22365.patch \
- file://CVE-2024-10041.patch \
+ file://CVE-2024-10041-1.patch \
+ file://CVE-2024-10041-2.patch \
"
SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"
--
2.43.0
* [OE-core][kirkstone 03/14] ppp: patch CVE-2024-58250
13 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-04-30 2:53 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Backport patch to remove vulnerable component.
This is a breaking change, but there will be no other fix for this CVE
as upstream did the deletion without providing a fix first.
If someone really needs this feature, which the commit message describes
as deprecated, bbappend with patch removal is possible.
License-Update: passprompt plugin removed
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ppp/ppp/CVE-2024-58250.patch | 185 ++++++++++++++++++
meta/recipes-connectivity/ppp/ppp_2.4.9.bb | 2 +-
2 files changed, 186 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch
diff --git a/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch b/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch
new file mode 100644
index 0000000000..b07d28253f
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch
@@ -0,0 +1,185 @@
+From 0a66ad22e54c72690ec2a29a019767c55c5281fc Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Fri, 18 Oct 2024 20:22:57 +1100
+Subject: [PATCH] pppd: Remove passprompt plugin
+
+This is prompted by a number of factors:
+
+* It was more useful back in the dial-up days, but no-one uses dial-up
+ any more
+
+* In many cases there will be no terminal accessible to the prompter
+ program at the point where the prompter is run
+
+* The passwordfd plugin does much the same thing but does it more
+ cleanly and securely
+
+* The handling of privileges and file descriptors needs to be audited
+ thoroughly.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+
+CVE: CVE-2024-58250
+Upstream-Status: Backport [https://github.com/ppp-project/ppp/commit/0a66ad22e54c72690ec2a29a019767c55c5281fc]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pppd/plugins/Makefile.linux | 2 +-
+ pppd/plugins/Makefile.sol2 | 6 --
+ pppd/plugins/passprompt.c | 119 ------------------------------------
+ 3 files changed, 1 insertion(+), 126 deletions(-)
+ delete mode 100644 pppd/plugins/passprompt.c
+
+diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
+index 6403e3d..fcc36e4 100644
+--- a/pppd/plugins/Makefile.linux
++++ b/pppd/plugins/Makefile.linux
+@@ -17,7 +17,7 @@ CFLAGS += -DUSE_EAPTLS=1
+ SUBDIRS := pppoe pppoatm pppol2tp
+ # Uncomment the next line to include the radius authentication plugin
+ SUBDIRS += radius
+-PLUGINS := minconn.so passprompt.so passwordfd.so winbind.so
++PLUGINS := minconn.so passwordfd.so winbind.so
+
+ # This setting should match the one in ../Makefile.linux
+ MPPE=y
+diff --git a/pppd/plugins/Makefile.sol2 b/pppd/plugins/Makefile.sol2
+index bc7d85d..f77ea1d 100644
+--- a/pppd/plugins/Makefile.sol2
++++ b/pppd/plugins/Makefile.sol2
+@@ -17,11 +17,5 @@ minconn.so: minconn.o
+ minconn.o: minconn.c
+ $(CC) $(CFLAGS) -c $?
+
+-passprompt.so: passprompt.o
+- ld -o $@ $(LDFLAGS) -h $@ passprompt.o
+-
+-passprompt.o: passprompt.c
+- $(CC) $(CFLAGS) -c $?
+-
+ clean:
+ rm -f *.o *.so
+diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c
+deleted file mode 100644
+index 7779d51..0000000
+--- a/pppd/plugins/passprompt.c
++++ /dev/null
+@@ -1,119 +0,0 @@
+-/*
+- * passprompt.c - pppd plugin to invoke an external PAP password prompter
+- *
+- * Copyright 1999 Paul Mackerras, Alan Curry.
+- *
+- * This program is free software; you can redistribute it and/or
+- * modify it under the terms of the GNU General Public License
+- * as published by the Free Software Foundation; either version
+- * 2 of the License, or (at your option) any later version.
+- */
+-#include <errno.h>
+-#include <unistd.h>
+-#include <sys/wait.h>
+-#include <syslog.h>
+-#include "pppd.h"
+-
+-char pppd_version[] = VERSION;
+-
+-static char promptprog[PATH_MAX+1];
+-static int promptprog_refused = 0;
+-
+-static option_t options[] = {
+- { "promptprog", o_string, promptprog,
+- "External PAP password prompting program",
+- OPT_STATIC, NULL, PATH_MAX },
+- { NULL }
+-};
+-
+-static int promptpass(char *user, char *passwd)
+-{
+- int p[2];
+- pid_t kid;
+- int readgood, wstat;
+- ssize_t red;
+-
+- if (promptprog_refused || promptprog[0] == 0 || access(promptprog, X_OK) < 0)
+- return -1; /* sorry, can't help */
+-
+- if (!passwd)
+- return 1;
+-
+- if (pipe(p)) {
+- warn("Can't make a pipe for %s", promptprog);
+- return 0;
+- }
+- if ((kid = fork()) == (pid_t) -1) {
+- warn("Can't fork to run %s", promptprog);
+- close(p[0]);
+- close(p[1]);
+- return 0;
+- }
+- if (!kid) {
+- /* we are the child, exec the program */
+- char *argv[5], fdstr[32];
+- sys_close();
+- closelog();
+- close(p[0]);
+- seteuid(getuid());
+- setegid(getgid());
+- argv[0] = promptprog;
+- argv[1] = user;
+- argv[2] = remote_name;
+- sprintf(fdstr, "%d", p[1]);
+- argv[3] = fdstr;
+- argv[4] = 0;
+- execv(*argv, argv);
+- _exit(127);
+- }
+-
+- /* we are the parent, read the password from the pipe */
+- close(p[1]);
+- readgood = 0;
+- do {
+- red = read(p[0], passwd + readgood, MAXSECRETLEN-1 - readgood);
+- if (red == 0)
+- break;
+- if (red < 0) {
+- if (errno == EINTR && !got_sigterm)
+- continue;
+- error("Can't read secret from %s: %m", promptprog);
+- readgood = -1;
+- break;
+- }
+- readgood += red;
+- } while (readgood < MAXSECRETLEN - 1);
+- close(p[0]);
+-
+- /* now wait for child to exit */
+- while (waitpid(kid, &wstat, 0) < 0) {
+- if (errno != EINTR || got_sigterm) {
+- warn("error waiting for %s: %m", promptprog);
+- break;
+- }
+- }
+-
+- if (readgood < 0)
+- return 0;
+- passwd[readgood] = 0;
+- if (!WIFEXITED(wstat))
+- warn("%s terminated abnormally", promptprog);
+- if (WEXITSTATUS(wstat)) {
+- warn("%s exited with code %d", promptprog, WEXITSTATUS(wstat));
+- /* code when cancel was hit in the prompt prog */
+- if (WEXITSTATUS(wstat) == 128) {
+- promptprog_refused = 1;
+- }
+- return -1;
+- }
+- return 1;
+-}
+-
+-void plugin_init(void)
+-{
+- add_options(options);
+- pap_passwd_hook = promptpass;
+-#ifdef USE_EAPTLS
+- eaptls_passwd_hook = promptpass;
+-#endif
+-}
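Review bot: removing the plugin outright rather than patching it is consistent with the audit concern in the commit message: in the deleted child-side code only the effective ids are dropped (`seteuid(getuid())` / `setegid(getgid())`) before `execv`, so the saved set-user-ID is left untouched, and the pipe's write end is passed to the external program by descriptor number in `argv[3]`. For the kirkstone backport it would help to note in the patch header that the `promptprog` option goes away with the plugin, since that is the user-visible breaking change the cover text refers to.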
diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.9.bb b/meta/recipes-connectivity/ppp/ppp_2.4.9.bb
index b7f71b673d..e25929febf 100644
--- a/meta/recipes-connectivity/ppp/ppp_2.4.9.bb
+++ b/meta/recipes-connectivity/ppp/ppp_2.4.9.bb
@@ -7,7 +7,6 @@ BUGTRACKER = "http://ppp.samba.org/cgi-bin/ppp-bugs"
DEPENDS = "libpcap openssl virtual/crypt"
LICENSE = "BSD-3-Clause & BSD-3-Clause-Attribution & GPL-2.0-or-later & LGPL-2.0-or-later & PD & RSA-MD"
LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=29;md5=e2c43fe6e81ff77d87dc9c290a424dea \
- file://pppd/plugins/passprompt.c;beginline=1;endline=10;md5=3bcbcdbf0e369c9a3e0b8c8275b065d8 \
file://pppd/tdb.c;beginline=1;endline=27;md5=4ca3a9991b011038d085d6675ae7c4e6 \
file://chat/chat.c;beginline=1;endline=15;md5=0d374b8545ee5c62d7aff1acbd38add2"
@@ -26,6 +25,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
file://ppp@.service \
file://0001-ppp-fix-build-against-5.15-headers.patch \
file://CVE-2022-4603.patch \
+ file://CVE-2024-58250.patch \
"
SRC_URI[sha256sum] = "f938b35eccde533ea800b15a7445b2f1137da7f88e32a16898d02dee8adc058d"
--
2.43.0
* [OE-core][kirkstone 04/14] ghostscript: ignore CVE-2025-27833
13 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-04-30 2:53 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Vulnerable code was introduced in 9.56.0, so 9.55.0 is not affected yet.
Commit introducing vulnerable feature:
* https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/pdf/pdf_fmap.c?id=0a1d08d91a95746f41e8c1d578a4e4af81ee5949
Commit fixing the vulnerability:
* https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=477e36cfa1faa0037069a22eeeb4fc750733f120
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 8499bb3676..3d4ac77cfa 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -22,9 +22,10 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
# As of ghostscript 9.54.0 the jpeg issue in the CVE is present in the gs jpeg sources
# however we use an external jpeg which doesn't have the issue.
CVE_CHECK_IGNORE += "CVE-2013-6629"
-
# Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe.
CVE_CHECK_IGNORE += "CVE-2023-38560 CVE-2024-46954"
+# Vulnerable code was introduced in 9.56.0, so 9.55.0 is not affected yet
+CVE_CHECK_IGNORE += "CVE-2025-27833"
def gs_verdir(v):
return "".join(v.split("."))
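Review bot: the hunk also deletes the blank line that separated the CVE-2013-6629 block from the GhostPCL block (the lone `-` line), which is an unrelated whitespace change; keep that blank line and add the new entry after the GhostPCL one. For consistency with the libarchive recipe in this series, the new comment could carry the same `cpe-incorrect:` prefix used there.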
--
2.43.0
* [OE-core][kirkstone 05/14] libarchive: ignore CVE-2024-48615
13 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-04-30 2:53 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Fix for this CVE [1] is patching code introduced by [2] in v3.7.5.
So v3.6.2 is not affected yet and the CVE can be safely ignored.
The Debian tracker [3] also contains this statement.
[1] https://github.com/libarchive/libarchive/commit/565b5aea491671ae33df1ca63697c10d54c00165
[2] https://github.com/libarchive/libarchive/commit/2d8a5760c5ec553283a95a1aaca746f6eb472d0f
[3] https://security-tracker.debian.org/tracker/CVE-2024-48615
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-extended/libarchive/libarchive_3.6.2.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
index f7e576b688..87d3794ab7 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -46,6 +46,8 @@ CVE_CHECK_IGNORE += "CVE-2023-30571"
CVE_CHECK_IGNORE += "CVE-2024-37407"
# cpe-incorrect: bsdtar was introduced in v3.7.0, so 3.6.2 is not affected yet
CVE_CHECK_IGNORE += "CVE-2025-1632"
+# cpe-incorrect: vulnerable code introduced in v3.7.5, so 3.6.2 is not affected yet
+CVE_CHECK_IGNORE += "CVE-2024-48615"
inherit autotools update-alternatives pkgconfig
--
2.43.0
* [OE-core][kirkstone 06/14] libxml2: patch CVE-2025-32414
13 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2025-04-30 2:53 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit from 2.12 branch as 2.9 branch is unmaintained now.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libxml/libxml2/CVE-2025-32414.patch | 74 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
2 files changed, 75 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch
new file mode 100644
index 0000000000..23a2316672
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch
@@ -0,0 +1,74 @@
+From d7657811964eac1cb9743bb98649278ad948f0d2 Mon Sep 17 00:00:00 2001
+From: Maks Verver <maks@verver.ch>
+Date: Tue, 8 Apr 2025 13:13:55 +0200
+Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters.
+
+Fixes #889 by reserving space in the buffer for UTF-8 encoding of text.
+
+CVE: CVE-2025-32414
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d7657811964eac1cb9743bb98649278ad948f0d2]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ python/libxml.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/python/libxml.c b/python/libxml.c
+index 1fe8d685..2bf14078 100644
+--- a/python/libxml.c
++++ b/python/libxml.c
+@@ -287,7 +287,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
+ #endif
+ file = (PyObject *) context;
+ if (file == NULL) return(-1);
+- ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len);
++ /* When read() returns a string, the length is in characters not bytes, so
++ request at most len / 4 characters to leave space for UTF-8 encoding. */
++ ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len / 4);
+ if (ret == NULL) {
+ printf("xmlPythonFileReadRaw: result is NULL\n");
+ return(-1);
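Review bot: `len / 4` evaluates to 0 when the caller passes `len < 4`, and `read(0)` on a Python file object returns an empty string, which the rest of this function would treat as end of input. If the libxml2 I/O layer can ever call this with a buffer smaller than 4 bytes, request at least one character and rely on the `lenread > len` check added in the next hunk to reject an over-long encoding; otherwise a comment stating the minimum buffer size the callers guarantee would settle the question.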
+@@ -322,10 +324,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
+ Py_DECREF(ret);
+ return(-1);
+ }
+- if (lenread > len)
+- memcpy(buffer, data, len);
+- else
+- memcpy(buffer, data, lenread);
++ if (lenread < 0 || lenread > len) {
++ printf("xmlPythonFileReadRaw: invalid lenread\n");
++ Py_DECREF(ret);
++ return(-1);
++ }
++ memcpy(buffer, data, lenread);
+ Py_DECREF(ret);
+ return(lenread);
+ }
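Review bot: replacing the silent truncation `memcpy(buffer, data, len)` with an error is the right call: truncating a UTF-8 encoded result at `len` bytes dropped data and could split a multibyte sequence, leaving the parser with an invalid tail. The new `lenread < 0` test also covers a failed length query that the old code would have fed straight into `memcpy`.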
+@@ -352,7 +356,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
+ #endif
+ file = (PyObject *) context;
+ if (file == NULL) return(-1);
+- ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len);
++ /* When io_read() returns a string, the length is in characters not bytes, so
++ request at most len / 4 characters to leave space for UTF-8 encoding. */
++ ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4);
+ if (ret == NULL) {
+ printf("xmlPythonFileRead: result is NULL\n");
+ return(-1);
+@@ -387,10 +393,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
+ Py_DECREF(ret);
+ return(-1);
+ }
+- if (lenread > len)
+- memcpy(buffer, data, len);
+- else
+- memcpy(buffer, data, lenread);
++ if (lenread < 0 || lenread > len) {
++ printf("xmlPythonFileRead: invalid lenread\n");
++ Py_DECREF(ret);
++ return(-1);
++ }
++ memcpy(buffer, data, lenread);
+ Py_DECREF(ret);
+ return(lenread);
+ }
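Review bot: `xmlPythonFileRead` now repeats the `len / 4` request and the `lenread` range check from `xmlPythonFileReadRaw` line for line, differing only in the method name (`"io_read"` vs `"read"`). A shared static helper taking the method name would keep the two validations from drifting apart in a future fix.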
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index 1cbd620b34..e281a39fd4 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -37,6 +37,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
file://CVE-2025-27113.patch \
file://CVE-2024-56171.patch \
file://CVE-2025-24928.patch \
+ file://CVE-2025-32414.patch \
"
SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
--
2.43.0
* [OE-core][kirkstone 07/14] libxml2: patch CVE-2025-32415
From: Steve Sakoman @ 2025-04-30 2:53 UTC
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit from 2.13 branch as 2.9 branch is unmaintained now.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libxml/libxml2/CVE-2025-32415.patch | 39 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
2 files changed, 40 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-32415.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-32415.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-32415.patch
new file mode 100644
index 0000000000..4f39bb824b
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-32415.patch
@@ -0,0 +1,39 @@
+From 384cc7c182fc00c6d5e2ab4b5e3671b2e3f93c84 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 6 Apr 2025 12:41:11 +0200
+Subject: [PATCH] [CVE-2025-32415] schemas: Fix heap buffer overflow in
+ xmlSchemaIDCFillNodeTables
+
+Don't use local variable which could contain a stale value.
+
+Fixes #890.
+
+CVE: CVE-2025-32415
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/384cc7c182fc00c6d5e2ab4b5e3671b2e3f93c84]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ xmlschemas.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 28b14bd4..428e3c82 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -23607,7 +23607,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
+ j++;
+ } while (j < nbDupls);
+ }
+- if (nbNodeTable) {
++ if (bind->nbNodes) {
+ j = 0;
+ do {
+ if (nbFields == 1) {
+@@ -23657,7 +23657,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
+
+ next_node_table_entry:
+ j++;
+- } while (j < nbNodeTable);
++ } while (j < bind->nbNodes);
+ }
+ /*
+ * If everything is fine, then add the IDC target-node to
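Review bot: both hunks replace `nbNodeTable` with `bind->nbNodes` for the loop guard and the loop bound, but the loop body between them (not shown in this patch) is where the stale count would have been used to index the node table. Please confirm no remaining reference to `nbNodeTable` is left in that body, otherwise the bound and the indexing would disagree again.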
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index e281a39fd4..bd6dd88dee 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -38,6 +38,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
file://CVE-2024-56171.patch \
file://CVE-2025-24928.patch \
file://CVE-2025-32414.patch \
+ file://CVE-2025-32415.patch \
"
SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
--
2.43.0
* [OE-core][kirkstone 08/14] glib-2.0: patch CVE-2025-3360
From: Steve Sakoman @ 2025-04-30 2:53 UTC
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Backport commits from [1] fixing [2] for 2.82.x.
[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4499
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3647x
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../glib-2.0/glib-2.0/CVE-2025-3360-01.patch | 57 ++++++++++++++
.../glib-2.0/glib-2.0/CVE-2025-3360-02.patch | 53 +++++++++++++
.../glib-2.0/glib-2.0/CVE-2025-3360-03.patch | 36 +++++++++
.../glib-2.0/glib-2.0/CVE-2025-3360-04.patch | 76 +++++++++++++++++++
.../glib-2.0/glib-2.0/CVE-2025-3360-05.patch | 57 ++++++++++++++
.../glib-2.0/glib-2.0/CVE-2025-3360-06.patch | 50 ++++++++++++
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 6 ++
7 files changed, 335 insertions(+)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch
new file mode 100644
index 0000000000..91ea6c3748
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch
@@ -0,0 +1,57 @@
+From fe6af80931c35fafc6a2cd0651b6de052d1bffae Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 16:44:58 +0000
+Subject: [PATCH 1/6] gdatetime: Fix integer overflow when parsing very long
+ ISO8601 inputs
+
+This will only happen with invalid (or maliciously invalid) potential
+ISO8601 strings, but `g_date_time_new_from_iso8601()` needs to be robust
+against that.
+
+Prevent `length` overflowing by correctly defining it as a `size_t`.
+Similarly for `date_length`, but additionally track its validity in a
+boolean rather than as its sign.
+
+Spotted by chamalsl as #YWH-PGM9867-43.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/fe6af80931c35fafc6a2cd0651b6de052d1bffae]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index ad9c190b6..b33db2c20 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1493,7 +1493,8 @@ parse_iso8601_time (const gchar *text, gsize length,
+ GDateTime *
+ g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz)
+ {
+- gint length, date_length = -1;
++ size_t length, date_length = 0;
++ gboolean date_length_set = FALSE;
+ gint hour = 0, minute = 0;
+ gdouble seconds = 0.0;
+ GTimeZone *tz = NULL;
+@@ -1504,11 +1505,14 @@ g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz)
+ /* Count length of string and find date / time separator ('T', 't', or ' ') */
+ for (length = 0; text[length] != '\0'; length++)
+ {
+- if (date_length < 0 && (text[length] == 'T' || text[length] == 't' || text[length] == ' '))
+- date_length = length;
++ if (!date_length_set && (text[length] == 'T' || text[length] == 't' || text[length] == ' '))
++ {
++ date_length = length;
++ date_length_set = TRUE;
++ }
+ }
+
+- if (date_length < 0)
++ if (!date_length_set)
+ return NULL;
+
+ if (!parse_iso8601_time (text + date_length + 1, length - (date_length + 1),
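Review bot: once `length` and `date_length` are `size_t`, the expression `length - (date_length + 1)` at the end of the hunk has no sign to catch a wrap-around; it is safe only because `date_length` is assigned from the loop index, so `date_length < length` holds whenever `date_length_set` is TRUE. A one-line comment stating that invariant next to the subtraction would make the unsigned arithmetic reviewable.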
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch
new file mode 100644
index 0000000000..ca5ae2866c
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch
@@ -0,0 +1,53 @@
+From 495c85278f9638fdf3ebf002c759e1bdccebaf2f Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 16:51:36 +0000
+Subject: [PATCH 2/6] gdatetime: Fix potential integer overflow in timezone
+ offset handling
+
+This one is much harder to trigger than the one in the previous commit,
+but mixing `gssize` and `gsize` always runs the risk of the former
+overflowing for very (very very) long input strings.
+
+Avoid that possibility by not using the sign of the `tz_offset` to
+indicate its validity, and instead using the return value of the
+function.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/495c85278f9638fdf3ebf002c759e1bdccebaf2f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index b33db2c20..792c2ed15 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1342,8 +1342,10 @@ parse_iso8601_date (const gchar *text, gsize length,
+ return FALSE;
+ }
+
++/* Value returned in tz_offset is valid if and only if the function return value
++ * is non-NULL. */
+ static GTimeZone *
+-parse_iso8601_timezone (const gchar *text, gsize length, gssize *tz_offset)
++parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ {
+ gint i, tz_length, offset_hours, offset_minutes;
+ gint offset_sign = 1;
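Review bot: `tz_offset` becomes `size_t` here, but the context line still declares `gint i, tz_length` while `length` is `gsize`, which is the same signed/unsigned mix the commit message warns about. Patches 3/6 and 5/6 in this series convert those, so the series is consistent as a whole, but this commit on its own still leaves the narrower types in place.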
+@@ -1411,11 +1413,11 @@ static gboolean
+ parse_iso8601_time (const gchar *text, gsize length,
+ gint *hour, gint *minute, gdouble *seconds, GTimeZone **tz)
+ {
+- gssize tz_offset = -1;
++ size_t tz_offset = 0;
+
+ /* Check for timezone suffix */
+ *tz = parse_iso8601_timezone (text, length, &tz_offset);
+- if (tz_offset >= 0)
++ if (*tz != NULL)
+ length = tz_offset;
+
+ /* hh:mm:ss(.sss) */
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch
new file mode 100644
index 0000000000..25eb0c6fdd
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch
@@ -0,0 +1,36 @@
+From 5e8a3c19fcad2936dc5e070cf0767a5c5af907c5 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 16:55:18 +0000
+Subject: [PATCH 3/6] gdatetime: Track timezone length as an unsigned size_t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It’s guaranteed to be in (0, length] by the calculations above.
+
+This avoids the possibility of integer overflow through `gssize` not
+being as big as `size_t`.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/5e8a3c19fcad2936dc5e070cf0767a5c5af907c5]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index 792c2ed15..6335bcbe2 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1347,7 +1347,8 @@ parse_iso8601_date (const gchar *text, gsize length,
+ static GTimeZone *
+ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ {
+- gint i, tz_length, offset_hours, offset_minutes;
++ size_t tz_length;
++ gint i, offset_hours, offset_minutes;
+ gint offset_sign = 1;
+ GTimeZone *tz;
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch
new file mode 100644
index 0000000000..e62604d600
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch
@@ -0,0 +1,76 @@
+From 804a3957720449dcfac601da96bd5f5db2b71ef1 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 17:07:24 +0000
+Subject: [PATCH 4/6] gdatetime: Factor out some string pointer arithmetic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Makes the following code a little clearer, but doesn’t introduce any
+functional changes.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/804a3957720449dcfac601da96bd5f5db2b71ef1]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index 6335bcbe2..de5dd7af0 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1351,6 +1351,7 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ gint i, offset_hours, offset_minutes;
+ gint offset_sign = 1;
+ GTimeZone *tz;
++ const char *tz_start;
+
+ /* UTC uses Z suffix */
+ if (length > 0 && text[length - 1] == 'Z')
+@@ -1368,34 +1369,35 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ }
+ if (i < 0)
+ return NULL;
++ tz_start = text + i;
+ tz_length = length - i;
+
+ /* +hh:mm or -hh:mm */
+- if (tz_length == 6 && text[i+3] == ':')
++ if (tz_length == 6 && tz_start[3] == ':')
+ {
+- if (!get_iso8601_int (text + i + 1, 2, &offset_hours) ||
+- !get_iso8601_int (text + i + 4, 2, &offset_minutes))
++ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) ||
++ !get_iso8601_int (tz_start + 4, 2, &offset_minutes))
+ return NULL;
+ }
+ /* +hhmm or -hhmm */
+ else if (tz_length == 5)
+ {
+- if (!get_iso8601_int (text + i + 1, 2, &offset_hours) ||
+- !get_iso8601_int (text + i + 3, 2, &offset_minutes))
++ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) ||
++ !get_iso8601_int (tz_start + 3, 2, &offset_minutes))
+ return NULL;
+ }
+ /* +hh or -hh */
+ else if (tz_length == 3)
+ {
+- if (!get_iso8601_int (text + i + 1, 2, &offset_hours))
++ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours))
+ return NULL;
+ offset_minutes = 0;
+ }
+ else
+ return NULL;
+
+- *tz_offset = i;
+- tz = g_time_zone_new_identifier (text + i);
++ *tz_offset = tz_start - text;
++ tz = g_time_zone_new_identifier (tz_start);
+
+ /* Double-check that the GTimeZone matches our interpretation of the timezone.
+ * This can fail because our interpretation is less strict than (for example)
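Review bot: `*tz_offset = tz_start - text;` assigns a `ptrdiff_t` to a `size_t`. The value is non-negative because `tz_start` was just set to `text + i` after the `if (i < 0) return NULL;` check, so the conversion is safe, but since the point of this series is removing sign mix-ups a brief comment (or simply keeping `*tz_offset = i;`) would make that explicit.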
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch
new file mode 100644
index 0000000000..4d633aaba0
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch
@@ -0,0 +1,57 @@
+From 4c56ff80344e0d8796eb2307091f7b24ec198aa9 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 17:28:33 +0000
+Subject: [PATCH 5/6] gdatetime: Factor out an undersized variable
+
+For long input strings, it would have been possible for `i` to overflow.
+Avoid that problem by using the `tz_length` instead, so that we count up
+rather than down.
+
+This commit introduces no functional changes (outside of changing
+undefined behaviour), and can be verified using the identity
+`i === length - tz_length`.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/4c56ff80344e0d8796eb2307091f7b24ec198aa9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index de5dd7af0..2f8c864a1 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1348,7 +1348,7 @@ static GTimeZone *
+ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ {
+ size_t tz_length;
+- gint i, offset_hours, offset_minutes;
++ gint offset_hours, offset_minutes;
+ gint offset_sign = 1;
+ GTimeZone *tz;
+ const char *tz_start;
+@@ -1361,16 +1361,15 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ }
+
+ /* Look for '+' or '-' of offset */
+- for (i = length - 1; i >= 0; i--)
+- if (text[i] == '+' || text[i] == '-')
++ for (tz_length = 1; tz_length <= length; tz_length++)
++ if (text[length - tz_length] == '+' || text[length - tz_length] == '-')
+ {
+- offset_sign = text[i] == '-' ? -1 : 1;
++ offset_sign = text[length - tz_length] == '-' ? -1 : 1;
+ break;
+ }
+- if (i < 0)
++ if (tz_length > length)
+ return NULL;
+- tz_start = text + i;
+- tz_length = length - i;
++ tz_start = text + length - tz_length;
+
+ /* +hh:mm or -hh:mm */
+ if (tz_length == 6 && tz_start[3] == ':')
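Review bot: the rewritten loop keeps `tz_length` in `[1, length]`, so `text[length - tz_length]` never indexes below `text`, and for `length == 0` the body never runs and `tz_length > length` takes the `return NULL` path. Since the not-found condition is now encoded in the loop variable rather than a sentinel, stating that invariant in a comment above the loop would help anyone later adding a second `break`.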
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch
new file mode 100644
index 0000000000..2452b69e2e
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch
@@ -0,0 +1,50 @@
+From 7f6d81130ec05406a8820bc753ed03859e88daea Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 18:20:56 +0000
+Subject: [PATCH 6/6] tests: Add some missing GDateTime ISO8601 parsing tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This improves test coverage, adding coverage for some lines which I
+spotted were not covered while testing the preceding commits.
+
+It doesn’t directly test the preceding commits, though.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/7f6d81130ec05406a8820bc753ed03859e88daea]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/tests/gdatetime.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c
+index 9e1acd097..94dd028a3 100644
+--- a/glib/tests/gdatetime.c
++++ b/glib/tests/gdatetime.c
+@@ -857,6 +857,23 @@ test_GDateTime_new_from_iso8601 (void)
+ * NaN */
+ dt = g_date_time_new_from_iso8601 ("0005306 000001,666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666600080000-00", NULL);
+ g_assert_null (dt);
++
++ /* Various invalid timezone offsets which look like they could be in
++ * `+hh:mm`, `-hh:mm`, `+hhmm`, `-hhmm`, `+hh` or `-hh` format */
++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+01:xx", NULL);
++ g_assert_null (dt);
++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx:00", NULL);
++ g_assert_null (dt);
++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx:xx", NULL);
++ g_assert_null (dt);
++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+01xx", NULL);
++ g_assert_null (dt);
++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx00", NULL);
++ g_assert_null (dt);
++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xxxx", NULL);
++ g_assert_null (dt);
++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx", NULL);
++ g_assert_null (dt);
+ }
+
+ typedef struct {
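Review bot: the comment lists the `-hh:mm`, `-hhmm` and `-hh` forms as well as the `+` ones, but all seven new inputs use `+`. Adding at least one `-` variant (for example `2025-02-18T18:14:00-xx:00`) would exercise the `offset_sign` branch that patch 5/6 rewrote.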
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
index b8c75eaa49..cebd84dd50 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -54,6 +54,12 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://gdatetime-test-fail-0001.patch \
file://gdatetime-test-fail-0002.patch \
file://gdatetime-test-fail-0003.patch \
+ file://CVE-2025-3360-01.patch \
+ file://CVE-2025-3360-02.patch \
+ file://CVE-2025-3360-03.patch \
+ file://CVE-2025-3360-04.patch \
+ file://CVE-2025-3360-05.patch \
+ file://CVE-2025-3360-06.patch \
"
SRC_URI:append:class-native = " file://relocate-modules.patch"
--
2.43.0
* [OE-core][kirkstone 09/14] binutils: Fix CVE-2025-1178
From: Steve Sakoman @ 2025-04-30 2:53 UTC
To: openembedded-core
From: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Prevent an abort in the bfd linker when attempting to
generate dynamic relocs for a corrupt input file.
PR 32638
Backport a patch from upstream to fix CVE-2025-1178
Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0]
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../binutils/binutils-2.38.inc | 1 +
.../binutils/0039-CVE-2025-1178.patch | 33 +++++++++++++++++++
2 files changed, 34 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/0039-CVE-2025-1178.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 26d0b570f3..82dd5c9eb6 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -73,5 +73,6 @@ SRC_URI = "\
file://0036-CVE-2023-39130.patch \
file://0037-CVE-2024-53589.patch \
file://0038-CVE-2025-0840.patch \
+ file://0039-CVE-2025-1178.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0039-CVE-2025-1178.patch b/meta/recipes-devtools/binutils/binutils/0039-CVE-2025-1178.patch
new file mode 100644
index 0000000000..9d2054abab
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0039-CVE-2025-1178.patch
@@ -0,0 +1,33 @@
+From 75086e9de1707281172cc77f178e7949a4414ed0 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 5 Feb 2025 13:26:51 +0000
+Subject: [PATCH] Prevent an abort in the bfd linker when attempting to
+ generate dynamic relocs for a corrupt input file.
+
+PR 32638
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0]
+CVE: CVE-2025-1178
+
+Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
+
+diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
+index 970379de..cbd16abc 100644
+--- a/bfd/elf64-x86-64.c
++++ b/bfd/elf64-x86-64.c
+@@ -4575,6 +4575,15 @@ elf_x86_64_finish_dynamic_symbol (bfd *output_bfd,
+
+ if (generate_dynamic_reloc)
+ {
++ /* If the relgot section has not been created, then
++ generate an error instead of a reloc. cf PR 32638. */
++ if (relgot == NULL || relgot->size == 0)
++ {
++ info->callbacks->einfo (_("%F%pB: Unable to generate dynamic relocs because a suitable section does not exist\n"),
++ output_bfd);
++ return false;
++ }
++
+ if (relative_reloc_name != NULL
+ && htab->params->report_relative_reloc)
+ _bfd_x86_elf_link_report_relative_reloc
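Review bot: `%F` makes `einfo` fatal in the bfd linker, so the `return false` that follows is effectively unreachable; that is fine as defence in depth, but a comment saying so would stop readers from assuming the caller handles the false return. The check is also scoped to the `generate_dynamic_reloc` branch only, which matches the intent of reporting an error instead of aborting for a corrupt input.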
--
2.43.0
* [OE-core][kirkstone 10/14] python3-setuptools: Fix CVE-2024-6345
From: Steve Sakoman @ 2025-04-30 2:53 UTC
To: openembedded-core
From: Soumya Sambu <soumya.sambu@windriver.com>
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1
allows for remote code execution via its download functions. These functions, which
are used to download packages from URLs provided by users or retrieved from package
index servers, are susceptible to code injection. If these functions are exposed to
user-controlled inputs, such as package URLs, they can execute arbitrary commands on
the system. The issue is fixed in version 70.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-6345
https://ubuntu.com/security/CVE-2024-6345
Upstream patch:
https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../python3-setuptools/CVE-2024-6345.patch | 353 ++++++++++++++++++
.../python/python3-setuptools_59.5.0.bb | 1 +
2 files changed, 354 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch
diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch
new file mode 100644
index 0000000000..958ddf559b
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch
@@ -0,0 +1,353 @@
+From 88807c7062788254f654ea8c03427adc859321f0 Mon Sep 17 00:00:00 2001
+From: Jason R. Coombs <jaraco@jaraco.com>
+Date: Mon Apr 29 20:01:38 2024 -0400
+Subject: [PATCH] Merge pull request #4332 from pypa/debt/package-index-vcs
+
+Modernize package_index VCS handling
+
+Source: https://git.launchpad.net/ubuntu/+source/setuptools/tree/debian/patches/CVE-2024-6345.patch?h=applied/ubuntu/jammy-devel
+
+CVE: CVE-2024-6345
+
+Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0]
+
+Note: Cannot do exact upstream patch backport as the code changed.
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ setup.cfg | 1 +
+ setuptools/package_index.py | 145 +++++++++++++++-----------
+ setuptools/tests/test_packageindex.py | 78 +++++++-------
+ 3 files changed, 123 insertions(+), 101 deletions(-)
+
+diff --git a/setup.cfg b/setup.cfg
+index 0bc0101..b8585d7 100644
+--- a/setup.cfg
++++ b/setup.cfg
+@@ -56,6 +56,7 @@ testing =
+ jaraco.envs>=2.2
+ pytest-xdist
+ sphinx
++ pytest-subprocess
+ jaraco.path>=3.2.0
+ docs =
+ sphinx
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index e93fcc6..3a893df 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -1,5 +1,6 @@
+ """PyPI and direct package downloading"""
+ import sys
++import subprocess
+ import os
+ import re
+ import io
+@@ -566,7 +567,7 @@ class PackageIndex(Environment):
+ scheme = URL_SCHEME(spec)
+ if scheme:
+ # It's a url, download it to tmpdir
+- found = self._download_url(scheme.group(1), spec, tmpdir)
++ found = self._download_url(spec, tmpdir)
+ base, fragment = egg_info_for_url(spec)
+ if base.endswith('.py'):
+ found = self.gen_setup(found, fragment, tmpdir)
+@@ -785,7 +786,7 @@ class PackageIndex(Environment):
+ raise DistutilsError("Download error for %s: %s"
+ % (url, v)) from v
+
+- def _download_url(self, scheme, url, tmpdir):
++ def _download_url(self, url, tmpdir):
+ # Determine download filename
+ #
+ name, fragment = egg_info_for_url(url)
+@@ -800,19 +801,57 @@ class PackageIndex(Environment):
+
+ filename = os.path.join(tmpdir, name)
+
+- # Download the file
+- #
+- if scheme == 'svn' or scheme.startswith('svn+'):
+- return self._download_svn(url, filename)
+- elif scheme == 'git' or scheme.startswith('git+'):
+- return self._download_git(url, filename)
+- elif scheme.startswith('hg+'):
+- return self._download_hg(url, filename)
+- elif scheme == 'file':
+- return urllib.request.url2pathname(urllib.parse.urlparse(url)[2])
+- else:
+- self.url_ok(url, True) # raises error if not allowed
+- return self._attempt_download(url, filename)
++ return self._download_vcs(url, filename) or self._download_other(url, filename)
++
++ @staticmethod
++ def _resolve_vcs(url):
++ """
++ >>> rvcs = PackageIndex._resolve_vcs
++ >>> rvcs('git+http://foo/bar')
++ 'git'
++ >>> rvcs('hg+https://foo/bar')
++ 'hg'
++ >>> rvcs('git:myhost')
++ 'git'
++ >>> rvcs('hg:myhost')
++ >>> rvcs('http://foo/bar')
++ """
++ scheme = urllib.parse.urlsplit(url).scheme
++ pre, sep, post = scheme.partition('+')
++ # svn and git have their own protocol; hg does not
++ allowed = set(['svn', 'git'] + ['hg'] * bool(sep))
++ return next(iter({pre} & allowed), None)
++
++ def _download_vcs(self, url, spec_filename):
++ vcs = self._resolve_vcs(url)
++ if not vcs:
++ return
++ if vcs == 'svn':
++ return self._download_svn(url, spec_filename)
++
++ filename, _, _ = spec_filename.partition('#')
++ url, rev = self._vcs_split_rev_from_url(url)
++
++ self.info(f"Doing {vcs} clone from {url} to (unknown)")
++ subprocess.check_call([vcs, 'clone', '--quiet', url, filename])
++
++ co_commands = dict(
++ git=[vcs, '-C', filename, 'checkout', '--quiet', rev],
++ hg=[vcs, '--cwd', filename, 'up', '-C', '-r', rev, '-q'],
++ )
++ if rev is not None:
++ self.info(f"Checking out {rev}")
++ subprocess.check_call(co_commands[vcs])
++
++ return filename
++
++ def _download_other(self, url, filename):
++ scheme = urllib.parse.urlsplit(url).scheme
++ if scheme == 'file': # pragma: no cover
++ return urllib.request.url2pathname(urllib.parse.urlparse(url).path)
++ # raise error if not allowed
++ self.url_ok(url, True)
++ return self._attempt_download(url, filename)
+
+ def scan_url(self, url):
+ self.process_url(url, True)
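Review bot: in `_download_vcs`, `rev` comes straight from the user-supplied `@rev` suffix and is passed as a positional argument to `git checkout`, so a value beginning with `-` would be parsed by git as an option rather than a ref; validating `rev` (rejecting a leading `-`) before building `co_commands` would close that residual gap now that the shell is gone. Separately, the log line `f"Doing {vcs} clone from {url} to (unknown)"` should print `filename`, which is known at that point, as the old `"Doing git clone from %s to %s"` message did.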
+@@ -842,7 +881,7 @@ class PackageIndex(Environment):
+ def _download_svn(self, url, filename):
+ warnings.warn("SVN download support is deprecated", UserWarning)
+ url = url.split('#', 1)[0] # remove any fragment for svn's sake
+- creds = ''
++ creds = []
+ if url.lower().startswith('svn:') and '@' in url:
+ scheme, netloc, path, p, q, f = urllib.parse.urlparse(url)
+ if not netloc and path.startswith('//') and '/' in path[2:]:
+@@ -851,65 +890,49 @@ class PackageIndex(Environment):
+ if auth:
+ if ':' in auth:
+ user, pw = auth.split(':', 1)
+- creds = " --username=%s --password=%s" % (user, pw)
++ creds.extend(["--username", user, "--password", pw])
+ else:
+- creds = " --username=" + auth
++ creds.extend(["--username", auth])
+ netloc = host
+ parts = scheme, netloc, url, p, q, f
+ url = urllib.parse.urlunparse(parts)
+ self.info("Doing subversion checkout from %s to %s", url, filename)
+- os.system("svn checkout%s -q %s %s" % (creds, url, filename))
++ cmd = ["svn", "checkout", "-q"] + creds + [url, filename]
++ subprocess.check_call(cmd)
++
+ return filename
+
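Review bot: building `cmd` as a list and calling `subprocess.check_call` removes the shell from the svn path, which is the core of the fix for this function; note that `--password` and `pw` still travel as argv entries, so the credential remains visible in the process list exactly as it was with `os.system`, only no longer shell-interpretable. The unchanged context line `parts = scheme, netloc, url, p, q, f` passes the whole `url` as the path component of `urlunparse`, which looks suspicious and would be worth a follow-up outside this CVE fix.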
+ @staticmethod
+- def _vcs_split_rev_from_url(url, pop_prefix=False):
+- scheme, netloc, path, query, frag = urllib.parse.urlsplit(url)
++ def _vcs_split_rev_from_url(url):
++ """
++ Given a possible VCS URL, return a clean URL and resolved revision if any.
++
++ >>> vsrfu = PackageIndex._vcs_split_rev_from_url
++ >>> vsrfu('git+https://github.com/pypa/setuptools@v69.0.0#egg-info=setuptools')
++ ('https://github.com/pypa/setuptools', 'v69.0.0')
++ >>> vsrfu('git+https://github.com/pypa/setuptools#egg-info=setuptools')
++ ('https://github.com/pypa/setuptools', None)
++ >>> vsrfu('http://foo/bar')
++ ('http://foo/bar', None)
++ """
++ parts = urllib.parse.urlsplit(url)
+
+- scheme = scheme.split('+', 1)[-1]
++ clean_scheme = parts.scheme.split('+', 1)[-1]
+
+ # Some fragment identification fails
+- path = path.split('#', 1)[0]
+-
+- rev = None
+- if '@' in path:
+- path, rev = path.rsplit('@', 1)
++ no_fragment_path, _, _ = parts.path.partition('#')
+
+- # Also, discard fragment
+- url = urllib.parse.urlunsplit((scheme, netloc, path, query, ''))
++ pre, sep, post = no_fragment_path.rpartition('@')
++ clean_path, rev = (pre, post) if sep else (post, None)
+
+- return url, rev
+-
+- def _download_git(self, url, filename):
+- filename = filename.split('#', 1)[0]
+- url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+-
+- self.info("Doing git clone from %s to %s", url, filename)
+- os.system("git clone --quiet %s %s" % (url, filename))
+-
+- if rev is not None:
+- self.info("Checking out %s", rev)
+- os.system("git -C %s checkout --quiet %s" % (
+- filename,
+- rev,
+- ))
++ resolved = parts._replace(
++ scheme=clean_scheme,
++ path=clean_path,
++ # discard the fragment
++ fragment='',
++ ).geturl()
+
+- return filename
+-
+- def _download_hg(self, url, filename):
+- filename = filename.split('#', 1)[0]
+- url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+-
+- self.info("Doing hg clone from %s to %s", url, filename)
+- os.system("hg clone --quiet %s %s" % (url, filename))
+-
+- if rev is not None:
+- self.info("Updating to %s", rev)
+- os.system("hg --cwd %s up -C -r %s -q" % (
+- filename,
+- rev,
+- ))
+-
+- return filename
++ return resolved, rev
+
+ def debug(self, msg, *args):
+ log.debug(msg, *args)
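Review bot: `subprocess.check_call` changes the failure mode of the svn path: `os.system` ignored a non-zero exit and `download()` still returned `filename`, whereas a failed checkout now raises `CalledProcessError` out of `download()`. Failing closed is the right call for a shell-injection fix, but the commit message should say so, and any caller that treated a missing checkout as recoverable needs a look. Two further points on the same hunk: `_download_git()` and `_download_hg()` are deleted here while the tests below still expect `git clone` / `git -C ... checkout` argv lists, so their replacements must live in the earlier (not shown) part of this patch; please confirm both were converted to list-form `subprocess` calls as well, since they are the git/hg half of the fix. And a URL that begins with `-` is still handed to svn positionally; if svn honours `--` as an end-of-options marker, `["svn", "checkout", "-q"] + creds + ["--", url, filename]` would close that off.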
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 8e9435e..cc7e86c 100644
+--- a/setuptools/tests/test_packageindex.py
++++ b/setuptools/tests/test_packageindex.py
+@@ -6,7 +6,6 @@ import urllib.request
+ import urllib.error
+ import http.client
+
+-import mock
+ import pytest
+
+ import setuptools.package_index
+@@ -193,61 +192,60 @@ class TestPackageIndex:
+ assert dists[0].version == ''
+ assert dists[1].version == vc
+
+- def test_download_git_with_rev(self, tmpdir):
++ def test_download_git_with_rev(self, tmp_path, fp):
+ url = 'git+https://github.example/group/project@master#egg=foo'
+ index = setuptools.package_index.PackageIndex()
+
+- with mock.patch("os.system") as os_system_mock:
+- result = index.download(url, str(tmpdir))
++ expected_dir = tmp_path / 'project@master'
++ fp.register([
++ 'git',
++ 'clone',
++ '--quiet',
++ 'https://github.example/group/project',
++ expected_dir,
++ ])
++ fp.register(['git', '-C', expected_dir, 'checkout', '--quiet', 'master'])
+
+- os_system_mock.assert_called()
++ result = index.download(url, tmp_path)
+
+- expected_dir = str(tmpdir / 'project@master')
+- expected = (
+- 'git clone --quiet '
+- 'https://github.example/group/project {expected_dir}'
+- ).format(**locals())
+- first_call_args = os_system_mock.call_args_list[0][0]
+- assert first_call_args == (expected,)
++ assert result == str(expected_dir)
++ assert len(fp.calls) == 2
+
+- tmpl = 'git -C {expected_dir} checkout --quiet master'
+- expected = tmpl.format(**locals())
+- assert os_system_mock.call_args_list[1][0] == (expected,)
+- assert result == expected_dir
+-
+- def test_download_git_no_rev(self, tmpdir):
++ def test_download_git_no_rev(self, tmp_path, fp):
+ url = 'git+https://github.example/group/project#egg=foo'
+ index = setuptools.package_index.PackageIndex()
+
+- with mock.patch("os.system") as os_system_mock:
+- result = index.download(url, str(tmpdir))
+-
+- os_system_mock.assert_called()
++ expected_dir = tmp_path / 'project'
++ fp.register([
++ 'git',
++ 'clone',
++ '--quiet',
++ 'https://github.example/group/project',
++ expected_dir,
++ ])
++ result = index.download(url, tmp_path)
+
+- expected_dir = str(tmpdir / 'project')
+- expected = (
+- 'git clone --quiet '
+- 'https://github.example/group/project {expected_dir}'
+- ).format(**locals())
+- os_system_mock.assert_called_once_with(expected)
++ assert result == str(expected_dir)
++ assert len(fp.calls) == 1
+
+- def test_download_svn(self, tmpdir):
++ def test_download_svn(self, tmp_path, fp):
+ url = 'svn+https://svn.example/project#egg=foo'
+ index = setuptools.package_index.PackageIndex()
+
+- with pytest.warns(UserWarning):
+- with mock.patch("os.system") as os_system_mock:
+- result = index.download(url, str(tmpdir))
+-
+- os_system_mock.assert_called()
++ expected_dir = tmp_path / 'project'
++ fp.register([
++ 'svn',
++ 'checkout',
++ '-q',
++ 'svn+https://svn.example/project',
++ expected_dir,
++ ])
+
+- expected_dir = str(tmpdir / 'project')
+- expected = (
+- 'svn checkout -q '
+- 'svn+https://svn.example/project {expected_dir}'
+- ).format(**locals())
+- os_system_mock.assert_called_once_with(expected)
++ with pytest.warns(UserWarning, match="SVN download support is deprecated"):
++ result = index.download(url, tmp_path)
+
++ assert result == str(expected_dir)
++ assert len(fp.calls) == 1
+
+ class TestContentCheckers:
+ def test_md5(self):
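Review bot: the rewritten tests take an `fp` fixture, which comes from the pytest-subprocess plugin rather than from pytest itself, and nothing in this patch or in the recipe declares that dependency; if test_packageindex.py is run anywhere in the OE build it will stop with an unknown-fixture error instead of exercising the fix, so either note that these tests are not run here or add the plugin where they are. Minor: the svn test registers `svn+https://svn.example/project` as the URL passed to svn, so the scheme prefix is still not stripped for svn the way it is for git in the two tests above; that matches the old expectation on the `-` side and is not a regression of this change.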
+--
+2.40.0
+
diff --git a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb
index 5f2676a04a..0c0f1e9d81 100644
--- a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb
+++ b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb
@@ -12,6 +12,7 @@ SRC_URI += "\
file://0001-change-shebang-to-python3.patch \
file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \
file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \
+ file://CVE-2024-6345.patch \
"
SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0"
--
2.43.0
* [OE-core][kirkstone 11/14] tzdata/tzcode-native: upgrade 2025a -> 2025b
From: Steve Sakoman @ 2025-04-30 2:53 UTC (permalink / raw)
To: openembedded-core
From: Priyal Doshi <pdoshi@mvista.com>
Signed-off-by: Priyal Doshi <pdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-extended/timezone/timezone.inc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index 3fe6c3142b..bb81d77ccc 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -6,7 +6,7 @@ SECTION = "base"
LICENSE = "PD & BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
-PV = "2025a"
+PV = "2025b"
SRC_URI =" https://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode;subdir=tz \
https://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata;subdir=tz \
@@ -16,5 +16,5 @@ S = "${WORKDIR}/tz"
UPSTREAM_CHECK_URI = "https://www.iana.org/time-zones"
-SRC_URI[tzcode.sha256sum] = "119679d59f76481eb5e03d3d2a47d7870d592f3999549af189dbd31f2ebf5061"
-SRC_URI[tzdata.sha256sum] = "4d5fcbc72c7c450ebfe0b659bd0f1c02fbf52fd7f517a9ea13fe71c21eb5f0d0"
+SRC_URI[tzcode.sha256sum] = "05f8fedb3525ee70d49c87d3fae78a8a0dbae4fe87aa565c65cda9948ae135ec"
+SRC_URI[tzdata.sha256sum] = "11810413345fc7805017e27ea9fa4885fd74cd61b2911711ad038f5d28d71474"
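Review bot: the commit message gives no indication of what 2025b changes relative to 2025a, so a reviewer cannot tell whether this is a data-only refresh or also touches tzcode; a one-line summary from the upstream release announcement would help. On the checksum refresh itself, both sha256sums move in lockstep with PV, which is right; since the recipe pins by hash alone, it is worth verifying the new tarballs against the detached signatures IANA publishes alongside the releases rather than only hashing whatever was downloaded.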
--
2.43.0
* [OE-core][kirkstone 12/14] systemd: backport patch to fix journal issue
From: Steve Sakoman @ 2025-04-30 2:53 UTC (permalink / raw)
To: openembedded-core
From: Chen Qi <Qi.Chen@windriver.com>
Backport a patch to fix a systemd journal issue where sd_journal_next
does not behave correctly after sd_journal_seek_tail.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...journal_previous-next-return-0-at-HE.patch | 87 +++++++++++++++++++
meta/recipes-core/systemd/systemd_250.14.bb | 1 +
2 files changed, 88 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/0001-journal-Make-sd_journal_previous-next-return-0-at-HE.patch
diff --git a/meta/recipes-core/systemd/systemd/0001-journal-Make-sd_journal_previous-next-return-0-at-HE.patch b/meta/recipes-core/systemd/systemd/0001-journal-Make-sd_journal_previous-next-return-0-at-HE.patch
new file mode 100644
index 0000000000..17e83448e3
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-journal-Make-sd_journal_previous-next-return-0-at-HE.patch
@@ -0,0 +1,87 @@
+From e8d0681eb49697d91f277e2f9f4cff32a30b316c Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Tue, 5 Jul 2022 15:22:01 +0200
+Subject: [PATCH] journal: Make sd_journal_previous/next() return 0 at
+ HEAD/TAIL
+
+Currently, both these functions don't return 0 if we're at HEAD/TAIL
+and move in the corresponding direction. Let's fix that.
+
+Replaces #23480
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/977ad21b5b8f6323515297bd8995dcaaca0905df]
+
+[Rebased for v250]
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/journal/test-journal-interleaving.c | 4 ++++
+ src/libsystemd/sd-journal/sd-journal.c | 8 ++++----
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/journal/test-journal-interleaving.c b/src/journal/test-journal-interleaving.c
+index c543b87b69..f0ed1b4c74 100644
+--- a/src/journal/test-journal-interleaving.c
++++ b/src/journal/test-journal-interleaving.c
+@@ -158,6 +158,7 @@ static void test_skip(void (*setup)(void)) {
+ */
+ assert_ret(sd_journal_open_directory(&j, t, 0));
+ assert_ret(sd_journal_seek_head(j));
++ assert_ret(sd_journal_previous(j) == 0);
+ assert_ret(sd_journal_next(j));
+ test_check_numbers_down(j, 4);
+ sd_journal_close(j);
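Review bot: `assert_ret(sd_journal_previous(j) == 0)` looks vacuous: the comparison yields 0 or 1, and if `assert_ret()` only checks that its argument is non-negative (as its other uses in this file, such as `assert_ret(sd_journal_next(j))`, suggest), the assertion can never fire, so this line does not actually test the new HEAD/TAIL behaviour. `assert_se(sd_journal_previous(j) == 0)` expresses the intent; the same applies to the three hunks below.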
+@@ -166,6 +167,7 @@ static void test_skip(void (*setup)(void)) {
+ */
+ assert_ret(sd_journal_open_directory(&j, t, 0));
+ assert_ret(sd_journal_seek_tail(j));
++ assert_ret(sd_journal_next(j) == 0);
+ assert_ret(sd_journal_previous(j));
+ test_check_numbers_up(j, 4);
+ sd_journal_close(j);
+@@ -174,6 +176,7 @@ static void test_skip(void (*setup)(void)) {
+ */
+ assert_ret(sd_journal_open_directory(&j, t, 0));
+ assert_ret(sd_journal_seek_tail(j));
++ assert_ret(sd_journal_next(j) == 0);
+ assert_ret(r = sd_journal_previous_skip(j, 4));
+ assert_se(r == 4);
+ test_check_numbers_down(j, 4);
+@@ -183,6 +186,7 @@ static void test_skip(void (*setup)(void)) {
+ */
+ assert_ret(sd_journal_open_directory(&j, t, 0));
+ assert_ret(sd_journal_seek_head(j));
++ assert_ret(sd_journal_previous(j) == 0);
+ assert_ret(r = sd_journal_next_skip(j, 4));
+ assert_se(r == 4);
+ test_check_numbers_up(j, 4);
+diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c
+index 7a6cc4aca3..04cafdf1c8 100644
+--- a/src/libsystemd/sd-journal/sd-journal.c
++++ b/src/libsystemd/sd-journal/sd-journal.c
+@@ -611,9 +611,9 @@ static int find_location_for_match(
+ /* FIXME: missing: find by monotonic */
+
+ if (j->current_location.type == LOCATION_HEAD)
+- return journal_file_next_entry_for_data(f, dp, DIRECTION_DOWN, ret, offset);
++ return direction == DIRECTION_DOWN ? journal_file_next_entry_for_data(f, dp, DIRECTION_DOWN, ret, offset) : 0;
+ if (j->current_location.type == LOCATION_TAIL)
+- return journal_file_next_entry_for_data(f, dp, DIRECTION_UP, ret, offset);
++ return direction == DIRECTION_UP ? journal_file_next_entry_for_data(f, dp, DIRECTION_UP, ret, offset) : 0;
+ if (j->current_location.seqnum_set && sd_id128_equal(j->current_location.seqnum_id, f->header->seqnum_id))
+ return journal_file_move_to_entry_by_seqnum_for_data(f, dp, j->current_location.seqnum, direction, ret, offset);
+ if (j->current_location.monotonic_set) {
+@@ -704,9 +704,9 @@ static int find_location_with_matches(
+ /* No matches is simple */
+
+ if (j->current_location.type == LOCATION_HEAD)
+- return journal_file_next_entry(f, 0, DIRECTION_DOWN, ret, offset);
++ return direction == DIRECTION_DOWN ? journal_file_next_entry(f, 0, DIRECTION_DOWN, ret, offset) : 0;
+ if (j->current_location.type == LOCATION_TAIL)
+- return journal_file_next_entry(f, 0, DIRECTION_UP, ret, offset);
++ return direction == DIRECTION_UP ? journal_file_next_entry(f, 0, DIRECTION_UP, ret, offset) : 0;
+ if (j->current_location.seqnum_set && sd_id128_equal(j->current_location.seqnum_id, f->header->seqnum_id))
+ return journal_file_move_to_entry_by_seqnum(f, j->current_location.seqnum, direction, ret, offset);
+ if (j->current_location.monotonic_set) {
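Review bot: this is a semantic change to a public libsystemd API rather than a pure bug fix: after `sd_journal_seek_tail()` a `sd_journal_next()` now returns 0 instead of landing on the last entry (and symmetrically for HEAD and `sd_journal_previous()`), and this hunk applies it to the no-matches path as well as the matches path in the hunk above. For a stable-branch backport the commit message should say which in-tree callers in v250 were checked for the old seek-then-step pattern; the test changes in this patch are the only regression coverage visible. Both hunks rely on `direction` being the function's parameter, which the seqnum branch directly below already uses, so that part is fine.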
+--
+2.17.1
+
diff --git a/meta/recipes-core/systemd/systemd_250.14.bb b/meta/recipes-core/systemd/systemd_250.14.bb
index ef0476fad9..b79284d79c 100644
--- a/meta/recipes-core/systemd/systemd_250.14.bb
+++ b/meta/recipes-core/systemd/systemd_250.14.bb
@@ -29,6 +29,7 @@ SRC_URI += "file://touchscreen.rules \
file://0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch \
file://fix-vlan-qos-mapping.patch \
file://0001-core-fix-build-when-seccomp-is-off.patch \
+ file://0001-journal-Make-sd_journal_previous-next-return-0-at-HE.patch \
"
# patches needed by musl
--
2.43.0
* [OE-core][kirkstone 13/14] systemd: systemd-journald fails to setup LogNamespace
From: Steve Sakoman @ 2025-04-30 2:53 UTC (permalink / raw)
To: openembedded-core
From: Haitao Liu <haitao.liu@windriver.com>
A LogNamespace error for systemd v250:
"""
Apr 28 17:44:00 a-rinline2b systemd[467]:
systemd-journald@tester.service: Failed to set up special execution
directory in /var/log: Not a directory
Apr 28 17:44:00 a-rinline2b systemd[467]:
systemd-journald@tester.service: Failed at step LOGS_DIRECTORY spawning
/lib/systemd/systemd-journald: Not a directory
"""
That's because "/var/log/journal" couldn't be created at runtime.
Signed-off-by: Haitao Liu <haitao.liu@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...n-in-mkdir_p-when-parent-directory-e.patch | 78 +++++++++++++++++++
meta/recipes-core/systemd/systemd_250.14.bb | 1 +
2 files changed, 79 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/0001-basic-do-not-warn-in-mkdir_p-when-parent-directory-e.patch
diff --git a/meta/recipes-core/systemd/systemd/0001-basic-do-not-warn-in-mkdir_p-when-parent-directory-e.patch b/meta/recipes-core/systemd/systemd/0001-basic-do-not-warn-in-mkdir_p-when-parent-directory-e.patch
new file mode 100644
index 0000000000..723b8ca4f7
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-basic-do-not-warn-in-mkdir_p-when-parent-directory-e.patch
@@ -0,0 +1,78 @@
+From e01e68e70ae1db9fe61adec3e7bdcced7adc1930 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 10 Feb 2022 08:30:08 +0100
+Subject: [PATCH] basic: do not warn in mkdir_p() when parent directory exists
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This effectively disables warnings about type/mode/ownership of existing
+directories when recursively creating parent directories. (Or files. If there's
+a file in a place we expect a directory, the code will later try to create
+a file and fail. This follows the general pattern where we do (void)mkdir()
+if the mkdir() is immediately followed by opening of a file.)
+
+I was recently debugging an issue with the fstab-generator [1], and it says:
+'Directory "/tmp" already exists, but has mode 0777 that is too permissive (0644 was requested), refusing.'
+which is very specific but totally wrong in this context.
+This output was added in 37c1d5e97dbc869edd8fc178427714e2d9428d2b, and I still
+think it is worth to do it, because if you actually *do* want the directory, if
+there's something wrong, the precise error message will make it much easier to
+diagnose. And we can't easily pass the information what failed up the call chain
+because there are multiple things we check (ownership, permission mask, type)…
+So passing a param whether to warn or not down into the library code seems like
+the best solution, despite not being very elegant.
+
+[1] https://bugzilla.redhat.com/show_bug.cgi?id=2051285
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/e01e68e70ae1db9fe61adec3e7bdcced7adc1930]
+
+Signed-off-by: Haitao Liu <haitao.liu@windriver.com>
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ src/basic/mkdir.c | 5 ++++-
+ src/basic/mkdir.h | 5 +++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/basic/mkdir.c b/src/basic/mkdir.c
+index 27144dd45a..cf7cf4a357 100644
+--- a/src/basic/mkdir.c
++++ b/src/basic/mkdir.c
+@@ -55,6 +55,9 @@ int mkdir_safe_internal(
+ return -errno;
+ }
+
++ if (flags & MKDIR_IGNORE_EXISTING)
++ return 0;
++
+ if (!S_ISDIR(st.st_mode))
+ return log_full_errno(flags & MKDIR_WARN_MODE ? LOG_WARNING : LOG_DEBUG, SYNTHETIC_ERRNO(ENOTDIR),
+ "Path \"%s\" already exists and is not a directory, refusing.", path);
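Review bot: the new early return sits after the stat and before the `S_ISDIR` check, so with `MKDIR_IGNORE_EXISTING` a parent that exists but is not a plain directory (a regular file, or a symlink if the preceding stat did not follow it) now yields 0 instead of the `-ENOTDIR` that the context lines below produce. That `-ENOTDIR` is the "Not a directory" the commit message quotes, so the message should make the connection explicit and say what kind of object the existing parent under /var/log was on the failing system; as written, a patch titled "do not warn" is fixing a hard failure, and a reader of the recipe history cannot see why.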
+@@ -142,7 +145,7 @@ int mkdir_parents_internal(const char *prefix, const char *path, mode_t mode, ui
+ s[n] = '\0';
+
+ if (!prefix || !path_startswith_full(prefix, path, /* accept_dot_dot= */ false)) {
+- r = mkdir_safe_internal(path, mode, uid, gid, flags, _mkdirat);
++ r = mkdir_safe_internal(path, mode, uid, gid, flags | MKDIR_IGNORE_EXISTING, _mkdirat);
+ if (r < 0 && r != -EEXIST)
+ return r;
+ }
+diff --git a/src/basic/mkdir.h b/src/basic/mkdir.h
+index 34a5227577..c0c0ea6c4f 100644
+--- a/src/basic/mkdir.h
++++ b/src/basic/mkdir.h
+@@ -4,8 +4,9 @@
+ #include <sys/types.h>
+
+ typedef enum MkdirFlags {
+- MKDIR_FOLLOW_SYMLINK = 1 << 0,
+- MKDIR_WARN_MODE = 1 << 1,
++ MKDIR_FOLLOW_SYMLINK = 1 << 0,
++ MKDIR_IGNORE_EXISTING = 1 << 1, /* Quietly accept a preexisting directory (or file) */
++ MKDIR_WARN_MODE = 1 << 2, /* Log at LOG_WARNING when mode doesn't match */
+ } MkdirFlags;
+
+ int mkdirat_errno_wrapper(int dirfd, const char *pathname, mode_t mode);
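Review bot: inserting `MKDIR_IGNORE_EXISTING` in the middle of the enum moves `MKDIR_WARN_MODE` from `1 << 1` to `1 << 2`. That is harmless as long as every caller uses the symbolic name, and src/basic is internal to the systemd tree, but it is worth a quick grep for literal flag values before merging the backport; appending the new flag after `MKDIR_WARN_MODE` would have avoided the renumbering entirely.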
+--
+2.25.1
+
diff --git a/meta/recipes-core/systemd/systemd_250.14.bb b/meta/recipes-core/systemd/systemd_250.14.bb
index b79284d79c..b3e31e1f23 100644
--- a/meta/recipes-core/systemd/systemd_250.14.bb
+++ b/meta/recipes-core/systemd/systemd_250.14.bb
@@ -30,6 +30,7 @@ SRC_URI += "file://touchscreen.rules \
file://fix-vlan-qos-mapping.patch \
file://0001-core-fix-build-when-seccomp-is-off.patch \
file://0001-journal-Make-sd_journal_previous-next-return-0-at-HE.patch \
+ file://0001-basic-do-not-warn-in-mkdir_p-when-parent-directory-e.patch \
"
# patches needed by musl
--
2.43.0
* [OE-core][kirkstone 14/14] Revert "cve-update-nvd2-native: Tweak to work better with NFS DL_DIR"
From: Steve Sakoman @ 2025-04-30 2:53 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
This reverts commit 7adaec468d3a61d88c990b1b319b34850bee7e44.
It does not seem to fix the issue it was supposed to fix.
Additionally, it breaks the code that decides between a full and a partial update,
because it manipulates the timestamp that code relies on.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ebc65fdddd7ce51f0f1008baa30d0ae7918ae0bb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 2 --
1 file changed, 2 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 9808120cab..d50d9a2cea 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -85,8 +85,6 @@ python do_fetch() {
if update_db_file(db_tmp_file, d, database_time) == True:
# Update downloaded correctly, can swap files
shutil.move(db_tmp_file, db_file)
- # Need to 'touch' the file to ensure NFS sees the data
- os.utime(db_file)
else:
# Update failed, do not modify the database
bb.warn("CVE database update failed")
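Review bot: with the `os.utime()` call gone, the mtime of `db_file` is whatever `shutil.move()` carries over from `db_tmp_file`, and per the commit message that timestamp is what the full/partial update decision keys on. A one-line comment next to `shutil.move()` saying that the mtime is load-bearing and must not be touched would stop the reverted change from being reintroduced by the next person who hits an NFS cache-coherence problem.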
--
2.43.0