* [OE-core][scarthgap 01/15] libpam: Update fix for CVE-2024-10041
2025-04-30 2:59 [OE-core][scarthgap 00/15] Patch review Steve Sakoman
@ 2025-04-30 2:59 ` Steve Sakoman
2025-04-30 2:59 ` [OE-core][scarthgap 02/15] ppp: patch CVE-2024-58250 Steve Sakoman
` (13 subsequent siblings)
14 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-04-30 2:59 UTC (permalink / raw)
To: openembedded-core
From: Shubham Kulkarni <skulkarni@mvista.com>
Initially, the PAM community fixed CVE-2024-10041 in version v1.6.0 via commit b3020da.
But not all cases were covered by this fix, and issues were reported after the release.
In the v1.6.1 release, the PAM community fixed these issues via commit b7b9636.
Backport this commit b7b9636, which
Fixes: b3020da ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
Backport from https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...024-10041.patch => CVE-2024-10041-1.patch} | 0
.../pam/libpam/CVE-2024-10041-2.patch | 77 +++++++++++++++++++
meta/recipes-extended/pam/libpam_1.5.3.bb | 3 +-
3 files changed, 79 insertions(+), 1 deletion(-)
rename meta/recipes-extended/pam/libpam/{CVE-2024-10041.patch => CVE-2024-10041-1.patch} (100%)
create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch
similarity index 100%
rename from meta/recipes-extended/pam/libpam/CVE-2024-10041.patch
rename to meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch
diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
new file mode 100644
index 0000000000..6070a26266
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
@@ -0,0 +1,77 @@
+From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Wed, 24 Jan 2024 18:57:42 +0100
+Subject: [PATCH] pam_unix: try to set uid to 0 for unix_chkpwd
+
+The geteuid check does not cover all cases. If a program runs with
+elevated capabilities like CAP_SETUID then we can still check
+credentials of other users.
+
+Keep logging for future analysis though.
+
+Resolves: https://github.com/linux-pam/linux-pam/issues/747
+Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620]
+CVE: CVE-2024-10041
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ modules/pam_unix/pam_unix_acct.c | 17 +++++++++--------
+ modules/pam_unix/support.c | 14 +++++++-------
+ 2 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0df..7ffcb9e3f2 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+ _exit(PAM_AUTHINFO_UNAVAIL);
+ }
+
+- if (geteuid() == 0) {
+- /* must set the real uid to 0 so the helper will not error
+- out if pam is called from setuid binary (su, sudo...) */
+- if (setuid(0) == -1) {
+- pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
+- printf("-1\n");
+- fflush(stdout);
+- _exit(PAM_AUTHINFO_UNAVAIL);
++ /* must set the real uid to 0 so the helper will not error
++ out if pam is called from setuid binary (su, sudo...) */
++ if (setuid(0) == -1) {
++ uid_t euid = geteuid();
++ pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");
++ if (euid == 0) {
++ printf("-1\n");
++ fflush(stdout);
++ _exit(PAM_AUTHINFO_UNAVAIL);
+ }
+ }
+
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index d391973f95..69811048e6 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -562,13 +562,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ _exit(PAM_AUTHINFO_UNAVAIL);
+ }
+
+- if (geteuid() == 0) {
+- /* must set the real uid to 0 so the helper will not error
+- out if pam is called from setuid binary (su, sudo...) */
+- if (setuid(0) == -1) {
+- D(("setuid failed"));
+- _exit(PAM_AUTHINFO_UNAVAIL);
+- }
++ /* must set the real uid to 0 so the helper will not error
++ out if pam is called from setuid binary (su, sudo...) */
++ if (setuid(0) == -1) {
++ D(("setuid failed"));
++ if (geteuid() == 0) {
++ _exit(PAM_AUTHINFO_UNAVAIL);
++ }
+ }
+
+ /* exec binary helper */
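Review bot: in the support.c part of this patch (the nested hunk at `@@ -562,13 +562,13 @@`), a failed setuid(0) is now recorded only through `D(("setuid failed"))`, a compile-time debug macro, whereas the pam_unix_acct.c part logs the same condition with `pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m")`. Since the upstream message gives "keep logging for future analysis" as the reason for tolerating the failure, consider adding an equivalent pam_syslog call in `_unix_run_helper_binary` so the auth path is observable as well. The logic itself matches upstream: setuid(0) is attempted unconditionally, so a caller that holds CAP_SETUID without euid 0 still gets its real uid set to 0 before the helper runs, and only a genuine root caller whose setuid(0) fails is treated as fatal (`_exit(PAM_AUTHINFO_UNAVAIL)`, plus the `-1` protocol reply in the acct path).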
diff --git a/meta/recipes-extended/pam/libpam_1.5.3.bb b/meta/recipes-extended/pam/libpam_1.5.3.bb
index 55b4dd7ee1..714cdb6552 100644
--- a/meta/recipes-extended/pam/libpam_1.5.3.bb
+++ b/meta/recipes-extended/pam/libpam_1.5.3.bb
@@ -27,7 +27,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \
file://0001-pam_namespace-include-stdint-h.patch \
file://0001-pam_pwhistory-fix-passing-NULL-filename-argument-to-.patch \
file://CVE-2024-22365.patch \
- file://CVE-2024-10041.patch \
+ file://CVE-2024-10041-1.patch \
+ file://CVE-2024-10041-2.patch \
"
SRC_URI[sha256sum] = "7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283"
--
2.43.0
* [OE-core][scarthgap 02/15] ppp: patch CVE-2024-58250
From: Steve Sakoman @ 2025-04-30 2:59 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Backport patch to remove vulnerable component.
This is a breaking change, but there will be no other fix for this CVE
as upstream did the deletion without providing a fix first.
If someone really needs this feature, which the commit message describes
as deprecated, bbappend with patch removal is possible.
License-Update: passprompt plugin removed
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ppp/ppp/CVE-2024-58250.patch | 194 ++++++++++++++++++
meta/recipes-connectivity/ppp/ppp_2.5.0.bb | 2 +-
2 files changed, 195 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch
diff --git a/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch b/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch
new file mode 100644
index 0000000000..55d36c5baa
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch
@@ -0,0 +1,194 @@
+From 0a66ad22e54c72690ec2a29a019767c55c5281fc Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Fri, 18 Oct 2024 20:22:57 +1100
+Subject: [PATCH] pppd: Remove passprompt plugin
+
+This is prompted by a number of factors:
+
+* It was more useful back in the dial-up days, but no-one uses dial-up
+ any more
+
+* In many cases there will be no terminal accessible to the prompter
+ program at the point where the prompter is run
+
+* The passwordfd plugin does much the same thing but does it more
+ cleanly and securely
+
+* The handling of privileges and file descriptors needs to be audited
+ thoroughly.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+
+CVE: CVE-2024-58250
+Upstream-Status: Backport [https://github.com/ppp-project/ppp/commit/0a66ad22e54c72690ec2a29a019767c55c5281fc]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pppd/plugins/Makefile.am | 6 +-
+ pppd/plugins/passprompt.c | 137 --------------------------------------
+ 2 files changed, 1 insertion(+), 142 deletions(-)
+ delete mode 100644 pppd/plugins/passprompt.c
+
+diff --git a/pppd/plugins/Makefile.am b/pppd/plugins/Makefile.am
+index 2826148..9480d51 100644
+--- a/pppd/plugins/Makefile.am
++++ b/pppd/plugins/Makefile.am
+@@ -1,4 +1,4 @@
+-pppd_plugin_LTLIBRARIES = minconn.la passprompt.la passwordfd.la winbind.la
++pppd_plugin_LTLIBRARIES = minconn.la passwordfd.la winbind.la
+ pppd_plugindir = $(PPPD_PLUGIN_DIR)
+
+ PLUGIN_CPPFLAGS = -I${top_srcdir}
+@@ -8,10 +8,6 @@ minconn_la_CPPFLAGS = $(PLUGIN_CPPFLAGS)
+ minconn_la_LDFLAGS = $(PLUGIN_LDFLAGS)
+ minconn_la_SOURCES = minconn.c
+
+-passprompt_la_CPPFLAGS = $(PLUGIN_CPPFLAGS)
+-passprompt_la_LDFLAGS = $(PLUGIN_LDFLAGS)
+-passprompt_la_SOURCES = passprompt.c
+-
+ passwordfd_la_CPPFLAGS = $(PLUGIN_CPPFLAGS)
+ passwordfd_la_LDFLAGS = $(PLUGIN_LDFLAGS)
+ passwordfd_la_SOURCES = passwordfd.c
+diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c
+deleted file mode 100644
+index 7779d51..0000000
+--- a/pppd/plugins/passprompt.c
++++ /dev/null
+@@ -1,137 +0,0 @@
+-/*
+- * passprompt.c - pppd plugin to invoke an external PAP password prompter
+- *
+- * Copyright 1999 Paul Mackerras, Alan Curry.
+- *
+- * This program is free software; you can redistribute it and/or
+- * modify it under the terms of the GNU General Public License
+- * as published by the Free Software Foundation; either version
+- * 2 of the License, or (at your option) any later version.
+- */
+-
+-#include <errno.h>
+-#include <unistd.h>
+-#include <sys/wait.h>
+-#include <sys/param.h>
+-#include <limits.h>
+-#include <stdio.h>
+-#include <syslog.h>
+-#include <stdarg.h>
+-#include <stdint.h>
+-#include <stdbool.h>
+-#include <string.h>
+-
+-#include <pppd/pppd.h>
+-#include <pppd/upap.h>
+-#include <pppd/eap.h>
+-#include <pppd/options.h>
+-
+-char pppd_version[] = PPPD_VERSION;
+-
+-static char promptprog[PATH_MAX+1];
+-static int promptprog_refused = 0;
+-
+-static struct option options[] = {
+- { "promptprog", o_string, promptprog,
+- "External PAP password prompting program",
+- OPT_STATIC, NULL, PATH_MAX },
+- { NULL }
+-};
+-
+-static int promptpass(char *user, char *passwd)
+-{
+- int p[2];
+- pid_t kid;
+- int readgood, wstat, ret;
+- ssize_t red;
+-
+- if (promptprog_refused || promptprog[0] == 0 || access(promptprog, X_OK) < 0)
+- return -1; /* sorry, can't help */
+-
+- if (!passwd)
+- return 1;
+-
+- if (pipe(p)) {
+- warn("Can't make a pipe for %s", promptprog);
+- return 0;
+- }
+- if ((kid = fork()) == (pid_t) -1) {
+- warn("Can't fork to run %s", promptprog);
+- close(p[0]);
+- close(p[1]);
+- return 0;
+- }
+- if (!kid) {
+- /* we are the child, exec the program */
+- char *argv[5], fdstr[32];
+- ppp_sys_close();
+- closelog();
+- close(p[0]);
+- ret = seteuid(getuid());
+- if (ret != 0) {
+- warn("Couldn't set effective user id");
+- }
+- ret = setegid(getgid());
+- if (ret != 0) {
+- warn("Couldn't set effective user id");
+- }
+- sprintf(fdstr, "%d", p[1]);
+- argv[0] = promptprog;
+- argv[1] = strdup(user);
+- argv[2] = strdup(ppp_remote_name());
+- argv[3] = fdstr;
+- argv[4] = 0;
+- execv(*argv, argv);
+- _exit(127);
+- }
+-
+- /* we are the parent, read the password from the pipe */
+- close(p[1]);
+- readgood = 0;
+- do {
+- red = read(p[0], passwd + readgood, MAXSECRETLEN-1 - readgood);
+- if (red == 0)
+- break;
+- if (red < 0) {
+- if (errno == EINTR && !ppp_signaled(SIGTERM))
+- continue;
+- error("Can't read secret from %s: %m", promptprog);
+- readgood = -1;
+- break;
+- }
+- readgood += red;
+- } while (readgood < MAXSECRETLEN - 1);
+- close(p[0]);
+-
+- /* now wait for child to exit */
+- while (waitpid(kid, &wstat, 0) < 0) {
+- if (errno != EINTR || ppp_signaled(SIGTERM)) {
+- warn("error waiting for %s: %m", promptprog);
+- break;
+- }
+- }
+-
+- if (readgood < 0)
+- return 0;
+- passwd[readgood] = 0;
+- if (!WIFEXITED(wstat))
+- warn("%s terminated abnormally", promptprog);
+- if (WEXITSTATUS(wstat)) {
+- warn("%s exited with code %d", promptprog, WEXITSTATUS(wstat));
+- /* code when cancel was hit in the prompt prog */
+- if (WEXITSTATUS(wstat) == 128) {
+- promptprog_refused = 1;
+- }
+- return -1;
+- }
+- return 1;
+-}
+-
+-void plugin_init(void)
+-{
+- ppp_add_options(options);
+- pap_passwd_hook = promptpass;
+-#ifdef PPP_WITH_EAPTLS
+- eaptls_passwd_hook = promptpass;
+-#endif
+-}
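Review bot: the deleted passprompt.c is the only code that registers the `promptprog` option (the `options[]` table) and installs `pap_passwd_hook` and, under `PPP_WITH_EAPTLS`, `eaptls_passwd_hook`, so any pppd configuration that relies on `promptprog` loses the plugin that handled it once this backport is applied. The recipe commit message mentions that a bbappend dropping the patch is possible, but it would help to state that user-visible effect explicitly for people tracking scarthgap. The removed code also illustrates the upstream rationale: the child does `seteuid(getuid())`/`setegid(getgid())` and then `execv`s an operator-supplied path with a pipe descriptor passed as a string argument, and only `ppp_sys_close()` and `closelog()` are used to close pppd's other descriptors, which is the "privileges and file descriptors need to be audited" concern from the message.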
diff --git a/meta/recipes-connectivity/ppp/ppp_2.5.0.bb b/meta/recipes-connectivity/ppp/ppp_2.5.0.bb
index badf22db97..b50795109f 100644
--- a/meta/recipes-connectivity/ppp/ppp_2.5.0.bb
+++ b/meta/recipes-connectivity/ppp/ppp_2.5.0.bb
@@ -7,7 +7,6 @@ BUGTRACKER = "http://ppp.samba.org/cgi-bin/ppp-bugs"
DEPENDS = "libpcap openssl virtual/crypt"
LICENSE = "BSD-3-Clause & BSD-3-Clause-Attribution & GPL-2.0-or-later & LGPL-2.0-or-later & PD & RSA-MD"
LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=29;md5=e2c43fe6e81ff77d87dc9c290a424dea \
- file://pppd/plugins/passprompt.c;beginline=1;endline=10;md5=3bcbcdbf0e369c9a3e0b8c8275b065d8 \
file://pppd/tdb.c;beginline=1;endline=27;md5=4ca3a9991b011038d085d6675ae7c4e6 \
file://chat/chat.c;beginline=1;endline=15;md5=0d374b8545ee5c62d7aff1acbd38add2"
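Review bot: dropping the `pppd/plugins/passprompt.c` entry from `LIC_FILES_CHKSUM` is required, not optional, once the patch is applied, since the file no longer exists and the license checksum step would fail on a missing file; this matches the `License-Update:` trailer in the commit message.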
@@ -24,6 +23,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
file://provider \
file://ppp@.service \
file://0001-Revert-lock-path-to-var-lock-435.patch \
+ file://CVE-2024-58250.patch \
"
SRC_URI[sha256sum] = "5cae0e8075f8a1755f16ca290eb44e6b3545d3f292af4da65ecffe897de636ff"
--
2.43.0
* [OE-core][scarthgap 03/15] libxml2: patch CVE-2025-32414
From: Steve Sakoman @ 2025-04-30 2:59 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick the commit which has been backported to the 2.12 release branch.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libxml/libxml2/CVE-2025-32414.patch | 74 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.12.10.bb | 1 +
2 files changed, 75 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch
new file mode 100644
index 0000000000..97bf75f059
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch
@@ -0,0 +1,74 @@
+From d7657811964eac1cb9743bb98649278ad948f0d2 Mon Sep 17 00:00:00 2001
+From: Maks Verver <maks@verver.ch>
+Date: Tue, 8 Apr 2025 13:13:55 +0200
+Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters.
+
+Fixes #889 by reserving space in the buffer for UTF-8 encoding of text.
+
+CVE: CVE-2025-32414
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d7657811964eac1cb9743bb98649278ad948f0d2]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ python/libxml.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/python/libxml.c b/python/libxml.c
+index 1fe8d685..2bf14078 100644
+--- a/python/libxml.c
++++ b/python/libxml.c
+@@ -248,7 +248,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
+
+ file = (PyObject *) context;
+ if (file == NULL) return(-1);
+- ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len);
++ /* When read() returns a string, the length is in characters not bytes, so
++ request at most len / 4 characters to leave space for UTF-8 encoding. */
++ ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len / 4);
+ if (ret == NULL) {
+ printf("xmlPythonFileReadRaw: result is NULL\n");
+ return(-1);
+@@ -283,10 +285,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
+ Py_DECREF(ret);
+ return(-1);
+ }
+- if (lenread > len)
+- memcpy(buffer, data, len);
+- else
+- memcpy(buffer, data, lenread);
++ if (lenread < 0 || lenread > len) {
++ printf("xmlPythonFileReadRaw: invalid lenread\n");
++ Py_DECREF(ret);
++ return(-1);
++ }
++ memcpy(buffer, data, lenread);
+ Py_DECREF(ret);
+ return(lenread);
+ }
+@@ -310,7 +314,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
+
+ file = (PyObject *) context;
+ if (file == NULL) return(-1);
+- ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len);
++ /* When io_read() returns a string, the length is in characters not bytes, so
++ request at most len / 4 characters to leave space for UTF-8 encoding. */
++ ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4);
+ if (ret == NULL) {
+ printf("xmlPythonFileRead: result is NULL\n");
+ return(-1);
+@@ -345,10 +351,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
+ Py_DECREF(ret);
+ return(-1);
+ }
+- if (lenread > len)
+- memcpy(buffer, data, len);
+- else
+- memcpy(buffer, data, lenread);
++ if (lenread < 0 || lenread > len) {
++ printf("xmlPythonFileRead: invalid lenread\n");
++ Py_DECREF(ret);
++ return(-1);
++ }
++ memcpy(buffer, data, lenread);
+ Py_DECREF(ret);
+ return(lenread);
+ }
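Review bot: the memory-safety fix in both nested hunks is the new `lenread < 0 || lenread > len` rejection rather than the `len / 4` request: the old code already truncated the `memcpy` to `len`, but then returned the untruncated `lenread`, telling the caller that more bytes had been written than the buffer holds. Two caveats on the request size: `len / 4` is integer division, so if libxml2 ever invokes these callbacks with `len < 4` the Python side is asked for 0 characters and the empty result is reported back as end of input; clamping the request to at least 1 character would leave the bounds check as the only guard and avoid a spurious EOF. And the factor of 4 assumes UTF-8 encoding of a `str` result, as the comment says; a file object returning `bytes` is unaffected other than reading in smaller chunks.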
diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb
index c4f76c281d..42672e35bd 100644
--- a/meta/recipes-core/libxml/libxml2_2.12.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb
@@ -18,6 +18,7 @@ inherit gnomebase
SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testtar \
file://run-ptest \
file://install-tests.patch \
+ file://CVE-2025-32414.patch \
"
SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"
--
2.43.0
* [OE-core][scarthgap 04/15] libxml2: patch CVE-2025-32415
From: Steve Sakoman @ 2025-04-30 2:59 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick the commit from the 2.13 branch, as the 2.12 branch is unmaintained now.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libxml/libxml2/CVE-2025-32415.patch | 39 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.12.10.bb | 1 +
2 files changed, 40 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-32415.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-32415.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-32415.patch
new file mode 100644
index 0000000000..d8ff654a23
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-32415.patch
@@ -0,0 +1,39 @@
+From 384cc7c182fc00c6d5e2ab4b5e3671b2e3f93c84 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 6 Apr 2025 12:41:11 +0200
+Subject: [PATCH] [CVE-2025-32415] schemas: Fix heap buffer overflow in
+ xmlSchemaIDCFillNodeTables
+
+Don't use local variable which could contain a stale value.
+
+Fixes #890.
+
+CVE: CVE-2025-32415
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/384cc7c182fc00c6d5e2ab4b5e3671b2e3f93c84]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ xmlschemas.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 28b14bd4..428e3c82 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -23324,7 +23324,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
+ j++;
+ } while (j < nbDupls);
+ }
+- if (nbNodeTable) {
++ if (bind->nbNodes) {
+ j = 0;
+ do {
+ if (nbFields == 1) {
+@@ -23375,7 +23375,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
+
+ next_node_table_entry:
+ j++;
+- } while (j < nbNodeTable);
++ } while (j < bind->nbNodes);
+ }
+ /*
+ * If everything is fine, then add the IDC target-node to
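Review bot: only the two reads of `nbNodeTable` are replaced with `bind->nbNodes`; the local's declaration and assignment are outside this hunk, so check that it is still read elsewhere in `xmlSchemaIDCFillNodeTables`, otherwise the build will warn with `-Wunused-but-set-variable` and it would be cleaner to drop the local in the same patch. The change itself is the right fix: the `do { ... } while (j < ...)` loop must be bounded by the table's current size, and using the snapshot in the local instead of `bind->nbNodes` is what let `j` run past the allocation when the two disagreed.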
diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb
index 42672e35bd..2eea65732b 100644
--- a/meta/recipes-core/libxml/libxml2_2.12.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb
@@ -19,6 +19,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
file://run-ptest \
file://install-tests.patch \
file://CVE-2025-32414.patch \
+ file://CVE-2025-32415.patch \
"
SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"
--
2.43.0
* [OE-core][scarthgap 05/15] glib-2.0: patch CVE-2025-3360
From: Steve Sakoman @ 2025-04-30 2:59 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Backport commits from [1] fixing [2] for 2.82.x.
[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4499
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3647
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../glib-2.0/glib-2.0/CVE-2025-3360-01.patch | 57 ++++++++++++++
.../glib-2.0/glib-2.0/CVE-2025-3360-02.patch | 53 +++++++++++++
.../glib-2.0/glib-2.0/CVE-2025-3360-03.patch | 36 +++++++++
.../glib-2.0/glib-2.0/CVE-2025-3360-04.patch | 76 +++++++++++++++++++
.../glib-2.0/glib-2.0/CVE-2025-3360-05.patch | 57 ++++++++++++++
.../glib-2.0/glib-2.0/CVE-2025-3360-06.patch | 50 ++++++++++++
meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 8 +-
7 files changed, 336 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch
new file mode 100644
index 0000000000..b7b05b6595
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch
@@ -0,0 +1,57 @@
+From fe6af80931c35fafc6a2cd0651b6de052d1bffae Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 16:44:58 +0000
+Subject: [PATCH 1/6] gdatetime: Fix integer overflow when parsing very long
+ ISO8601 inputs
+
+This will only happen with invalid (or maliciously invalid) potential
+ISO8601 strings, but `g_date_time_new_from_iso8601()` needs to be robust
+against that.
+
+Prevent `length` overflowing by correctly defining it as a `size_t`.
+Similarly for `date_length`, but additionally track its validity in a
+boolean rather than as its sign.
+
+Spotted by chamalsl as #YWH-PGM9867-43.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/fe6af80931c35fafc6a2cd0651b6de052d1bffae]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index ad9c190b6..b33db2c20 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1497,7 +1497,8 @@ parse_iso8601_time (const gchar *text, gsize length,
+ GDateTime *
+ g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz)
+ {
+- gint length, date_length = -1;
++ size_t length, date_length = 0;
++ gboolean date_length_set = FALSE;
+ gint hour = 0, minute = 0;
+ gdouble seconds = 0.0;
+ GTimeZone *tz = NULL;
+@@ -1508,11 +1509,14 @@ g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz)
+ /* Count length of string and find date / time separator ('T', 't', or ' ') */
+ for (length = 0; text[length] != '\0'; length++)
+ {
+- if (date_length < 0 && (text[length] == 'T' || text[length] == 't' || text[length] == ' '))
+- date_length = length;
++ if (!date_length_set && (text[length] == 'T' || text[length] == 't' || text[length] == ' '))
++ {
++ date_length = length;
++ date_length_set = TRUE;
++ }
+ }
+
+- if (date_length < 0)
++ if (!date_length_set)
+ return NULL;
+
+ if (!parse_iso8601_time (text + date_length + 1, length - (date_length + 1),
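Review bot: the `date_length_set` flag correctly replaces the sign-as-validity trick; with `size_t` the old `date_length < 0` test would have been always false. The arithmetic at the end of the hunk, `text + date_length + 1` and `length - (date_length + 1)`, cannot wrap because the separator was found at index `date_length`, which is strictly less than `length`. One thing for the recipe commit message: it says the commits fix the issue "for 2.82.x", but the recipe being patched is `glib-2.0_2.78.6.bb`; it would be worth stating that the 2.82 merge request applied cleanly to 2.78.6.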
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch
new file mode 100644
index 0000000000..55f3ab126e
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch
@@ -0,0 +1,53 @@
+From 495c85278f9638fdf3ebf002c759e1bdccebaf2f Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 16:51:36 +0000
+Subject: [PATCH 2/6] gdatetime: Fix potential integer overflow in timezone
+ offset handling
+
+This one is much harder to trigger than the one in the previous commit,
+but mixing `gssize` and `gsize` always runs the risk of the former
+overflowing for very (very very) long input strings.
+
+Avoid that possibility by not using the sign of the `tz_offset` to
+indicate its validity, and instead using the return value of the
+function.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/495c85278f9638fdf3ebf002c759e1bdccebaf2f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index b33db2c20..792c2ed15 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1346,8 +1346,10 @@ parse_iso8601_date (const gchar *text, gsize length,
+ return FALSE;
+ }
+
++/* Value returned in tz_offset is valid if and only if the function return value
++ * is non-NULL. */
+ static GTimeZone *
+-parse_iso8601_timezone (const gchar *text, gsize length, gssize *tz_offset)
++parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ {
+ gint i, tz_length, offset_hours, offset_minutes;
+ gint offset_sign = 1;
+@@ -1415,11 +1417,11 @@ static gboolean
+ parse_iso8601_time (const gchar *text, gsize length,
+ gint *hour, gint *minute, gdouble *seconds, GTimeZone **tz)
+ {
+- gssize tz_offset = -1;
++ size_t tz_offset = 0;
+
+ /* Check for timezone suffix */
+ *tz = parse_iso8601_timezone (text, length, &tz_offset);
+- if (tz_offset >= 0)
++ if (*tz != NULL)
+ length = tz_offset;
+
+ /* hh:mm:ss(.sss) */
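Review bot: with validity now signalled by the return value, `parse_iso8601_time` treats "no timezone suffix" and "timezone suffix present but rejected" identically (both leave `length` untouched), whereas before `tz_offset` was assigned before `g_time_zone_new_identifier()` and its double-check could fail. Please confirm in the commit message that the following `hh:mm:ss(.sss)` parse is guaranteed to fail on the unconsumed suffix characters in the second case, since that is what keeps the behaviour equivalent. Minor: `size_t tz_offset = 0;` is now a dead initialisation, harmless but worth a comment given the contract stated above `parse_iso8601_timezone`.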
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch
new file mode 100644
index 0000000000..fbefc262d4
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch
@@ -0,0 +1,36 @@
+From 5e8a3c19fcad2936dc5e070cf0767a5c5af907c5 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 16:55:18 +0000
+Subject: [PATCH 3/6] gdatetime: Track timezone length as an unsigned size_t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It’s guaranteed to be in (0, length] by the calculations above.
+
+This avoids the possibility of integer overflow through `gssize` not
+being as big as `size_t`.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/5e8a3c19fcad2936dc5e070cf0767a5c5af907c5]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index 792c2ed15..6335bcbe2 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1351,7 +1351,8 @@ parse_iso8601_date (const gchar *text, gsize length,
+ static GTimeZone *
+ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ {
+- gint i, tz_length, offset_hours, offset_minutes;
++ size_t tz_length;
++ gint i, offset_hours, offset_minutes;
+ gint offset_sign = 1;
+ GTimeZone *tz;
+
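Review bot: `tz_length` becomes `size_t` here, but it is still assigned from `length - i` with `i` a `gint` (visible in the next patch's context), so this is an intermediate step; it is safe because `i < 0` returns NULL before that assignment, and patch 5 of the series removes `i` altogether.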
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch
new file mode 100644
index 0000000000..ce4fa53f26
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch
@@ -0,0 +1,76 @@
+From 804a3957720449dcfac601da96bd5f5db2b71ef1 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 17:07:24 +0000
+Subject: [PATCH 4/6] gdatetime: Factor out some string pointer arithmetic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Makes the following code a little clearer, but doesn’t introduce any
+functional changes.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/804a3957720449dcfac601da96bd5f5db2b71ef1]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index 6335bcbe2..de5dd7af0 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1355,6 +1355,7 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ gint i, offset_hours, offset_minutes;
+ gint offset_sign = 1;
+ GTimeZone *tz;
++ const char *tz_start;
+
+ /* UTC uses Z suffix */
+ if (length > 0 && text[length - 1] == 'Z')
+@@ -1372,34 +1373,35 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ }
+ if (i < 0)
+ return NULL;
++ tz_start = text + i;
+ tz_length = length - i;
+
+ /* +hh:mm or -hh:mm */
+- if (tz_length == 6 && text[i+3] == ':')
++ if (tz_length == 6 && tz_start[3] == ':')
+ {
+- if (!get_iso8601_int (text + i + 1, 2, &offset_hours) ||
+- !get_iso8601_int (text + i + 4, 2, &offset_minutes))
++ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) ||
++ !get_iso8601_int (tz_start + 4, 2, &offset_minutes))
+ return NULL;
+ }
+ /* +hhmm or -hhmm */
+ else if (tz_length == 5)
+ {
+- if (!get_iso8601_int (text + i + 1, 2, &offset_hours) ||
+- !get_iso8601_int (text + i + 3, 2, &offset_minutes))
++ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) ||
++ !get_iso8601_int (tz_start + 3, 2, &offset_minutes))
+ return NULL;
+ }
+ /* +hh or -hh */
+ else if (tz_length == 3)
+ {
+- if (!get_iso8601_int (text + i + 1, 2, &offset_hours))
++ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours))
+ return NULL;
+ offset_minutes = 0;
+ }
+ else
+ return NULL;
+
+- *tz_offset = i;
+- tz = g_time_zone_new_identifier (text + i);
++ *tz_offset = tz_start - text;
++ tz = g_time_zone_new_identifier (tz_start);
+
+ /* Double-check that the GTimeZone matches our interpretation of the timezone.
+ * This can fail because our interpretation is less strict than (for example)
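Review bot: `*tz_offset = tz_start - text` stores a `ptrdiff_t` into a `size_t`; the value is non-negative because `tz_start = text + i` is only reached after the `i < 0` check, so the implicit conversion is well-defined. No functional change, as the message says, and `tz_start[3]` reads more clearly than `text[i+3]`.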
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch
new file mode 100644
index 0000000000..22415cc6a3
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch
@@ -0,0 +1,57 @@
+From 4c56ff80344e0d8796eb2307091f7b24ec198aa9 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 17:28:33 +0000
+Subject: [PATCH 5/6] gdatetime: Factor out an undersized variable
+
+For long input strings, it would have been possible for `i` to overflow.
+Avoid that problem by using the `tz_length` instead, so that we count up
+rather than down.
+
+This commit introduces no functional changes (outside of changing
+undefined behaviour), and can be verified using the identity
+`i === length - tz_length`.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/4c56ff80344e0d8796eb2307091f7b24ec198aa9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gdatetime.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/glib/gdatetime.c b/glib/gdatetime.c
+index de5dd7af0..2f8c864a1 100644
+--- a/glib/gdatetime.c
++++ b/glib/gdatetime.c
+@@ -1352,7 +1352,7 @@ static GTimeZone *
+ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ {
+ size_t tz_length;
+- gint i, offset_hours, offset_minutes;
++ gint offset_hours, offset_minutes;
+ gint offset_sign = 1;
+ GTimeZone *tz;
+ const char *tz_start;
+@@ -1365,16 +1365,15 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset)
+ }
+
+ /* Look for '+' or '-' of offset */
+- for (i = length - 1; i >= 0; i--)
+- if (text[i] == '+' || text[i] == '-')
++ for (tz_length = 1; tz_length <= length; tz_length++)
++ if (text[length - tz_length] == '+' || text[length - tz_length] == '-')
+ {
+- offset_sign = text[i] == '-' ? -1 : 1;
++ offset_sign = text[length - tz_length] == '-' ? -1 : 1;
+ break;
+ }
+- if (i < 0)
++ if (tz_length > length)
+ return NULL;
+- tz_start = text + i;
+- tz_length = length - i;
++ tz_start = text + length - tz_length;
+
+ /* +hh:mm or -hh:mm */
+ if (tz_length == 6 && tz_start[3] == ':')
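Review bot: the rewritten loop reads correctly (it walks `text[length - 1]` down to `text[0]`, and `tz_length > length` is the only exit without a sign, which also covers `length == 0` since the body never runs), but `tz_length` now does double duty as loop counter and result. A short comment at the `for` stating that it counts characters from the end of the string, sign included, would put the `i === length - tz_length` invariant from the commit message where it matters.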
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch
new file mode 100644
index 0000000000..249e09f0bc
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch
@@ -0,0 +1,50 @@
+From 7f6d81130ec05406a8820bc753ed03859e88daea Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 18 Feb 2025 18:20:56 +0000
+Subject: [PATCH 6/6] tests: Add some missing GDateTime ISO8601 parsing tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This improves test coverage, adding coverage for some lines which I
+spotted were not covered while testing the preceding commits.
+
+It doesn’t directly test the preceding commits, though.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-3360
+Upstream-Status: Backport [https://github.com/GNOME/glib/commit/7f6d81130ec05406a8820bc753ed03859e88daea]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/tests/gdatetime.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c
+index 9e1acd097..94dd028a3 100644
+--- a/glib/tests/gdatetime.c
++++ b/glib/tests/gdatetime.c
+@@ -859,6 +859,23 @@ test_GDateTime_new_from_iso8601 (void)
+ * NaN */
+ dt = g_date_time_new_from_iso8601 ("0005306 000001,666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666600080000-00", NULL);
+ g_assert_null (dt);
++
++ /* Various invalid timezone offsets which look like they could be in
++ * `+hh:mm`, `-hh:mm`, `+hhmm`, `-hhmm`, `+hh` or `-hh` format */
++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+01:xx", NULL);
++ g_assert_null (dt);
++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx:00", NULL);
++ g_assert_null (dt);
++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx:xx", NULL);
++ g_assert_null (dt);
++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+01xx", NULL);
++ g_assert_null (dt);
++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx00", NULL);
++ g_assert_null (dt);
++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xxxx", NULL);
++ g_assert_null (dt);
++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx", NULL);
++ g_assert_null (dt);
+ }
+
+ typedef struct {
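Review bot: every new case has the right length for one of the three accepted offset forms but malformed digits, so they exercise the `get_iso8601_int` failure paths; none exercises the final `else return NULL` branch (a sign followed by an unexpected number of characters, e.g. a bare `+` or `+0100:`) or the 6-character form without a colon at position 3. Adding one of each would also cover the length dispatch rewritten in the preceding commits.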
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
index ce7c57df9a..1a65f48399 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
@@ -21,8 +21,14 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://gdatetime-test-fail-0001.patch \
file://gdatetime-test-fail-0002.patch \
file://gdatetime-test-fail-0003.patch \
+ file://CVE-2025-3360-01.patch \
+ file://CVE-2025-3360-02.patch \
+ file://CVE-2025-3360-03.patch \
+ file://CVE-2025-3360-04.patch \
+ file://CVE-2025-3360-05.patch \
+ file://CVE-2025-3360-06.patch \
"
-SRC_URI:append:class-native = " file://relocate-modules.patch \
+SRC_URI:append:class-native = " file://relocate-modules.patch \
file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
"
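Review bot: the `SRC_URI:append:class-native` line is removed and re-added with identical visible content, so this is a whitespace-only change (trailing whitespace or tab versus spaces); either drop it from a CVE backport or mention it in the commit message so reviewers do not have to diff the two lines by eye.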
--
2.43.0
* [OE-core][scarthgap 06/15] git: Upgrade 2.44.1 -> 2.44.3
From: Steve Sakoman @ 2025-04-30 2:59 UTC
To: openembedded-core
From: Soumya Sambu <soumya.sambu@windriver.com>
Addresses the security issues - CVE-2024-50349 and CVE-2024-52006
Release Notes:
https://github.com/git/git/blob/v2.44.3/Documentation/RelNotes/2.44.3.txt
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/git/{git_2.44.1.bb => git_2.44.3.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-devtools/git/{git_2.44.1.bb => git_2.44.3.bb} (98%)
diff --git a/meta/recipes-devtools/git/git_2.44.1.bb b/meta/recipes-devtools/git/git_2.44.3.bb
similarity index 98%
rename from meta/recipes-devtools/git/git_2.44.1.bb
rename to meta/recipes-devtools/git/git_2.44.3.bb
index 53d67eb40a..a5afd36168 100644
--- a/meta/recipes-devtools/git/git_2.44.1.bb
+++ b/meta/recipes-devtools/git/git_2.44.3.bb
@@ -164,4 +164,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \
"
EXTRA_OEMAKE += "NO_GETTEXT=1"
-SRC_URI[tarball.sha256sum] = "118214bb8d7ba971a62741416e757562b8f5451cefc087a407e91857897c92cc"
+SRC_URI[tarball.sha256sum] = "4237c37cdf7b3d38102117b22993b2f761a4c02758dfbe33f7b7423c0b096ca9"
--
2.43.0
* [OE-core][scarthgap 07/15] perlcross: update 1.5.2 -> 1.6
From: Steve Sakoman @ 2025-04-30 2:59 UTC
To: openembedded-core
From: Alexander Kanavin <alex@linutronix.de>
(From OE-Core rev: dee97a3d3127eeba77bc6be05dea25f89aa734e5)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...ile-check-the-file-if-patched-or-not.patch | 3 +-
...oss-add-LDFLAGS-when-linking-libperl.patch | 9 ++--
.../perl-cross/files/determinism.patch | 41 +++++++++++--------
.../{perlcross_1.5.2.bb => perlcross_1.6.bb} | 2 +-
4 files changed, 29 insertions(+), 26 deletions(-)
rename meta/recipes-devtools/perl-cross/{perlcross_1.5.2.bb => perlcross_1.6.bb} (92%)
diff --git a/meta/recipes-devtools/perl-cross/files/0001-Makefile-check-the-file-if-patched-or-not.patch b/meta/recipes-devtools/perl-cross/files/0001-Makefile-check-the-file-if-patched-or-not.patch
index 4e9153ebf1..7efee733c6 100644
--- a/meta/recipes-devtools/perl-cross/files/0001-Makefile-check-the-file-if-patched-or-not.patch
+++ b/meta/recipes-devtools/perl-cross/files/0001-Makefile-check-the-file-if-patched-or-not.patch
@@ -1,4 +1,4 @@
-From 3eb33dce6e3c93e1b3efcc9649f871100adada30 Mon Sep 17 00:00:00 2001
+From d0292a4f91ca22f8919a0f13d8961f98743bdbf1 Mon Sep 17 00:00:00 2001
From: Mingli Yu <mingli.yu@windriver.com>
Date: Fri, 2 Jul 2021 09:08:21 +0000
Subject: [PATCH] Makefile: check the file if patched or not
@@ -9,7 +9,6 @@ one time.
Upstream-Status: Inappropriate (OE-specific)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
-
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/perl-cross/files/0001-perl-cross-add-LDFLAGS-when-linking-libperl.patch b/meta/recipes-devtools/perl-cross/files/0001-perl-cross-add-LDFLAGS-when-linking-libperl.patch
index 6c3f08c432..6d387fe66a 100644
--- a/meta/recipes-devtools/perl-cross/files/0001-perl-cross-add-LDFLAGS-when-linking-libperl.patch
+++ b/meta/recipes-devtools/perl-cross/files/0001-perl-cross-add-LDFLAGS-when-linking-libperl.patch
@@ -1,4 +1,4 @@
-From f824cbec9ac8f113a4ae35d57bd18625d415a71b Mon Sep 17 00:00:00 2001
+From c4ebb6d11d690185f66a3f0a591f193fd6611122 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Tue, 27 Nov 2018 15:37:40 +0100
Subject: [PATCH] perl-cross: add LDFLAGS when linking libperl
@@ -10,10 +10,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
-index 01644cd..be811a7 100644
+index 4b80079..c6d6042 100644
--- a/Makefile
+++ b/Makefile
-@@ -180,7 +180,7 @@ endif
+@@ -191,7 +191,7 @@ endif
ifeq ($(useshrplib),true)
$(LIBPERL):
@@ -22,6 +22,3 @@ index 01644cd..be811a7 100644
else
$(LIBPERL):
$(AR) cru $@ $(filter %$o,$^)
---
-2.17.1
-
diff --git a/meta/recipes-devtools/perl-cross/files/determinism.patch b/meta/recipes-devtools/perl-cross/files/determinism.patch
index e9bf752bcb..ef11b12a35 100644
--- a/meta/recipes-devtools/perl-cross/files/determinism.patch
+++ b/meta/recipes-devtools/perl-cross/files/determinism.patch
@@ -1,4 +1,7 @@
-Fixes to make the perl build reproducible:
+From 8fd84d6d760b21bad2c499b572951cc3f2235953 Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard.purdie@linuxfoundation.org>
+Date: Wed, 5 Feb 2020 23:54:02 +0000
+Subject: [PATCH] Fixes to make the perl build reproducible:
a) Remove the \n from configure_attr.sh since it gets quoted differently depending on
whether the shell is bash or dash which can cause the test result to be incorrect.
@@ -8,7 +11,7 @@ b) Sort the order of the module lists from configure_mods.sh since otherwise
the result isn't the same leading to makefile differences.
Reported upstream: https://github.com/arsv/perl-cross/issues/88
-c) Sort the Encode::Byte byte_t.fnm file output (and the makefile depends whilst
+c) Sort the Encode::Byte byte_t.fnm file output (and the makefile depends whilst
there for good measure)
This needs to go to upstream perl (not done)
@@ -20,12 +23,26 @@ RP 2020/2/7
Upstream-Status: Pending [75% submitted]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org
+---
+ cnf/configure | 2 +-
+ cnf/configure_mods.sh | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
-Index: perl-5.30.1/cnf/configure_mods.sh
-===================================================================
---- perl-5.30.1.orig/cnf/configure_mods.sh
-+++ perl-5.30.1/cnf/configure_mods.sh
-@@ -82,7 +82,7 @@ extonlyif() {
+diff --git a/cnf/configure b/cnf/configure
+index 2f451c6..86bc865 100755
+--- a/cnf/configure
++++ b/cnf/configure
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+
+ base=${0%/*}; test -z "$base" && base=.
+
+diff --git a/cnf/configure_mods.sh b/cnf/configure_mods.sh
+index d4ef5a7..8e88b48 100644
+--- a/cnf/configure_mods.sh
++++ b/cnf/configure_mods.sh
+@@ -108,7 +108,7 @@ extonlyif() {
}
definetrimspaces() {
@@ -34,13 +51,3 @@ Index: perl-5.30.1/cnf/configure_mods.sh
define $1 "$v"
}
-Index: perl-5.30.1/cnf/configure
-===================================================================
---- perl-5.30.1.orig/cnf/configure
-+++ perl-5.30.1/cnf/configure
-@@ -1,4 +1,4 @@
--#!/bin/sh
-+#!/bin/bash
-
- base=${0%/*}; test -z "$base" && base=.
-
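Review bot: the context line `Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org` is missing its closing `>`; since this refresh already rewrites the header of the patch file, fix it while you are here. Also the new `Subject: [PATCH] Fixes to make the perl build reproducible:` keeps the trailing colon from the old first body line; drop it from the subject.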
diff --git a/meta/recipes-devtools/perl-cross/perlcross_1.5.2.bb b/meta/recipes-devtools/perl-cross/perlcross_1.6.bb
similarity index 92%
rename from meta/recipes-devtools/perl-cross/perlcross_1.5.2.bb
rename to meta/recipes-devtools/perl-cross/perlcross_1.6.bb
index b41c182fad..295dd0cfc1 100644
--- a/meta/recipes-devtools/perl-cross/perlcross_1.5.2.bb
+++ b/meta/recipes-devtools/perl-cross/perlcross_1.6.bb
@@ -18,7 +18,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/perl-cross-${PV}.tar.gz;name=perl-c
"
GITHUB_BASE_URI = "https://github.com/arsv/perl-cross/releases/"
-SRC_URI[perl-cross.sha256sum] = "584dc54c48dca25e032b676a15bef377c1fed9de318b4fc140292a5dbf326e90"
+SRC_URI[perl-cross.sha256sum] = "5abf198ee50ce9e69eb68fede68c87f65241caa744e4203e97490fa59b45ed69"
S = "${WORKDIR}/perl-cross-${PV}"
--
2.43.0
* [OE-core][scarthgap 08/15] perlcross: 1.6 -> 1.6.2
From: Steve Sakoman @ 2025-04-30 2:59 UTC
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
https://github.com/arsv/perl-cross/releases/tag/1.6.2
Provide support for Perl 5.38.4
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../perl-cross/{perlcross_1.6.bb => perlcross_1.6.2.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-devtools/perl-cross/{perlcross_1.6.bb => perlcross_1.6.2.bb} (92%)
diff --git a/meta/recipes-devtools/perl-cross/perlcross_1.6.bb b/meta/recipes-devtools/perl-cross/perlcross_1.6.2.bb
similarity index 92%
rename from meta/recipes-devtools/perl-cross/perlcross_1.6.bb
rename to meta/recipes-devtools/perl-cross/perlcross_1.6.2.bb
index 295dd0cfc1..e4bd90c572 100644
--- a/meta/recipes-devtools/perl-cross/perlcross_1.6.bb
+++ b/meta/recipes-devtools/perl-cross/perlcross_1.6.2.bb
@@ -18,7 +18,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/perl-cross-${PV}.tar.gz;name=perl-c
"
GITHUB_BASE_URI = "https://github.com/arsv/perl-cross/releases/"
-SRC_URI[perl-cross.sha256sum] = "5abf198ee50ce9e69eb68fede68c87f65241caa744e4203e97490fa59b45ed69"
+SRC_URI[perl-cross.sha256sum] = "131f7496152ee32067dbac2bc9b44b2f582fc778140e545701b3b2faee782f1d"
S = "${WORKDIR}/perl-cross-${PV}"
--
2.43.0
* [OE-core][scarthgap 09/15] perl: upgrade 5.38.2 -> 5.38.4
From: Steve Sakoman @ 2025-04-30 2:59 UTC
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
update includes fix for CVE-2024-56406
https://perldoc.perl.org/5.38.4/perl5384delta
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/perl/{perl_5.38.2.bb => perl_5.38.4.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-devtools/perl/{perl_5.38.2.bb => perl_5.38.4.bb} (99%)
diff --git a/meta/recipes-devtools/perl/perl_5.38.2.bb b/meta/recipes-devtools/perl/perl_5.38.4.bb
similarity index 99%
rename from meta/recipes-devtools/perl/perl_5.38.2.bb
rename to meta/recipes-devtools/perl/perl_5.38.4.bb
index b6c9cda7ae..e59022e2bd 100644
--- a/meta/recipes-devtools/perl/perl_5.38.2.bb
+++ b/meta/recipes-devtools/perl/perl_5.38.4.bb
@@ -26,7 +26,7 @@ SRC_URI:append:class-target = " \
file://encodefix.patch \
"
-SRC_URI[perl.sha256sum] = "a0a31534451eb7b83c7d6594a497543a54d488bc90ca00f5e34762577f40655e"
+SRC_URI[perl.sha256sum] = "fb888accf8b50b5180e91166e5153608be294c57c19878e95f7659c1f1f12758"
B = "${WORKDIR}/perl-${PV}-build"
--
2.43.0
* [OE-core][scarthgap 10/15] tzdata/tzcode-native: upgrade 2025a -> 2025b
From: Steve Sakoman @ 2025-04-30 2:59 UTC
To: openembedded-core
From: Priyal Doshi <pdoshi@mvista.com>
Signed-off-by: Priyal Doshi <pdoshi@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b1ff8b45da27b533477cf6d9ace7a47f7f3a28b1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-extended/timezone/timezone.inc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index f1dbd7ba81..f21bedf4fc 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -6,7 +6,7 @@ SECTION = "base"
LICENSE = "PD & BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
-PV = "2025a"
+PV = "2025b"
SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode;subdir=tz \
http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata;subdir=tz \
@@ -16,5 +16,5 @@ S = "${WORKDIR}/tz"
UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
-SRC_URI[tzcode.sha256sum] = "119679d59f76481eb5e03d3d2a47d7870d592f3999549af189dbd31f2ebf5061"
-SRC_URI[tzdata.sha256sum] = "4d5fcbc72c7c450ebfe0b659bd0f1c02fbf52fd7f517a9ea13fe71c21eb5f0d0"
+SRC_URI[tzcode.sha256sum] = "05f8fedb3525ee70d49c87d3fae78a8a0dbae4fe87aa565c65cda9948ae135ec"
+SRC_URI[tzdata.sha256sum] = "11810413345fc7805017e27ea9fa4885fd74cd61b2911711ad038f5d28d71474"
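Review bot: both `SRC_URI` entries still fetch over plain `http://`; the pinned sha256sums guarantee the integrity of what gets built, so this is not a vulnerability, but an `https://` URL would stop the tarballs being observed or replaced in transit before the checksum rejects them. Better as a separate follow-up than in this version bump.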
--
2.43.0
* [OE-core][scarthgap 11/15] initscripts: add function log_success_msg/log_failure_msg/log_warning_msg
From: Steve Sakoman @ 2025-04-30 2:59 UTC
To: openembedded-core
From: Changqing Li <changqing.li@windriver.com>
* add functions log_success_msg/log_failure_msg/log_warning_msg; some
packages still use these functions, like mariadb, refer to [1]. Without
these functions, with the sysV init manager, mariadb will report an error:
root@qemux86-64:~# /etc/init.d/mysqld status
/etc/init.d/mysqld: line 383: log_success_msg: command not found
* remove RCONFLICTS with lsbinitscripts; LSB support was already removed in
[2]
[1] https://github.com/MariaDB/server/blob/main/support-files/mysql.server.sh#L104
[2] https://git.openembedded.org/openembedded-core/commit/?id=fb064356af615d67d85b65942103bf943d84d290
[3] https://refspecs.linuxbase.org/LSB_4.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptfunc.html
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../initscripts/initscripts-1.0/functions | 21 +++++++++++++++++++
.../initscripts/initscripts_1.0.bb | 1 -
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-core/initscripts/initscripts-1.0/functions b/meta/recipes-core/initscripts/initscripts-1.0/functions
index 35aebd4a55..7fc19c808b 100755
--- a/meta/recipes-core/initscripts/initscripts-1.0/functions
+++ b/meta/recipes-core/initscripts/initscripts-1.0/functions
@@ -92,3 +92,24 @@ passed() {
echo -n -e "${BRACKET}[${SUCCESS} PASS ${BRACKET}]${NORMAL}"
return $rc
}
+
+log_success_msg()
+{
+ echo -n $@
+ success
+ echo
+}
+
+log_failure_msg()
+{
+ echo -n $@
+ failure
+ echo
+}
+
+log_warning_msg()
+{
+ echo -n $@
+ warning
+ echo
+}
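Review bot: `echo -n $@` in all three new functions is unquoted, so a message containing `*`, `?` or `[` is glob-expanded against the current directory and runs of whitespace are collapsed; use `echo -n "$*"` (or `"$@"`). Also, because each function ends with a bare `echo`, its return status is always 0 whatever `success`/`failure`/`warning` return, unlike `passed()` just above, which saves and returns `$rc`; the LSB functions these mirror ([3] in the commit message) do return a status, so capture it before the final `echo` and `return` it.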
diff --git a/meta/recipes-core/initscripts/initscripts_1.0.bb b/meta/recipes-core/initscripts/initscripts_1.0.bb
index e61ac554f3..56ee65ac5b 100644
--- a/meta/recipes-core/initscripts/initscripts_1.0.bb
+++ b/meta/recipes-core/initscripts/initscripts_1.0.bb
@@ -53,7 +53,6 @@ RDEPENDS:${PN} = "initd-functions \
# Recommend pn-functions so that it will be a preferred default provider for initd-functions
RRECOMMENDS:${PN} = "${PN}-functions"
RPROVIDES:${PN}-functions = "initd-functions"
-RCONFLICTS:${PN}-functions = "lsbinitscripts"
FILES:${PN}-functions = "${sysconfdir}/init.d/functions*"
FILES:${PN}-sushell = "${base_sbindir}/sushell"
--
2.43.0
* [OE-core][scarthgap 12/15] buildtools-tarball: move setting of envvars to respective envfile
From: Steve Sakoman @ 2025-04-30 3:00 UTC
To: openembedded-core
From: Changqing Li <changqing.li@windriver.com>
* make git, curl and python3-requests align with openssl: move the setting of
envvars into the respective envfile
* for environment.d-openssl.sh, also check if ca-certificates.crt exists
before exporting envvars
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../openssl/files/environment.d-openssl.sh | 7 +++++--
meta/recipes-core/meta/buildtools-tarball.bb | 6 ------
meta/recipes-devtools/git/git/environment.d-git.sh | 3 +++
meta/recipes-devtools/git/git_2.44.3.bb | 8 ++++++++
.../environment.d-python3-requests.sh | 3 +++
.../python/python3-requests_2.32.3.bb | 11 +++++++++++
meta/recipes-support/curl/curl/environment.d-curl.sh | 3 +++
meta/recipes-support/curl/curl_8.7.1.bb | 9 +++++++++
8 files changed, 42 insertions(+), 8 deletions(-)
create mode 100644 meta/recipes-devtools/git/git/environment.d-git.sh
create mode 100644 meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
create mode 100644 meta/recipes-support/curl/curl/environment.d-curl.sh
diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
index 6f23490c87..6cb82d7386 100644
--- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
+++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
@@ -1,5 +1,8 @@
export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
-export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs"
-export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt"
+if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+ export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs"
+ export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt"
+ export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} SSL_CERT_DIR SSL_CERT_FILE"
+fi
export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
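Review bot: the existence test looks at `${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt`, but the exported `SSL_CERT_DIR`/`SSL_CERT_FILE` point at `.../usr/lib/ssl/certs/...`; unless `usr/lib/ssl/certs` is a symlink to `etc/ssl/certs` in the SDK sysroot, the guard does not protect the path that is actually exported. Test the path you export, or export the path you test. Minor: `];then` wants a space after the semicolon, and the `BB_ENV_PASSTHROUGH_ADDITIONS` append here already does for openssl what 13/15 in this series does for git, curl and requests; worth saying so in the commit message.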
diff --git a/meta/recipes-core/meta/buildtools-tarball.bb b/meta/recipes-core/meta/buildtools-tarball.bb
index e2ce5b3ecf..414c266663 100644
--- a/meta/recipes-core/meta/buildtools-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-tarball.bb
@@ -73,12 +73,6 @@ create_sdk_files:append () {
touch $script
echo 'export PATH="${SDKPATHNATIVE}${bindir_nativesdk}:${SDKPATHNATIVE}${sbindir_nativesdk}:${SDKPATHNATIVE}${base_bindir_nativesdk}:${SDKPATHNATIVE}${base_sbindir_nativesdk}:$PATH"' >> $script
echo 'export OECORE_NATIVE_SYSROOT="${SDKPATHNATIVE}"' >> $script
- if [ -e "${SDK_OUTPUT}${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt" ]; then
- echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
- echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
- echo 'export REQUESTS_CA_BUNDLE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
- echo 'export CURL_CA_BUNDLE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
- fi
echo 'HOST_PKG_PATH=$(command -p pkg-config --variable=pc_path pkg-config 2>/dev/null)' >>$script
echo 'export PKG_CONFIG_LIBDIR=${SDKPATHNATIVE}/${libdir}/pkgconfig:${SDKPATHNATIVE}/${datadir}/pkgconfig:${HOST_PKG_PATH:-/usr/lib/pkgconfig:/usr/share/pkgconfig}' >>$script
echo 'unset HOST_PKG_PATH'
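Review bot: the context line `echo 'unset HOST_PKG_PATH'` has no `>>$script` redirection, unlike every other `echo` in this function, so `unset HOST_PKG_PATH` goes to the build log instead of into the environment script and `HOST_PKG_PATH` is left set in the SDK environment. This predates the change but is worth fixing while the function is being touched.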
diff --git a/meta/recipes-devtools/git/git/environment.d-git.sh b/meta/recipes-devtools/git/git/environment.d-git.sh
new file mode 100644
index 0000000000..18104f0528
--- /dev/null
+++ b/meta/recipes-devtools/git/git/environment.d-git.sh
@@ -0,0 +1,3 @@
+if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+ export GIT_SSL_CAINFO="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
+fi
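Review bot: style only: `];then` should be `]; then` (the same applies to the new requests and curl files). Otherwise the runtime check against `${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt` is the right replacement for the SDK-build-time `${SDK_OUTPUT}${SDKPATHNATIVE}${sysconfdir}` test removed from buildtools-tarball.bb, since it is evaluated where the SDK is actually installed.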
diff --git a/meta/recipes-devtools/git/git_2.44.3.bb b/meta/recipes-devtools/git/git_2.44.3.bb
index a5afd36168..7b33d6071e 100644
--- a/meta/recipes-devtools/git/git_2.44.3.bb
+++ b/meta/recipes-devtools/git/git_2.44.3.bb
@@ -13,6 +13,10 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \
"
+SRC_URI:append:class-nativesdk = " \
+ file://environment.d-git.sh \
+ "
+
S = "${WORKDIR}/git-${PV}"
LIC_FILES_CHKSUM = "\
@@ -115,6 +119,9 @@ do_install:append:class-nativesdk() {
GIT_EXEC_PATH='`dirname $''realpath`'/${REL_GIT_EXEC_PATH} \
GIT_TEMPLATE_DIR='`dirname $''realpath`'/${REL_GIT_TEMPLATE_DIR}
perl_native_fixup
+
+ mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
+ install -m 644 ${WORKDIR}/environment.d-git.sh ${D}${SDKPATHNATIVE}/environment-setup.d/git.sh
}
FILES:${PN} += "${datadir}/git-core ${libexecdir}/git-core/"
@@ -155,6 +162,7 @@ FILES:${PN}-tk = " \
PACKAGES =+ "gitweb"
FILES:gitweb = "${datadir}/gitweb/"
+FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/git.sh"
RDEPENDS:gitweb = "perl"
BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
new file mode 100644
index 0000000000..f2eee203ca
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
@@ -0,0 +1,3 @@
+if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+ export REQUESTS_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
+fi
diff --git a/meta/recipes-devtools/python/python3-requests_2.32.3.bb b/meta/recipes-devtools/python/python3-requests_2.32.3.bb
index 4f0638b50c..36ff75f87d 100644
--- a/meta/recipes-devtools/python/python3-requests_2.32.3.bb
+++ b/meta/recipes-devtools/python/python3-requests_2.32.3.bb
@@ -3,10 +3,19 @@ HOMEPAGE = "https://requests.readthedocs.io"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658"
+SRC_URI:append:class-nativesdk = " \
+ file://environment.d-python3-requests.sh \
+"
+
SRC_URI[sha256sum] = "55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760"
inherit pypi python_setuptools_build_meta
+do_install:append:class-nativesdk() {
+ mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
+ install -m 644 ${WORKDIR}/environment.d-python3-requests.sh ${D}${SDKPATHNATIVE}/environment-setup.d/python3-requests.sh
+}
+
RDEPENDS:${PN} += " \
python3-certifi \
python3-email \
@@ -19,6 +28,8 @@ RDEPENDS:${PN} += " \
python3-compression \
"
+FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/python3-requests.sh"
+
CVE_PRODUCT = "requests"
BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-support/curl/curl/environment.d-curl.sh b/meta/recipes-support/curl/curl/environment.d-curl.sh
new file mode 100644
index 0000000000..0d53aabb8e
--- /dev/null
+++ b/meta/recipes-support/curl/curl/environment.d-curl.sh
@@ -0,0 +1,3 @@
+if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+ export CURL_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
+fi
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 8ce8caadf0..2f5bf8c8fd 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -25,6 +25,11 @@ SRC_URI = " \
file://CVE-2024-11053-0003.patch \
file://CVE-2025-0167.patch \
"
+
+SRC_URI:append:class-nativesdk = " \
+ file://environment.d-curl.sh \
+"
+
SRC_URI[sha256sum] = "6fea2aac6a4610fbd0400afb0bcddbe7258a64c63f1f68e5855ebc0c659710cd"
# Curl has used many names over the years...
@@ -108,6 +113,8 @@ do_install:append:class-target() {
do_install:append:class-nativesdk() {
fix_absolute_paths
+ mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
+ install -m 644 ${WORKDIR}/environment.d-curl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/curl.sh
}
do_compile_ptest() {
@@ -156,6 +163,8 @@ RRECOMMENDS:lib${BPN} += "ca-certificates"
FILES:${PN} += "${datadir}/zsh"
+FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/curl.sh"
+
inherit multilib_script
MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/curl-config"
--
2.43.0
* [OE-core][scarthgap 13/15] buildtools-tarball: add envvars into BB_ENV_PASSTHROUGH_ADDITIONS
From: Steve Sakoman @ 2025-04-30 3:00 UTC
To: openembedded-core
From: Changqing Li <changqing.li@windriver.com>
Here is one testcase:
For the recipe tensorflow-lite-host-tools_2.18.0.bb, see [1],
do_configure[network] = "1"
and it will git clone some repos in CMakeLists.txt.
When buildtools is used and nativesdk-git is installed into the sdk,
do_configure fails with the error:
[1/9] Performing download step (git clone) for 'protobuf-populate'
Cloning into 'protobuf'...
fatal: unable to access 'https://github.com/protocolbuffers/protobuf/': error setting certificate file: /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-wrlinuxsdk-linux/etc/ssl/certs/ca-certificates.crt
Fix by adding GIT_SSL_CAINFO to BB_ENV_PASSTHROUGH_ADDITIONS, so that
users can export GIT_SSL_CAINFO=${GIT_SSL_CAINFO} in their
do_configure:prepend() to fix the above do_configure failure.
CURL_CA_BUNDLE and REQUESTS_CA_BUNDLE are similar envvars, so add all
of them to BB_ENV_PASSTHROUGH_ADDITIONS.
[1] https://github.com/nxp-imx/meta-imx/blob/styhead-6.12.3-1.0.0/meta-imx-ml/recipes-libraries/tensorflow-lite/tensorflow-lite-host-tools_2.18.0.bb
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/git/git/environment.d-git.sh | 1 +
.../python/python3-requests/environment.d-python3-requests.sh | 1 +
meta/recipes-support/curl/curl/environment.d-curl.sh | 1 +
3 files changed, 3 insertions(+)
diff --git a/meta/recipes-devtools/git/git/environment.d-git.sh b/meta/recipes-devtools/git/git/environment.d-git.sh
index 18104f0528..f8e3221510 100644
--- a/meta/recipes-devtools/git/git/environment.d-git.sh
+++ b/meta/recipes-devtools/git/git/environment.d-git.sh
@@ -1,3 +1,4 @@
if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
export GIT_SSL_CAINFO="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
+ export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} GIT_SSL_CAINFO"
fi
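Review bot: the added `export BB_ENV_PASSTHROUGH_ADDITIONS=...` sits inside the `if [ -e ... ca-certificates.crt ]` block, so GIT_SSL_CAINFO is only passed through to BitBake when this script itself set it; a GIT_SSL_CAINFO the user exported by hand is not passed through when the buildtools bundle is absent. Moving the export below the `fi` would make the passthrough independent of which bundle is in use.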
diff --git a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
index f2eee203ca..c7faec127d 100644
--- a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
+++ b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
@@ -1,3 +1,4 @@
if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
export REQUESTS_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
+ export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} REQUESTS_CA_BUNDLE"
fi
diff --git a/meta/recipes-support/curl/curl/environment.d-curl.sh b/meta/recipes-support/curl/curl/environment.d-curl.sh
index 0d53aabb8e..0ab83a267d 100644
--- a/meta/recipes-support/curl/curl/environment.d-curl.sh
+++ b/meta/recipes-support/curl/curl/environment.d-curl.sh
@@ -1,3 +1,4 @@
if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
export CURL_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
+ export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} CURL_CA_BUNDLE"
fi
--
2.43.0
* [OE-core][scarthgap 14/15] buildtools-tarball: Make buildtools respect host CA certificates
From: Steve Sakoman @ 2025-04-30 3:00 UTC
To: openembedded-core
From: Changqing Li <changqing.li@windriver.com>
To adapt to the user's network environment, buildtools should first try to use
the user-configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/...; if these
envs are not set, then use the auto-detected CA file and CA path, and
finally use the CA certificates in buildtools.
nativesdk-openssl sets OPENSSLDIR to "/not/builtin", so SSL_CERT_FILE/SSL_CERT_DIR need to be set for it to work.
nativesdk-curl does not set a default CA file; it needs
SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work.
nativesdk-git actually uses libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO
also work.
nativesdk-python3-requests uses cacert.pem from the Python module certifi by
default, so REQUESTS_CA_BUNDLE needs to be set.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../openssl/files/environment.d-openssl.sh | 25 +++++++++++++++----
meta/recipes-core/meta/buildtools-tarball.bb | 23 ++++++++++++++++-
.../git/git/environment.d-git.sh | 21 +++++++++++++---
.../environment.d-python3-requests.sh | 13 +++++++---
.../curl/curl/environment.d-curl.sh | 21 +++++++++++++---
5 files changed, 88 insertions(+), 15 deletions(-)
diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
index 6cb82d7386..c635be8aca 100644
--- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
+++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
@@ -1,8 +1,23 @@
export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
-if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
- export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs"
- export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt"
- export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} SSL_CERT_DIR SSL_CERT_FILE"
-fi
export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
+
+# Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected host cert, then cert in buildtools
+# CAFILE/CAPATH is auto-deteced when source buildtools
+if [ -z "$SSL_CERT_FILE" ]; then
+ if [ -n "$CAFILE" ];then
+ export SSL_CERT_FILE="$CAFILE"
+ elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+ export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt"
+ fi
+fi
+
+if [ -z "$SSL_CERT_DIR" ]; then
+ if [ -n "$CAPATH" ];then
+ export SSL_CERT_DIR="$CAPATH"
+ elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+ export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs"
+ fi
+fi
+
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} SSL_CERT_DIR SSL_CERT_FILE"
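Review bot: in both `elif` branches the probe is for `${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt` while the exported values are `$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt` and `$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs`; the check can pass while OpenSSL is pointed at a path that was never tested, so test the path that is exported (this mismatch predates the patch but the rewrite is the moment to fix it). Also "auto-deteced" in the second comment line should read "auto-detected".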
diff --git a/meta/recipes-core/meta/buildtools-tarball.bb b/meta/recipes-core/meta/buildtools-tarball.bb
index 414c266663..8e78169e23 100644
--- a/meta/recipes-core/meta/buildtools-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-tarball.bb
@@ -80,14 +80,35 @@ create_sdk_files:append () {
toolchain_create_sdk_version ${SDK_OUTPUT}/${SDKPATH}/version-${SDK_SYS}
cat >> $script <<EOF
+# Detect host ca file/path, export for envfile to use
+# /etc/ssl/certs/ca-certificates.crt Debian systems
+# /etc/pki/tls/certs/ca-bundle.crt Fedora systems
+# /etc/ssl/ca-bundle.pem Suse systems
+export CAFILE
+export CAPATH
+for a in /etc/ssl/certs/ca-certificates.crt \
+ /etc/pki/tls/certs/ca-bundle.crt \
+ /etc/ssl/ca-bundle.pem ; do
+ if test -f "\$a"; then
+ CAFILE="\$a"
+ break
+ fi
+done
+
+a="/etc/ssl/certs"
+if test -d "\$a" && ls "\$a"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].0 >/dev/null 2>/dev/null; then
+ CAPATH="\$a"
+fi
+
if [ -d "\$OECORE_NATIVE_SYSROOT/environment-setup.d" ]; then
for envfile in \$OECORE_NATIVE_SYSROOT/environment-setup.d/*.sh; do
. \$envfile
done
fi
+
# We have to unset this else it can confuse oe-selftest and other tools
# which may also use the overlapping namespace.
-unset OECORE_NATIVE_SYSROOT
+unset OECORE_NATIVE_SYSROOT CAFILE CAPATH
EOF
if [ "${SDKMACHINE}" = "i686" ]; then
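Review bot: the detection block assigns to and then unsets the generic names CAFILE and CAPATH, so a user who already had either variable in their shell loses it after sourcing the environment script; an SDK-specific prefix would avoid clobbering the host environment. The CAFILE list is a fixed set of three distro paths and CAPATH is only probed at `/etc/ssl/certs`, so hosts that keep their bundle elsewhere fall through to the buildtools copy unless the user sets SSL_CERT_FILE/SSL_CERT_DIR themselves; a comment stating that fallback next to the distro list would make the behaviour explicit.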
diff --git a/meta/recipes-devtools/git/git/environment.d-git.sh b/meta/recipes-devtools/git/git/environment.d-git.sh
index f8e3221510..9c7b5a9251 100644
--- a/meta/recipes-devtools/git/git/environment.d-git.sh
+++ b/meta/recipes-devtools/git/git/environment.d-git.sh
@@ -1,4 +1,19 @@
-if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
- export GIT_SSL_CAINFO="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
- export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} GIT_SSL_CAINFO"
+# Respect host env GIT_SSL_CAINFO/GIT_SSL_CAPATH first, then auto-detected host cert, then cert in buildtools
+# CAFILE/CAPATH is auto-deteced when source buildtools
+if [ -z "$GIT_SSL_CAINFO" ]; then
+ if [ -n "$CAFILE" ];then
+ export GIT_SSL_CAINFO="$CAFILE"
+ elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+ export GIT_SSL_CAINFO="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
+ fi
fi
+
+if [ -z "$GIT_SSL_CAPATH" ]; then
+ if [ -n "$CAPATH" ];then
+ export GIT_SSL_CAPATH="$CAPATH"
+ elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+ export GIT_SSL_CAPATH="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs"
+ fi
+fi
+
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} GIT_SSL_CAINFO GIT_SSL_CAPATH"
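Review bot: the GIT_SSL_CAPATH `elif` probes for the file `${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt` but exports the directory `${OECORE_NATIVE_SYSROOT}/etc/ssl/certs`, which only works for libcurl if that directory holds the hashed certificate links; checking for the directory contents (as the buildtools script does for the host CAPATH) would be the matching test. Same "auto-deteced" typo in the comment as in the openssl file.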
diff --git a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
index c7faec127d..492177a9c3 100644
--- a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
+++ b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
@@ -1,4 +1,11 @@
-if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
- export REQUESTS_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
- export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} REQUESTS_CA_BUNDLE"
+# Respect host env REQUESTS_CA_BUNDLE first, then auto-detected host cert, then cert in buildtools
+# CAFILE/CAPATH is auto-deteced when source buildtools
+if [ -z "$REQUESTS_CA_BUNDLE" ]; then
+ if [ -n "$CAFILE" ];then
+ export REQUESTS_CA_BUNDLE="$CAFILE"
+ elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+ export REQUESTS_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
+ fi
fi
+
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} REQUESTS_CA_BUNDLE"
diff --git a/meta/recipes-support/curl/curl/environment.d-curl.sh b/meta/recipes-support/curl/curl/environment.d-curl.sh
index 0ab83a267d..7c2971b3da 100644
--- a/meta/recipes-support/curl/curl/environment.d-curl.sh
+++ b/meta/recipes-support/curl/curl/environment.d-curl.sh
@@ -1,4 +1,19 @@
-if [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
- export CURL_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
- export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} CURL_CA_BUNDLE"
+# Respect host env CURL_CA_BUNDLE/CURL_CA_PATH first, then auto-detected host cert, then cert in buildtools
+# CAFILE/CAPATH is auto-deteced when source buildtools
+if [ -z "$CURL_CA_PATH" ]; then
+ if [ -n "$CAFILE" ];then
+ export CURL_CA_BUNDLE="$CAFILE"
+ elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+ export CURL_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
+ fi
fi
+
+if [ -z "$CURL_CA_PATH" ]; then
+ if [ -n "$CAPATH" ];then
+ export CURL_CA_PATH="$CAPATH"
+ elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+ export CURL_CA_PATH="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs"
+ fi
+fi
+
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} CURL_CA_BUNDLE CURL_CA_PATH"
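Review bot: the first guard tests `[ -z "$CURL_CA_PATH" ]` but the branch sets CURL_CA_BUNDLE, so a CURL_CA_BUNDLE the user exported is overwritten whenever CURL_CA_PATH is unset (the common case), contradicting the "Respect host env CURL_CA_BUNDLE/CURL_CA_PATH first" comment and the commit message. It should read `if [ -z "$CURL_CA_BUNDLE" ]; then`, matching the pattern used for GIT_SSL_CAINFO and REQUESTS_CA_BUNDLE in the other files of this patch.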
--
2.43.0
* [OE-core][scarthgap 15/15] Revert "cve-update-nvd2-native: Tweak to work better with NFS DL_DIR"
From: Steve Sakoman @ 2025-04-30 3:00 UTC
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
This reverts commit 7adaec468d3a61d88c990b1b319b34850bee7e44.
It does not seem to fix the issue it was supposed to fix.
Additionally, it breaks the code which decides between a full and a partial update,
because it manipulates the timestamp that code relies on.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ebc65fdddd7ce51f0f1008baa30d0ae7918ae0bb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 2 --
1 file changed, 2 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 74c780493d..945bd1d927 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -90,8 +90,6 @@ python do_fetch() {
if update_db_file(db_tmp_file, d, database_time) == True:
# Update downloaded correctly, can swap files
shutil.move(db_tmp_file, db_file)
- # Need to 'touch' the file to ensure NFS sees the data
- os.utime(db_file)
else:
# Update failed, do not modify the database
bb.warn("CVE database update failed")
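Review bot: with the `os.utime(db_file)` call removed, the database keeps the mtime that `shutil.move` carries over from `db_tmp_file`, which is the timestamp the full/partial-update decision named in the commit message depends on; the revert is consistent with that, but a short comment after the `shutil.move` saying that the mtime must not be touched would stop the NFS workaround from being reintroduced later.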
--
2.43.0