Openembedded Core Discussions
* [OE-core][kirkstone 0/3] Patch review
@ 2023-10-31 22:05 Steve Sakoman
  0 siblings, 0 replies; 6+ messages in thread
From: Steve Sakoman @ 2023-10-31 22:05 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, October 2

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6124

The following changes since commit 56503e3e80603de3b69acef2f6d32836bc9e5e5d:

  linux-firmware: create separate packages (2023-10-29 06:30:03 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Peter Marko (1):
  libxml2: Patch CVE-2023-45322

Soumya Sambu (1):
  libwebp: Fix CVE-2023-4863

Vijay Anusuri (1):
  tiff: CVE patch correction for CVE-2023-3576

 .../libxml/libxml2/CVE-2023-45322-1.patch     | 49 ++++++++++++
 .../libxml/libxml2/CVE-2023-45322-2.patch     | 79 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.14.bb    |  2 +
 ...-2023-3618-1.patch => CVE-2023-3576.patch} |  3 +-
 ...-2023-3618-2.patch => CVE-2023-3618.patch} |  0
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  4 +-
 .../webp/files/CVE-2023-4863.patch            | 53 +++++++++++++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  1 +
 8 files changed, 188 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
 rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-1.patch => CVE-2023-3576.patch} (93%)
 rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-2.patch => CVE-2023-3618.patch} (100%)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch

-- 
2.34.1




* [OE-core][kirkstone 0/3] Patch review
@ 2025-02-13 14:26 Steve Sakoman
  0 siblings, 0 replies; 6+ messages in thread
From: Steve Sakoman @ 2025-02-13 14:26 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Friday, February 14

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1003

The following changes since commit bd12abeff6ee14385fba63fa5ba15d9fadec4d0e:

  cmake: apply parallel build settings to ptest tasks (2025-02-11 05:34:41 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Joshua Watt (2):
  lib/packagedata.py: Add API to iterate over rprovides
  classes-global/insane: Look up all runtime providers for file-rdeps

Peter Marko (1):
  openssl: upgrade 3.0.15 -> 3.0.16

 meta/classes/insane.bbclass                   |  30 ++-
 meta/lib/oe/packagedata.py                    |  15 ++
 .../openssl/openssl/CVE-2024-13176.patch      | 125 -----------
 .../openssl/openssl/CVE-2024-9143.patch       | 202 ------------------
 .../{openssl_3.0.15.bb => openssl_3.0.16.bb}  |   4 +-
 5 files changed, 28 insertions(+), 348 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
 delete mode 100755 meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.0.15.bb => openssl_3.0.16.bb} (98%)

-- 
2.43.0




* [OE-core][kirkstone 0/3] Patch review
@ 2025-09-16 14:17 Steve Sakoman
  2025-09-16 14:17 ` [OE-core][kirkstone 1/3] go: ignore CVE-2024-24790 Steve Sakoman
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Steve Sakoman @ 2025-09-16 14:17 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, September 18

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2381

The following changes since commit 3dd917c52ace30607800f0b70a52a52662dda731:

  wpa-supplicant: fix CVE-2022-37660 (2025-09-09 09:01:30 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Hitendra Prajapati (1):
  go: ignore CVE-2024-24790

Philip Lorenz (1):
  insane: Ensure that `src-uri-bad` fails correctly

Richard Purdie (1):
  insane: Improve patch warning/error handling

 meta/classes/insane.bbclass             | 24 ++++++++++++++++--------
 meta/recipes-devtools/go/go-1.17.13.inc |  3 ++-
 2 files changed, 18 insertions(+), 9 deletions(-)

-- 
2.43.0




* [OE-core][kirkstone 1/3] go: ignore CVE-2024-24790
  2025-09-16 14:17 [OE-core][kirkstone 0/3] Patch review Steve Sakoman
@ 2025-09-16 14:17 ` Steve Sakoman
  2025-09-16 14:17 ` [OE-core][kirkstone 2/3] insane: Improve patch warning/error handling Steve Sakoman
  2025-09-16 14:17 ` [OE-core][kirkstone 3/3] insane: Ensure that `src-uri-bad` fails correctly Steve Sakoman
  2 siblings, 0 replies; 6+ messages in thread
From: Steve Sakoman @ 2025-09-16 14:17 UTC (permalink / raw)
  To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

CVE-2024-24790:  net/netip module was introduced in go1.18beta1 via a59e33224e42d60a97fa720a45e1b74eb6aaa3d0

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/go/go-1.17.13.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 36356349d2..b17853035b 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -70,7 +70,8 @@ SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784
 # Upstream don't believe it is a signifiant real world issue and will only
 # fix in 1.17 onwards where we can drop this.
 # https://github.com/golang/go/issues/30999#issuecomment-910470358
-CVE_CHECK_IGNORE += "CVE-2021-29923"
+# CVE-2024-24790:  net/netip module was introduced in go1.18beta1 via a59e33224e42d60a97fa720a45e1b74eb6aaa3d0
+CVE_CHECK_IGNORE += "CVE-2021-29923 CVE-2024-24790"
 
 # This are specific to Microsoft Windows
 CVE_CHECK_IGNORE += "CVE-2022-41716 CVE-2023-45283 CVE-2023-45284 CVE-2025-0913"
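
Review bot: CVE-2024-24790 is appended to the existing `CVE_CHECK_IGNORE += "CVE-2021-29923"` assignment, and its comment sits directly under the "will only fix in 1.17 onwards" rationale, so two unrelated justifications now read as one block. Give it its own `CVE_CHECK_IGNORE += "CVE-2024-24790"` line after a blank line, and have the comment state the conclusion (net/netip arrived in go1.18beta1, so the affected code is not present in 1.17.13). That keeps each ignore entry auditable and removable on its own.
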
-- 
2.43.0




* [OE-core][kirkstone 2/3] insane: Improve patch warning/error handling
  2025-09-16 14:17 [OE-core][kirkstone 0/3] Patch review Steve Sakoman
  2025-09-16 14:17 ` [OE-core][kirkstone 1/3] go: ignore CVE-2024-24790 Steve Sakoman
@ 2025-09-16 14:17 ` Steve Sakoman
  2025-09-16 14:17 ` [OE-core][kirkstone 3/3] insane: Ensure that `src-uri-bad` fails correctly Steve Sakoman
  2 siblings, 0 replies; 6+ messages in thread
From: Steve Sakoman @ 2025-09-16 14:17 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Currently, whilst patch errors or warnings are shown, the errors don't stop builds.
The configuration isn't very configurable from WARN_QA and ERROR_QA either.

This patch:
 * Uses the standard mechanisms to handle the patch fuzz warnings/errors
 * Makes Upstream-Status checking configurable from WARN/ERROR_QA
 * Allows that checking to be used with non-core layers
 * Makes patch-fuzz an error by default

(From OE-Core rev: 76a685bfcf927593eac67157762a53259089ea8a)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3c3fd6a65e8103f74ae382d196d486b31a168b39)

The backported commit was modified to not mark "patch-fuzz" as an error
by default (which retains compatibility with kirkstone behaviour).

Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/insane.bbclass | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index f4b4c05e3d..99340c1752 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -1182,24 +1182,27 @@ python do_qa_patch() {
             msg += "    devtool modify %s\n" % d.getVar('PN')
             msg += "    devtool finish --force-patch-refresh %s <layer_path>\n\n" % d.getVar('PN')
             msg += "Don't forget to review changes done by devtool!\n"
-            if bb.utils.filter('ERROR_QA', 'patch-fuzz', d):
-                bb.error(msg)
-            elif bb.utils.filter('WARN_QA', 'patch-fuzz', d):
-                bb.warn(msg)
-            msg = "Patch log indicates that patches do not apply cleanly."
+            msg += "\nPatch log indicates that patches do not apply cleanly."
             oe.qa.handle_error("patch-fuzz", msg, d)
 
     # Check if the patch contains a correctly formatted and spelled Upstream-Status
     import re
     from oe import patch
 
+    allpatches = False
+    if bb.utils.filter('ERROR_QA', 'patch-status-noncore', d) or bb.utils.filter('WARN_QA', 'patch-status-noncore', d):
+        allpatches = True
+
     coremeta_path = os.path.join(d.getVar('COREBASE'), 'meta', '')
     for url in patch.src_patches(d):
        (_, _, fullpath, _, _, _) = bb.fetch.decodeurl(url)
 
        # skip patches not in oe-core
+       patchtype = "patch-status-core"
        if not os.path.abspath(fullpath).startswith(coremeta_path):
-           continue
+           patchtype = "patch-status-noncore"
+           if not allpatches:
+               continue
 
        kinda_status_re = re.compile(r"^.*upstream.*status.*$", re.IGNORECASE | re.MULTILINE)
        strict_status_re = re.compile(r"^Upstream-Status: (Pending|Submitted|Denied|Accepted|Inappropriate|Backport|Inactive-Upstream)( .+)?$", re.MULTILINE)
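
Review bot: The unchanged context comment `# skip patches not in oe-core` is stale after this hunk: patches outside `coremeta_path` are now skipped only when `patch-status-noncore` is in neither ERROR_QA nor WARN_QA. Please update the comment to describe the new condition, for example "classify the patch; skip non-core patches unless patch-status-noncore is enabled". The `allpatches` flag could also be assigned in one statement from the two `bb.utils.filter(...)` results instead of the `False` / `if` / `True` sequence.
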
@@ -1212,9 +1215,13 @@ python do_qa_patch() {
 
            if not match_strict:
                if match_kinda:
-                   bb.error("Malformed Upstream-Status in patch\n%s\nPlease correct according to %s :\n%s" % (fullpath, guidelines, match_kinda.group(0)))
+                   msg = "Malformed Upstream-Status in patch\n%s\nPlease correct according to %s :\n%s" % (fullpath, guidelines, match_kinda.group(0))
+                   oe.qa.handle_error(patchtype, msg, d)
                else:
-                   bb.error("Missing Upstream-Status in patch\n%s\nPlease add according to %s ." % (fullpath, guidelines))
+                   msg = "Missing Upstream-Status in patch\n%s\nPlease add according to %s ." % (fullpath, guidelines)
+                   oe.qa.handle_error(patchtype, msg, d)
+
+    oe.qa.exit_if_errors(d)
 }
 
 python do_qa_configure() {
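
Review bot: Malformed and missing Upstream-Status were reported with an unconditional `bb.error`; here they go through `oe.qa.handle_error(patchtype, msg, d)`, so their severity now depends on whether `patch-status-core` is listed in ERROR_QA or WARN_QA. The diffstat is 15 insertions and 8 deletions in insane.bbclass, all inside do_qa_patch, and neither hunk touches those defaults. Please confirm that kirkstone already lists `patch-status-core`, otherwise this check becomes quieter for oe-core patches than it was before the backport. As a style point, the two branches could set `msg` and share a single `oe.qa.handle_error` call after the `if`/`else`.
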
-- 
2.43.0




* [OE-core][kirkstone 3/3] insane: Ensure that `src-uri-bad` fails correctly
  2025-09-16 14:17 [OE-core][kirkstone 0/3] Patch review Steve Sakoman
  2025-09-16 14:17 ` [OE-core][kirkstone 1/3] go: ignore CVE-2024-24790 Steve Sakoman
  2025-09-16 14:17 ` [OE-core][kirkstone 2/3] insane: Improve patch warning/error handling Steve Sakoman
@ 2025-09-16 14:17 ` Steve Sakoman
  2 siblings, 0 replies; 6+ messages in thread
From: Steve Sakoman @ 2025-09-16 14:17 UTC (permalink / raw)
  To: openembedded-core

From: Philip Lorenz <philip.lorenz@bmw.de>

`src-uri-bad` is missing the required call to `oe.qa.exit_if_errors` so
the corresponding task is not marked as failed when the QA check is
classified as an error.

This issue was fixed by the introduction of the do_recipe_qa task in
OE-core (e0c71367ab59021fc430ef215bbfc3b525036ba4) which is not part
of kirkstone yet.

Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/insane.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index 99340c1752..6b3cc5228a 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -1338,6 +1338,7 @@ python do_qa_unpack() {
         bb.warn('%s: the directory %s (%s) pointed to by the S variable doesn\'t exist - please set S within the recipe to point to where the source has been unpacked to' % (d.getVar('PN'), d.getVar('S', False), s_dir))
 
     unpack_check_src_uri(d.getVar('PN'), d)
+    oe.qa.exit_if_errors(d)
 }
 
 # The Staging Func, to check all staging
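
Review bot: With `oe.qa.exit_if_errors(d)` placed after `unpack_check_src_uri(d.getVar('PN'), d)`, do_qa_unpack starts failing for configurations that classify `src-uri-bad` as an error, where the task previously still succeeded. That is the stated intent, but on a stable branch it is a visible behaviour change, so a one-line comment above the call saying it is needed in kirkstone because do_recipe_qa is not backported would help whoever later rebases or drops this line.
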
-- 
2.43.0


