* [OE-core][kirkstone 0/3] Patch review
@ 2025-09-16 14:17 Steve Sakoman
2025-09-16 14:17 ` [OE-core][kirkstone 1/3] go: ignore CVE-2024-24790 Steve Sakoman
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Steve Sakoman @ 2025-09-16 14:17 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, September 18
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2381
The following changes since commit 3dd917c52ace30607800f0b70a52a52662dda731:
wpa-supplicant: fix CVE-2022-37660 (2025-09-09 09:01:30 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Hitendra Prajapati (1):
go: ignore CVE-2024-24790
Philip Lorenz (1):
insane: Ensure that `src-uri-bad` fails correctly
Richard Purdie (1):
insane: Improve patch warning/error handling
meta/classes/insane.bbclass | 24 ++++++++++++++++--------
meta/recipes-devtools/go/go-1.17.13.inc | 3 ++-
2 files changed, 18 insertions(+), 9 deletions(-)
--
2.43.0
^ permalink raw reply [flat|nested] 6+ messages in thread* [OE-core][kirkstone 1/3] go: ignore CVE-2024-24790 2025-09-16 14:17 [OE-core][kirkstone 0/3] Patch review Steve Sakoman @ 2025-09-16 14:17 ` Steve Sakoman 2025-09-16 14:17 ` [OE-core][kirkstone 2/3] insane: Improve patch warning/error handling Steve Sakoman 2025-09-16 14:17 ` [OE-core][kirkstone 3/3] insane: Ensure that `src-uri-bad` fails correctly Steve Sakoman 2 siblings, 0 replies; 6+ messages in thread From: Steve Sakoman @ 2025-09-16 14:17 UTC (permalink / raw) To: openembedded-core From: Hitendra Prajapati <hprajapati@mvista.com> CVE-2024-24790: net/netip module was introduced in go1.18beta1 via a59e33224e42d60a97fa720a45e1b74eb6aaa3d0 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-devtools/go/go-1.17.13.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 36356349d2..b17853035b 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -70,7 +70,8 @@ SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784 # Upstream don't believe it is a signifiant real world issue and will only # fix in 1.17 onwards where we can drop this. # https://github.com/golang/go/issues/30999#issuecomment-910470358 -CVE_CHECK_IGNORE += "CVE-2021-29923" +# CVE-2024-24790: net/netip module was introduced in go1.18beta1 via a59e33224e42d60a97fa720a45e1b74eb6aaa3d0 +CVE_CHECK_IGNORE += "CVE-2021-29923 CVE-2024-24790" # This are specific to Microsoft Windows CVE_CHECK_IGNORE += "CVE-2022-41716 CVE-2023-45283 CVE-2023-45284 CVE-2025-0913" -- 2.43.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
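Review bot: In go-1.17.13.inc the new CVE-2024-24790 entry is folded into the existing assignment (`CVE_CHECK_IGNORE += "CVE-2021-29923 CVE-2024-24790"`), so the comment block above it ("Upstream don't believe it is a signifiant real world issue and will only fix in 1.17 onwards where we can drop this") now reads as if it covers both CVEs, although they are ignored for different reasons. Suggest leaving the CVE-2021-29923 line unchanged and adding a separate `CVE_CHECK_IGNORE += "CVE-2024-24790"` with its own comment, the way the Windows-specific line below is kept apart. The added comment also only states when net/netip was introduced; it should spell out the conclusion drawn from that for go 1.17.13, so the ignore can be audited later without re-deriving it.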
* [OE-core][kirkstone 2/3] insane: Improve patch warning/error handling 2025-09-16 14:17 [OE-core][kirkstone 0/3] Patch review Steve Sakoman 2025-09-16 14:17 ` [OE-core][kirkstone 1/3] go: ignore CVE-2024-24790 Steve Sakoman @ 2025-09-16 14:17 ` Steve Sakoman 2025-09-16 14:17 ` [OE-core][kirkstone 3/3] insane: Ensure that `src-uri-bad` fails correctly Steve Sakoman 2 siblings, 0 replies; 6+ messages in thread From: Steve Sakoman @ 2025-09-16 14:17 UTC (permalink / raw) To: openembedded-core From: Richard Purdie <richard.purdie@linuxfoundation.org> Currently, whilst patch errors or warnings are shown, the errors don't stop builds. The configuration isn't very configurable from WARN_QA and ERROR_QA either. This patch: * Uses the standard mechanisms to handle the patch fuzz warnings/errors * Makes Upstream-Status checking configurable from WARN/ERROR_QA * Allows that checking to be used with non-core layers * Makes patch-fuzz an error by default (From OE-Core rev: 76a685bfcf927593eac67157762a53259089ea8a) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 3c3fd6a65e8103f74ae382d196d486b31a168b39) The backported commit was modified to not mark "patch-fuzz" as an error by default (which retains compatibility with kirkstone behaviour). Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/classes/insane.bbclass | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass index f4b4c05e3d..99340c1752 100644 --- a/meta/classes/insane.bbclass +++ b/meta/classes/insane.bbclass 
@@ -1182,24 +1182,27 @@ python do_qa_patch() { msg += " devtool modify %s\n" % d.getVar('PN') msg += " devtool finish --force-patch-refresh %s <layer_path>\n\n" % d.getVar('PN') msg += "Don't forget to review changes done by devtool!\n" - if bb.utils.filter('ERROR_QA', 'patch-fuzz', d): - bb.error(msg) - elif bb.utils.filter('WARN_QA', 'patch-fuzz', d): - bb.warn(msg) - msg = "Patch log indicates that patches do not apply cleanly." + msg += "\nPatch log indicates that patches do not apply cleanly." oe.qa.handle_error("patch-fuzz", msg, d) # Check if the patch contains a correctly formatted and spelled Upstream-Status import re from oe import patch + allpatches = False + if bb.utils.filter('ERROR_QA', 'patch-status-noncore', d) or bb.utils.filter('WARN_QA', 'patch-status-noncore', d): + allpatches = True + coremeta_path = os.path.join(d.getVar('COREBASE'), 'meta', '') for url in patch.src_patches(d): (_, _, fullpath, _, _, _) = bb.fetch.decodeurl(url) # skip patches not in oe-core + patchtype = "patch-status-core" if not os.path.abspath(fullpath).startswith(coremeta_path): - continue + patchtype = "patch-status-noncore" + if not allpatches: + continue kinda_status_re = re.compile(r"^.*upstream.*status.*$", re.IGNORECASE | re.MULTILINE) strict_status_re = re.compile(r"^Upstream-Status: (Pending|Submitted|Denied|Accepted|Inappropriate|Backport|Inactive-Upstream)( .+)?$", re.MULTILINE) 
@@ -1212,9 +1215,13 @@ python do_qa_patch() { if not match_strict: if match_kinda: - bb.error("Malformed Upstream-Status in patch\n%s\nPlease correct according to %s :\n%s" % (fullpath, guidelines, match_kinda.group(0))) + msg = "Malformed Upstream-Status in patch\n%s\nPlease correct according to %s :\n%s" % (fullpath, guidelines, match_kinda.group(0)) + oe.qa.handle_error(patchtype, msg, d) else: - bb.error("Missing Upstream-Status in patch\n%s\nPlease add according to %s ." % (fullpath, guidelines)) + msg = "Missing Upstream-Status in patch\n%s\nPlease add according to %s ." % (fullpath, guidelines) + oe.qa.handle_error(patchtype, msg, d) + + oe.qa.exit_if_errors(d) } python do_qa_configure() { -- 2.43.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
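Review bot: In the first hunk (@@ -1182) the context comment `# skip patches not in oe-core` is left in place but is no longer accurate: once `patch-status-noncore` is in ERROR_QA or WARN_QA, `allpatches` is True and patches outside COREBASE/meta are checked as well. Suggest rewording it, for example "skip patches outside oe-core unless patch-status-noncore is enabled". The `allpatches = False` followed by `if ...: allpatches = True` could also be written as a single boolean assignment.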
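Review bot: Neither hunk of this patch adds `patch-status-core` to a default ERROR_QA or WARN_QA, yet in the second hunk (@@ -1212) the malformed and missing Upstream-Status reports for oe-core patches now go through `oe.qa.handle_error(patchtype, msg, d)` instead of the unconditional `bb.error(...)`. Please confirm that kirkstone's defaults already list `patch-status-core`, or add it in this backport; otherwise a check that was always reported as an error is weakened on a stable branch. The commit message says the `patch-fuzz` default was deliberately left alone but is silent on the Upstream-Status default.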
* [OE-core][kirkstone 3/3] insane: Ensure that `src-uri-bad` fails correctly 2025-09-16 14:17 [OE-core][kirkstone 0/3] Patch review Steve Sakoman 2025-09-16 14:17 ` [OE-core][kirkstone 1/3] go: ignore CVE-2024-24790 Steve Sakoman 2025-09-16 14:17 ` [OE-core][kirkstone 2/3] insane: Improve patch warning/error handling Steve Sakoman @ 2025-09-16 14:17 ` Steve Sakoman 2 siblings, 0 replies; 6+ messages in thread From: Steve Sakoman @ 2025-09-16 14:17 UTC (permalink / raw) To: openembedded-core From: Philip Lorenz <philip.lorenz@bmw.de> `src-uri-bad` is missing the required call to `oe.qa.exit_if_errors` so the corresponding task is not marked as failed when the QA check is classified as an error. This issue was fixed by the introduction of the do_recipe_qa task in OE-core (e0c71367ab59021fc430ef215bbfc3b525036ba4) which is not part of kirkstone yet. Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/classes/insane.bbclass | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass index 99340c1752..6b3cc5228a 100644 --- a/meta/classes/insane.bbclass +++ b/meta/classes/insane.bbclass @@ -1338,6 +1338,7 @@ python do_qa_unpack() { bb.warn('%s: the directory %s (%s) pointed to by the S variable doesn\'t exist - please set S within the recipe to point to where the source has been unpacked to' % (d.getVar('PN'), d.getVar('S', False), s_dir)) unpack_check_src_uri(d.getVar('PN'), d) + oe.qa.exit_if_errors(d) } # The Staging Func, to check all staging -- 2.43.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
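Review bot: The `oe.qa.exit_if_errors(d)` added at the end of do_qa_unpack changes behaviour on a stable branch, and the commit message does not say so: a layer that already lists `src-uri-bad` in ERROR_QA and has been building only because the task was never marked failed will now stop. A sentence on that user-visible effect would help people picking up the update. Separately, the S-directory check just above still calls `bb.warn` directly, so the new exit call only takes effect for what `unpack_check_src_uri` reports.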
* [OE-core][kirkstone 0/3] Patch review
@ 2025-02-13 14:26 Steve Sakoman
0 siblings, 0 replies; 6+ messages in thread
From: Steve Sakoman @ 2025-02-13 14:26 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Friday, February 14
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1003
The following changes since commit bd12abeff6ee14385fba63fa5ba15d9fadec4d0e:
cmake: apply parallel build settings to ptest tasks (2025-02-11 05:34:41 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Joshua Watt (2):
lib/packagedata.py: Add API to iterate over rprovides
classes-global/insane: Look up all runtime providers for file-rdeps
Peter Marko (1):
openssl: upgrade 3.0.15 -> 3.0.16
meta/classes/insane.bbclass | 30 ++-
meta/lib/oe/packagedata.py | 15 ++
.../openssl/openssl/CVE-2024-13176.patch | 125 -----------
.../openssl/openssl/CVE-2024-9143.patch | 202 ------------------
.../{openssl_3.0.15.bb => openssl_3.0.16.bb} | 4 +-
5 files changed, 28 insertions(+), 348 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
delete mode 100755 meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
rename meta/recipes-connectivity/openssl/{openssl_3.0.15.bb => openssl_3.0.16.bb} (98%)
--
2.43.0
* [OE-core][kirkstone 0/3] Patch review
@ 2023-10-31 22:05 Steve Sakoman
0 siblings, 0 replies; 6+ messages in thread
From: Steve Sakoman @ 2023-10-31 22:05 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, October 2
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6124
The following changes since commit 56503e3e80603de3b69acef2f6d32836bc9e5e5d:
linux-firmware: create separate packages (2023-10-29 06:30:03 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Peter Marko (1):
libxml2: Patch CVE-2023-45322
Soumya Sambu (1):
libwebp: Fix CVE-2023-4863
Vijay Anusuri (1):
tiff: CVE patch correction for CVE-2023-3576
.../libxml/libxml2/CVE-2023-45322-1.patch | 49 ++++++++++++
.../libxml/libxml2/CVE-2023-45322-2.patch | 79 +++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.14.bb | 2 +
...-2023-3618-1.patch => CVE-2023-3576.patch} | 3 +-
...-2023-3618-2.patch => CVE-2023-3618.patch} | 0
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 4 +-
.../webp/files/CVE-2023-4863.patch | 53 +++++++++++++
meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 1 +
8 files changed, 188 insertions(+), 3 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-1.patch => CVE-2023-3576.patch} (93%)
rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-2.patch => CVE-2023-3618.patch} (100%)
create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
--
2.34.1