diff options
author | Andrew Geissler <geissonator@yahoo.com> | 2021-09-25 00:47:35 +0300 |
---|---|---|
committer | Andrew Geissler <geissonator@yahoo.com> | 2021-10-05 22:27:21 +0300 |
commit | 5199d831602da71945df7cef62eb3c01183cf20e (patch) | |
tree | 0e4c75d4ac0f346489cb92fa4ccccf0a0aa56fe1 /meta-security | |
parent | e9e982486160a1d724bf30f21167d72dfbcb84ce (diff) | |
download | openbmc-5199d831602da71945df7cef62eb3c01183cf20e.tar.xz |
subtree updates
meta-security: 1f18c623e9..de6712a806:
Armin Kuster (8):
cryfs: drop recipe
trousers: set precise BSD license
ibmtpm2tss: set precise BSD license
ibmswtpm2: set precise BSD license
opendnssec: set precise BSD license
checksec: set precise BSD license
isic: set precise BSD license
tpm-quote-tools: Update SRC_URI
Christer Fletcher (1):
dm-verity-img.bbclass: Expose --data-block-size for configuration
Kai Kang (1):
sssd: 2.5.1 -> 2.5.2
meta-raspberrypi: a6fa6b3aec..9eb4879cf4:
Andrew Penner (1):
rpi-cmdline: Support ethernet over USB
Khem Raj (2):
linux-raspberrypi: Update to 5.10.63
raspberrypi-firmware: Update to latest
meta-openembedded: e4a3c66505..cff8331f96:
Armin Kuster (21):
python3-cycler: set precise BSD license
python3-dill: set precise BSD license
python3-ipython-genutils: set precise BSD license
python3-traitlets: set precise BSD license
python3-parallax: set precise BSD license
python3-ipython:set precise BSD license
python3-mpmath: set precise BSD license
python3-sympy: set precise BSD license
python3-sqlparse: set precise BSD license
python3-webencodings: set precise BSD license
python3-pyperclip:set precise BSD license
python3-geojson: set precise BSD license
python3-aenum: set precise BSD license
python3-gnupg: set precise BSD license
python3-kiwisolver: set precise BSD license
python3-jdcal: set precise BSD license
python3-send2trash: set precise BSD license
python3-flask-bootstrap: Update LICENSES
autossh: set precise BSD licenses
jemalloc: set precise BSD license
gpsd-machine-conf: set precise BSD license
Bruce Ashfield (1):
vboxguestdrivers: fix build against 5.14+
Ed Tanous (1):
Boost-url Move to latest version
Khem Raj (57):
gdm: Add polkit to required distro features
python3-lxml: Inherit pkgconfig
python3-icu: Inherit pkgconfig
python3-h5py: Inherit pkgconfig
python3-pyparted: Inherit pkgconfig
python3-systemd: Inherit pkgconfig
rp-pppoe: Add configure cached variable via recipe
site: Remove local site files
postfix: Inherit pkgconfig
emacs: Inherit pkgconfig
libgnt: Inherit pkgconfig
libgnt: Inherit pkgconfig
portaudio-v19: Inherit pkgconfig
sshfs-fuse: Inherit pkgconfig
appstream-glib: Inherit pkgconfig
volume-key: Inherit pkgconfig
kronosnet: Inherit pkgconfig
rrdtool: Inherit pkgconfig
libbytesize: Inherit pkgconfig
dlt-daemon: Inherit pkgconfig
libmypaint: Inherit pkgconfig
libubox: Inherit pkgconfig
xfsprogs: Inherit pkgconfig
pavucontrol: Inherit pkgconfig
blueman: Inherit pkgconfig
mimic: Inherit pkgconfig
libchamplain: Inherit pkgconfig
gst-shark: Inherit pkgconfig
zchunk: Inherit pkgconfig
libvdpau: Inherit pkgconfig
tigervnc: Inherit pkgconfig
mpc: Inherit pkgconfig
avro-c: Inherit pkgconfig
udevil: Inherit pkgconfig
remmina: Inherit pkgconfig
transmission: Inherit pkgconfig
libuvc: Inherit pkgconfig
crda: Inherit pkgconfig
wxwidgets: Inherit pkgconfig
mdbus2: Inherit pkgconfig
firewalld: Inherit pkgconfig
renderdoc: Inherit pkgconfig
fetchmail: Inherit pkgconfig
ncmpc: Inherit pkgconfig
yad: Inherit pkgconfig
mscgen: Inherit pkgconfig
libldb: Inherit pkgconfig
pahole: Inherit missing pkgconfig
gerbera: Inherit pkgconfig
xfce4-datetime-setter: Inherit pkgconfig
libblockdev: Inherit pkgconfig
ntopng: Inherit pkgconfig
mosquitto: Inherit pkgconfig
samba: Inherit pkgconfig
fio: Upgrade to 3.28
rdma-core: Inherit pkgconfig
postfix: Add missing dependency on m4
Marek Vasut (1):
dstat: Add missing python-six runtime dependency
Matteo Croce (1):
pahole: call python via env in the shebang
Pascal Bach (1):
poco: update to 1.11.0
Peter Kjellerstedt (1):
libiio: Make libiio-python3 depend on python3-core
Pierre-Jean Texier (1):
cppzmq: upgrade 4.8.0 -> 4.8.1
Sakib Sajal (3):
bats: source files from correct directory
gd: upgrade 2.3.2 -> 2.3.3
lmdb: replace tag with commit id in SRCREV
Trevor Woerner (2):
vk-gl-cts: allow the user to specify the target
vk-gl-cts: fix soname linking
Yi Zhao (2):
samba: upgrade 4.14.5 -> 4.14.7
net-snmp: remove perllocal.pod when enable packageconfig[perl]
jan (1):
netdata: Fixed the recipe.
wangmy (3):
byacc: upgrade 20200910 -> 20210808
nghttp2: upgrade 1.44.0 -> 1.45.1
apache2: upgrade 2.4.48 -> 2.4.49
zangrc (5):
python3-beautifulsoup4: upgrade 4.9.3 -> 4.10.0
python3-bitarray: upgrade 2.3.3 -> 2.3.4
python3-decorator: upgrade 5.0.9 -> 5.1.0
python3-grpcio-tools: upgrade 1.39.0 -> 1.40.0
python3-grpcio: upgrade 1.39.0 -> 1.40.0
zhengruoqin (5):
python3-openpyxl: upgrade 3.0.7 -> 3.0.8
python3-pandas: upgrade 1.3.2 -> 1.3.3
python3-pulsectl: upgrade 21.5.18 -> 21.9.1
protobuf: upgrade 3.17.3 -> 3.18.0
span-lite: upgrade 0.10.0 -> 0.10.1
poky: 359e1cb62f..06dcace68b:
Alexander Kanavin (13):
lttng: update 2.12 -> 2.13.0
core-image-ptest-all: bump RAM requirement to 4G
bitbake: bitbake: drop old rules for python warnings
bitbake: bitbake: correct the collections vs collections.abc deprecation
bitbake: bitbake: fix regexp deprecation warnings
bitbake: bitbake: do not import imp in layerindexlib
bitbake: bitbake: adjust parser error check for python 3.10 compatibility
bitbake: bitbake: correct deprecation warning in process.py
bitbake: bitbake: enable python warnings at the first opportunity
meta: correct collections vs collections.abc deprecation
wic: keep rootfs_size as integer
cpan-base.bbclass: use raw string for regexp
testimage: symlink the task log and qemu console log to tmp/log/oeqa
Armin Kuster (2):
apr: Security fix for CVE-2021-35940
tar: ignore node-tar CVEs
Bruce Ashfield (11):
linux-yocto/5.13: update to v5.13.13
linux-yocto/5.13: update to v5.13.15
linux-yocto/5.10: update to v5.10.61
linux-yocto/5.10: update to v5.10.63
yocto-bsp/5.10: update to v5.10.63
yocto-bsp/5.13: update to v5.13.15
libc-headers: bump to v5.14
linux-yocto: introduce 5.14 reference kernel
systemtap: update to 4.5-latest
conf/machine: bump qemu preferred versions to 5.14
poky: set default kernel to 5.14
Changqing Li (1):
lttng-ust: fix do_compile error when PACKAGECONFIG examples is enabled
Chanho Park (1):
binutils: inherit pkgconfig to address libdebuginfod depdency
Claudius Heine (1):
rng-tools: add systemd-udev-settle wants to service
Daniel Ammann (1):
bitbake: fetch2/wget: Enable ftps
Daniel Wagenknecht (2):
mirrors.bbclass: provide additional rule for git repo fallbacks
mirrors.bbclass: remove redundant server-specific mirrors
Denys Dmytriyenko (1):
readline: correct pkg-config dependency for termcap
Hsia-Jun(Randy) Li (1):
cross-canadian: make android pass target sys check
Jon Mason (6):
Update mailing list address
README: update mailing list address
dev-manual: update mailing list address
core-image-sato: Fix runqemu error for qemuarmv5
machine/qemuarm*: use virtio graphics
testimage: remove aarch64 xorg exclusion
Joshua Watt (17):
Add SPDX licenses
classes/package: Add extended packaged data
classes/create-spdx: Add class
classes/create-spdx: Change creator
classes/create-spdx: Add SHA1 to index file
classes/create-spdx: Add index to DEPLOYDIR
classes/create-spdx: Add runtime dependency mapping
classes/create-spdx: Add NOASSERTION for unknown debug sources
classes/create-spdx: Fix another creator
classes/create-spdx: Fix up license reporting
classes/create-spdx: Speed up hash calculations
classes/create-spdx: Fix file:// in downloadLocation
classes/create-spdx: Add special exception for Public Domain license
classes/create-spdx: Collect all task dependencies
classes/create-spdx: Skip package processing for native recipes
classes/create-spdx: Comment out placeholder license warning
bitbake: cooker: Allow upstream for local hash equivalence server
Kai Kang (2):
perl: fix CVE-2021-36770
rust-common.bbclass: make sure ccache exist
Kevin Hao (1):
meta-yocto-bsp: Update the default kernel to v5.14
Khem Raj (3):
vim: Add packageconfig for sound notification support
site: Drop caching libIDL_cv_long_long_format
site: Drop ORBit2 relared cached variables
Konrad Weihmann (1):
expat: pull from github releases
Kristian Klausen (3):
systemd: Add homed PACKAGECONFIG
wic: Add extra-space argument
systemd: Add tpm2 PACKAGECONFIG
Mark Hatle (3):
reproducible_build: Remove BUILD_REPRODUCIBLE_BINARIES checking
externalsrc: Work with reproducible_build
tcf-agent: Move to the latest master version
Markus Volk (1):
util-linux: disable raw
Martin Jansa (3):
default-distrovars.inc: Set BBINCLUDELOGS to empty to disable printing failed task output multiple times
bitbake: bitbake.conf: fix vars_from_file() call
qemu-native: add direct dependency on ninja-native and meson-native
Michael Halstead (1):
releases: update to include 3.3.3
Michael Opdenacker (9):
dev-manual: explicit that devpyshell is a task
bitbake: bitbake-user-manual: replace "file name" by "filename"
manuals: replace Freenode by Libera Chat as IRC host
manuals: delete unmaintained history sections
ref-manual: document UPSTREAM_CHECK_COMMITS and UPSTREAM_VERSION_UNKNOWN
ref-manual: remove checkpkg task
ref-manual: improve "devtool check-upgrade-status" details
ref-manual: improve documentation for RECIPE_NO_UPDATE_REASON
ref-manual: update "devtool check-upgrade-status" output
Mingli Yu (6):
coreutils: add pkgconfig for selinux
findutils: add pkgconfig for selinux
tar: add pkgconfig for selinux
multilib.bbclass: add RDEPENDS related check back
insane.bbclass: add FILERDEPENDS related check back
python3: fix multilib qa issue
Peter Bergin (1):
systemd: add packageconfig for wheel-group
Peter Kjellerstedt (2):
common-licenses, licenses.conf: Remove duplicate licenses
create-spdx.bbclass: Search all license directories for licenses
Quentin Schulz (3):
bitbake: doc: bitbake-user-manual-execution: remove mention to long-gone BBHASHDEPS variable
conf/mips: mips16e: prepend override to MACHINEOVERRIDES
bitbake: doc: bitbake-user-manual-fetching: S should be set to WORKDIR/git for git fetcher
Randy MacLeod (1):
tcmode-default: add rust to the default toolchains
Ranjitsinh Rathod (1):
rpm: Handle proper return value to avoid major issues
Richard Purdie (67):
oeqa/runtime/parselogs: Make DVD ata error apply to all qemux86 machines
tcl: Exclude CVE-2021-35331 from checks
xdg-utils: Add fix for CVE-2020-27748
build-appliance-image: Update to master head revision
utils: Drop unused variable staging_install from oe_libinstall
utils: Drop obsolete oe_machinstall function
flex: Add CVE-2019-6293 to exclusions for checks
go: Exclude CVE-2021-29923 from report list
bitbake: runqueue: Avoid deadlock avoidance task graph corruption
bitbake: runqueue: Fix issues with multiconfig deferred task deadlock messages
oeqa/oescripts: Fix after tar recipe changes
pseudo: Update with fcntl and glibc 2.34 fixes
bitbake: persist_data: Drop deprecated/unused function
bitbake: parse_py: Drop deprecated function reference
bitbake: build: Match markup to real function name
bitbake: build: Handle SystemExit in python tasks correctly
bitbake: process: Don't include logs in error message if piping them
bitbake: build: Avoid duplicating logs in verbose mode
bitbake: data_smart: Make ExpansionErrors more readable
bitbake: build: Catch and error upon circular task references
bitbake: data_smart: Improve error display for handled exceptions
bitbake: fetch2: Add recursion guard
bitbake: cookerdata: Improve missing core layer error message
bitbake: cookerdata: Show error for no BBLAYERS in bblayers.conf
bitbake: runqueue: Clean up task stats handling
Revert "default-distrovars.inc: Set BBINCLUDELOGS to empty to disable printing failed task output multiple times"
bitbake.conf: Ensure XZ_THREADS doesn't change sstate checksums
sstate: Avoid problems with recipes using SRCPV when fetching sstate
local.conf.sample: Update sstate mirror entry with new hash equivalence setting
useradd: Ensure preinst data is expanded correctly in pkgdata
package: Fix pkgdata determinism issues
sstate: Ensure SDE is accounted for in package task timestamps
bash: Ensure deterministic build
sstatesig: Allow exclusion of the root directory for do_package
bitbake: bitbake-worker: Improve error handling
bitbake: runqueue/knotty: Improve UI handling of setscene task counting
bitbake: fetch2/git: Avoid races over mirror tarball creation
README: Update email address for Bruce
bitbake: cookerdata: Show a readable error for invalid multiconfig name
bitbake: fetch2/git: Use os.rename instead of mv
bitbake: tests/fetch2: Fix quoting warning
bitbake: data_smart: Don't add None to ExpansionError varlist
bitbake: fetch2/svn: Allow peg-revision functionality to be disabled
vim: Backport fix for CVE-2021-3770
libgcrypt: Upgrade 1.9.3 -> 1.9.4
sqlite3: Exclude CVE-2021-36690 from cve checks
recipes: Add missing pkgconfig inherit
lttng-tools: Add missing DEPENDS on bison-native
cross: Drop unused do_install
pybootchart: Avoid divide by zero
bitbake: tests/fetch2: Use our own git server for dtc test repo
scripts/oe-publish-sdk: Disable git gc to avoid build errors
image/qemu: Add explict depends for qemu-helper addto_recipe_sysroot task
siteinfo/autotools: Ensure task checksums reflect site files
package_ipk/deb/rpm: Drop recursive do_build task dependencies
reproducible_build/package_XXX: Ensure SDE task is in dependency chain
populate_sdk_base/images: Drop use of 'meta' class and hence do_build dependencies
buildtools-tarball/uninative-tarball/meta-ide-support: Drop useless meta class
meta: Drop useless class
staging: Mark deploy an sstate task
sstate: Ensure deploy tasks don't pull in toolchains
sstate: Avoid deploy_source_date_epoch sstate when unneeded
ssate: Cleanup directtasks handling
bitbake: build: Ensure python stdout/stderr is logged correctly
bitbake: build: Make exception printing clearer
bitbake: build: Fix log flushing race
oeqa/selftest: Add tests for bitbake shell/python task output
Robert P. J. Day (16):
dev-manual: pass False to d.getVar() for devpyshell example
ref-manual: add missing "${PN}-src" to default PACKAGES list
dev-manual: small number of minor aesthetic tweaks
dev-manual: various pedantic nitpickery
dev-manual: drop "three" since there are four requirements
ref-manual: update SYSROOT_DIRS_* variable entries
README: update manual list and names, online docs URL
image_types_wic.bbclass: alphabetize list of WICVARS
systemd: '${systemd_unitdir}/system' => '${systemd_system_unitdir}'
ref-manual: render options in monospace to show quotes properly
ref-manual: remove mention of obsolete devtool "--any-recipe" option
ref-manual: correct typo in "classes" section, "${BPN}/{PV}"
ref-manual: add potential of parallelism to defn of "Task"
ref-manual: couple minor tweaks to Chapter 1
dev-manual: emphasize that new layers live outside of poky
dev-manual: update output of "wic list images"
Robert Yang (1):
assimp: Remove it
Ross Burton (40):
lz4: remove redundant BSD license
python3-numpy: remove redundant BSD license
quota: remove BSD license
nfs-utils: set precise BSD license
dtc: set precise BSD license
acpica: set precise BSD license
libevent: set precise BSD license
openssh: remove redundant BSD license
python3-packaging: fix license statement
iputils: set precise BSD license
libx11-compose-data: set precise BSD license
webkitgtk: set precise BSD license
libwpe: set precise BSD license
wpebackend-fdo: set precise BSD license
common-licenses: add missing SPDX licences
dev-manual/common-tasks: sync libxpm fragment with the recipe
lsof: correct LICENSE
selftest/python-async-test: set precise BSD license
lsof: add upstream check
xinetd: correct LICENSE
oeqa/recipeutils: update for license change to python-async-test
libxfont: set precise BSD license
valgrind: set precise BSD license
shadow-sysroot: sync license with shadow
ovmf: set precise BSD license
ppp: set precise BSD license
ffmpeg: update LICENSE
hdparm: set correct license
recipetool/create_buildsys_python: treat BSD as BSD-3-Clause
oeqa/selftest/recipetool: update for license changes
create-spdx: transform license list into a dict for faster lookups
create-spdx: remove redundant test
create-spdx: embed unknown license texts
create-spdx: don't duplicate license texts in each package
create-spdx: handle CLOSED license
ffmpeg: fix LICENSE
avahi: remove obsolete intltool-native dependency
shared-mime-info: use a more concise description
libsoup-2.4: remove obsolete intltool dependency
oeqa/target/ssh: don't assume target_dumper is set
Sakib Sajal (1):
go: upgrade 1.16.5 -> 1.16.7
Saul Wold (2):
classes/create-spdx: extend DocumentRef to include name
create-spdx: remove trailing comma
Scott Weaver (3):
bitbake: bitbake: fetch2: fix premirror URI when downloadfilename defined
bitbake: bitbake: tests/fetch: add downloadfilename tests
bitbake: bitbake: tests/fetch: add and fix npm tests
Steve Sakoman (1):
connman: add CVE_PRODUCT
Tom Rini (1):
common-tasks: Add an example of using bbappends to add a file
Trevor Woerner (1):
hello-mod/hello.c: convert to module_init/module_exit
Valentin Danaila (1):
bitbake: fetch2/s3: allow to switch profile from environment variable
Vyacheslav Yurkov (1):
ref-manual: add overlayfs class
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I194b13991cbaac7ae9e20cc2b552b508ab879905
Diffstat (limited to 'meta-security')
-rw-r--r-- | meta-security/classes/dm-verity-img.bbclass | 5 | ||||
-rw-r--r-- | meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb | 7 | ||||
-rw-r--r-- | meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb | 2 | ||||
-rw-r--r-- | meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb | 2 | ||||
-rw-r--r-- | meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb | 2 | ||||
-rw-r--r-- | meta-security/recipes-scanners/checksec/checksec_2.4.0.bb | 2 | ||||
-rw-r--r-- | meta-security/recipes-security/cryfs/cryfs_0.10.3.bb | 10 | ||||
-rw-r--r-- | meta-security/recipes-security/isic/isic_0.07.bb | 2 | ||||
-rw-r--r-- | meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb | 2 | ||||
-rw-r--r-- | meta-security/recipes-security/sssd/files/CVE-2021-3621.patch | 288 | ||||
-rw-r--r-- | meta-security/recipes-security/sssd/sssd_2.5.2.bb (renamed from meta-security/recipes-security/sssd/sssd_2.5.1.bb) | 3 |
11 files changed, 303 insertions, 22 deletions
diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass index a0950dabd..0b6d053a8 100644 --- a/meta-security/classes/dm-verity-img.bbclass +++ b/meta-security/classes/dm-verity-img.bbclass @@ -22,6 +22,9 @@ # is stored where it can be installed into associated initramfs rootfs. STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity" +# Define the data block size to use in veritysetup. +DM_VERITY_IMAGE_DATA_BLOCK_SIZE ?= "1024" + # Process the output from veritysetup and generate the corresponding .env # file. The output from veritysetup is not very machine-friendly so we need to # convert it to some better format. Let's drop the first line (doesn't contain @@ -57,7 +60,7 @@ verity_setup() { # Let's drop the first line of output (doesn't contain any useful info) # and feed the rest to another function. - veritysetup --data-block-size=1024 --hash-offset=$SIZE format $OUTPUT $OUTPUT | tail -n +2 | process_verity + veritysetup --data-block-size=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} --hash-offset=$SIZE format $OUTPUT $OUTPUT | tail -n +2 | process_verity } VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity" diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb b/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb index 8486d0016..53cf8ff11 100644 --- a/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb +++ b/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb @@ -15,9 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=8ec30b01163d242ecf07d9cd84e3611f" DEPENDS = "libtspi tpm-tools" -SRC_URI = "${SOURCEFORGE_MIRROR}/tpmquotetools/${PV}/${BP}.tar.gz" - -SRC_URI[md5sum] = "6e194f5bc534301bbaef53dc6d22c233" -SRC_URI[sha256sum] = "10dc4eade02635557a9496b388360844cd18e7864e2eb882f5e45ab2fa405ae2" +SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools" +SRCREV = "4511874d5c9b4504bb96e94f8a14bd6c39a36295" +S = "${WORKDIR}/git" inherit autotools diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb index a746103de..5e03b710e 100644 --- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb +++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb @@ -1,5 +1,5 @@ SUMMARY = "TrouSerS - An open-source TCG Software Stack implementation." -LICENSE = "BSD" +LICENSE = "BSD-3-Clause" HOMEPAGE = "http://sourceforge.net/projects/trousers/" LIC_FILES_CHKSUM = "file://README;startline=3;endline=4;md5=2af28fbed0832e4d83a9e6dd68bb4413" SECTION = "security/tpm" diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb index 7ea40a8c0..09b652deb 100644 --- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb +++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb @@ -9,7 +9,7 @@ Advantages of this approach: \ * Application software errors are easily reversed by simply removing the TPM state and starting over. \ * Difficult crypto errors are quickly debugged by looking inside the TPM." HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmswtpm2.html" -LICENSE = "BSD" +LICENSE = "BSD-2-Clause" SECTION = "securty/tpm" LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb index ae8974b6c..df6677963 100644 --- a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb @@ -9,7 +9,7 @@ It also comes with a web based TPM interface, suitable for a demo to an \ audience that is unfamiliar with TCG technology. It is also useful for \ basic TPM management." HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmtss2.html" -LICENSE = "BSD" +LICENSE = "BSD-2-Clause" SECTION = "securty/tpm" LIC_FILES_CHKSUM = "file://LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" diff --git a/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb b/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb index 000e3bb73..12c9bce30 100644 --- a/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb +++ b/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb @@ -1,7 +1,7 @@ SUMMARY = "Linux system security checks" DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used." SECTION = "security" -LICENSE = "BSD" +LICENSE = "BSD-3-Clause" HOMEPAGE="https://github.com/slimm609/checksec.sh" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8d90285f711cf1f378e2c024457066d8" diff --git a/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb b/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb deleted file mode 100644 index 74f32a495..000000000 --- a/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb +++ /dev/null @@ -1,10 +0,0 @@ -SUMMARY = "CryFS encrypts your files, so you can safely store them anywhere." -HOMEDIR = "https://www.cryfs.org" - -LICENSE = "LGPL-3.0" -FILE_CHK_SUM = "file://;md5=12345" - -SRC_URI = "https://github.com/${BPN}/${BPN}.git" -SRCREV = "0f83a1ab7e5ca9f37f97bc57b20d3fab0f351d11" - -inherit cmake diff --git a/meta-security/recipes-security/isic/isic_0.07.bb b/meta-security/recipes-security/isic/isic_0.07.bb index fb6e9046d..28153e3b4 100644 --- a/meta-security/recipes-security/isic/isic_0.07.bb +++ b/meta-security/recipes-security/isic/isic_0.07.bb @@ -2,7 +2,7 @@ SUMMARY = "ISIC -- IP Stack Integrity Checker" DESCRIPTION = "ISIC is a suite of utilities to exercise the stability of an IP Stack and its component stacks (TCP, UDP, ICMP et. al.)" HOMEPAGE = "http://isic.sourceforge.net/" SECTION = "security" -LICENSE = "BSD" +LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=d41d8cd98f00b204e9800998ecf8427e" DEPENDS = "libnet" diff --git a/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb b/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb index 8e368121a..6c1bd46b7 100644 --- a/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb +++ b/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb @@ -1,6 +1,6 @@ SUMMARY = "OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones" -LICENSE = "BSD" +LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=b041dbe2da80d4efd951393fbba90937" DEPENDS = "libxml2 openssl ldns libmicrohttpd jansson libyaml " diff --git a/meta-security/recipes-security/sssd/files/CVE-2021-3621.patch b/meta-security/recipes-security/sssd/files/CVE-2021-3621.patch new file mode 100644 index 000000000..7a59df9c6 --- /dev/null +++ b/meta-security/recipes-security/sssd/files/CVE-2021-3621.patch @@ -0,0 +1,288 @@ +Backport patch to fix CVE-2021-3621. + +Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/7ab83f9] +CVE: CVE-2021-3621 + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 7ab83f97e1cbefb78ece17232185bdd2985f0bbe Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov <atikhono@redhat.com> +Date: Fri, 18 Jun 2021 13:17:19 +0200 +Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of + user supplied command +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +:relnote: A flaw was found in SSSD, where the sssctl command was +vulnerable to shell command injection via the logs-fetch and +cache-expire subcommands. This flaw allows an attacker to trick +the root user into running a specially crafted sssctl command, +such as via sudo, to gain root access. The highest threat from this +vulnerability is to confidentiality, integrity, as well as system +availability. +This patch fixes a flaw by replacing system() with execvp(). + +:fixes: CVE-2021-3621 + +Reviewed-by: Pavel Březina <pbrezina@redhat.com> +--- + src/tools/sssctl/sssctl.c | 39 ++++++++++++++++------- + src/tools/sssctl/sssctl.h | 2 +- + src/tools/sssctl/sssctl_data.c | 57 +++++++++++----------------------- + src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++---- + 4 files changed, 73 insertions(+), 57 deletions(-) + +diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c +index 2997dbf968..8adaf30910 100644 +--- a/src/tools/sssctl/sssctl.c ++++ b/src/tools/sssctl/sssctl.c +@@ -97,22 +97,36 @@ sssctl_prompt(const char *message, + return SSSCTL_PROMPT_ERROR; + } + +-errno_t sssctl_run_command(const char *command) ++errno_t sssctl_run_command(const char *const argv[]) + { + int ret; ++ int wstatus; + +- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command); ++ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]); + +- ret = system(command); ++ ret = fork(); + if (ret == -1) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command); + ERROR("Error while executing external command\n"); + return EFAULT; +- } else if (WEXITSTATUS(ret) != 0) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n", +- command, WEXITSTATUS(ret)); ++ } ++ ++ if (ret == 0) { ++ /* cast is safe - see ++ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html ++ "The statement about argv[] and envp[] being constants ... " ++ */ ++ execvp(argv[0], discard_const_p(char * const, argv)); + ERROR("Error while executing external command\n"); +- return EIO; ++ _exit(1); ++ } else { ++ if (waitpid(ret, &wstatus, 0) == -1) { ++ ERROR("Error while executing external command '%s'\n", argv[0]); ++ return EFAULT; ++ } else if (WEXITSTATUS(wstatus) != 0) { ++ ERROR("Command '%s' failed with [%d]\n", ++ argv[0], WEXITSTATUS(wstatus)); ++ return EIO; ++ } + } + + return EOK; +@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action) + #elif defined(HAVE_SERVICE) + switch (action) { + case SSSCTL_SVC_START: +- return sssctl_run_command(SERVICE_PATH" sssd start"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "start", NULL}); + case SSSCTL_SVC_STOP: +- return sssctl_run_command(SERVICE_PATH" sssd stop"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL}); + case SSSCTL_SVC_RESTART: +- return sssctl_run_command(SERVICE_PATH" sssd restart"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL}); + } + #endif + +diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h +index 0115b2457c..599ef65196 100644 +--- a/src/tools/sssctl/sssctl.h ++++ b/src/tools/sssctl/sssctl.h +@@ -47,7 +47,7 @@ enum sssctl_prompt_result + sssctl_prompt(const char *message, + enum sssctl_prompt_result defval); + +-errno_t sssctl_run_command(const char *command); ++errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */ + bool sssctl_start_sssd(bool force); + bool sssctl_stop_sssd(bool force); + bool sssctl_restart_sssd(bool force); +diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c +index 8d79b977fd..bf22913416 100644 +--- a/src/tools/sssctl/sssctl_data.c ++++ b/src/tools/sssctl/sssctl_data.c +@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force) + } + } + +- ret = sssctl_run_command("sss_override user-export " +- SSS_BACKUP_USER_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "user-export", ++ SSS_BACKUP_USER_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to export user overrides\n"); + return ret; + } + +- ret = sssctl_run_command("sss_override group-export " +- SSS_BACKUP_GROUP_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "group-export", ++ SSS_BACKUP_GROUP_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to export group overrides\n"); + return ret; +@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) + } + + if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { +- ret = sssctl_run_command("sss_override user-import " +- SSS_BACKUP_USER_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "user-import", ++ SSS_BACKUP_USER_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to import user overrides\n"); + return ret; +@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) + } + + if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { +- ret = sssctl_run_command("sss_override group-import " +- SSS_BACKUP_GROUP_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "group-import", ++ SSS_BACKUP_GROUP_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to import group overrides\n"); + return ret; +@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline, + void *pvt) + { + errno_t ret; +- char *cmd_args = NULL; +- const char *cachecmd = SSS_CACHE; +- char *cmd = NULL; +- int i; +- +- if (cmdline->argc == 0) { +- ret = sssctl_run_command(cachecmd); +- goto done; +- } + +- cmd_args = talloc_strdup(tool_ctx, ""); +- if (cmd_args == NULL) { +- ret = ENOMEM; +- goto done; ++ const char **args = talloc_array_size(tool_ctx, ++ sizeof(char *), ++ cmdline->argc + 2); ++ if (!args) { ++ return ENOMEM; + } ++ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc); ++ args[0] = SSS_CACHE; ++ args[cmdline->argc + 1] = NULL; + +- for (i = 0; i < cmdline->argc; i++) { +- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]); +- if (i != cmdline->argc - 1) { +- cmd_args = talloc_strdup_append(cmd_args, " "); +- } +- } +- +- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args); +- if (cmd == NULL) { +- ret = ENOMEM; +- goto done; +- } +- +- ret = sssctl_run_command(cmd); +- +-done: +- talloc_free(cmd_args); +- talloc_free(cmd); ++ ret = sssctl_run_command(args); + ++ talloc_free(args); + return ret; + } +diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c +index 9ff2be05b6..ebb2c4571c 100644 +--- a/src/tools/sssctl/sssctl_logs.c ++++ b/src/tools/sssctl/sssctl_logs.c +@@ -31,6 +31,7 @@ + #include <ldb.h> + #include <popt.h> + #include <stdio.h> ++#include <glob.h> + + #include "util/util.h" + #include "tools/common/sss_process.h" +@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, + { + struct sssctl_logs_opts opts = {0}; + errno_t ret; ++ glob_t globbuf; + + /* Parse command line. */ + struct poptOption options[] = { +@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, + + sss_signal(SIGHUP); + } else { ++ globbuf.gl_offs = 4; ++ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); ++ if (ret != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); ++ return ret; ++ } ++ globbuf.gl_pathv[0] = discard_const_p(char, "truncate"); ++ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create"); ++ globbuf.gl_pathv[2] = discard_const_p(char, "--size"); ++ globbuf.gl_pathv[3] = discard_const_p(char, "0"); ++ + PRINT("Truncating log files...\n"); +- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES); ++ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); ++ globfree(&globbuf); + if (ret != EOK) { + ERROR("Unable to truncate log files\n"); + return ret; +@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, + void *pvt) + { + const char *file; +- const char *cmd; + errno_t ret; ++ glob_t globbuf; + + /* Parse command line. */ + ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL, +@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, + return ret; + } + +- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES); +- if (cmd == NULL) { +- ERROR("Out of memory!"); ++ globbuf.gl_offs = 3; ++ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); ++ if (ret != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); ++ return ret; + } ++ globbuf.gl_pathv[0] = discard_const_p(char, "tar"); ++ globbuf.gl_pathv[1] = discard_const_p(char, "-czf"); ++ globbuf.gl_pathv[2] = discard_const_p(char, file); + + PRINT("Archiving log files into %s...\n", file); +- ret = sssctl_run_command(cmd); ++ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); ++ globfree(&globbuf); + if (ret != EOK) { + ERROR("Unable to archive log files\n"); + return ret; diff --git a/meta-security/recipes-security/sssd/sssd_2.5.1.bb b/meta-security/recipes-security/sssd/sssd_2.5.2.bb index 1c77480eb..76d6e03e9 100644 --- a/meta-security/recipes-security/sssd/sssd_2.5.1.bb +++ b/meta-security/recipes-security/sssd/sssd_2.5.2.bb @@ -23,9 +23,10 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g file://drop_ntpdate_chk.patch \ file://fix-ldblibdir.patch \ file://musl_fixup.patch \ + file://CVE-2021-3621.patch \ " -SRC_URI[sha256sum] = "ce2f5d84a3f1750093318afd27f4fd75b1e3e75f7d80fc42d21a40cc54b58ea4" +SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f" inherit autotools pkgconfig gettext python3-dir features_check systemd |