diff options
Diffstat (limited to 'poky/meta/recipes-connectivity')
17 files changed, 234 insertions, 35 deletions
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.11/0001-avoid-start-failure-with-bind-user.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-avoid-start-failure-with-bind-user.patch index 8db96ec04..8db96ec04 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.16.11/0001-avoid-start-failure-with-bind-user.patch +++ b/poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-avoid-start-failure-with-bind-user.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.11/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-named-lwresd-V-and-start-log-hide-build-options.patch index 5bcc16c9b..5bcc16c9b 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.16.11/0001-named-lwresd-V-and-start-log-hide-build-options.patch +++ b/poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-named-lwresd-V-and-start-log-hide-build-options.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.11/bind-ensure-searching-for-json-headers-searches-sysr.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.12/bind-ensure-searching-for-json-headers-searches-sysr.patch index f9cdc7ca4..f9cdc7ca4 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.16.11/bind-ensure-searching-for-json-headers-searches-sysr.patch +++ b/poky/meta/recipes-connectivity/bind/bind-9.16.12/bind-ensure-searching-for-json-headers-searches-sysr.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.11/bind9 b/poky/meta/recipes-connectivity/bind/bind-9.16.12/bind9 index 968679ff7..968679ff7 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.16.11/bind9 +++ b/poky/meta/recipes-connectivity/bind/bind-9.16.12/bind9 diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.11/conf.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.12/conf.patch index aad345f9f..aad345f9f 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.16.11/conf.patch +++ b/poky/meta/recipes-connectivity/bind/bind-9.16.12/conf.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.11/generate-rndc-key.sh b/poky/meta/recipes-connectivity/bind/bind-9.16.12/generate-rndc-key.sh index 633e29c0e..633e29c0e 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.16.11/generate-rndc-key.sh +++ b/poky/meta/recipes-connectivity/bind/bind-9.16.12/generate-rndc-key.sh diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.11/init.d-add-support-for-read-only-rootfs.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.12/init.d-add-support-for-read-only-rootfs.patch index 11db95ede..11db95ede 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.16.11/init.d-add-support-for-read-only-rootfs.patch +++ b/poky/meta/recipes-connectivity/bind/bind-9.16.12/init.d-add-support-for-read-only-rootfs.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.11/make-etc-initd-bind-stop-work.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.12/make-etc-initd-bind-stop-work.patch index 146f3e35d..146f3e35d 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.16.11/make-etc-initd-bind-stop-work.patch +++ b/poky/meta/recipes-connectivity/bind/bind-9.16.12/make-etc-initd-bind-stop-work.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.11/named.service b/poky/meta/recipes-connectivity/bind/bind-9.16.12/named.service index cda56ef01..cda56ef01 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.16.11/named.service +++ b/poky/meta/recipes-connectivity/bind/bind-9.16.12/named.service diff --git a/poky/meta/recipes-connectivity/bind/bind_9.16.11.bb b/poky/meta/recipes-connectivity/bind/bind_9.16.12.bb index f48cc74c2..09f77038f 100644 --- a/poky/meta/recipes-connectivity/bind/bind_9.16.11.bb +++ b/poky/meta/recipes-connectivity/bind/bind_9.16.12.bb @@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \ file://0001-avoid-start-failure-with-bind-user.patch \ " -SRC_URI[sha256sum] = "0111f64dd7d8f515cfa129e181cce96ff82070d1b27f11a21f6856110d0699c1" +SRC_URI[sha256sum] = "9914af9311fd349cab441097898d94fb28d0bfd9bf6ed04fe1f97f042644da7f" UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" # stay at 9.16 follow the ESV versions divisible by 4 @@ -113,7 +113,10 @@ FILES_${PN}-dev += "${bindir}/isc-config.h" FILES_${PN} += "${sbindir}/generate-rndc-key.sh" PACKAGE_BEFORE_PN += "${PN}-libs" -FILES_${PN}-libs = "${libdir}/*.so* ${libdir}/named/*.so*" +# special arrangement below due to +# https://github.com/isc-projects/bind9/commit/0e25af628cd776f98c04fc4cc59048f5448f6c88 +FILES_SOLIBSDEV = "${libdir}/*[!0-9].so ${libdir}/libbind9.so" +FILES_${PN}-libs = "${libdir}/named/*.so* ${libdir}/*-${PV}.so" FILES_${PN}-staticdev += "${libdir}/*.la" PACKAGE_BEFORE_PN += "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3-bind', '', d)}" diff --git a/poky/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch b/poky/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch deleted file mode 100644 index b88bc18f1..000000000 --- a/poky/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 0f90440ca70abab947acbd77795e9f130967956c Mon Sep 17 00:00:00 2001 -From: Darren Tucker <dtucker@dtucker.net> -Date: Fri, 20 Nov 2020 13:37:54 +1100 -Subject: [PATCH] Add new pselect6_time64 syscall on ARM. - -This is apparently needed on armhfp/armv7hl. bz#3232, patch from -jjelen at redhat.com. ---- - sandbox-seccomp-filter.c | 3 +++ - 1 file changed, 3 insertions(+) - -Upstream-Status: Backport -[fixes issues on 32bit IA and probably other 32 bit platforms too with glibc 2.33] - -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index e0768c063..5065ae7ef 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = { - #ifdef __NR_pselect6 - SC_ALLOW(__NR_pselect6), - #endif -+#ifdef __NR_pselect6_time64 -+ SC_ALLOW(__NR_pselect6_time64), -+#endif - #ifdef __NR_read - SC_ALLOW(__NR_read), - #endif diff --git a/poky/meta/recipes-connectivity/openssh/openssh_8.4p1.bb b/poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb index 128e2e318..6a49cf71c 100644 --- a/poky/meta/recipes-connectivity/openssh/openssh_8.4p1.bb +++ b/poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb @@ -5,8 +5,8 @@ Ssh (Secure Shell) is a program for logging into a remote machine \ and for executing commands on a remote machine." HOMEPAGE = "http://www.openssh.com/" SECTION = "console/network" -LICENSE = "BSD & ISC & MIT" -LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3" +LICENSE = "BSD-2-Clause & BSD-3-Clause & BSD-4-Clause & BSD & ISC & MIT" +LIC_FILES_CHKSUM = "file://LICENCE;md5=d9d2753bdef9f19466dc7bc959114b11" DEPENDS = "zlib openssl virtual/crypt" DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" @@ -24,9 +24,8 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ file://sshd_check_keys \ file://add-test-support-for-busybox.patch \ - file://0f90440ca70abab947acbd77795e9f130967956c.patch \ " -SRC_URI[sha256sum] = "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24" +SRC_URI[sha256sum] = "f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25" # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded diff --git a/poky/meta/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch b/poky/meta/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch new file mode 100644 index 000000000..d62b9344c --- /dev/null +++ b/poky/meta/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch @@ -0,0 +1,62 @@ +From 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc Mon Sep 17 00:00:00 2001 +From: Alistair Francis <alistair.francis@wdc.com> +Date: Thu, 29 Aug 2019 13:56:21 -0700 +Subject: [PATCH] Add support for io_pgetevents_time64 syscall + +32-bit architectures that are y2038 safe don't include syscalls that use +32-bit time_t. Instead these architectures have suffixed syscalls that +always use a 64-bit time_t. In the case of the io_getevents syscall the +syscall has been replaced with the io_pgetevents_time64 syscall instead. + +This patch changes the io_getevents() function to use the correct +syscall based on the avaliable syscalls and the time_t size. We will +only use the new 64-bit time_t syscall if the architecture is using a +64-bit time_t. This is to avoid having to deal with 32/64-bit +conversions and relying on a 64-bit timespec struct on 32-bit time_t +platforms. As of Linux 5.3 there are no 32-bit time_t architectures +without __NR_io_getevents. In the future if a 32-bit time_t architecture +wants to use the 64-bit syscalls we can handle the conversion. + +This fixes build failures on 32-bit RISC-V. + +Signed-off-by: Alistair Francis <alistair.francis@wdc.com> + +Reviewed-by: Richard Levitte <levitte@openssl.org> +Reviewed-by: Paul Dale <paul.dale@oracle.com> +(Merged from https://github.com/openssl/openssl/pull/9819) +Upstream-Status: Accepted +--- + engines/e_afalg.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/engines/e_afalg.c b/engines/e_afalg.c +index dacbe358cb..99516cb1bb 100644 +--- a/engines/e_afalg.c ++++ b/engines/e_afalg.c +@@ -125,7 +125,23 @@ static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, + struct io_event *events, + struct timespec *timeout) + { ++#if defined(__NR_io_getevents) + return syscall(__NR_io_getevents, ctx, min, max, events, timeout); ++#elif defined(__NR_io_pgetevents_time64) ++ /* Let's only support the 64 suffix syscalls for 64-bit time_t. ++ * This simplifies the code for us as we don't need to use a 64-bit ++ * version of timespec with a 32-bit time_t and handle converting ++ * between 64-bit and 32-bit times and check for overflows. ++ */ ++ if (sizeof(timeout->tv_sec) == 8) ++ return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL); ++ else { ++ errno = ENOSYS; ++ return -1; ++ } ++#else ++# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64." ++#endif + } + + static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key, +-- +2.30.1 + diff --git a/poky/meta/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch b/poky/meta/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch new file mode 100644 index 000000000..c8bc6f5c6 --- /dev/null +++ b/poky/meta/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch @@ -0,0 +1,99 @@ +From e5499a3cac1e823c3e0697e8667e952317b70cc8 Mon Sep 17 00:00:00 2001 +From: Alistair Francis <alistair.francis@wdc.com> +Date: Thu, 4 Mar 2021 12:10:11 -0500 +Subject: [PATCH] Fixup support for io_pgetevents_time64 syscall + +This is a fixup for the original commit 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc +"Add support for io_pgetevents_time64 syscall" that didn't correctly +work for 32-bit architecutres with a 64-bit time_t that aren't RISC-V. + +For a full discussion of the issue see: +https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc + +Signed-off-by: Alistair Francis <alistair.francis@wdc.com> + +Reviewed-by: Tomas Mraz <tomas@openssl.org> +Reviewed-by: Paul Dale <pauli@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/14432) +Upstream-Status: Accepted +--- + engines/e_afalg.c | 55 ++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 42 insertions(+), 13 deletions(-) + +diff --git a/engines/e_afalg.c b/engines/e_afalg.c +index 9480d7c24b..4e9d67db2d 100644 +--- a/engines/e_afalg.c ++++ b/engines/e_afalg.c +@@ -124,27 +124,56 @@ static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) + return syscall(__NR_io_submit, ctx, n, iocb); + } + ++/* A version of 'struct timespec' with 32-bit time_t and nanoseconds. */ ++struct __timespec32 ++{ ++ __kernel_long_t tv_sec; ++ __kernel_long_t tv_nsec; ++}; ++ + static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, + struct io_event *events, + struct timespec *timeout) + { ++#if defined(__NR_io_pgetevents_time64) ++ /* Check if we are a 32-bit architecture with a 64-bit time_t */ ++ if (sizeof(*timeout) != sizeof(struct __timespec32)) { ++ int ret = syscall(__NR_io_pgetevents_time64, ctx, min, max, events, ++ timeout, NULL); ++ if (ret == 0 || errno != ENOSYS) ++ return ret; ++ } ++#endif ++ + #if defined(__NR_io_getevents) +- return syscall(__NR_io_getevents, ctx, min, max, events, timeout); +-#elif defined(__NR_io_pgetevents_time64) +- /* Let's only support the 64 suffix syscalls for 64-bit time_t. +- * This simplifies the code for us as we don't need to use a 64-bit +- * version of timespec with a 32-bit time_t and handle converting +- * between 64-bit and 32-bit times and check for overflows. +- */ +- if (sizeof(timeout->tv_sec) == 8) +- return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL); ++ if (sizeof(*timeout) == sizeof(struct __timespec32)) ++ /* ++ * time_t matches our architecture length, we can just use ++ * __NR_io_getevents ++ */ ++ return syscall(__NR_io_getevents, ctx, min, max, events, timeout); + else { +- errno = ENOSYS; +- return -1; ++ /* ++ * We don't have __NR_io_pgetevents_time64, but we are using a ++ * 64-bit time_t on a 32-bit architecture. If we can fit the ++ * timeout value in a 32-bit time_t, then let's do that ++ * and then use the __NR_io_getevents syscall. ++ */ ++ if (timeout && timeout->tv_sec == (long)timeout->tv_sec) { ++ struct __timespec32 ts32; ++ ++ ts32.tv_sec = (__kernel_long_t) timeout->tv_sec; ++ ts32.tv_nsec = (__kernel_long_t) timeout->tv_nsec; ++ ++ return syscall(__NR_io_getevents, ctx, min, max, events, ts32); ++ } else { ++ return syscall(__NR_io_getevents, ctx, min, max, events, NULL); ++ } + } +-#else +-# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64." + #endif ++ ++ errno = ENOSYS; ++ return -1; + } + + static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key, +-- +2.30.1 + diff --git a/poky/meta/recipes-connectivity/openssl/openssl_1.1.1j.bb b/poky/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb index 181790e6a..e518cb6a0 100644 --- a/poky/meta/recipes-connectivity/openssl/openssl_1.1.1j.bb +++ b/poky/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb @@ -23,7 +23,12 @@ SRC_URI_append_class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf" +SRC_URI_append_riscv32 = " \ + file://0003-Add-support-for-io_pgetevents_time64-syscall.patch \ + file://0004-Fixup-support-for-io_pgetevents_time64-syscall.patch \ + " + +SRC_URI[sha256sum] = "892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5" inherit lib_package multilib_header multilib_script ptest MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch new file mode 100644 index 000000000..004b1dbd1 --- /dev/null +++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch @@ -0,0 +1,58 @@ +From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Tue, 8 Dec 2020 23:52:50 +0200 +Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request + +p2p_add_device() may remove the oldest entry if there is no room in the +peer table for a new peer. This would result in any pointer to that +removed entry becoming stale. A corner case with an invalid PD Request +frame could result in such a case ending up using (read+write) freed +memory. This could only by triggered when the peer table has reached its +maximum size and the PD Request frame is received from the P2P Device +Address of the oldest remaining entry and the frame has incorrect P2P +Device Address in the payload. + +Fix this by fetching the dev pointer again after having called +p2p_add_device() so that the stale pointer cannot be used. + +Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> + +Upstream-Status: Backport +CVE: CVE-2021-27803 + +Reference to upstream patch: +[https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32] + +Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> +--- + src/p2p/p2p_pd.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c +index 3994ec0..05fd593 100644 +--- a/src/p2p/p2p_pd.c ++++ b/src/p2p/p2p_pd.c +@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa, + goto out; + } + ++ dev = p2p_get_device(p2p, sa); + if (!dev) { +- dev = p2p_get_device(p2p, sa); +- if (!dev) { +- p2p_dbg(p2p, +- "Provision Discovery device not found " +- MACSTR, MAC2STR(sa)); +- goto out; +- } ++ p2p_dbg(p2p, ++ "Provision Discovery device not found " ++ MACSTR, MAC2STR(sa)); ++ goto out; + } + } else if (msg.wfd_subelems) { + wpabuf_free(dev->info.wfd_subelems); +-- +2.17.1 + diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb index caa6018ce..357c28634 100644 --- a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb +++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb @@ -31,6 +31,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \ file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \ file://CVE-2021-0326.patch \ + file://CVE-2021-27803.patch \ " SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190" SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17" |