Diffstat (limited to 'poky/meta/recipes-connectivity')
-rw-r--r--poky/meta/recipes-connectivity/avahi/avahi_0.8.bb6
-rw-r--r--poky/meta/recipes-connectivity/avahi/files/handle-hup.patch41
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/0001-avoid-start-failure-with-bind-user.patch (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-avoid-start-failure-with-bind-user.patch)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/0001-named-lwresd-V-and-start-log-hide-build-options.patch (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-named-lwresd-V-and-start-log-hide-build-options.patch)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/bind-ensure-searching-for-json-headers-searches-sysr.patch (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/bind-ensure-searching-for-json-headers-searches-sysr.patch)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/bind9 (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/bind9)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/conf.patch (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/conf.patch)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/generate-rndc-key.sh (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/generate-rndc-key.sh)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/init.d-add-support-for-read-only-rootfs.patch (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/init.d-add-support-for-read-only-rootfs.patch)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/make-etc-initd-bind-stop-work.patch (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/make-etc-initd-bind-stop-work.patch)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/named.service (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/named.service)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind_9.16.16.bb (renamed from poky/meta/recipes-connectivity/bind/bind_9.16.12.bb)6
-rw-r--r--poky/meta/recipes-connectivity/bluez5/bluez5.inc2
-rw-r--r--poky/meta/recipes-connectivity/bluez5/bluez5/0001-Makefile.am-add-missing-mkdir-for-ell-shared.patch25
-rw-r--r--poky/meta/recipes-connectivity/bluez5/bluez5/0001-audio-Rename-pause-funciton-to-avoid-shadowing-glibc.patch48
-rw-r--r--poky/meta/recipes-connectivity/bluez5/bluez5_5.58.bb (renamed from poky/meta/recipes-connectivity/bluez5/bluez5_5.56.bb)6
-rw-r--r--poky/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch10
-rw-r--r--poky/meta/recipes-connectivity/connman/connman_1.40.bb (renamed from poky/meta/recipes-connectivity/connman/connman_1.39.bb)2
-rw-r--r--poky/meta/recipes-connectivity/iproute2/iproute2_5.12.0.bb (renamed from poky/meta/recipes-connectivity/iproute2/iproute2_5.11.0.bb)2
-rw-r--r--poky/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.15.1.bb (renamed from poky/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb)2
-rw-r--r--poky/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb (renamed from poky/meta/recipes-connectivity/libpcap/libpcap_1.10.0.bb)6
-rw-r--r--poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.4.bb (renamed from poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.3.bb)2
-rw-r--r--poky/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch28
-rw-r--r--poky/meta/recipes-connectivity/ofono/ofono_1.32.bb (renamed from poky/meta/recipes-connectivity/ofono/ofono_1.31.bb)13
-rw-r--r--poky/meta/recipes-connectivity/openssh/openssh_8.6p1.bb (renamed from poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb)8
-rw-r--r--poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch17
-rw-r--r--poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch123
-rw-r--r--poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb3
28 files changed, 318 insertions, 32 deletions
diff --git a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb
index c8a3f876a..430231088 100644
--- a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -24,16 +24,20 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
file://99avahi-autoipd \
file://initscript.patch \
file://0001-Fix-opening-etc-resolv.conf-error.patch \
+ file://handle-hup.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
+# Issue only affects Debian/SUSE, not us
+CVE_CHECK_WHITELIST += "CVE-2021-26720"
+
DEPENDS = "expat libcap libdaemon glib-2.0 intltool-native"
# For gtk related PACKAGECONFIGs: gtk, gtk3
-AVAHI_GTK ?= "gtk3"
+AVAHI_GTK ?= ""
PACKAGECONFIG ??= "dbus ${@bb.utils.contains_any('DISTRO_FEATURES','x11 wayland','${AVAHI_GTK}','',d)}"
PACKAGECONFIG[dbus] = "--enable-dbus,--disable-dbus,dbus"
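Review bot: The whitelist comment `# Issue only affects Debian/SUSE, not us` does not say what makes CVE-2021-26720 inapplicable, so a later audit cannot re-check the decision. As far as I know the flaw sits in a helper script carried by those distributions' packaging rather than in the upstream tarball; if that is the reason, state it, e.g. `# CVE-2021-26720 is in a Debian/SUSE packaging script that this recipe does not install`. The same hunk changes the default to `AVAHI_GTK ?= ""` without a comment, so x11/wayland builds no longer select a gtk PACKAGECONFIG by default; a one-line reason above it would help.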
diff --git a/poky/meta/recipes-connectivity/avahi/files/handle-hup.patch b/poky/meta/recipes-connectivity/avahi/files/handle-hup.patch
new file mode 100644
index 000000000..26632e544
--- /dev/null
+++ b/poky/meta/recipes-connectivity/avahi/files/handle-hup.patch
@@ -0,0 +1,41 @@
+CVE: CVE-2021-3468
+Upstream-Status: Submitted [https://github.com/lathiat/avahi/pull/330]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <sirmy15@gmail.com>
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb11..6c0274d6 100644
+--- a/avahi-daemon/simple-protocol.c
++++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+ }
+ }
+
++ if (events & AVAHI_WATCH_HUP) {
++ client_free(c);
++ return;
++ }
++
+ c->server->poll_api->watch_update(
+ watch,
+ (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
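Review bot: The added guard in client_work() tests only `AVAHI_WATCH_HUP`. If the poll backend can report an error condition on the socket without HUP, the unhandled-event spin described in the commit message could presumably recur, so consider `if (events & (AVAHI_WATCH_HUP | AVAHI_WATCH_ERR)) {`. Whether an earlier branch already handles the error event is not visible, because client_work() starts and ends outside the hunk. The header records `Upstream-Status: Submitted`, so the patch should be compared with whatever upstream finally merges at the next avahi upgrade.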
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-avoid-start-failure-with-bind-user.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.16/0001-avoid-start-failure-with-bind-user.patch
index 8db96ec04..8db96ec04 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-avoid-start-failure-with-bind-user.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/0001-avoid-start-failure-with-bind-user.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.16/0001-named-lwresd-V-and-start-log-hide-build-options.patch
index 5bcc16c9b..5bcc16c9b 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-named-lwresd-V-and-start-log-hide-build-options.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/0001-named-lwresd-V-and-start-log-hide-build-options.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/bind-ensure-searching-for-json-headers-searches-sysr.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.16/bind-ensure-searching-for-json-headers-searches-sysr.patch
index f9cdc7ca4..f9cdc7ca4 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/bind-ensure-searching-for-json-headers-searches-sysr.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/bind-ensure-searching-for-json-headers-searches-sysr.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/bind9 b/poky/meta/recipes-connectivity/bind/bind-9.16.16/bind9
index 968679ff7..968679ff7 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/bind9
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/bind9
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/conf.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.16/conf.patch
index aad345f9f..aad345f9f 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/conf.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/conf.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/generate-rndc-key.sh b/poky/meta/recipes-connectivity/bind/bind-9.16.16/generate-rndc-key.sh
index 633e29c0e..633e29c0e 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/generate-rndc-key.sh
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/generate-rndc-key.sh
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/init.d-add-support-for-read-only-rootfs.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.16/init.d-add-support-for-read-only-rootfs.patch
index 11db95ede..11db95ede 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/init.d-add-support-for-read-only-rootfs.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/init.d-add-support-for-read-only-rootfs.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/make-etc-initd-bind-stop-work.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.16/make-etc-initd-bind-stop-work.patch
index 146f3e35d..146f3e35d 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/make-etc-initd-bind-stop-work.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/make-etc-initd-bind-stop-work.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/named.service b/poky/meta/recipes-connectivity/bind/bind-9.16.16/named.service
index cda56ef01..cda56ef01 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/named.service
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/named.service
diff --git a/poky/meta/recipes-connectivity/bind/bind_9.16.12.bb b/poky/meta/recipes-connectivity/bind/bind_9.16.16.bb
index 09f77038f..b15259840 100644
--- a/poky/meta/recipes-connectivity/bind/bind_9.16.12.bb
+++ b/poky/meta/recipes-connectivity/bind/bind_9.16.16.bb
@@ -20,12 +20,16 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
file://0001-avoid-start-failure-with-bind-user.patch \
"
-SRC_URI[sha256sum] = "9914af9311fd349cab441097898d94fb28d0bfd9bf6ed04fe1f97f042644da7f"
+SRC_URI[sha256sum] = "6c913902adf878e7dc5e229cea94faefc9d40f44775a30213edd08860f761d7b"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
# stay at 9.16 follow the ESV versions divisible by 4
UPSTREAM_CHECK_REGEX = "(?P<pver>9.(16|20|24|28)(\.\d+)+(-P\d+)*)/"
+# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
+# so the issue doesn't affect us.
+CVE_CHECK_WHITELIST += "CVE-2019-6470"
+
inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
# PACKAGECONFIGs readline and libedit should NOT be set at same time
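Review bot: The `CVE_CHECK_WHITELIST += "CVE-2019-6470"` entry rests on a condition outside this recipe (no dhcpd in this layer), but the whitelist applies to every build of bind, including images where another layer provides a dhcpd built against these libraries. The comment should name that condition so integrators know when to drop the entry, e.g. `# Only reachable through ISC dhcpd; remove this entry if your build includes a dhcpd linked against bind`. The bluez5_5.58.bb hunk has the same shape: `CVE-2020-12352 CVE-2020-24490` are suppressed because the fix is in the kernel, yet the entry hides them whichever kernel the image carries. Its comment should say which kernel fix is required (`<fix commit or minimum kernel version>`).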
diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5.inc b/poky/meta/recipes-connectivity/bluez5/bluez5.inc
index a7b628ce1..635cad813 100644
--- a/poky/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/poky/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -52,6 +52,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
file://0001-test-gatt-Fix-hung-issue.patch \
+ file://0001-audio-Rename-pause-funciton-to-avoid-shadowing-glibc.patch \
+ file://0001-Makefile.am-add-missing-mkdir-for-ell-shared.patch \
"
S = "${WORKDIR}/bluez-${PV}"
diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5/0001-Makefile.am-add-missing-mkdir-for-ell-shared.patch b/poky/meta/recipes-connectivity/bluez5/bluez5/0001-Makefile.am-add-missing-mkdir-for-ell-shared.patch
new file mode 100644
index 000000000..03b42f73c
--- /dev/null
+++ b/poky/meta/recipes-connectivity/bluez5/bluez5/0001-Makefile.am-add-missing-mkdir-for-ell-shared.patch
@@ -0,0 +1,25 @@
+From d341ba650af1b7068d9ad034732b4f41b91bb2c1 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Sun, 25 Apr 2021 18:56:41 +0200
+Subject: [PATCH] Makefile.am: add missing mkdir for ell/shared
+
+This addresses build errors out of source tree.
+
+Upstream-Status: Backport
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ Makefile.am | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index be5d5c7..72ad425 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -623,6 +623,7 @@ lib/bluetooth/%.h: lib/%.h
+ $(AM_V_GEN)$(LN_S) -f $(abspath $<) $@
+
+ ell/shared: Makefile
++ $(AM_V_at)$(MKDIR_P) ell
+ $(AM_V_GEN)for f in $(ell_shared) ; do \
+ if [ ! -f $$f ] ; then \
+ $(LN_S) -t ell -f $(abs_srcdir)/../ell/$$f ; \
diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5/0001-audio-Rename-pause-funciton-to-avoid-shadowing-glibc.patch b/poky/meta/recipes-connectivity/bluez5/bluez5/0001-audio-Rename-pause-funciton-to-avoid-shadowing-glibc.patch
new file mode 100644
index 000000000..d9067df02
--- /dev/null
+++ b/poky/meta/recipes-connectivity/bluez5/bluez5/0001-audio-Rename-pause-funciton-to-avoid-shadowing-glibc.patch
@@ -0,0 +1,48 @@
+From 8adab7f1e04948e78854953f9373cac741445a0f Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 30 Apr 2021 21:09:33 -0700
+Subject: [PATCH] audio: Rename pause funciton to avoid shadowing glibc
+ defintions
+
+Fixes
+profiles/audio/media.c:1284:13: error: static declaration of 'pause' follows non-static declaration
+static bool pause(void *user_data)
+ ^
+/mnt/b/yoe/master/build/tmp/work/core2-64-yoe-linux/bluez5/5.56-r0/recipe-sysroot/usr/include/unistd.h:478:12: note: previous declaration is here
+extern int pause (void);
+ ^
+../bluez-5.56/profiles/audio/media.c:1334:11: warning: incompatible function pointer types initializing 'bool (*)(void *)' with an expression of type 'int (void)' [-Wincompatible-function-pointer-types]
+ .pause = pause,
+ ^~~~~
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ profiles/audio/media.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/audio/media.c b/profiles/audio/media.c
+index c84bbe2..7110089 100644
+--- a/profiles/audio/media.c
++++ b/profiles/audio/media.c
+@@ -1281,7 +1281,7 @@ static bool stop(void *user_data)
+ return media_player_send(mp, "Stop");
+ }
+
+-static bool pause(void *user_data)
++static bool apause(void *user_data)
+ {
+ struct media_player *mp = user_data;
+
+@@ -1331,7 +1331,7 @@ static struct avrcp_player_cb player_cb = {
+ .set_volume = set_volume,
+ .play = play,
+ .stop = stop,
+- .pause = pause,
++ .pause = apause,
+ .next = next,
+ .previous = previous,
+ };
+--
+2.31.1
+
diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5_5.56.bb b/poky/meta/recipes-connectivity/bluez5/bluez5_5.58.bb
index 676cb2dbb..eb8475ec1 100644
--- a/poky/meta/recipes-connectivity/bluez5/bluez5_5.56.bb
+++ b/poky/meta/recipes-connectivity/bluez5/bluez5_5.58.bb
@@ -1,7 +1,9 @@
require bluez5.inc
-SRC_URI[md5sum] = "e6c51b2aefa7c56ff072819a78611fa5"
-SRC_URI[sha256sum] = "59c4dba9fc8aae2a6a5f8f12f19bc1b0c2dc27355c7ca3123eed3fe6bd7d0b9d"
+SRC_URI[sha256sum] = "c8065e75a5eb67236849ef68a354b1700540305a8c88ef0a0fd6288f19daf1f1"
+
+# These issues have kernel fixes rather than bluez fixes so exclude here
+CVE_CHECK_WHITELIST += "CVE-2020-12352 CVE-2020-24490"
# noinst programs in Makefile.tools that are conditional on READLINE
# support
diff --git a/poky/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch b/poky/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
index 942b9c97b..9dca21a02 100644
--- a/poky/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
+++ b/poky/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
@@ -1,4 +1,4 @@
-From c7734e1547db967eccf242fe4b9e8a30b9ff141c Mon Sep 17 00:00:00 2001
+From 01974865e4d331eeaf25248bee1bb96539c450d9 Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Mon, 6 Apr 2015 23:02:21 -0700
Subject: [PATCH] resolve: musl does not implement res_ninit
@@ -15,7 +15,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
1 file changed, 13 insertions(+), 21 deletions(-)
diff --git a/gweb/gresolv.c b/gweb/gresolv.c
-index 38a554e..a9e8740 100644
+index 954e7cf..2a9bc51 100644
--- a/gweb/gresolv.c
+++ b/gweb/gresolv.c
@@ -36,6 +36,7 @@
@@ -26,7 +26,7 @@ index 38a554e..a9e8740 100644
#include "gresolv.h"
-@@ -877,8 +878,6 @@ GResolv *g_resolv_new(int index)
+@@ -878,8 +879,6 @@ GResolv *g_resolv_new(int index)
resolv->index = index;
resolv->nameserver_list = NULL;
@@ -35,7 +35,7 @@ index 38a554e..a9e8740 100644
return resolv;
}
-@@ -918,8 +917,6 @@ void g_resolv_unref(GResolv *resolv)
+@@ -919,8 +918,6 @@ void g_resolv_unref(GResolv *resolv)
flush_nameservers(resolv);
@@ -44,7 +44,7 @@ index 38a554e..a9e8740 100644
g_free(resolv);
}
-@@ -1022,24 +1019,19 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
+@@ -1023,24 +1020,19 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
debug(resolv, "hostname %s", hostname);
if (!resolv->nameserver_list) {
diff --git a/poky/meta/recipes-connectivity/connman/connman_1.39.bb b/poky/meta/recipes-connectivity/connman/connman_1.40.bb
index df42e9ffb..15d105e2b 100644
--- a/poky/meta/recipes-connectivity/connman/connman_1.39.bb
+++ b/poky/meta/recipes-connectivity/connman/connman_1.40.bb
@@ -9,7 +9,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
-SRC_URI[sha256sum] = "9f62a7169b7491c670a1ff2e335b0d966308fb2f62e285c781105eb90f181af3"
+SRC_URI[sha256sum] = "1a57ae7ce234aa3a1744aac3be5c2121d98dce999440ef8ab9cc4edfd5edcb12"
RRECOMMENDS_${PN} = "connman-conf"
RCONFLICTS_${PN} = "networkmanager"
diff --git a/poky/meta/recipes-connectivity/iproute2/iproute2_5.11.0.bb b/poky/meta/recipes-connectivity/iproute2/iproute2_5.12.0.bb
index e27b42d23..363112337 100644
--- a/poky/meta/recipes-connectivity/iproute2/iproute2_5.11.0.bb
+++ b/poky/meta/recipes-connectivity/iproute2/iproute2_5.12.0.bb
@@ -4,7 +4,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/net/${BPN}/${BP}.tar.xz \
file://0001-libc-compat.h-add-musl-workaround.patch \
"
-SRC_URI[sha256sum] = "c5e2ea108212b3445051b35953ec267f9f3469e1d5c67ac034ab559849505c54"
+SRC_URI[sha256sum] = "9d268db98a36ee2a0e3ff3b92b2efff66fc1138a51e409bdef6ab3cfe15f326f"
# CFLAGS are computed in Makefile and reference CCOPTS
#
diff --git a/poky/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb b/poky/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.15.1.bb
index 9a83898e5..f3b64174c 100644
--- a/poky/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb
+++ b/poky/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.15.1.bb
@@ -11,7 +11,7 @@ DEPENDS = "avahi"
SRC_URI = "git://github.com/lathiat/nss-mdns \
"
-SRCREV = "41c9c5e78f287ed4b41ac438c1873fa71bfa70ae"
+SRCREV = "4b3cfe818bf72d99a02b8ca8b8813cb2d6b40633"
S = "${WORKDIR}/git"
diff --git a/poky/meta/recipes-connectivity/libpcap/libpcap_1.10.0.bb b/poky/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb
index 967eabcc1..f528595c9 100644
--- a/poky/meta/recipes-connectivity/libpcap/libpcap_1.10.0.bb
+++ b/poky/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb
@@ -10,10 +10,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453 \
file://pcap.h;beginline=1;endline=32;md5=39af3510e011f34b8872f120b1dc31d2"
DEPENDS = "flex-native bison-native"
-SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \
- "
-SRC_URI[md5sum] = "8c12dc19dd7e0d02d2bb6596eb5a71c7"
-SRC_URI[sha256sum] = "8d12b42623eeefee872f123bd0dc85d535b00df4d42e865f993c40f7bfc92b1e"
+SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz"
+SRC_URI[sha256sum] = "ed285f4accaf05344f90975757b3dbfe772ba41d1c401c2648b7fa45b711bdd4"
inherit autotools binconfig-disabled pkgconfig
diff --git a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.3.bb b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.4.bb
index d8c6391b3..5500a9249 100644
--- a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.3.bb
+++ b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.4.bb
@@ -31,7 +31,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.x
file://0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch \
file://clang-warnings.patch \
"
-SRC_URI[sha256sum] = "b54d6d8ea2ee62d64111278301ba4631b7bb19174e7f717a724fe5d463900c80"
+SRC_URI[sha256sum] = "51997d94e4c8bcef5456dd36a9ccc38e231207c4e9b6a9a2c108841e6aebe3dd"
# Only kernel-module-nfsd is required here (but can be built-in) - the nfsd module will
# pull in the remainder of the dependencies.
diff --git a/poky/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch b/poky/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch
new file mode 100644
index 000000000..3655b3fd6
--- /dev/null
+++ b/poky/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch
@@ -0,0 +1,28 @@
+From 76e4054801350ebd4a44057379431a33d460ad0f Mon Sep 17 00:00:00 2001
+From: Martin Jansa <Martin.Jansa@gmail.com>
+Date: Wed, 21 Apr 2021 11:01:34 +0000
+Subject: [PATCH] mbim: Fix build with ell-0.39 by restoring unlikely macro
+ from ell/util.h
+
+Upstream-Status: Pending
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ drivers/mbimmodem/mbim-private.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/mbimmodem/mbim-private.h b/drivers/mbimmodem/mbim-private.h
+index 51693eae..d917312c 100644
+--- a/drivers/mbimmodem/mbim-private.h
++++ b/drivers/mbimmodem/mbim-private.h
+@@ -30,6 +30,10 @@
+ __result; })
+ #endif
+
++/* used to be part of ell/util.h before 0.39:
++ https://git.kernel.org/pub/scm/libs/ell/ell.git/commit/?id=2a682421b06e41c45098217a686157f576847021 */
++#define unlikely(x) __builtin_expect(!!(x), 0)
++
+ enum mbim_control_message {
+ MBIM_OPEN_MSG = 0x1,
+ MBIM_CLOSE_MSG = 0x2,
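Review bot: The restored `unlikely` macro is defined unconditionally, while the macro just above it appears to be guarded (it ends with `#endif`). If a sysroot's ell headers still provide `unlikely` with a different spelling, the build warns or fails on redefinition. A guard keeps the patch valid on both sides of ell 0.39: `#ifndef unlikely`, then `#define unlikely(x) __builtin_expect(!!(x), 0)`, then `#endif`. The patch is marked `Upstream-Status: Pending`, so it should be dropped once ofono carries its own definition.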
diff --git a/poky/meta/recipes-connectivity/ofono/ofono_1.31.bb b/poky/meta/recipes-connectivity/ofono/ofono_1.32.bb
index 7d0976ad7..f3d875b20 100644
--- a/poky/meta/recipes-connectivity/ofono/ofono_1.31.bb
+++ b/poky/meta/recipes-connectivity/ofono/ofono_1.32.bb
@@ -11,9 +11,9 @@ SRC_URI = "\
${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://ofono \
file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \
+ file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \
"
-SRC_URI[md5sum] = "1c26340e3c6ed132cc812595081bb3dc"
-SRC_URI[sha256sum] = "a15c5d28096c10eb30e47a68b6dc2e7c4a5a99d7f4cfedf0b69624f33d859e9b"
+SRC_URI[sha256sum] = "f7d775887b7b80cf3b82e3f0a6c2696c6d01963d222ca2217919d21b9e803042"
inherit autotools pkgconfig update-rc.d systemd gobject-introspection-data
@@ -30,9 +30,14 @@ PACKAGECONFIG[bluez] = "--enable-bluetooth, --disable-bluetooth, bluez5"
EXTRA_OECONF += "--enable-test --enable-external-ell"
+do_configure_prepend() {
+ bbnote "Removing bundled ell from ${S}/ell to prevent including it"
+ rm -rf ${S}/ell
+}
+
do_install_append() {
- install -d ${D}${sysconfdir}/init.d/
- install -m 0755 ${WORKDIR}/ofono ${D}${sysconfdir}/init.d/ofono
+ install -d ${D}${sysconfdir}/init.d/
+ install -m 0755 ${WORKDIR}/ofono ${D}${sysconfdir}/init.d/ofono
}
PACKAGES =+ "${PN}-tests"
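Review bot: The new `do_configure_prepend` runs `rm -rf ${S}/ell` on every configure, which mutates the source tree and would also delete the directory from a devtool/externalsrc checkout where `${S}` is a developer's working copy. The recipe already passes `--enable-external-ell`, so the comment or `bbnote` should say why the option alone is not enough to keep the bundled copy out of the build; that cannot be judged from this hunk. If the deletion is needed, doing it once after unpack rather than in configure would keep configure free of source-tree changes.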
diff --git a/poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb b/poky/meta/recipes-connectivity/openssh/openssh_8.6p1.bb
index 6a49cf71c..e8f041c58 100644
--- a/poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb
+++ b/poky/meta/recipes-connectivity/openssh/openssh_8.6p1.bb
@@ -25,12 +25,18 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
"
-SRC_URI[sha256sum] = "f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25"
+SRC_URI[sha256sum] = "c3e6e4da1621762c850d03b47eed1e48dff4cc9608ddeb547202a234df8ed7ae"
+
+# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
+CVE_CHECK_WHITELIST += "CVE-2007-2768"
# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
CVE_CHECK_WHITELIST += "CVE-2014-9278"
+# CVE only applies to some distributed RHEL binaries
+CVE_CHECK_WHITELIST += "CVE-2008-3844"
+
PAM_SRC_URI = "file://sshd"
inherit manpages useradd update-rc.d update-alternatives systemd
diff --git a/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
index 949c78834..003cfbc8d 100644
--- a/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ b/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -25,16 +25,19 @@ Signed-off-by: Martin Hundebøll <martin@geanix.com>
Update to fix buildpaths qa issue for '-fmacro-prefix-map'.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+Update to fix buildpaths qa issue for '-ffile-prefix-map'.
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
---
Configurations/unix-Makefile.tmpl | 10 +++++++++-
crypto/build.info | 2 +-
2 files changed, 10 insertions(+), 2 deletions(-)
-diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 16af4d2087..54c162784c 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
-@@ -317,13 +317,22 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
+@@ -420,13 +420,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lfl
'$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
@@ -49,6 +52,7 @@ index 16af4d2087..54c162784c 100644
+CFLAGS_Q={- for (@{$config{CFLAGS}}) {
+ s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
+ s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
++ s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g;
+ }
+ join(' ', @{$config{CFLAGS}}) -}
+
@@ -58,11 +62,9 @@ index 16af4d2087..54c162784c 100644
PERLASM_SCHEME= {- $target{perlasm_scheme} -}
# For x86 assembler: Set PROCESSOR to 386 if you want to support
-diff --git a/crypto/build.info b/crypto/build.info
-index b515b7318e..8c9cee2a09 100644
--- a/crypto/build.info
+++ b/crypto/build.info
-@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
+@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink
ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
DEPEND[cversion.o]=buildinf.h
@@ -71,6 +73,3 @@ index b515b7318e..8c9cee2a09 100644
DEPEND[buildinf.h]=../configdata.pm
GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)
---
-2.19.1
-
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
new file mode 100644
index 000000000..e2540fc26
--- /dev/null
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
@@ -0,0 +1,123 @@
+From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Mar 2021 18:19:31 +0200
+Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
+
+The supported hash algorithms do not use AlgorithmIdentifier parameters.
+However, there are implementations that include NULL parameters in
+addition to ones that omit the parameters. Previous implementation did
+not check the parameters value at all which supported both these cases,
+but did not reject any other unexpected information.
+
+Use strict validation of digest algorithm parameters and reject any
+unexpected value when validating a signature. This is needed to prevent
+potential forging attacks.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport
+CVE: CVE-2021-30004
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/tls/pkcs1.c | 21 +++++++++++++++++++++
+ src/tls/x509v3.c | 20 ++++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
+index 141ac50..e09db07 100644
+--- a/src/tls/pkcs1.c
++++ b/src/tls/pkcs1.c
+@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
++ hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "PKCS #1: Unexpected digest algorithm parameters");
++ os_free(decrypted);
++ return -1;
++ }
+
+ if (!asn1_oid_equal(&oid, hash_alg)) {
+ char txt[100], txt2[100];
+diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
+index 1bd5aa0..bf2289f 100644
+--- a/src/tls/x509v3.c
++++ b/src/tls/x509v3.c
+@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "X509: Unexpected digest algorithm parameters");
++ os_free(data);
++ return -1;
++ }
+
+ if (x509_sha1_oid(&oid)) {
+ if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
+--
+2.17.1
+
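Review bot: The new parameter check calls `asn1_is_null(&hdr)` in both pkcs1_v15_sig_ver() and x509_check_signature(), but this backport touches only pkcs1.c and x509v3.c and does not add that helper. Confirm that the ASN.1 header in wpa_supplicant 2.9 already declares it; if it does not, any configuration that compiles src/tls will fail to build. In that case the equivalent test can be spelled out as `hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_NULL`. Both functions start and end outside the hunks, so the later use of `hdr` after it is overwritten by `asn1_get_next()` could not be checked here.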
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 357c28634..16c591852 100644
--- a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=279b4f5abb9c153c285221855ddb78cc \
DEPENDS = "dbus libnl"
RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli"
-PACKAGECONFIG ??= "gnutls"
+PACKAGECONFIG ??= "openssl"
PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt"
PACKAGECONFIG[openssl] = ",,openssl"
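Review bot: The default backend change `PACKAGECONFIG ??= "openssl"` replaces the TLS/crypto library used for EAP authentication, yet the recipe records no reason for it. Add a comment above the line giving the motivation. It would also help to note whether the src/tls fixes added by CVE-2021-30004.patch in this same commit are still compiled in with this backend, since that is not evident from the recipe.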
@@ -32,6 +32,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
file://CVE-2021-0326.patch \
file://CVE-2021-27803.patch \
+ file://CVE-2021-30004.patch \
"
SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"