From 2af2c470828b4b3bbcd44215d6a68c8d01cd74db Mon Sep 17 00:00:00 2001 From: "Jason M. Bills" Date: Wed, 26 Jan 2022 15:10:44 -0800 Subject: Update to internal 1.01-61 Signed-off-by: Jason M. Bills --- ...1-Fix-NULL-pointer-crashes-CVE-2021-36217.patch | 148 ++++++++++ .../avahi/0002-handle-hup-CVE-2021-3468.patch | 41 +++ .../recipes-connectivity/avahi/avahi_%.bbappend | 6 + .../recipes-connectivity/openssl/openssl_1.1.1k.bb | 211 -------------- .../recipes-connectivity/openssl/openssl_1.1.1l.bb | 211 ++++++++++++++ .../recipes-core/crashdump/crashdump_git.bb | 2 +- ...04-fix-NULL-pointer-dereference-bug-28213.patch | 39 +++ ...-in-positional-parameter-number-bug-28011.patch | 40 +++ .../meta-common/recipes-core/glibc/glibc_2.33.bb | 2 + ...pdate-Product-ID-for-EEPROM-FRU-platforms.patch | 104 ++++--- .../recipes-core/nv-sync/nv-sync/nv-syncd | 8 +- ...ic-unit-name-do-not-use-strdupa-on-a-path.patch | 64 +++++ .../recipes-core/systemd/systemd_%.bbappend | 1 + ...pcutils-be-careful-when-call-calloc-for-u.patch | 28 ++ .../recipes-core/util-linux/util-linux_%.bbappend | 6 + ...the-signal-page-contains-defined-contents.patch | 52 ++++ ..._tables-fix-compat-match-target-pad-out-o.patch | 107 +++++++ ...-bug-in-rb_per_cpu_empty-that-might-cause.patch | 106 +++++++ .../recipes-kernel/linux/linux-aspeed/intel.cfg | 4 +- .../recipes-kernel/linux/linux-aspeed_%.bbappend | 18 ++ .../0009-Add-dbus-interface-for-sol-commands.patch | 317 --------------------- ...move-Get-SOL-Config-Command-from-Netipmid.patch | 55 ++-- .../ipmi/phosphor-ipmi-net_%.bbappend | 3 +- .../webui/phosphor-webui_%.bbappend | 2 +- .../recipes-support/curl/curl_7.77.0.bb | 81 ------ .../recipes-support/curl/curl_7.78.0.bb | 80 ++++++ .../recipes-support/nettle/nettle_3.7.2.bb | 58 ---- .../recipes-support/nettle/nettle_3.7.3.bb | 58 ++++ 28 files changed, 1102 insertions(+), 750 deletions(-) create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/0001-Fix-NULL-pointer-crashes-CVE-2021-36217.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/0002-handle-hup-CVE-2021-3468.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend delete mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1k.bb create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb create mode 100644 meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0038-CVE-2021-38604-fix-NULL-pointer-dereference-bug-28213.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0039-CVE-2021-35942-handle-overflow-in-positional-parameter-number-bug-28011.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/0003-CVE-2021-33910-basic-unit-name-do-not-use-strdupa-on-a-path.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/util-linux/util-linux/CVE-2021-37600/0001-sys-utils-ipcutils-be-careful-when-call-calloc-for-u.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/util-linux/util-linux_%.bbappend create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-21781/0001-ARM-ensure-the-signal-page-contains-defined-contents.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-22555/0001-netfilter-x_tables-fix-compat-match-target-pad-out-o.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-3679/0001-tracing-Fix-bug-in-rb_per_cpu_empty-that-might-cause.patch delete mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-net/0009-Add-dbus-interface-for-sol-commands.patch delete mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.77.0.bb create mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.78.0.bb delete mode 100644 meta-openbmc-mods/meta-common/recipes-support/nettle/nettle_3.7.2.bb create mode 100644 meta-openbmc-mods/meta-common/recipes-support/nettle/nettle_3.7.3.bb diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/0001-Fix-NULL-pointer-crashes-CVE-2021-36217.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/0001-Fix-NULL-pointer-crashes-CVE-2021-36217.patch new file mode 100644 index 000000000..7b0449a2e --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/0001-Fix-NULL-pointer-crashes-CVE-2021-36217.patch @@ -0,0 +1,148 @@ +From 9d31939e55280a733d930b15ac9e4dda4497680c Mon Sep 17 00:00:00 2001 +From: Tommi Rantala +Date: Mon, 8 Feb 2021 11:04:43 +0200 +Subject: [PATCH] Fix NULL pointer crashes from #175 + +avahi-daemon is crashing when running "ping .local". +The crash is due to failing assertion from NULL pointer. +Add missing NULL pointer checks to fix it. + +Introduced in #175 - merge commit 8f75a045709a780c8cf92a6a21e9d35b593bdecd +--- + avahi-core/browse-dns-server.c | 5 ++++- + avahi-core/browse-domain.c | 5 ++++- + avahi-core/browse-service-type.c | 3 +++ + avahi-core/browse-service.c | 3 +++ + avahi-core/browse.c | 3 +++ + avahi-core/resolve-address.c | 5 ++++- + avahi-core/resolve-host-name.c | 5 ++++- + avahi-core/resolve-service.c | 5 ++++- + 8 files changed, 29 insertions(+), 5 deletions(-) + +diff --git a/avahi-core/browse-dns-server.c b/avahi-core/browse-dns-server.c +index 049752e9..c2d914fa 100644 +--- a/avahi-core/browse-dns-server.c ++++ b/avahi-core/browse-dns-server.c +@@ -343,7 +343,10 @@ AvahiSDNSServerBrowser *avahi_s_dns_server_browser_new( + AvahiSDNSServerBrowser* b; + + b = avahi_s_dns_server_browser_prepare(server, interface, protocol, domain, type, aprotocol, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_dns_server_browser_start(b); + + return b; +-} +\ No newline at end of file ++} +diff --git a/avahi-core/browse-domain.c b/avahi-core/browse-domain.c +index f145d56a..06fa70c0 100644 +--- a/avahi-core/browse-domain.c ++++ b/avahi-core/browse-domain.c +@@ -253,7 +253,10 @@ AvahiSDomainBrowser *avahi_s_domain_browser_new( + AvahiSDomainBrowser *b; + + b = avahi_s_domain_browser_prepare(server, interface, protocol, domain, type, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_domain_browser_start(b); + + return b; +-} +\ No newline at end of file ++} +diff --git a/avahi-core/browse-service-type.c b/avahi-core/browse-service-type.c +index fdd22dcd..b1fc7af8 100644 +--- a/avahi-core/browse-service-type.c ++++ b/avahi-core/browse-service-type.c +@@ -171,6 +171,9 @@ AvahiSServiceTypeBrowser *avahi_s_service_type_browser_new( + AvahiSServiceTypeBrowser *b; + + b = avahi_s_service_type_browser_prepare(server, interface, protocol, domain, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_service_type_browser_start(b); + + return b; +diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c +index 5531360c..63e0275a 100644 +--- a/avahi-core/browse-service.c ++++ b/avahi-core/browse-service.c +@@ -184,6 +184,9 @@ AvahiSServiceBrowser *avahi_s_service_browser_new( + AvahiSServiceBrowser *b; + + b = avahi_s_service_browser_prepare(server, interface, protocol, service_type, domain, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_service_browser_start(b); + + return b; +diff --git a/avahi-core/browse.c b/avahi-core/browse.c +index 2941e579..e8a915e9 100644 +--- a/avahi-core/browse.c ++++ b/avahi-core/browse.c +@@ -634,6 +634,9 @@ AvahiSRecordBrowser *avahi_s_record_browser_new( + AvahiSRecordBrowser *b; + + b = avahi_s_record_browser_prepare(server, interface, protocol, key, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_record_browser_start_query(b); + + return b; +diff --git a/avahi-core/resolve-address.c b/avahi-core/resolve-address.c +index ac0b29b1..e61dd242 100644 +--- a/avahi-core/resolve-address.c ++++ b/avahi-core/resolve-address.c +@@ -286,7 +286,10 @@ AvahiSAddressResolver *avahi_s_address_resolver_new( + AvahiSAddressResolver *b; + + b = avahi_s_address_resolver_prepare(server, interface, protocol, address, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_address_resolver_start(b); + + return b; +-} +\ No newline at end of file ++} +diff --git a/avahi-core/resolve-host-name.c b/avahi-core/resolve-host-name.c +index 808b0e72..4e8e5973 100644 +--- a/avahi-core/resolve-host-name.c ++++ b/avahi-core/resolve-host-name.c +@@ -318,7 +318,10 @@ AvahiSHostNameResolver *avahi_s_host_name_resolver_new( + AvahiSHostNameResolver *b; + + b = avahi_s_host_name_resolver_prepare(server, interface, protocol, host_name, aprotocol, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_host_name_resolver_start(b); + + return b; +-} +\ No newline at end of file ++} +diff --git a/avahi-core/resolve-service.c b/avahi-core/resolve-service.c +index 66bf3cae..43771763 100644 +--- a/avahi-core/resolve-service.c ++++ b/avahi-core/resolve-service.c +@@ -519,7 +519,10 @@ AvahiSServiceResolver *avahi_s_service_resolver_new( + AvahiSServiceResolver *b; + + b = avahi_s_service_resolver_prepare(server, interface, protocol, name, type, domain, aprotocol, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_service_resolver_start(b); + + return b; +-} +\ No newline at end of file ++} diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/0002-handle-hup-CVE-2021-3468.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/0002-handle-hup-CVE-2021-3468.patch new file mode 100644 index 000000000..26632e544 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/0002-handle-hup-CVE-2021-3468.patch @@ -0,0 +1,41 @@ +CVE: CVE-2021-3468 +Upstream-Status: Submitted [https://github.com/lathiat/avahi/pull/330] +Signed-off-by: Ross Burton + +From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001 +From: Riccardo Schirone +Date: Fri, 26 Mar 2021 11:50:24 +0100 +Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in + client_work + +If a client fills the input buffer, client_work() disables the +AVAHI_WATCH_IN event, thus preventing the function from executing the +`read` syscall the next times it is called. However, if the client then +terminates the connection, the socket file descriptor receives a HUP +event, which is not handled, thus the kernel keeps marking the HUP event +as occurring. While iterating over the file descriptors that triggered +an event, the client file descriptor will keep having the HUP event and +the client_work() function is always called with AVAHI_WATCH_HUP but +without nothing being done, thus entering an infinite loop. + +See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938 +--- + avahi-daemon/simple-protocol.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c +index 3e0ebb11..6c0274d6 100644 +--- a/avahi-daemon/simple-protocol.c ++++ b/avahi-daemon/simple-protocol.c +@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv + } + } + ++ if (events & AVAHI_WATCH_HUP) { ++ client_free(c); ++ return; ++ } ++ + c->server->poll_api->watch_update( + watch, + (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) | diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend new file mode 100644 index 000000000..ba6b7b554 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend @@ -0,0 +1,6 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI += " \ + file://0001-Fix-NULL-pointer-crashes-CVE-2021-36217.patch \ + file://0002-handle-hup-CVE-2021-3468.patch \ + " diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1k.bb b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1k.bb deleted file mode 100644 index 034cc610d..000000000 --- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1k.bb +++ /dev/null @@ -1,211 +0,0 @@ -SUMMARY = "Secure Socket Layer" -DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." -HOMEPAGE = "http://www.openssl.org/" -BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" -SECTION = "libs/network" - -# "openssl" here actually means both OpenSSL and SSLeay licenses apply -# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped) -LICENSE = "openssl" -LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8" - -DEPENDS = "hostperl-runtime-native" - -SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ - file://run-ptest \ - file://0001-skip-test_symbol_presence.patch \ - file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ - file://afalg.patch \ - file://reproducible.patch \ - " - -SRC_URI_append_class-nativesdk = " \ - file://environment.d-openssl.sh \ - " - -SRC_URI[sha256sum] = "892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5" - -inherit lib_package multilib_header multilib_script ptest -MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" - -PACKAGECONFIG ?= "" -PACKAGECONFIG_class-native = "" -PACKAGECONFIG_class-nativesdk = "" - -PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module" - -B = "${WORKDIR}/build" -do_configure[cleandirs] = "${B}" - -#| ./libcrypto.so: undefined reference to `getcontext' -#| ./libcrypto.so: undefined reference to `setcontext' -#| ./libcrypto.so: undefined reference to `makecontext' -EXTRA_OECONF_append_libc-musl = " no-async" -EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm" - -# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions -# (native versions can be built with newer glibc, but then relocated onto a system with older glibc) -EXTRA_OECONF_class-native = "--with-rand-seed=os,devrandom" -EXTRA_OECONF_class-nativesdk = "--with-rand-seed=os,devrandom" - -# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. -CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" -CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" - -do_configure () { - os=${HOST_OS} - case $os in - linux-gnueabi |\ - linux-gnuspe |\ - linux-musleabi |\ - linux-muslspe |\ - linux-musl ) - os=linux - ;; - *) - ;; - esac - target="$os-${HOST_ARCH}" - case $target in - linux-arm*) - target=linux-armv4 - ;; - linux-aarch64*) - target=linux-aarch64 - ;; - linux-i?86 | linux-viac3) - target=linux-x86 - ;; - linux-gnux32-x86_64 | linux-muslx32-x86_64 ) - target=linux-x32 - ;; - linux-gnu64-x86_64) - target=linux-x86_64 - ;; - linux-mips | linux-mipsel) - # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags - target="linux-mips32 ${TARGET_CC_ARCH}" - ;; - linux-gnun32-mips*) - target=linux-mips64 - ;; - linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el) - target=linux64-mips64 - ;; - linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*) - target=linux-generic32 - ;; - linux-powerpc) - target=linux-ppc - ;; - linux-powerpc64) - target=linux-ppc64 - ;; - linux-powerpc64le) - target=linux-ppc64le - ;; - linux-riscv32) - target=linux-generic32 - ;; - linux-riscv64) - target=linux-generic64 - ;; - linux-sparc | linux-supersparc) - target=linux-sparcv9 - ;; - esac - - useprefix=${prefix} - if [ "x$useprefix" = "x" ]; then - useprefix=/ - fi - # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the - # environment variables set by bitbake. Adjust the environment variables instead. - HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ - perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target - perl ${B}/configdata.pm --dump -} - -do_install () { - oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install - - oe_multilib_header openssl/opensslconf.h - - # Create SSL structure for packages such as ca-certificates which - # contain hard-coded paths to /etc/ssl. Debian does the same. - install -d ${D}${sysconfdir}/ssl - mv ${D}${libdir}/ssl-1.1/certs \ - ${D}${libdir}/ssl-1.1/private \ - ${D}${libdir}/ssl-1.1/openssl.cnf \ - ${D}${sysconfdir}/ssl/ - - # Although absolute symlinks would be OK for the target, they become - # invalid if native or nativesdk are relocated from sstate. - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf -} - -do_install_append_class-native () { - create_wrapper ${D}${bindir}/openssl \ - OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \ - SSL_CERT_DIR=${libdir}/ssl-1.1/certs \ - SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \ - OPENSSL_ENGINES=${libdir}/engines-1.1 -} - -do_install_append_class-nativesdk () { - mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d - install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh - sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh -} - -PTEST_BUILD_HOST_FILES += "configdata.pm" -PTEST_BUILD_HOST_PATTERN = "perl_version =" -do_install_ptest () { - # Prune the build tree - rm -f ${B}/fuzz/*.* ${B}/test/*.* - - cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH} - cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH} - - # For test_shlibload - ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/ - ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/ - - install -d ${D}${PTEST_PATH}/apps - ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps - install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps - install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps - - install -d ${D}${PTEST_PATH}/engines - install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines -} - -# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto -# package RRECOMMENDS on this package. This will enable the configuration -# file to be installed for both the openssl-bin package and the libcrypto -# package since the openssl-bin package depends on the libcrypto package. - -PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" - -FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}" -FILES_libssl = "${libdir}/libssl${SOLIBS}" -FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" -FILES_${PN}-engines = "${libdir}/engines-1.1" -FILES_${PN}-misc = "${libdir}/ssl-1.1/misc" -FILES_${PN} =+ "${libdir}/ssl-1.1/*" -FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" - -CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" - -RRECOMMENDS_libcrypto += "openssl-conf" -RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash" - -BBCLASSEXTEND = "native nativesdk" - -CVE_PRODUCT = "openssl:openssl" - -# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 -# Apache in meta-webserver is already recent enough -CVE_CHECK_WHITELIST += "CVE-2019-0190" diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb new file mode 100644 index 000000000..87325162b --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb @@ -0,0 +1,211 @@ +SUMMARY = "Secure Socket Layer" +DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." +HOMEPAGE = "http://www.openssl.org/" +BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" +SECTION = "libs/network" + +# "openssl" here actually means both OpenSSL and SSLeay licenses apply +# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped) +LICENSE = "openssl" +LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8" + +DEPENDS = "hostperl-runtime-native" + +SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ + file://run-ptest \ + file://0001-skip-test_symbol_presence.patch \ + file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ + file://afalg.patch \ + file://reproducible.patch \ + " + +SRC_URI_append_class-nativesdk = " \ + file://environment.d-openssl.sh \ + " + +SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1" + +inherit lib_package multilib_header multilib_script ptest +MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" + +PACKAGECONFIG ?= "" +PACKAGECONFIG_class-native = "" +PACKAGECONFIG_class-nativesdk = "" + +PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module" + +B = "${WORKDIR}/build" +do_configure[cleandirs] = "${B}" + +#| ./libcrypto.so: undefined reference to `getcontext' +#| ./libcrypto.so: undefined reference to `setcontext' +#| ./libcrypto.so: undefined reference to `makecontext' +EXTRA_OECONF_append_libc-musl = " no-async" +EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm" + +# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions +# (native versions can be built with newer glibc, but then relocated onto a system with older glibc) +EXTRA_OECONF_class-native = "--with-rand-seed=os,devrandom" +EXTRA_OECONF_class-nativesdk = "--with-rand-seed=os,devrandom" + +# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. +CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" +CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" + +do_configure () { + os=${HOST_OS} + case $os in + linux-gnueabi |\ + linux-gnuspe |\ + linux-musleabi |\ + linux-muslspe |\ + linux-musl ) + os=linux + ;; + *) + ;; + esac + target="$os-${HOST_ARCH}" + case $target in + linux-arm*) + target=linux-armv4 + ;; + linux-aarch64*) + target=linux-aarch64 + ;; + linux-i?86 | linux-viac3) + target=linux-x86 + ;; + linux-gnux32-x86_64 | linux-muslx32-x86_64 ) + target=linux-x32 + ;; + linux-gnu64-x86_64) + target=linux-x86_64 + ;; + linux-mips | linux-mipsel) + # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags + target="linux-mips32 ${TARGET_CC_ARCH}" + ;; + linux-gnun32-mips*) + target=linux-mips64 + ;; + linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el) + target=linux64-mips64 + ;; + linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*) + target=linux-generic32 + ;; + linux-powerpc) + target=linux-ppc + ;; + linux-powerpc64) + target=linux-ppc64 + ;; + linux-powerpc64le) + target=linux-ppc64le + ;; + linux-riscv32) + target=linux-generic32 + ;; + linux-riscv64) + target=linux-generic64 + ;; + linux-sparc | linux-supersparc) + target=linux-sparcv9 + ;; + esac + + useprefix=${prefix} + if [ "x$useprefix" = "x" ]; then + useprefix=/ + fi + # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the + # environment variables set by bitbake. Adjust the environment variables instead. + HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ + perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target + perl ${B}/configdata.pm --dump +} + +do_install () { + oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install + + oe_multilib_header openssl/opensslconf.h + + # Create SSL structure for packages such as ca-certificates which + # contain hard-coded paths to /etc/ssl. Debian does the same. + install -d ${D}${sysconfdir}/ssl + mv ${D}${libdir}/ssl-1.1/certs \ + ${D}${libdir}/ssl-1.1/private \ + ${D}${libdir}/ssl-1.1/openssl.cnf \ + ${D}${sysconfdir}/ssl/ + + # Although absolute symlinks would be OK for the target, they become + # invalid if native or nativesdk are relocated from sstate. + ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs + ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private + ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf +} + +do_install_append_class-native () { + create_wrapper ${D}${bindir}/openssl \ + OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \ + SSL_CERT_DIR=${libdir}/ssl-1.1/certs \ + SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \ + OPENSSL_ENGINES=${libdir}/engines-1.1 +} + +do_install_append_class-nativesdk () { + mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d + install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh + sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh +} + +PTEST_BUILD_HOST_FILES += "configdata.pm" +PTEST_BUILD_HOST_PATTERN = "perl_version =" +do_install_ptest () { + # Prune the build tree + rm -f ${B}/fuzz/*.* ${B}/test/*.* + + cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH} + cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH} + + # For test_shlibload + ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/ + ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/ + + install -d ${D}${PTEST_PATH}/apps + ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps + install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps + install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps + + install -d ${D}${PTEST_PATH}/engines + install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines +} + +# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto +# package RRECOMMENDS on this package. This will enable the configuration +# file to be installed for both the openssl-bin package and the libcrypto +# package since the openssl-bin package depends on the libcrypto package. + +PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" + +FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}" +FILES_libssl = "${libdir}/libssl${SOLIBS}" +FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" +FILES_${PN}-engines = "${libdir}/engines-1.1" +FILES_${PN}-misc = "${libdir}/ssl-1.1/misc" +FILES_${PN} =+ "${libdir}/ssl-1.1/*" +FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" + +CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" + +RRECOMMENDS_libcrypto += "openssl-conf" +RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash" + +BBCLASSEXTEND = "native nativesdk" + +CVE_PRODUCT = "openssl:openssl" + +# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 +# Apache in meta-webserver is already recent enough +CVE_CHECK_WHITELIST += "CVE-2019-0190" diff --git a/meta-openbmc-mods/meta-common/recipes-core/crashdump/crashdump_git.bb b/meta-openbmc-mods/meta-common/recipes-core/crashdump/crashdump_git.bb index adcdc6011..bb6d54807 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/crashdump/crashdump_git.bb +++ b/meta-openbmc-mods/meta-common/recipes-core/crashdump/crashdump_git.bb @@ -13,7 +13,7 @@ LICENSE = "Proprietary" LIC_FILES_CHKSUM = "file://LICENSE;md5=43c09494f6b77f344027eea0a1c22830" SRC_URI = "git://github.com/Intel-BMC/crashdump;protocol=git" -SRCREV = "wht-1.0.6" +SRCREV = "wht-1.0.7" S = "${WORKDIR}/git" diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0038-CVE-2021-38604-fix-NULL-pointer-dereference-bug-28213.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0038-CVE-2021-38604-fix-NULL-pointer-dereference-bug-28213.patch new file mode 100644 index 000000000..3dca8cc6c --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0038-CVE-2021-38604-fix-NULL-pointer-dereference-bug-28213.patch @@ -0,0 +1,39 @@ +From b805aebd42364fe696e417808a700fdb9800c9e8 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Mon, 9 Aug 2021 20:17:34 +0530 +Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213) + +Helper thread frees copied attribute on NOTIFY_REMOVED message +received from the OS kernel. Unfortunately, it fails to check whether +copied attribute actually exists (data.attr != NULL). This worked +earlier because free() checks passed pointer before actually +attempting to release corresponding memory. But +__pthread_attr_destroy assumes pointer is not NULL. + +So passing NULL pointer to __pthread_attr_destroy will result in +segmentation fault. This scenario is possible if +notification->sigev_notify_attributes == NULL (which means default +thread attributes should be used). + +Signed-off-by: Nikita Popov +Reviewed-by: Siddhesh Poyarekar +--- + sysdeps/unix/sysv/linux/mq_notify.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c +index 9799dcdaa4..eccae2e4c6 100644 +--- a/sysdeps/unix/sysv/linux/mq_notify.c ++++ b/sysdeps/unix/sysv/linux/mq_notify.c +@@ -131,7 +131,7 @@ helper_thread (void *arg) + to wait until it is done with it. */ + (void) __pthread_barrier_wait (¬ify_barrier); + } +- else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED) ++ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL) + { + /* The only state we keep is the copy of the thread attributes. */ + __pthread_attr_destroy (data.attr); +-- +2.27.0 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0039-CVE-2021-35942-handle-overflow-in-positional-parameter-number-bug-28011.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0039-CVE-2021-35942-handle-overflow-in-positional-parameter-number-bug-28011.patch new file mode 100644 index 000000000..4ad5da6da --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0039-CVE-2021-35942-handle-overflow-in-positional-parameter-number-bug-28011.patch @@ -0,0 +1,40 @@ +From 5adda61f62b77384718b4c0d8336ade8f2b4b35c Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Fri, 25 Jun 2021 15:02:47 +0200 +Subject: [PATCH] wordexp: handle overflow in positional parameter number (bug + 28011) + +Use strtoul instead of atoi so that overflow can be detected. +--- + posix/wordexp-test.c | 1 + + posix/wordexp.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c +index f93a546d7e..9df02dbbb3 100644 +--- a/posix/wordexp-test.c ++++ b/posix/wordexp-test.c +@@ -183,6 +183,7 @@ struct test_case_struct + { 0, NULL, "$var", 0, 0, { NULL, }, IFS }, + { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS }, + { 0, NULL, "", 0, 0, { NULL, }, IFS }, ++ { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS }, + + /* Flags not already covered (testit() has special handling for these) */ + { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS }, +diff --git a/posix/wordexp.c b/posix/wordexp.c +index bcbe96e48d..1f3b09f721 100644 +--- a/posix/wordexp.c ++++ b/posix/wordexp.c +@@ -1399,7 +1399,7 @@ envsubst: + /* Is it a numeric parameter? */ + else if (isdigit (env[0])) + { +- int n = atoi (env); ++ unsigned long n = strtoul (env, NULL, 10); + + if (n >= __libc_argc) + /* Substitute NULL. */ +-- +2.27.0 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_2.33.bb b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_2.33.bb index 5c4d944b0..b46782499 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_2.33.bb +++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_2.33.bb @@ -51,6 +51,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0035-Fix-build-error.patch \ file://0036-Use-__pthread_attr_copy-in-mq_notify-bug-27896.patch \ file://0037-Fix-use-of-__pthread_attr_copy-in-mq_notify-bug-27896.patch \ + file://0038-CVE-2021-38604-fix-NULL-pointer-dereference-bug-28213.patch \ + file://0039-CVE-2021-35942-handle-overflow-in-positional-parameter-number-bug-28011.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}" diff --git a/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem/0006-Update-Product-ID-for-EEPROM-FRU-platforms.patch b/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem/0006-Update-Product-ID-for-EEPROM-FRU-platforms.patch index 93dcc1c33..28b8f8a4e 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem/0006-Update-Product-ID-for-EEPROM-FRU-platforms.patch +++ b/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem/0006-Update-Product-ID-for-EEPROM-FRU-platforms.patch @@ -1,4 +1,4 @@ -From a9899d878d49c5d37810f2d97a68ae9d1de1a390 Mon Sep 17 00:00:00 2001 +From e3324be962eae4f42d6262998b413e4b6e51991d Mon Sep 17 00:00:00 2001 From: Anoop S Date: Fri, 2 Oct 2020 13:32:05 +0000 Subject: [PATCH] Update Product ID for EEPROM FRU platforms. @@ -32,12 +32,14 @@ Tested-by: Signed-off-by: Anoop S Signed-off-by: Saravanan Palanisamy + +%% original patch: 0006-Update-Product-ID-for-EEPROM-FRU-platforms.patch --- - src/appcommands.cpp | 137 ++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 131 insertions(+), 6 deletions(-) + src/appcommands.cpp | 142 ++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 136 insertions(+), 6 deletions(-) diff --git a/src/appcommands.cpp b/src/appcommands.cpp -index 10e3d13..d5b5c50 100644 +index 10e3d13..6e3df64 100644 --- a/src/appcommands.cpp +++ b/src/appcommands.cpp @@ -16,6 +16,7 @@ @@ -60,47 +62,8 @@ index 10e3d13..d5b5c50 100644 int initBMCDeviceState(ipmi::Context::ptr ctx) { -@@ -286,7 +292,6 @@ RspType> std::hex >> id; -+ devId.prodId = id; - devIdInitialized = true; - } - else -@@ -377,17 +382,137 @@ RspType convertIntelVersion(std::string& s) + return std::nullopt; } +static void getProductId(const std::string& baseboardObjPath) @@ -215,8 +178,55 @@ index 10e3d13..d5b5c50 100644 + return; +} + - static void registerAPPFunctions(void) - { + RspType> std::hex >> id; ++ devId.prodId = id; + devIdInitialized = true; + } + else +@@ -377,6 +494,17 @@ RspType registerHandler(prioOemBase, netFnApp, app::cmdGetDeviceId, Privilege::User, ipmiAppGetDeviceId); diff --git a/meta-openbmc-mods/meta-common/recipes-core/nv-sync/nv-sync/nv-syncd b/meta-openbmc-mods/meta-common/recipes-core/nv-sync/nv-sync/nv-syncd index e2bb4bb0c..538c96875 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/nv-sync/nv-sync/nv-syncd +++ b/meta-openbmc-mods/meta-common/recipes-core/nv-sync/nv-sync/nv-syncd @@ -3,8 +3,12 @@ NVMP=/tmp/.rwfs SOMP=/var/sofs +clean_var_volatile_tmp() { + rm -rf $NVMP/.overlay/var/volatile/tmp/* || : +} + do_sync() { - rsync -a --delete /tmp/.overlay/ $NVMP/.overlay + rsync -a --delete --exclude='**/var/volatile/tmp/**' /tmp/.overlay/ $NVMP/.overlay sync $NVMP/.overlay } @@ -25,6 +29,8 @@ trap stop_nv EXIT mount -o remount,rw $NVMP mount -o remount,rw $SOMP +clean_var_volatile_tmp + # Run rsync periodically to sync the overlay to NV storage while true; do do_sync diff --git a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/0003-CVE-2021-33910-basic-unit-name-do-not-use-strdupa-on-a-path.patch b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/0003-CVE-2021-33910-basic-unit-name-do-not-use-strdupa-on-a-path.patch new file mode 100644 index 000000000..a240d63d4 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/0003-CVE-2021-33910-basic-unit-name-do-not-use-strdupa-on-a-path.patch @@ -0,0 +1,64 @@ +From 4a1c5f34bd3e1daed4490e9d97918e504d19733b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 23 Jun 2021 11:46:41 +0200 +Subject: [PATCH] basic/unit-name: do not use strdupa() on a path + +The path may have unbounded length, for example through a fuse mount. + +CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and +ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo +and each mountpoint is passed to mount_setup_unit(), which calls +unit_name_path_escape() underneath. A local attacker who is able to mount a +filesystem with a very long path can crash systemd and the whole system. + +https://bugzilla.redhat.com/show_bug.cgi?id=1970887 + +The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we +can't easily check the length after simplification before doing the +simplification, which in turns uses a copy of the string we can write to. +So we can't reject paths that are too long before doing the duplication. +Hence the most obvious solution is to switch back to strdup(), as before +7410616cd9dbbec97cf98d75324da5cda2b2f7a2. + +(cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9) +(cherry picked from commit 764b74113e36ac5219a4b82a05f311b5a92136ce) +--- + src/basic/unit-name.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c +index 85dcba6cb7..46b24f2d9e 100644 +--- a/src/basic/unit-name.c ++++ b/src/basic/unit-name.c +@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) { + } + + int unit_name_path_escape(const char *f, char **ret) { +- char *p, *s; ++ _cleanup_free_ char *p = NULL; ++ char *s; + + assert(f); + assert(ret); + +- p = strdupa(f); ++ p = strdup(f); + if (!p) + return -ENOMEM; + +@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) { + if (!path_is_normalized(p)) + return -EINVAL; + +- /* Truncate trailing slashes */ ++ /* Truncate trailing slashes and skip leading slashes */ + delete_trailing_chars(p, "/"); +- +- /* Truncate leading slashes */ +- p = skip_leading_chars(p, "/"); +- +- s = unit_name_escape(p); ++ s = unit_name_escape(skip_leading_chars(p, "/")); + } + if (!s) + return -ENOMEM; diff --git a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend index e6df605aa..ecb27d416 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend @@ -7,6 +7,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" SRC_URI += "file://0001-Modfiy-system.conf-DefaultTimeoutStopSec.patch \ file://0002-Disable-LLMNR-port-5355.patch \ file://systemd-time-wait-sync.service \ + file://0003-CVE-2021-33910-basic-unit-name-do-not-use-strdupa-on-a-path.patch \ " USERADD_PACKAGES_remove = "${PN}-journal-gateway ${PN}-journal-upload ${PN}-journal-remote" diff --git a/meta-openbmc-mods/meta-common/recipes-core/util-linux/util-linux/CVE-2021-37600/0001-sys-utils-ipcutils-be-careful-when-call-calloc-for-u.patch b/meta-openbmc-mods/meta-common/recipes-core/util-linux/util-linux/CVE-2021-37600/0001-sys-utils-ipcutils-be-careful-when-call-calloc-for-u.patch new file mode 100644 index 000000000..bdb58d032 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/util-linux/util-linux/CVE-2021-37600/0001-sys-utils-ipcutils-be-careful-when-call-calloc-for-u.patch @@ -0,0 +1,28 @@ +From 1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Tue, 27 Jul 2021 11:58:31 +0200 +Subject: [PATCH] sys-utils/ipcutils: be careful when call calloc() for uint64 + nmembs + +Fix: https://github.com/karelzak/util-linux/issues/1395 +Signed-off-by: Karel Zak +--- + sys-utils/ipcutils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sys-utils/ipcutils.c b/sys-utils/ipcutils.c +index e784c4dcb9c0..18868cfd3885 100644 +--- a/sys-utils/ipcutils.c ++++ b/sys-utils/ipcutils.c +@@ -218,7 +218,7 @@ static void get_sem_elements(struct sem_data *p) + { + size_t i; + +- if (!p || !p->sem_nsems || p->sem_perm.id < 0) ++ if (!p || !p->sem_nsems || p->sem_nsems > SIZE_MAX || p->sem_perm.id < 0) + return; + + p->elements = xcalloc(p->sem_nsems, sizeof(struct sem_elem)); +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/util-linux/util-linux_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/util-linux/util-linux_%.bbappend new file mode 100644 index 000000000..5178ce553 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/util-linux/util-linux_%.bbappend @@ -0,0 +1,6 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/CVE-2021-37600:" +SRC_URI += " \ + file://0001-sys-utils-ipcutils-be-careful-when-call-calloc-for-u.patch \ + " diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-21781/0001-ARM-ensure-the-signal-page-contains-defined-contents.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-21781/0001-ARM-ensure-the-signal-page-contains-defined-contents.patch new file mode 100644 index 000000000..98597243e --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-21781/0001-ARM-ensure-the-signal-page-contains-defined-contents.patch @@ -0,0 +1,52 @@ +From f49bff85b6dbb60a410c7f7dc53b52ee1dc22470 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Fri, 29 Jan 2021 10:19:07 +0000 +Subject: [PATCH] ARM: ensure the signal page contains defined contents + +[ Upstream commit 9c698bff66ab4914bb3d71da7dc6112519bde23e ] + +Ensure that the signal page contains our poison instruction to increase +the protection against ROP attacks and also contains well defined +contents. + +Acked-by: Will Deacon +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/signal.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c +index ab2568996ddb..c01f76cd0242 100644 +--- a/arch/arm/kernel/signal.c ++++ b/arch/arm/kernel/signal.c +@@ -694,18 +694,20 @@ struct page *get_signal_page(void) + + addr = page_address(page); + ++ /* Poison the entire page */ ++ memset32(addr, __opcode_to_mem_arm(0xe7fddef1), ++ PAGE_SIZE / sizeof(u32)); ++ + /* Give the signal return code some randomness */ + offset = 0x200 + (get_random_int() & 0x7fc); + signal_return_offset = offset; + +- /* +- * Copy signal return handlers into the vector page, and +- * set sigreturn to be a pointer to these. +- */ ++ /* Copy signal return handlers into the page */ + memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes)); + +- ptr = (unsigned long)addr + offset; +- flush_icache_range(ptr, ptr + sizeof(sigreturn_codes)); ++ /* Flush out all instructions in this page */ ++ ptr = (unsigned long)addr; ++ flush_icache_range(ptr, ptr + PAGE_SIZE); + + return page; + } +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-22555/0001-netfilter-x_tables-fix-compat-match-target-pad-out-o.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-22555/0001-netfilter-x_tables-fix-compat-match-target-pad-out-o.patch new file mode 100644 index 000000000..7c5363462 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-22555/0001-netfilter-x_tables-fix-compat-match-target-pad-out-o.patch @@ -0,0 +1,107 @@ +From b29c457a6511435960115c0f548c4360d5f4801d Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Wed, 7 Apr 2021 21:38:57 +0200 +Subject: [PATCH] netfilter: x_tables: fix compat match/target pad out-of-bound + write + +xt_compat_match/target_from_user doesn't check that zeroing the area +to start of next rule won't write past end of allocated ruleset blob. + +Remove this code and zero the entire blob beforehand. + +Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com +Reported-by: Andy Nguyen +Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/ipv4/netfilter/arp_tables.c | 2 ++ + net/ipv4/netfilter/ip_tables.c | 2 ++ + net/ipv6/netfilter/ip6_tables.c | 2 ++ + net/netfilter/x_tables.c | 10 ++-------- + 4 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index 6c26533480dd..d6d45d820d79 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1193,6 +1193,8 @@ static int translate_compat_table(struct net *net, + if (!newinfo) + goto out_unlock; + ++ memset(newinfo->entries, 0, size); ++ + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_ARP_NUMHOOKS; i++) { + newinfo->hook_entry[i] = compatr->hook_entry[i]; +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index f15bc21d7301..f77ea0dbe656 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1428,6 +1428,8 @@ translate_compat_table(struct net *net, + if (!newinfo) + goto out_unlock; + ++ memset(newinfo->entries, 0, size); ++ + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { + newinfo->hook_entry[i] = compatr->hook_entry[i]; +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 2e2119bfcf13..eb2b5404806c 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1443,6 +1443,8 @@ translate_compat_table(struct net *net, + if (!newinfo) + goto out_unlock; + ++ memset(newinfo->entries, 0, size); ++ + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { + newinfo->hook_entry[i] = compatr->hook_entry[i]; +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index 6bd31a7a27fc..92e9d4ebc5e8 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -733,7 +733,7 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, + { + const struct xt_match *match = m->u.kernel.match; + struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; +- int pad, off = xt_compat_match_offset(match); ++ int off = xt_compat_match_offset(match); + u_int16_t msize = cm->u.user.match_size; + char name[sizeof(m->u.user.name)]; + +@@ -743,9 +743,6 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, + match->compat_from_user(m->data, cm->data); + else + memcpy(m->data, cm->data, msize - sizeof(*cm)); +- pad = XT_ALIGN(match->matchsize) - match->matchsize; +- if (pad > 0) +- memset(m->data + match->matchsize, 0, pad); + + msize += off; + m->u.user.match_size = msize; +@@ -1116,7 +1113,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, + { + const struct xt_target *target = t->u.kernel.target; + struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; +- int pad, off = xt_compat_target_offset(target); ++ int off = xt_compat_target_offset(target); + u_int16_t tsize = ct->u.user.target_size; + char name[sizeof(t->u.user.name)]; + +@@ -1126,9 +1123,6 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, + target->compat_from_user(t->data, ct->data); + else + memcpy(t->data, ct->data, tsize - sizeof(*ct)); +- pad = XT_ALIGN(target->targetsize) - target->targetsize; +- if (pad > 0) +- memset(t->data + target->targetsize, 0, pad); + + tsize += off; + t->u.user.target_size = tsize; +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-3679/0001-tracing-Fix-bug-in-rb_per_cpu_empty-that-might-cause.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-3679/0001-tracing-Fix-bug-in-rb_per_cpu_empty-that-might-cause.patch new file mode 100644 index 000000000..4ed034ac2 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-3679/0001-tracing-Fix-bug-in-rb_per_cpu_empty-that-might-cause.patch @@ -0,0 +1,106 @@ +From f899f24d34d964593b16122a774c192a78e2ca56 Mon Sep 17 00:00:00 2001 +From: Haoran Luo +Date: Wed, 21 Jul 2021 14:12:07 +0000 +Subject: [PATCH] tracing: Fix bug in rb_per_cpu_empty() that might cause + deadloop. + +commit 67f0d6d9883c13174669f88adac4f0ee656cc16a upstream. + +The "rb_per_cpu_empty()" misinterpret the condition (as not-empty) when +"head_page" and "commit_page" of "struct ring_buffer_per_cpu" points to +the same buffer page, whose "buffer_data_page" is empty and "read" field +is non-zero. + +An error scenario could be constructed as followed (kernel perspective): + +1. All pages in the buffer has been accessed by reader(s) so that all of +them will have non-zero "read" field. + +2. Read and clear all buffer pages so that "rb_num_of_entries()" will +return 0 rendering there's no more data to read. It is also required +that the "read_page", "commit_page" and "tail_page" points to the same +page, while "head_page" is the next page of them. + +3. Invoke "ring_buffer_lock_reserve()" with large enough "length" +so that it shot pass the end of current tail buffer page. Now the +"head_page", "commit_page" and "tail_page" points to the same page. + +4. Discard current event with "ring_buffer_discard_commit()", so that +"head_page", "commit_page" and "tail_page" points to a page whose buffer +data page is now empty. + +When the error scenario has been constructed, "tracing_read_pipe" will +be trapped inside a deadloop: "trace_empty()" returns 0 since +"rb_per_cpu_empty()" returns 0 when it hits the CPU containing such +constructed ring buffer. Then "trace_find_next_entry_inc()" always +return NULL since "rb_num_of_entries()" reports there's no more entry +to read. Finally "trace_seq_to_user()" returns "-EBUSY" spanking +"tracing_read_pipe" back to the start of the "waitagain" loop. + +I've also written a proof-of-concept script to construct the scenario +and trigger the bug automatically, you can use it to trace and validate +my reasoning above: + + https://github.com/aegistudio/RingBufferDetonator.git + +Tests has been carried out on linux kernel 5.14-rc2 +(2734d6c1b1a089fb593ef6a23d4b70903526fe0c), my fixed version +of kernel (for testing whether my update fixes the bug) and +some older kernels (for range of affected kernels). Test result is +also attached to the proof-of-concept repository. + +Link: https://lore.kernel.org/linux-trace-devel/YPaNxsIlb2yjSi5Y@aegistudio/ +Link: https://lore.kernel.org/linux-trace-devel/YPgrN85WL9VyrZ55@aegistudio + +Cc: stable@vger.kernel.org +Fixes: bf41a158cacba ("ring-buffer: make reentrant") +Suggested-by: Linus Torvalds +Signed-off-by: Haoran Luo +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 28 ++++++++++++++++++++++++---- + 1 file changed, 24 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 728374166653..5e1b9f6e77f3 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -3221,10 +3221,30 @@ static bool rb_per_cpu_empty(struct ring_buffer_per_cpu *cpu_buffer) + if (unlikely(!head)) + return true; + +- return reader->read == rb_page_commit(reader) && +- (commit == reader || +- (commit == head && +- head->read == rb_page_commit(commit))); ++ /* Reader should exhaust content in reader page */ ++ if (reader->read != rb_page_commit(reader)) ++ return false; ++ ++ /* ++ * If writers are committing on the reader page, knowing all ++ * committed content has been read, the ring buffer is empty. ++ */ ++ if (commit == reader) ++ return true; ++ ++ /* ++ * If writers are committing on a page other than reader page ++ * and head page, there should always be content to read. ++ */ ++ if (commit != head) ++ return false; ++ ++ /* ++ * Writers are committing on the head page, we just need ++ * to care about there're committed data, and the reader will ++ * swap reader page with head page when it is to read data. ++ */ ++ return rb_page_commit(commit) == 0; + } + + /** +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/intel.cfg b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/intel.cfg index 9c08d590f..ef07b6b13 100644 --- a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/intel.cfg +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/intel.cfg @@ -90,4 +90,6 @@ CONFIG_USB_EHCI_HCD_PLATFORM=n CONFIG_IPMB_DEVICE_INTERFACE=y CONFIG_BPF_SYSCALL=n CONFIG_IO_URING=n - +CONFIG_EXT2_FS=n +CONFIG_EXT3_FS=n +CONFIG_EXT4_FS=n diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend index 467578d85..e9916f101 100644 --- a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend @@ -264,5 +264,23 @@ SRC_URI += " \ file://0001-dm-ioctl-fix-out-of-bounds-array-access-when-no-devi.patch \ " +# CVE-2021-22555 vulnerability fix +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/CVE-2021-22555:" +SRC_URI += " \ + file://0001-netfilter-x_tables-fix-compat-match-target-pad-out-o.patch \ + " + +# CVE-2021-3679 vulnerability fix +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/CVE-2021-3679:" +SRC_URI += " \ + file://0001-tracing-Fix-bug-in-rb_per_cpu_empty-that-might-cause.patch \ + " + +# CVE-2020-21781 vulnerability fix +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/CVE-2020-21781:" +SRC_URI += " \ + file://0001-ARM-ensure-the-signal-page-contains-defined-contents.patch \ + " + SRC_URI += "${@bb.utils.contains('IMAGE_FSTYPES', 'intel-pfr', 'file://0005-128MB-flashmap-for-PFR.patch', '', d)}" SRC_URI += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', 'file://debug.cfg', '', d)}" diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-net/0009-Add-dbus-interface-for-sol-commands.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-net/0009-Add-dbus-interface-for-sol-commands.patch deleted file mode 100644 index 5f749af45..000000000 --- a/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-net/0009-Add-dbus-interface-for-sol-commands.patch +++ /dev/null @@ -1,317 +0,0 @@ -From e5ab844259f569656e95f5324f7428229dd811a7 Mon Sep 17 00:00:00 2001 -From: Cheng C Yang -Date: Wed, 3 Jul 2019 07:39:47 +0800 -Subject: [PATCH] Add dbus interface for sol commands - -Add dbus interface for sol config parameters so that after move set/get -sol config parameter command from net-ipmid to host-ipmid, the command -can send config parameters to net-ipmid sol service through the dbus -interface. - -Tested by: -busctl introspect xyz.openbmc_project.Settings /xyz/openbmc_project -/network/host0/sol can show correct dbus properties of sol parameters. -ipmitool -I lanplus -H x -U x -P x raw 0x0c 0x21 0x0e 0x00 0x01 -ipmitool -I lanplus -H x -U x -P x raw 0x0c 0x21 0x0e 0x01 0x00 -ipmitool -I lanplus -H x -U x -P x raw 0x0c 0x21 0x0e 0x02 0x83 -ipmitool -I lanplus -H x -U x -P x raw 0x0c 0x21 0x0e 0x03 0x5 0x03 -ipmitool -I lanplus -H x -U x -P x raw 0x0c 0x21 0x0e 0x04 0x5 0x03 -all these commands can change the dbus properties as the value in -above commands. -Before and after run these commands, ipmitool -I lanplus -H x -U x --P x sol activate can start sol session correctly. -After reboot BMC, "Progress" property in dbus interface change back -to 0 and other properties will not reset to default value. - -Signed-off-by: Cheng C Yang ---- - command/payload_cmds.cpp | 3 + - command/sol_cmds.cpp | 84 -------------------------- - sol/sol_manager.cpp | 124 +++++++++++++++++++++++++++++++++++++++ - sol/sol_manager.hpp | 1 + - sol_module.cpp | 6 -- - 5 files changed, 128 insertions(+), 90 deletions(-) - -diff --git a/command/payload_cmds.cpp b/command/payload_cmds.cpp -index c8e682e..bc987c5 100644 ---- a/command/payload_cmds.cpp -+++ b/command/payload_cmds.cpp -@@ -41,6 +41,9 @@ std::vector activatePayload(const std::vector& inPayload, - return outPayload; - } - -+ std::get(singletonPool) -+ .updateSOLParameter(ipmi::convertCurrentChannelNum( -+ ipmi::currentChNum, getInterfaceIndex())); - if (!std::get(singletonPool).enable) - { - response->completionCode = IPMI_CC_PAYLOAD_TYPE_DISABLED; -diff --git a/command/sol_cmds.cpp b/command/sol_cmds.cpp -index fda3e91..a1e820f 100644 ---- a/command/sol_cmds.cpp -+++ b/command/sol_cmds.cpp -@@ -71,90 +71,6 @@ void activating(uint8_t payloadInstance, uint32_t sessionID) - outPayload); - } - --std::vector setConfParams(const std::vector& inPayload, -- const message::Handler& handler) --{ -- std::vector outPayload(sizeof(SetConfParamsResponse)); -- auto request = -- reinterpret_cast(inPayload.data()); -- auto response = reinterpret_cast(outPayload.data()); -- response->completionCode = IPMI_CC_OK; -- -- switch (static_cast(request->paramSelector)) -- { -- case Parameter::PROGRESS: -- { -- uint8_t progress = request->value & progressMask; -- std::get(singletonPool).progress = progress; -- break; -- } -- case Parameter::ENABLE: -- { -- bool enable = request->value & enableMask; -- std::get(singletonPool).enable = enable; -- break; -- } -- case Parameter::AUTHENTICATION: -- { -- if (!request->auth.auth || !request->auth.encrypt) -- { -- response->completionCode = ipmiCCWriteReadParameter; -- } -- else if (request->auth.privilege < -- static_cast(session::Privilege::USER) || -- request->auth.privilege > -- static_cast(session::Privilege::OEM)) -- { -- response->completionCode = IPMI_CC_INVALID_FIELD_REQUEST; -- } -- else -- { -- std::get(singletonPool).solMinPrivilege = -- static_cast(request->auth.privilege); -- } -- break; -- } -- case Parameter::ACCUMULATE: -- { -- using namespace std::chrono_literals; -- -- if (request->acc.threshold == 0) -- { -- response->completionCode = IPMI_CC_INVALID_FIELD_REQUEST; -- break; -- } -- -- std::get(singletonPool).accumulateInterval = -- request->acc.interval * sol::accIntervalFactor * 1ms; -- std::get(singletonPool).sendThreshold = -- request->acc.threshold; -- break; -- } -- case Parameter::RETRY: -- { -- using namespace std::chrono_literals; -- -- std::get(singletonPool).retryCount = -- request->retry.count; -- std::get(singletonPool).retryInterval = -- request->retry.interval * sol::retryIntervalFactor * 1ms; -- break; -- } -- case Parameter::PORT: -- { -- response->completionCode = ipmiCCWriteReadParameter; -- break; -- } -- case Parameter::NVBITRATE: -- case Parameter::VBITRATE: -- case Parameter::CHANNEL: -- default: -- response->completionCode = ipmiCCParamNotSupported; -- } -- -- return outPayload; --} -- - std::vector getConfParams(const std::vector& inPayload, - const message::Handler& handler) - { -diff --git a/sol/sol_manager.cpp b/sol/sol_manager.cpp -index a118457..55d269a 100644 ---- a/sol/sol_manager.cpp -+++ b/sol/sol_manager.cpp -@@ -14,6 +14,11 @@ - #include - #include - #include -+#include -+ -+constexpr const char* solInterface = "xyz.openbmc_project.Ipmi.SOL"; -+constexpr const char* solPath = "/xyz/openbmc_project/ipmi/sol/"; -+constexpr const char* PROP_INTF = "org.freedesktop.DBus.Properties"; - - namespace sol - { -@@ -103,6 +108,125 @@ void Manager::stopHostConsole() - } - } - -+std::string getService(sdbusplus::bus::bus& bus, const std::string& intf, -+ const std::string& path) -+{ -+ auto mapperCall = -+ bus.new_method_call("xyz.openbmc_project.ObjectMapper", -+ "/xyz/openbmc_project/object_mapper", -+ "xyz.openbmc_project.ObjectMapper", "GetObject"); -+ -+ mapperCall.append(path); -+ mapperCall.append(std::vector({intf})); -+ -+ std::map> mapperResponse; -+ -+ try -+ { -+ auto mapperResponseMsg = bus.call(mapperCall); -+ mapperResponseMsg.read(mapperResponse); -+ } -+ catch (sdbusplus::exception_t&) -+ { -+ throw std::runtime_error("ERROR in mapper call"); -+ } -+ -+ if (mapperResponse.begin() == mapperResponse.end()) -+ { -+ throw std::runtime_error("ERROR in reading the mapper response"); -+ } -+ -+ return mapperResponse.begin()->first; -+} -+ -+ipmi::PropertyMap getAllDbusProperties(sdbusplus::bus::bus& bus, -+ const std::string& service, -+ const std::string& objPath, -+ const std::string& interface) -+{ -+ ipmi::PropertyMap properties; -+ -+ sdbusplus::message::message method = bus.new_method_call( -+ service.c_str(), objPath.c_str(), PROP_INTF, "GetAll"); -+ -+ method.append(interface); -+ -+ try -+ { -+ sdbusplus::message::message reply = bus.call(method); -+ reply.read(properties); -+ } -+ catch (sdbusplus::exception_t&) -+ { -+ phosphor::logging::log( -+ "Failed to get all properties", -+ phosphor::logging::entry("PATH=%s", objPath.c_str()), -+ phosphor::logging::entry("INTERFACE=%s", interface.c_str())); -+ throw std::runtime_error("ERROR in reading proerties"); -+ } -+ -+ return properties; -+} -+ -+void Manager::updateSOLParameter(uint8_t channelNum) -+{ -+ std::variant value; -+ sdbusplus::bus::bus dbus(ipmid_get_sd_bus_connection()); -+ static std::string solService{}; -+ ipmi::PropertyMap properties; -+ std::string ethdevice = ipmi::getChannelName(channelNum); -+ std::string solPathWitheEthName = solPath + ethdevice; -+ if (solService.empty()) -+ { -+ try -+ { -+ solService = getService(dbus, solInterface, solPathWitheEthName); -+ } -+ catch (const std::runtime_error& e) -+ { -+ solService.clear(); -+ phosphor::logging::log( -+ "Error: get SOL service failed"); -+ return; -+ } -+ } -+ try -+ { -+ properties = getAllDbusProperties(dbus, solService, solPathWitheEthName, -+ solInterface); -+ } -+ catch (const std::runtime_error&) -+ { -+ phosphor::logging::log( -+ "Error setting sol parameter"); -+ return; -+ } -+ -+ progress = std::get(properties["Progress"]); -+ -+ enable = std::get(properties["Enable"]); -+ -+ forceEncrypt = std::get(properties["ForceEncryption"]); -+ -+ forceAuth = std::get(properties["ForceAuthentication"]); -+ -+ solMinPrivilege = static_cast( -+ std::get(properties["Privilege"])); -+ -+ accumulateInterval = -+ std::get((properties["AccumulateIntervalMS"])) * -+ sol::accIntervalFactor * 1ms; -+ -+ sendThreshold = std::get(properties["Threshold"]); -+ -+ retryCount = std::get(properties["RetryCount"]); -+ -+ retryInterval = std::get(properties["RetryIntervalMS"]) * -+ sol::retryIntervalFactor * 1ms; -+ -+ return; -+} -+ - void Manager::startPayloadInstance(uint8_t payloadInstance, - session::SessionID sessionID) - { -diff --git a/sol/sol_manager.hpp b/sol/sol_manager.hpp -index 5b48add..4e797d4 100644 ---- a/sol/sol_manager.hpp -+++ b/sol/sol_manager.hpp -@@ -252,6 +252,7 @@ class Manager - * @return 0 on success and errno on failure. - */ - int writeConsoleSocket(const std::vector& input) const; -+ void updateSOLParameter(uint8_t channelNum); - - private: - SOLPayloadMap payloadMap; -diff --git a/sol_module.cpp b/sol_module.cpp -index 8200e74..2b1fb46 100644 ---- a/sol_module.cpp -+++ b/sol_module.cpp -@@ -42,12 +42,6 @@ void registerCommands() - &getPayloadInfo, - session::Privilege::USER, - false}, -- // Set SOL Configuration Parameters -- {{(static_cast(message::PayloadType::IPMI) << 16) | -- static_cast(::command::NetFns::TRANSPORT) | 0x21}, -- &setConfParams, -- session::Privilege::ADMIN, -- false}, - // Get SOL Configuration Parameters - {{(static_cast(message::PayloadType::IPMI) << 16) | - static_cast(::command::NetFns::TRANSPORT) | 0x22}, --- -2.17.1 - diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-net/0011-Remove-Get-SOL-Config-Command-from-Netipmid.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-net/0011-Remove-Get-SOL-Config-Command-from-Netipmid.patch index da173704b..7b690998f 100644 --- a/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-net/0011-Remove-Get-SOL-Config-Command-from-Netipmid.patch +++ b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-net/0011-Remove-Get-SOL-Config-Command-from-Netipmid.patch @@ -1,4 +1,4 @@ -From a36f181163974b2da0a954fc97a89fb2cdbd7287 Mon Sep 17 00:00:00 2001 +From adabdfa46aa0db56f40030c7077f991ba1987b04 Mon Sep 17 00:00:00 2001 From: Cheng C Yang Date: Tue, 30 Apr 2019 05:35:31 +0800 Subject: [PATCH] Remove Get SOL Config Command from Netipmid @@ -28,21 +28,21 @@ Payload Port : 623 Signed-off-by: Cheng C Yang --- - command/sol_cmds.cpp | 91 ---------------------------- - command/sol_cmds.hpp | 168 --------------------------------------------------- + command/sol_cmds.cpp | 86 ---------------------- + command/sol_cmds.hpp | 168 ------------------------------------------- sol_module.cpp | 6 -- - 3 files changed, 265 deletions(-) + 3 files changed, 260 deletions(-) diff --git a/command/sol_cmds.cpp b/command/sol_cmds.cpp -index 804b5ea..8b2d041 100644 +index 81dfc993236c..be2cc81fc9cc 100644 --- a/command/sol_cmds.cpp +++ b/command/sol_cmds.cpp -@@ -65,97 +65,6 @@ void activating(uint8_t payloadInstance, uint32_t sessionID) +@@ -69,92 +69,6 @@ void activating(uint8_t payloadInstance, uint32_t sessionID) outPayload); } -std::vector getConfParams(const std::vector& inPayload, -- const message::Handler& handler) +- std::shared_ptr& handler) -{ - std::vector outPayload(sizeof(GetConfParamsResponse)); - auto request = @@ -60,23 +60,22 @@ index 804b5ea..8b2d041 100644 - { - case Parameter::PROGRESS: - { -- outPayload.push_back( -- std::get(singletonPool).progress); +- outPayload.push_back(sol::Manager::get().progress); - break; - } - case Parameter::ENABLE: - { -- outPayload.push_back(std::get(singletonPool).enable); +- outPayload.push_back(sol::Manager::get().enable); - break; - } - case Parameter::AUTHENTICATION: - { - Auth value{0}; - -- value.encrypt = std::get(singletonPool).forceEncrypt; -- value.auth = std::get(singletonPool).forceAuth; -- value.privilege = static_cast( -- std::get(singletonPool).solMinPrivilege); +- value.encrypt = sol::Manager::get().forceEncrypt; +- value.auth = sol::Manager::get().forceAuth; +- value.privilege = +- static_cast(sol::Manager::get().solMinPrivilege); - auto buffer = reinterpret_cast(&value); - - std::copy_n(buffer, sizeof(value), std::back_inserter(outPayload)); @@ -86,11 +85,9 @@ index 804b5ea..8b2d041 100644 - { - Accumulate value{0}; - -- value.interval = std::get(singletonPool) -- .accumulateInterval.count() / +- value.interval = sol::Manager::get().accumulateInterval.count() / - sol::accIntervalFactor; -- value.threshold = -- std::get(singletonPool).sendThreshold; +- value.threshold = sol::Manager::get().sendThreshold; - auto buffer = reinterpret_cast(&value); - - std::copy_n(buffer, sizeof(value), std::back_inserter(outPayload)); @@ -100,10 +97,9 @@ index 804b5ea..8b2d041 100644 - { - Retry value{0}; - -- value.count = std::get(singletonPool).retryCount; -- value.interval = -- std::get(singletonPool).retryInterval.count() / -- sol::retryIntervalFactor; +- value.count = sol::Manager::get().retryCount; +- value.interval = sol::Manager::get().retryInterval.count() / +- sol::retryIntervalFactor; - auto buffer = reinterpret_cast(&value); - - std::copy_n(buffer, sizeof(value), std::back_inserter(outPayload)); @@ -119,8 +115,7 @@ index 804b5ea..8b2d041 100644 - } - case Parameter::CHANNEL: - { -- outPayload.push_back( -- std::get(singletonPool).channel); +- outPayload.push_back(sol::Manager::get().channel); - break; - } - case Parameter::NVBITRATE: @@ -136,7 +131,7 @@ index 804b5ea..8b2d041 100644 } // namespace sol diff --git a/command/sol_cmds.hpp b/command/sol_cmds.hpp -index 182b73e..10cbf25 100644 +index 3e05e0fc035f..9aedfddf0d39 100644 --- a/command/sol_cmds.hpp +++ b/command/sol_cmds.hpp @@ -62,174 +62,6 @@ struct ActivatingRequest @@ -266,7 +261,7 @@ index 182b73e..10cbf25 100644 - * @return Response data for the command. - */ -std::vector setConfParams(const std::vector& inPayload, -- const message::Handler& handler); +- std::shared_ptr& handler); - -/** @struct GetConfParamsRequest - * @@ -309,16 +304,16 @@ index 182b73e..10cbf25 100644 - * @return Response data for the command. - */ -std::vector getConfParams(const std::vector& inPayload, -- const message::Handler& handler); +- std::shared_ptr& handler); - } // namespace command } // namespace sol diff --git a/sol_module.cpp b/sol_module.cpp -index 2b1fb46..6da82c0 100644 +index d9a9a7c9551f..21196d8a2cbf 100644 --- a/sol_module.cpp +++ b/sol_module.cpp -@@ -42,12 +42,6 @@ void registerCommands() +@@ -41,12 +41,6 @@ void registerCommands() &getPayloadInfo, session::Privilege::USER, false}, @@ -332,5 +327,5 @@ index 2b1fb46..6da82c0 100644 for (const auto& iter : commands) -- -2.7.4 +2.17.1 diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-net_%.bbappend b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-net_%.bbappend index f10bb6ef4..86b8873f1 100644 --- a/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-net_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-net_%.bbappend @@ -3,7 +3,7 @@ inherit useradd # TODO: This should be removed, once up-stream bump up # issue is resolved SRC_URI += "git://github.com/openbmc/phosphor-net-ipmid" -SRCREV = "2b1edef0b1e395591dcf751d7ccf45a85bb58d4c" +SRCREV = "60d6e4ed2b74c88621f43081951d86956557baa0" USERADD_PACKAGES = "${PN}" # add a group called ipmi @@ -21,7 +21,6 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" SRC_URI += " file://10-nice-rules.conf \ file://0006-Modify-dbus-namespace-of-chassis-control-for-guid.patch \ - file://0009-Add-dbus-interface-for-sol-commands.patch \ file://0011-Remove-Get-SOL-Config-Command-from-Netipmid.patch \ file://0012-crypt_algo-Null-check-on-Cipher-context.patch \ " diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/webui/phosphor-webui_%.bbappend b/meta-openbmc-mods/meta-common/recipes-phosphor/webui/phosphor-webui_%.bbappend index 36b155fe9..6b6793914 100644 --- a/meta-openbmc-mods/meta-common/recipes-phosphor/webui/phosphor-webui_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-phosphor/webui/phosphor-webui_%.bbappend @@ -1,4 +1,4 @@ SRC_URI = "git://github.com/Intel-BMC/phosphor-webui;protocol=ssh;branch=intel2" FILESEXTRAPATHS_prepend_intel := "${THISDIR}/${PN}:" -SRCREV = "2397c142c0d75c7705757a52848945b00928232d" +SRCREV = "3e7346c1ea86c08ff2fafeee8f05c0937ffef731" diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.77.0.bb b/meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.77.0.bb deleted file mode 100644 index 9a5a40ec7..000000000 --- a/meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.77.0.bb +++ /dev/null @@ -1,81 +0,0 @@ -SUMMARY = "Command line tool and library for client-side URL transfers" -HOMEPAGE = "http://curl.haxx.se/" -BUGTRACKER = "http://curl.haxx.se/mail/list.cgi?list=curl-tracker" -SECTION = "console/network" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b" - -SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ - file://0001-replace-krb5-config-with-pkg-config.patch \ -" - -SRC_URI[md5sum] = "045d28029679dabb6b20a814934671ad" -SRC_URI[sha256sum] = "6c0c28868cb82593859fc43b9c8fdb769314c855c05cf1b56b023acf855df8ea" - -CVE_PRODUCT = "curl libcurl" -inherit autotools pkgconfig binconfig multilib_header - -PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib" -PACKAGECONFIG_class-native = "ipv6 proxy ssl threaded-resolver verbose zlib" -PACKAGECONFIG_class-nativesdk = "ipv6 proxy ssl threaded-resolver verbose zlib" - -# 'ares' and 'threaded-resolver' are mutually exclusive -PACKAGECONFIG[ares] = "--enable-ares,--disable-ares,c-ares,,,threaded-resolver" -PACKAGECONFIG[brotli] = "--with-brotli,--without-brotli,brotli" -PACKAGECONFIG[builtinmanual] = "--enable-manual,--disable-manual" -PACKAGECONFIG[dict] = "--enable-dict,--disable-dict," -PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls" -PACKAGECONFIG[gopher] = "--enable-gopher,--disable-gopher," -PACKAGECONFIG[imap] = "--enable-imap,--disable-imap," -PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," -PACKAGECONFIG[krb5] = "--with-gssapi,--without-gssapi,krb5" -PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap," -PACKAGECONFIG[ldaps] = "--enable-ldaps,--disable-ldaps," -PACKAGECONFIG[libidn] = "--with-libidn2,--without-libidn2,libidn2" -PACKAGECONFIG[libssh2] = "--with-libssh2,--without-libssh2,libssh2" -PACKAGECONFIG[mbedtls] = "--with-mbedtls=${STAGING_DIR_TARGET},--without-mbedtls,mbedtls" -PACKAGECONFIG[mqtt] = "--enable-mqtt,--disable-mqtt," -PACKAGECONFIG[nghttp2] = "--with-nghttp2,--without-nghttp2,nghttp2" -PACKAGECONFIG[pop3] = "--enable-pop3,--disable-pop3," -PACKAGECONFIG[proxy] = "--enable-proxy,--disable-proxy," -PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump" -PACKAGECONFIG[rtsp] = "--enable-rtsp,--disable-rtsp," -PACKAGECONFIG[smb] = "--enable-smb,--disable-smb," -PACKAGECONFIG[smtp] = "--enable-smtp,--disable-smtp," -PACKAGECONFIG[ssl] = "--with-ssl --with-random=/dev/urandom,--without-ssl,openssl" -PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss" -PACKAGECONFIG[telnet] = "--enable-telnet,--disable-telnet," -PACKAGECONFIG[tftp] = "--enable-tftp,--disable-tftp," -PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threaded-resolver,,,,ares" -PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose" -PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib" - -EXTRA_OECONF = " \ - --disable-libcurl-option \ - --disable-ntlm-wb \ - --enable-crypto-auth \ - --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \ - --without-libmetalink \ - --without-libpsl \ -" - -do_install_append_class-target() { - # cleanup buildpaths from curl-config - sed -i \ - -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \ - -e 's,--with-libtool-sysroot=${STAGING_DIR_TARGET},,g' \ - -e 's|${DEBUG_PREFIX_MAP}||g' \ - ${D}${bindir}/curl-config -} - -PACKAGES =+ "lib${BPN}" - -FILES_lib${BPN} = "${libdir}/lib*.so.*" -RRECOMMENDS_lib${BPN} += "ca-certificates" - -FILES_${PN} += "${datadir}/zsh" - -inherit multilib_script -MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/curl-config" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.78.0.bb b/meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.78.0.bb new file mode 100644 index 000000000..ce2f1e8be --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.78.0.bb @@ -0,0 +1,80 @@ +SUMMARY = "Command line tool and library for client-side URL transfers" +HOMEPAGE = "http://curl.haxx.se/" +BUGTRACKER = "http://curl.haxx.se/mail/list.cgi?list=curl-tracker" +SECTION = "console/network" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b" + +SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ + file://0001-replace-krb5-config-with-pkg-config.patch \ +" + +SRC_URI[md5sum] = "9a57717210a0bb0b6becda1497f0f2b5" +SRC_URI[sha256sum] = "98530b317dc95ccb324bbe4f834f07bb642fbc393b794ddf3434f246a71ea44a" + +CVE_PRODUCT = "curl libcurl" +inherit autotools pkgconfig binconfig multilib_header + +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib" +PACKAGECONFIG_class-native = "ipv6 proxy ssl threaded-resolver verbose zlib" +PACKAGECONFIG_class-nativesdk = "ipv6 proxy ssl threaded-resolver verbose zlib" + +# 'ares' and 'threaded-resolver' are mutually exclusive +PACKAGECONFIG[ares] = "--enable-ares,--disable-ares,c-ares,,,threaded-resolver" +PACKAGECONFIG[brotli] = "--with-brotli,--without-brotli,brotli" +PACKAGECONFIG[builtinmanual] = "--enable-manual,--disable-manual" +PACKAGECONFIG[dict] = "--enable-dict,--disable-dict," +PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls" +PACKAGECONFIG[gopher] = "--enable-gopher,--disable-gopher," +PACKAGECONFIG[imap] = "--enable-imap,--disable-imap," +PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," +PACKAGECONFIG[krb5] = "--with-gssapi,--without-gssapi,krb5" +PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap," +PACKAGECONFIG[ldaps] = "--enable-ldaps,--disable-ldaps," +PACKAGECONFIG[libidn] = "--with-libidn2,--without-libidn2,libidn2" +PACKAGECONFIG[libssh2] = "--with-libssh2,--without-libssh2,libssh2" +PACKAGECONFIG[mbedtls] = "--with-mbedtls=${STAGING_DIR_TARGET},--without-mbedtls,mbedtls" +PACKAGECONFIG[mqtt] = "--enable-mqtt,--disable-mqtt," +PACKAGECONFIG[nghttp2] = "--with-nghttp2,--without-nghttp2,nghttp2" +PACKAGECONFIG[pop3] = "--enable-pop3,--disable-pop3," +PACKAGECONFIG[proxy] = "--enable-proxy,--disable-proxy," +PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump" +PACKAGECONFIG[rtsp] = "--enable-rtsp,--disable-rtsp," +PACKAGECONFIG[smb] = "--enable-smb,--disable-smb," +PACKAGECONFIG[smtp] = "--enable-smtp,--disable-smtp," +PACKAGECONFIG[ssl] = "--with-ssl --with-random=/dev/urandom,--without-ssl,openssl" +PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss" +PACKAGECONFIG[telnet] = "--enable-telnet,--disable-telnet," +PACKAGECONFIG[tftp] = "--enable-tftp,--disable-tftp," +PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threaded-resolver,,,,ares" +PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose" +PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib" + +EXTRA_OECONF = " \ + --disable-libcurl-option \ + --disable-ntlm-wb \ + --enable-crypto-auth \ + --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \ + --without-libpsl \ +" + +do_install_append_class-target() { + # cleanup buildpaths from curl-config + sed -i \ + -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \ + -e 's,--with-libtool-sysroot=${STAGING_DIR_TARGET},,g' \ + -e 's|${DEBUG_PREFIX_MAP}||g' \ + ${D}${bindir}/curl-config +} + +PACKAGES =+ "lib${BPN}" + +FILES_lib${BPN} = "${libdir}/lib*.so.*" +RRECOMMENDS_lib${BPN} += "ca-certificates" + +FILES_${PN} += "${datadir}/zsh" + +inherit multilib_script +MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/curl-config" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-openbmc-mods/meta-common/recipes-support/nettle/nettle_3.7.2.bb b/meta-openbmc-mods/meta-common/recipes-support/nettle/nettle_3.7.2.bb deleted file mode 100644 index 320a9048b..000000000 --- a/meta-openbmc-mods/meta-common/recipes-support/nettle/nettle_3.7.2.bb +++ /dev/null @@ -1,58 +0,0 @@ -SUMMARY = "A low level cryptographic library" -HOMEPAGE = "http://www.lysator.liu.se/~nisse/nettle/" -DESCRIPTION = "It tries to solve a problem of providing a common set of \ -cryptographic algorithms for higher-level applications by implementing a \ -context-independent set of cryptographic algorithms" -SECTION = "libs" -LICENSE = "LGPLv3+ | GPLv2+" - -LIC_FILES_CHKSUM = "file://COPYING.LESSERv3;md5=6a6a8e020838b23406c81b19c1d46df6 \ - file://COPYINGv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://serpent-decrypt.c;beginline=14;endline=36;md5=ca0d220bc413e1842ecc507690ce416e \ - file://serpent-set-key.c;beginline=14;endline=36;md5=ca0d220bc413e1842ecc507690ce416e" - -DEPENDS += "gmp" - -SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \ - file://Add-target-to-only-build-tests-not-run-them.patch \ - file://run-ptest \ - file://check-header-files-of-openssl-only-if-enable_.patch \ - " - -SRC_URI_append_class-target = "\ - file://dlopen-test.patch \ - " - -SRC_URI[md5sum] = "22849db27ed563ebbc829273f0c97e35" -SRC_URI[sha256sum] = "8d2a604ef1cde4cd5fb77e422531ea25ad064679ff0adf956e78b3352e0ef162" - - -UPSTREAM_CHECK_REGEX = "nettle-(?P\d+(\.\d+)+)\.tar" - -inherit autotools ptest multilib_header - -EXTRA_AUTORECONF += "--exclude=aclocal" - -EXTRA_OECONF = "--disable-openssl" - -do_compile_ptest() { - oe_runmake buildtest -} - -do_install_append() { - oe_multilib_header nettle/version.h -} - -do_install_ptest() { - install -d ${D}${PTEST_PATH}/testsuite/ - install ${S}/testsuite/gold-bug.txt ${D}${PTEST_PATH}/testsuite/ - install ${S}/testsuite/*-test ${D}${PTEST_PATH}/testsuite/ - # tools can be found in PATH, not in ../tools/ - sed -i -e 's|../tools/||' ${D}${PTEST_PATH}/testsuite/*-test - install ${B}/testsuite/*-test ${D}${PTEST_PATH}/testsuite/ -} - -RDEPENDS_${PN}-ptest += "${PN}-dev" -INSANE_SKIP_${PN}-ptest += "dev-deps" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-openbmc-mods/meta-common/recipes-support/nettle/nettle_3.7.3.bb b/meta-openbmc-mods/meta-common/recipes-support/nettle/nettle_3.7.3.bb new file mode 100644 index 000000000..fd50ead17 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-support/nettle/nettle_3.7.3.bb @@ -0,0 +1,58 @@ +SUMMARY = "A low level cryptographic library" +HOMEPAGE = "http://www.lysator.liu.se/~nisse/nettle/" +DESCRIPTION = "It tries to solve a problem of providing a common set of \ +cryptographic algorithms for higher-level applications by implementing a \ +context-independent set of cryptographic algorithms" +SECTION = "libs" +LICENSE = "LGPLv3+ | GPLv2+" + +LIC_FILES_CHKSUM = "file://COPYING.LESSERv3;md5=6a6a8e020838b23406c81b19c1d46df6 \ + file://COPYINGv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ + file://serpent-decrypt.c;beginline=14;endline=36;md5=ca0d220bc413e1842ecc507690ce416e \ + file://serpent-set-key.c;beginline=14;endline=36;md5=ca0d220bc413e1842ecc507690ce416e" + +DEPENDS += "gmp" + +SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \ + file://Add-target-to-only-build-tests-not-run-them.patch \ + file://run-ptest \ + file://check-header-files-of-openssl-only-if-enable_.patch \ + " + +SRC_URI_append_class-target = "\ + file://dlopen-test.patch \ + " + +SRC_URI[md5sum] = "a60273d0fab9c808646fcf5e9edc2e8f" +SRC_URI[sha256sum] = "661f5eb03f048a3b924c3a8ad2515d4068e40f67e774e8a26827658007e3bcf0" + + +UPSTREAM_CHECK_REGEX = "nettle-(?P\d+(\.\d+)+)\.tar" + +inherit autotools ptest multilib_header + +EXTRA_AUTORECONF += "--exclude=aclocal" + +EXTRA_OECONF = "--disable-openssl" + +do_compile_ptest() { + oe_runmake buildtest +} + +do_install_append() { + oe_multilib_header nettle/version.h +} + +do_install_ptest() { + install -d ${D}${PTEST_PATH}/testsuite/ + install ${S}/testsuite/gold-bug.txt ${D}${PTEST_PATH}/testsuite/ + install ${S}/testsuite/*-test ${D}${PTEST_PATH}/testsuite/ + # tools can be found in PATH, not in ../tools/ + sed -i -e 's|../tools/||' ${D}${PTEST_PATH}/testsuite/*-test + install ${B}/testsuite/*-test ${D}${PTEST_PATH}/testsuite/ +} + +RDEPENDS_${PN}-ptest += "${PN}-dev" +INSANE_SKIP_${PN}-ptest += "dev-deps" + +BBCLASSEXTEND = "native nativesdk" -- cgit v1.2.3