authorPatrick Williams <patrick@stwcx.xyz>2021-08-30 23:19:52 +0300
committerPatrick Williams <patrick@stwcx.xyz>2021-08-30 23:20:39 +0300
commitfff6b3483881af637e01ecfe6853d5264c311442 (patch)
treee589a65fb94e1fb0141c028a99182cd3c12173ac
parent0d7b32aa69f75b8abd5d5ebdefd473a5b875e470 (diff)
downloadopenbmc-fff6b3483881af637e01ecfe6853d5264c311442.tar.xz
subtree updates
meta-openembedded: 85f8047c71..4a0d93d250: Anatol Belski (1): backport: xmlsec1: Fix configure QA error caused by host lookup path Jate Sujjavanich (1): ufw: Fix interpreter for installed ufw and test ufw Joe Slater (2): php: move to version 7.4.21 nginx: fix CVE-2021-3618 Kai Kang (1): libdbi-perl: fix CVE-2014-10402 Khem Raj (2): fvwm: Package extra files and man pages fvwm: Fix build time paths in target perl/python scripts Michael Opdenacker (1): bigbuckbunny-1080p: fix sample video URL poky: 7d2f118cb6..ed4791c8b0: Alexandre Belloni (1): oeqa/runtime/cases: make date.DateTest.test_date more reliable Armin Kuster (1): qemu: Enable seccomp if FEATURE is set Bruce Ashfield (5): linux-yocto/5.4: update to v5.4.134 linux-yocto/5.4: update to v5.4.135 linux-yocto/5.4: update to v5.4.137 linux-yocto/5.4: update to v5.4.139 linux-yocto/5.4: update to v5.4.141 Changqing Li (1): archiver.bbclass: fix do_ar_configured failure for kernel Dmitry Baryshkov (1): linux-firmware: add more Qualcomm firmware packages Dragos-Marian Panait (1): util-linux: fix CVE-2021-37600 Jose Quaresma (1): sstate.bbclass: fix error handling when sstate mirrors is ro Khem Raj (2): ovmf: Fix VLA warnings with GCC 11 sdk: Enable do_populate_sdk with multilibs Lee Chee Yang (2): aspell: fix CVE-2019-25051 libsolv: fix CVE-2021-3200 Matthias Klein (1): runqemu: Fix typo in error message Michael Opdenacker (5): oe-setup-builddir: update YP docs and OE URLs cve-check: fix comments cve-check: update link to NVD website for CVE details cve-check: improve comment about CVE patch file names cve-check: remove deprecated CVE_CHECK_CVE_WHITELIST Mike Crowe (1): curl: Fix CVE-2021-22924 and CVE-2021-22925 Minjae Kim (1): ruby: 2.7.3 -> 2.7.4 Nathan Rossi (1): qemu.inc: Add seccomp PACKAGECONFIG option Neetika Singh (1): curl: Fix for CVE-2021-22898 Nicolas Dechesne (4): yocto-check-layer: improve missed dependencies checklayer: new function get_layer_dependencies() checklayer: rename _find_layer_depends 
yocto-check-layer: ensure that all layer dependencies are tested too Oleksandr Kravchuk (1): bitbake.conf: change GNOME_MIRROR to new one Paul Barker (1): kernel-yocto: Simplify no git repo case in do_kernel_checkout Purushottam Choudhary (1): python3: Remove unused python3 recipe Ralph Siemsen (2): oeqa/manual/toaster: fix small typo glibc: Document and whitelist CVE-2021-35942 Ranjitsinh Rathod (1): systemd: Add fix for CVE-2020-13529 and CVE-2021-33910 Richard Purdie (4): yocto-check-layer: Remove duplicated code sstate: Fix rebuilds when changing layer config license: Exclude COPYING.MIT from pseudo oeqa/selftest/glibc: Handle incorrect encoding issuesin glibc test results Ross Burton (5): glew: fix Makefile race e2fsprogs: ensure small images have 256-byte inodes wic: don't forcibly pass -T default tar: ignore node-tar CVEs ovmf: build natively everywhere Steve Sakoman (5): Revert "gstreamer-plugins-good: ignore CVE-2021-3497/8 since they are fixed" Revert "gstreamer-plugins-base: ignore CVE-2021-3522 since it is fixed" gstreamer: ignore CVE-2021-3497, CVE-2021-3498, and CVE-2021-3522 libxml2: fix CVE-2021-3541 avahi: fix CVE-2021-3468 Teoh Jay Shen (5): oeqa/ethernet_ip_connman : add test for network connections oeqa/runtime : add test for RTC(Real Time Clock) oeqa/suspend : add test for suspend state oeqa/terminal : improve the test case oeqa/usb_hid.py : add test to check the usb/human interface device status after suspend state TeohJayShen (1): oeqa/runtime: add test for matchbox-terminal Ulrich Ölmann (1): initramfs-framework/setup-live: fix shebang Wes Lindauer (1): oeqa/runtime/cases: Only disable/enable for current boot Yi Zhao (1): ifupdown: added -1 option to dhclient for dhcpv6 akuster (1): cve-check: add include/exclude layers hongxu (1): sdk: fix relocate symlink failed leimaohui (1): archiver.bbclass: Fix patch error for recipes that inherit dos2unix. 
Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: Ic71be73b34f2a3ed6e8773f898626ad69abbe836
-rw-r--r--meta-openembedded/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb2
-rw-r--r--meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/Add-code-to-detect-openembedded-python-interpreter.patch8
-rw-r--r--meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/setup-only-make-one-reference-to-env.patch14
-rw-r--r--meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl/CVE-2014-10402.patch56
-rw-r--r--meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb4
-rw-r--r--meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.21.bb (renamed from meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.16.bb)3
-rw-r--r--meta-openembedded/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb23
-rw-r--r--meta-openembedded/meta-oe/recipes-support/xmlsec1/xmlsec1/ensure-search-path-non-host.patch22
-rw-r--r--meta-openembedded/meta-oe/recipes-support/xmlsec1/xmlsec1_1.2.30.bb1
-rw-r--r--meta-openembedded/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch89
-rw-r--r--meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx.inc1
-rw-r--r--poky/meta/classes/archiver.bbclass8
-rw-r--r--poky/meta/classes/cve-check.bbclass37
-rw-r--r--poky/meta/classes/kernel-yocto.bbclass30
-rw-r--r--poky/meta/classes/license.bbclass4
-rw-r--r--poky/meta/classes/multilib.bbclass1
-rw-r--r--poky/meta/classes/populate_sdk_base.bbclass2
-rw-r--r--poky/meta/classes/sstate.bbclass3
-rw-r--r--poky/meta/conf/bitbake.conf2
-rw-r--r--poky/meta/files/toolchain-shar-relocate.sh2
-rw-r--r--poky/meta/lib/oeqa/manual/toaster-managed-mode.json2
-rw-r--r--poky/meta/lib/oeqa/runtime/cases/date.py13
-rw-r--r--poky/meta/lib/oeqa/runtime/cases/ethernet_ip_connman.py36
-rw-r--r--poky/meta/lib/oeqa/runtime/cases/rtc.py38
-rw-r--r--poky/meta/lib/oeqa/runtime/cases/suspend.py33
-rw-r--r--poky/meta/lib/oeqa/runtime/cases/terminal.py21
-rw-r--r--poky/meta/lib/oeqa/runtime/cases/usb_hid.py22
-rw-r--r--poky/meta/lib/oeqa/selftest/cases/glibc.py2
-rw-r--r--poky/meta/recipes-connectivity/avahi/avahi.inc1
-rw-r--r--poky/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch42
-rw-r--r--poky/meta/recipes-core/glibc/glibc_2.31.bb10
-rw-r--r--poky/meta/recipes-core/ifupdown/files/0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch65
-rw-r--r--poky/meta/recipes-core/ifupdown/ifupdown_0.8.35.bb1
-rw-r--r--poky/meta/recipes-core/initrdscripts/initramfs-framework/setup-live2
-rw-r--r--poky/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch73
-rw-r--r--poky/meta/recipes-core/libxml/libxml2_2.9.10.bb1
-rw-r--r--poky/meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch51
-rw-r--r--poky/meta/recipes-core/ovmf/ovmf_git.bb5
-rw-r--r--poky/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch42
-rw-r--r--poky/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch67
-rw-r--r--poky/meta/recipes-core/systemd/systemd_244.5.bb2
-rw-r--r--poky/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch33
-rw-r--r--poky/meta/recipes-core/util-linux/util-linux_2.35.1.bb1
-rw-r--r--poky/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch22
-rw-r--r--poky/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb1
-rw-r--r--poky/meta/recipes-devtools/python/python3_3.8.10.bb363
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu_4.2.0.bb1
-rw-r--r--poky/meta/recipes-devtools/ruby/ruby_2.7.4.bb (renamed from poky/meta/recipes-devtools/ruby/ruby_2.7.3.bb)4
-rw-r--r--poky/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch67
-rw-r--r--poky/meta/recipes-extended/libsolv/libsolv_0.7.10.bb1
-rw-r--r--poky/meta/recipes-extended/tar/tar_1.32.bb3
-rw-r--r--poky/meta/recipes-graphics/glew/glew/0001-Fix-build-race-in-Makefile.patch56
-rw-r--r--poky/meta/recipes-graphics/glew/glew_2.2.0.bb1
-rw-r--r--poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb17
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb6
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb8
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb22
-rw-r--r--poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb4
-rw-r--r--poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb5
-rw-r--r--poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb9
-rw-r--r--poky/meta/recipes-support/aspell/aspell_0.60.8.bb4
-rw-r--r--poky/meta/recipes-support/aspell/files/CVE-2019-25051.patch101
-rw-r--r--poky/meta/recipes-support/curl/curl/CVE-2021-22898.patch26
-rw-r--r--poky/meta/recipes-support/curl/curl/CVE-2021-22924.patch226
-rw-r--r--poky/meta/recipes-support/curl/curl/CVE-2021-22925.patch43
-rw-r--r--poky/meta/recipes-support/curl/curl_7.69.1.bb4
-rw-r--r--poky/scripts/lib/checklayer/__init__.py11
-rw-r--r--poky/scripts/lib/wic/canned-wks/common.wks.inc2
-rw-r--r--poky/scripts/lib/wic/canned-wks/directdisk-gpt.wks2
-rw-r--r--poky/scripts/lib/wic/canned-wks/mkefidisk.wks2
-rwxr-xr-xpoky/scripts/oe-setup-builddir4
-rwxr-xr-xpoky/scripts/runqemu2
-rwxr-xr-xpoky/scripts/yocto-check-layer25
74 files changed, 1441 insertions, 477 deletions
diff --git a/meta-openembedded/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb b/meta-openembedded/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb
index 70eb6e4be7..c651d8113d 100644
--- a/meta-openembedded/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb
+++ b/meta-openembedded/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb
@@ -3,7 +3,7 @@ LICENSE = "CC-BY-3.0"
# http://www.bigbuckbunny.org/index.php/about/
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/CC-BY-3.0;md5=dfa02b5755629022e267f10b9c0a2ab7"
-SRC_URI = "http://themazzone.com/big_buck_bunny_1080p_surround.avi"
+SRC_URI = "https://www.mediaspip.net/IMG/avi/big_buck_bunny_1080p_surround.avi"
SRC_URI[md5sum] = "223991c8b33564eb77988a4c13c1c76a"
SRC_URI[sha256sum] = "69fe2cfe7154a6e752688e3a0d7d6b07b1605bbaf75b56f6470dc7b4c20c06ea"
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/Add-code-to-detect-openembedded-python-interpreter.patch b/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/Add-code-to-detect-openembedded-python-interpreter.patch
index 85d51ca21f..e1fcf0ca56 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/Add-code-to-detect-openembedded-python-interpreter.patch
+++ b/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/Add-code-to-detect-openembedded-python-interpreter.patch
@@ -1,7 +1,7 @@
Add code to detect openembedded python interpreter
-OE does not use /usr/bin/env as part of the interpreter, so it does not
-update ufw with the interpreter name.
+OE does not use /usr/bin/env as part of the interpreter, Instead, it's a
+full path in sys.executable.
Upstream-Status: Inappropriate (Embedded)
Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
@@ -17,9 +17,9 @@ index 75c1105..3f9a5e0 100644
"-i.jjm",
"1s%^#.*python.*%#! " + sys.executable + "%g",
'staging/ufw'])
-+ elif '-native/python' in sys.executable and \
++ elif '/python' in sys.executable and \
+ os.path.basename(sys.executable) in ['python', 'python3']:
-+ print("Detected oe native python " + os.path.basename(sys.executable))
++ print("Detected full path " + sys.executable + ". substituting " + os.path.basename(sys.executable))
+ subprocess.call(["sed",
+ "-i.jjm",
+ "1s%python$%"
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/setup-only-make-one-reference-to-env.patch b/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/setup-only-make-one-reference-to-env.patch
index f487a6fd6c..ff704b5a46 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/setup-only-make-one-reference-to-env.patch
+++ b/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/setup-only-make-one-reference-to-env.patch
@@ -14,10 +14,6 @@ detected or specified on the build line.
Upstream-Status: Inappropriate [ embedded specific ]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-
-Added conditional to handle sys.executable without env on python3
-
-Signed-off-by Jate Sujjavanich <jatedev@gmail.com>
---
setup.py | 34 ++++++++++++++++++++++++++++------
1 file changed, 28 insertions(+), 6 deletions(-)
@@ -47,7 +43,7 @@ index b13d11c..73acdef 100644
# Now byte-compile everything
super(Install, self).run()
-@@ -107,12 +112,29 @@ class Install(_install, object):
+@@ -107,12 +112,23 @@ class Install(_install, object):
for f in [ script, manpage, manpage_f ]:
self.mkpath(os.path.dirname(f))
@@ -66,13 +62,7 @@ index b13d11c..73acdef 100644
- 'staging/ufw'])
+ print("Updating staging/ufw to use (%s)" % (sys.executable))
+
-+ if not re.search("(/usr/bin/env)", sys.executable):
-+ print("Did not find 'env' in sys.executable (%s)" % (sys.executable))
-+ subprocess.call(["sed",
-+ "-i",
-+ "1s%^#.*python.*%#! /usr/bin/env " + sys.executable + "%g",
-+ 'staging/ufw'])
-+ elif re.search("(/usr/bin/env)", sys.executable):
++ if re.search("(/usr/bin/env)", sys.executable):
+ print("found 'env' in sys.executable (%s)" % (sys.executable))
+ subprocess.call(["sed",
+ "-i.jjm",
diff --git a/meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl/CVE-2014-10402.patch b/meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl/CVE-2014-10402.patch
new file mode 100644
index 0000000000..b41bbe0a50
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl/CVE-2014-10402.patch
@@ -0,0 +1,56 @@
+Backport patch to fix CVE-2014-10402.
+
+CVE: CVE-2014-10402
+Upstream-Status: Backport [https://github.com/rehsack/dbi/commit/19d0fb1]
+
+Ref:
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972180#12
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+
+From 19d0fb169eed475e1c053e99036b8668625cfa94 Mon Sep 17 00:00:00 2001
+From: Jens Rehsack <sno@netbsd.org>
+Date: Tue, 6 Oct 2020 10:22:17 +0200
+Subject: [PATCH] lib/DBD/File.pm: fix CVE-2014-10401
+
+Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and
+figure out that DBI->parse_dsn is the wrong helper to parse our attributes in
+DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes
+parse_dsn to bailout.
+
+Parsing on our own similar to parse_dsn shows the way out.
+
+Signed-off-by: Jens Rehsack <sno@netbsd.org>
+---
+ lib/DBD/File.pm | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm
+index fb14e9a..f55076f 100644
+--- a/lib/DBD/File.pm
++++ b/lib/DBD/File.pm
+@@ -109,7 +109,11 @@ sub connect
+ # We do not (yet) care about conflicting attributes here
+ # my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => "text" });
+ # will test here that both test and text should exist
+- if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) {
++ #
++ # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter.
++ if ($dbname) {
++ my @attrs = split /;/ => $dbname;
++ my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs };
+ if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) {
+ my $msg = "No such directory '$attr_hash->{f_dir}";
+ $drh->set_err (2, $msg);
+@@ -120,7 +124,6 @@ sub connect
+ if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) {
+ my $msg = "No such directory '$attr->{f_dir}";
+ $drh->set_err (2, $msg);
+- $attr->{RaiseError} and croak $msg;
+ return;
+ }
+
+--
+2.17.1
+
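Review bot: The patch header tags `CVE: CVE-2014-10402`, but the embedded upstream subject reads `fix CVE-2014-10401`, and nothing in the header explains how the two ids relate. Both the file name and the `CVE:` line name CVE-2014-10402, which is what cve-check.bbclass matches on, so only that id will be recorded as patched by this file. A one-line remark in the header, for example `Note: the upstream subject names CVE-2014-10401; this backport is tracked as CVE-2014-10402` (wording to be confirmed against the CVE entries), would save the next auditor a lookup. Separately, the added `map { split ... } @attrs` builds the hash from whatever `split` returns, so a DSN segment without a value would give an odd-length list and shifted key/value pairs; that is upstream's code and is better raised there than changed in the backport.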
diff --git a/meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb b/meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb
index 75fad46bfd..c8abae628f 100644
--- a/meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb
+++ b/meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb
@@ -9,7 +9,9 @@ SECTION = "libs"
LICENSE = "Artistic-1.0 | GPL-1.0+"
LIC_FILES_CHKSUM = "file://LICENSE;md5=10982c7148e0a012c0fd80534522f5c5"
-SRC_URI = "http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBI-${PV}.tar.gz"
+SRC_URI = "http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBI-${PV}.tar.gz \
+ file://CVE-2014-10402.patch \
+ "
SRC_URI[md5sum] = "352f80b1e23769c116082a90905d7398"
SRC_URI[sha256sum] = "8a2b993db560a2c373c174ee976a51027dd780ec766ae17620c20393d2e836fa"
diff --git a/meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.16.bb b/meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.21.bb
index bc0a6b5df3..c7c00ac30e 100644
--- a/meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.16.bb
+++ b/meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.21.bb
@@ -33,7 +33,8 @@ SRC_URI_append_class-target = " \
"
S = "${WORKDIR}/php-${PV}"
-SRC_URI[sha256sum] = "85710f007cfd0fae94e13a02a3a036f4e81ef43693260cae8a2e1ca93659ce3e"
+SRC_URI[sha256sum] = "36ec6102e757e2c2b7742057a700bbff77c76fa0ccbe9c860398c3d24e32822a"
+
inherit autotools pkgconfig python3native gettext
diff --git a/meta-openembedded/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb b/meta-openembedded/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb
index 51f5a4eca1..3b01a216bd 100644
--- a/meta-openembedded/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb
+++ b/meta-openembedded/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb
@@ -82,12 +82,17 @@ do_install_append() {
install -d -m 0755 ${D}/${datadir}/fvwm
touch ${D}/${datadir}/fvwm/ConfigFvwmDefaults
+ sed -i -e 's:${STAGING_BINDIR_NATIVE}/perl-native/perl:${USRBINPATH}/env perl:g' ${D}${bindir}/fvwm-*
+ sed -i -e 's:${STAGING_BINDIR_NATIVE}/perl-native/perl:${USRBINPATH}/env perl:g' ${D}${libexecdir}/fvwm/*/Fvwm*
+ sed -i -e 's:${STAGING_BINDIR_NATIVE}/python3-native/python3:${USRBINPATH}/env python3:g' ${D}${bindir}/fvwm-menu-desktop
}
# the only needed packages (note: locale packages are automatically generated
# as well)
PACKAGES = " \
${PN} \
+ ${PN}-extra \
+ ${PN}-doc \
${PN}-dbg \
"
@@ -98,12 +103,20 @@ FILES_${PN} = " \
${datadir}/fvwm/ConfigFvwmDefaults \
"
+FILES_${PN}-extra = " \
+ ${bindir} \
+ ${libexecdir} \
+ ${sysconfdir}/xdg/fvwm \
+"
+FILES_${PN}-doc = " \
+ ${mandir} \
+ ${datadir}/fvwm \
+"
+
RDEPENDS_${PN} = " \
xuser-account \
"
-
-# by default a lot of stuff is installed and it's not easy to control what to
-# install, so install everything, but skip the check
-INSANE_SKIP_${PN} = " \
- installed-vs-shipped \
+RDEPENDS_${PN}-extra += "\
+ perl \
+ python3-core \
"
diff --git a/meta-openembedded/meta-oe/recipes-support/xmlsec1/xmlsec1/ensure-search-path-non-host.patch b/meta-openembedded/meta-oe/recipes-support/xmlsec1/xmlsec1/ensure-search-path-non-host.patch
new file mode 100644
index 0000000000..a5a298af0d
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/xmlsec1/xmlsec1/ensure-search-path-non-host.patch
@@ -0,0 +1,22 @@
+xmlsec1: Fix configure QA error caused by host lookup path
+
+ERROR: mc:my-sdk:xmlsec1-1.2.30-r0 do_configure: QA Issue: This autoconf log indicates errors, it looked at host include and/or library paths while determining system capabilities.
+
+It will eventually arise after the configure QA as the configure script should only look at the staging sysroot dir, not at the host.
+
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
+
+--- a/configure.ac.orig 2021-01-13 14:37:42.254991177 +0000
++++ b/configure.ac 2021-01-13 14:40:56.546269330 +0000
+@@ -250,8 +250,8 @@
+ dnl ==========================================================================
+ dnl Common installation locations
+ dnl ==========================================================================
+-COMMON_INCLUDE_DIR="/usr/include /usr/local/include"
+-COMMON_LIB_DIR="/usr/lib /usr/lib64 /usr/local/lib"
++COMMON_INCLUDE_DIR="${STAGING_INCDIR}"
++COMMON_LIB_DIR="${STAGING_LIBDIR}"
+ case $host in
+ i*86-*-linux-gnu) COMMON_LIB_DIR="$COMMON_LIB_DIR /usr/lib/i386-linux-gnu" ;;
+ x86_64-*-linux-gnu) COMMON_LIB_DIR="$COMMON_LIB_DIR /usr/lib/x86_64-linux-gnu" ;;
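Review bot: `${STAGING_INCDIR}` and `${STAGING_LIBDIR}` in the patched configure.ac are expanded by the shell when configure runs, not by BitBake, so the fix only works if both variables are exported into the do_configure environment; the recipe hunk on this page only adds the patch to SRC_URI and does not show that. If they are unset, both `COMMON_INCLUDE_DIR` and `COMMON_LIB_DIR` become empty rather than pointing at the sysroot. The `case $host` lines kept as context still append `/usr/lib/i386-linux-gnu` and `/usr/lib/x86_64-linux-gnu` for matching triplets, so host paths are not fully removed from the search. A sentence in the patch header saying where the two variables come from would make this checkable.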
diff --git a/meta-openembedded/meta-oe/recipes-support/xmlsec1/xmlsec1_1.2.30.bb b/meta-openembedded/meta-oe/recipes-support/xmlsec1/xmlsec1_1.2.30.bb
index 20c7b2d371..391614b5f2 100644
--- a/meta-openembedded/meta-oe/recipes-support/xmlsec1/xmlsec1_1.2.30.bb
+++ b/meta-openembedded/meta-oe/recipes-support/xmlsec1/xmlsec1_1.2.30.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \
file://xmlsec1-examples-allow-build-in-separate-dir.patch \
file://0001-nss-nspr-fix-for-multilib.patch \
file://run-ptest \
+ file://ensure-search-path-non-host.patch \
"
SRC_URI[md5sum] = "b66ec21e0a0ac331afb4b1bc5c9ef966"
diff --git a/meta-openembedded/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch b/meta-openembedded/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch
new file mode 100644
index 0000000000..3fab8bac6c
--- /dev/null
+++ b/meta-openembedded/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch
@@ -0,0 +1,89 @@
+From 6dafcdebde58577f4fcb190be46a0eb910cf1b96 Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Wed, 19 May 2021 03:13:31 +0300
+Subject: [PATCH 1/1] Mail: max_errors directive.
+
+Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+in Exim, specifies the number of errors after which the connection is closed.
+Index: nginx-1.16.1/src/mail/ngx_mail.h
+===================================================================
+--- nginx-1.16.1.orig/src/mail/ngx_mail.h
++++ nginx-1.16.1/src/mail/ngx_mail.h
+@@ -113,6 +113,8 @@ typedef struct {
+ ngx_msec_t timeout;
+ ngx_msec_t resolver_timeout;
+
++ ngx_uint_t max_errors;
++
+ ngx_str_t server_name;
+
+ u_char *file_name;
+@@ -225,6 +227,7 @@ typedef struct {
+ ngx_uint_t command;
+ ngx_array_t args;
+
++ ngx_uint_t errors;
+ ngx_uint_t login_attempt;
+
+ /* used to parse POP3/IMAP/SMTP command */
+Index: nginx-1.16.1/src/mail/ngx_mail_core_module.c
+===================================================================
+--- nginx-1.16.1.orig/src/mail/ngx_mail_core_module.c
++++ nginx-1.16.1/src/mail/ngx_mail_core_module.c
+@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_comm
+ offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+ NULL },
+
++ { ngx_string("max_errors"),
++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
++ ngx_conf_set_num_slot,
++ NGX_MAIL_SRV_CONF_OFFSET,
++ offsetof(ngx_mail_core_srv_conf_t, max_errors),
++ NULL },
++
+ ngx_null_command
+ };
+
+@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t
+ cscf->timeout = NGX_CONF_UNSET_MSEC;
+ cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+
++ cscf->max_errors = NGX_CONF_UNSET_UINT;
++
+ cscf->resolver = NGX_CONF_UNSET_PTR;
+
+ cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t
+ ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+ 30000);
+
++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+
+ ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+
+Index: nginx-1.16.1/src/mail/ngx_mail_handler.c
+===================================================================
+--- nginx-1.16.1.orig/src/mail/ngx_mail_handler.c
++++ nginx-1.16.1/src/mail/ngx_mail_handler.c
+@@ -753,7 +753,20 @@ ngx_mail_read_command(ngx_mail_session_t
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+
+- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++
++ s->errors++;
++
++ if (s->errors >= cscf->max_errors) {
++ ngx_log_error(NGX_LOG_INFO, c->log, 0,
++ "client sent too many invalid commands");
++ s->quit = 1;
++ }
++
++ return rc;
++ }
++
++ if (rc == NGX_IMAP_NEXT) {
+ return rc;
+ }
+
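Review bot: The patch header carries no `CVE:` or `Upstream-Status:` line and no Signed-off-by from whoever did the backport, unlike the libdbi-perl CVE patch added in the same commit. cve-check.bbclass can still take the id from the file name, but the header is what tells a reader where the change came from and whether it was adapted for nginx 1.16.1. I would add `CVE: CVE-2021-3618` and `Upstream-Status: Backport [<upstream changeset URL>]` above the first `Index:` line. In `ngx_mail_read_command` the new check reads `cscf->max_errors`, and the assignment of `cscf` lies outside the hunk, so it cannot be confirmed from here.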
diff --git a/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx.inc
index a4583ed8f8..903a62b3d7 100644
--- a/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx.inc
+++ b/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -23,6 +23,7 @@ SRC_URI = " \
file://nginx.service \
file://nginx-fix-pidfile.patch \
file://CVE-2021-23017.patch \
+ file://CVE-2021-3618.patch \
"
inherit siteinfo update-rc.d useradd systemd
diff --git a/poky/meta/classes/archiver.bbclass b/poky/meta/classes/archiver.bbclass
index 7ca35a573b..9ef18ebd3c 100644
--- a/poky/meta/classes/archiver.bbclass
+++ b/poky/meta/classes/archiver.bbclass
@@ -281,7 +281,10 @@ python do_ar_configured() {
# ${STAGING_DATADIR}/aclocal/libtool.m4, so we can't re-run the
# do_configure, we archive the already configured ${S} to
# instead of.
- elif pn != 'libtool-native':
+ # The kernel class functions require it to be on work-shared, we
+ # don't unpack, patch, configure again, just archive the already
+ # configured ${S}
+ elif not (pn == 'libtool-native' or is_work_shared(d)):
def runTask(task):
prefuncs = d.getVarFlag(task, 'prefuncs') or ''
for func in prefuncs.split():
@@ -484,6 +487,9 @@ python do_unpack_and_patch() {
src_orig = '%s.orig' % src
oe.path.copytree(src, src_orig)
+ if bb.data.inherits_class('dos2unix', d):
+ bb.build.exec_func('do_convert_crlf_to_lf', d)
+
# Make sure gcc and kernel sources are patched only once
if not (d.getVar('SRC_URI') == "" or is_work_shared(d)):
bb.build.exec_func('do_patch', d)
diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass
index 8086cf05e9..b6df2c31da 100644
--- a/poky/meta/classes/cve-check.bbclass
+++ b/poky/meta/classes/cve-check.bbclass
@@ -20,7 +20,7 @@
# the only method to check against CVEs. Running this tool
# doesn't guarantee your packages are free of CVEs.
-# The product name that the CVE database uses. Defaults to BPN, but may need to
+# The product name that the CVE database uses defaults to BPN, but may need to
# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"
@@ -53,7 +53,14 @@ CVE_CHECK_PN_WHITELIST ?= ""
#
CVE_CHECK_WHITELIST ?= ""
-# set to "alphabetical" for version using single alphabetical character as increament release
+# Layers to be excluded
+CVE_CHECK_LAYER_EXCLUDELIST ??= ""
+
+# Layers to be included
+CVE_CHECK_LAYER_INCLUDELIST ??= ""
+
+
+# set to "alphabetical" for version using single alphabetical character as increment release
CVE_VERSION_SUFFIX ??= ""
python cve_save_summary_handler () {
@@ -159,9 +166,12 @@ def get_patches_cves(d):
pn = d.getVar("PN")
cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
- # Matches last CVE-1234-211432 in the file name, also if written
- # with small letters. Not supporting multiple CVE id's in a single
- # file name.
+ # Matches the last "CVE-YYYY-ID" in the file name, also if written
+ # in lowercase. Possible to have multiple CVE IDs in a single
+ # file name, but only the last one will be detected from the file name.
+ # However, patch files contents addressing multiple CVE IDs are supported
+ # (cve_match regular expression)
+
cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
patched_cves = set()
@@ -223,14 +233,11 @@ def check_cves(d, patched_cves):
return ([], [], [])
pv = d.getVar("CVE_VERSION").split("+git")[0]
- # If the recipe has been whitlisted we return empty lists
+ # If the recipe has been whitelisted we return empty lists
if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split():
bb.note("Recipe has been whitelisted, skipping check")
return ([], [], [])
- old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST")
- if old_cve_whitelist:
- bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.")
cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
import sqlite3
@@ -334,11 +341,21 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
CVE manifest if enabled.
"""
+
cve_file = d.getVar("CVE_CHECK_LOG")
fdir_name = d.getVar("FILE_DIRNAME")
layer = fdir_name.split("/")[-3]
- nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
+ include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
+ exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+
+ if exclude_layers and layer in exclude_layers:
+ return
+
+ if include_layers and layer not in include_layers:
+ return
+
+ nvd_link = "https://nvd.nist.gov/vuln/detail/"
write_string = ""
unpatched_cves = []
bb.utils.mkdirhier(os.path.dirname(cve_file))
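Review bot: Both new early returns in `cve_write_data` drop a recipe's results without any message, so a misspelt entry in CVE_CHECK_LAYER_INCLUDELIST, or a layer whose directory name does not equal `fdir_name.split("/")[-3]`, silently removes that recipe's unpatched CVEs from the log and manifest. I would log the skip before each `return`, e.g. `bb.note("cve-check: skipping %s, layer %s filtered by include/exclude list" % (d.getVar("PN"), layer))`. The comments on the two new variables say only "Layers to be excluded" and "Layers to be included"; they should state that the value is a whitespace-separated list of layer directory names and that the exclude list is checked first. The rest of `cve_write_data` lies outside the hunk.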
diff --git a/poky/meta/classes/kernel-yocto.bbclass b/poky/meta/classes/kernel-yocto.bbclass
index 66cce92362..a1a073b738 100644
--- a/poky/meta/classes/kernel-yocto.bbclass
+++ b/poky/meta/classes/kernel-yocto.bbclass
@@ -320,6 +320,21 @@ do_kernel_checkout() {
fi
fi
cd ${S}
+
+ # convert any remote branches to local tracking ones
+ for i in `git branch -a --no-color | grep remotes | grep -v HEAD`; do
+ b=`echo $i | cut -d' ' -f2 | sed 's%remotes/origin/%%'`;
+ git show-ref --quiet --verify -- "refs/heads/$b"
+ if [ $? -ne 0 ]; then
+ git branch $b $i > /dev/null
+ fi
+ done
+
+ # Create a working tree copy of the kernel by checking out a branch
+ machine_branch="${@ get_machine_branch(d, "${KBRANCH}" )}"
+
+ # checkout and clobber any unimportant files
+ git checkout -f ${machine_branch}
else
# case: we have no git repository at all.
# To support low bandwidth options for building the kernel, we'll just
@@ -341,21 +356,6 @@ do_kernel_checkout() {
git commit -q -m "baseline commit: creating repo for ${PN}-${PV}"
git clean -d -f
fi
-
- # convert any remote branches to local tracking ones
- for i in `git branch -a --no-color | grep remotes | grep -v HEAD`; do
- b=`echo $i | cut -d' ' -f2 | sed 's%remotes/origin/%%'`;
- git show-ref --quiet --verify -- "refs/heads/$b"
- if [ $? -ne 0 ]; then
- git branch $b $i > /dev/null
- fi
- done
-
- # Create a working tree copy of the kernel by checking out a branch
- machine_branch="${@ get_machine_branch(d, "${KBRANCH}" )}"
-
- # checkout and clobber any unimportant files
- git checkout -f ${machine_branch}
}
do_kernel_checkout[dirs] = "${S}"
diff --git a/poky/meta/classes/license.bbclass b/poky/meta/classes/license.bbclass
index dc91118340..73f99e87a8 100644
--- a/poky/meta/classes/license.bbclass
+++ b/poky/meta/classes/license.bbclass
@@ -31,8 +31,8 @@ python do_populate_lic() {
f.write("%s: %s\n" % (key, info[key]))
}
-PSEUDO_IGNORE_PATHS .= ",${@','.join(((d.getVar('COMMON_LICENSE_DIR') or '') + ' ' + (d.getVar('LICENSE_PATH') or '')).split())}"
-# it would be better to copy them in do_install_append, but find_license_filesa is python
+PSEUDO_IGNORE_PATHS .= ",${@','.join(((d.getVar('COMMON_LICENSE_DIR') or '') + ' ' + (d.getVar('LICENSE_PATH') or '') + ' ' + d.getVar('COREBASE') + '/meta/COPYING').split())}"
+# it would be better to copy them in do_install:append, but find_license_filesa is python
python perform_packagecopy_prepend () {
enabled = oe.data.typed_value('LICENSE_CREATE_PACKAGE', d)
if d.getVar('CLASSOVERRIDE') == 'class-target' and enabled:
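Review bot: The added `d.getVar('COREBASE') + '/meta/COPYING'` has no `or ''` fallback, unlike the two `getVar` calls before it in the same expression, so an unset COREBASE raises a TypeError when this assignment is expanded. Writing it as `(d.getVar('COREBASE') or '') + '/meta/COPYING'` keeps the three terms consistent, though with an empty COREBASE it would add a bare `/meta/COPYING` to PSEUDO_IGNORE_PATHS. The changed comment now says `do_install:append` while the function right below is still named `perform_packagecopy_prepend`; the file should stick to one override syntax.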
diff --git a/poky/meta/classes/multilib.bbclass b/poky/meta/classes/multilib.bbclass
index ee677da1e2..9a8b02d4f6 100644
--- a/poky/meta/classes/multilib.bbclass
+++ b/poky/meta/classes/multilib.bbclass
@@ -106,7 +106,6 @@ python __anonymous () {
d.setVar("LINGUAS_INSTALL", "")
# FIXME, we need to map this to something, not delete it!
d.setVar("PACKAGE_INSTALL_ATTEMPTONLY", "")
- bb.build.deltask('do_populate_sdk', d)
bb.build.deltask('do_populate_sdk_ext', d)
return
diff --git a/poky/meta/classes/populate_sdk_base.bbclass b/poky/meta/classes/populate_sdk_base.bbclass
index ca56d803cb..b46f1aed27 100644
--- a/poky/meta/classes/populate_sdk_base.bbclass
+++ b/poky/meta/classes/populate_sdk_base.bbclass
@@ -66,7 +66,7 @@ python () {
SDK_RDEPENDS = "${TOOLCHAIN_TARGET_TASK} ${TOOLCHAIN_HOST_TASK}"
SDK_DEPENDS = "virtual/fakeroot-native ${SDK_ARCHIVE_DEPENDS} cross-localedef-native nativesdk-qemuwrapper-cross ${@' '.join(["%s-qemuwrapper-cross" % m for m in d.getVar("MULTILIB_VARIANTS").split()])} qemuwrapper-cross"
-PATH_prepend = "${STAGING_DIR_HOST}${SDKPATHNATIVE}${bindir}/crossscripts:${@":".join(all_multilib_tune_values(d, 'STAGING_BINDIR_CROSS').split())}:"
+PATH_prepend = "${WORKDIR}/recipe-sysroot/${SDKPATHNATIVE}${bindir}/crossscripts:${@":".join(all_multilib_tune_values(d, 'STAGING_BINDIR_CROSS').split())}:"
SDK_DEPENDS += "nativesdk-glibc-locale"
# We want the MULTIARCH_TARGET_SYS to point to the TUNE_PKGARCH, not PACKAGE_ARCH as it
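Review bot: `PATH_prepend` now hard-codes the sysroot location as the literal `${WORKDIR}/recipe-sysroot/`, which will silently go stale if the sysroot directory is ever configured differently. Unless the standard variable is being avoided on purpose here, `${RECIPE_SYSROOT}${SDKPATHNATIVE}${bindir}/crossscripts` says the same thing through the variable. The added `/` before `${SDKPATHNATIVE}` also yields a double slash if that variable is absolute, as it presumably is. A one-line comment explaining why `STAGING_DIR_HOST` is wrong for this entry would help the next reader.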
diff --git a/poky/meta/classes/sstate.bbclass b/poky/meta/classes/sstate.bbclass
index 0a25e3ed9d..2ff0d6850c 100644
--- a/poky/meta/classes/sstate.bbclass
+++ b/poky/meta/classes/sstate.bbclass
@@ -705,6 +705,7 @@ def sstate_package(ss, d):
pass
except OSError as e:
# Handle read-only file systems gracefully
+ import errno
if e.errno != errno.EROFS:
raise e
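Review bot: The added `import errno` sits inside the `except OSError` handler, and an import in a function body makes `errno` a local name for the whole function. Any other use of `errno` in `sstate_package` that runs before this handler would then raise UnboundLocalError; the function body starts outside the hunk, so this cannot be checked from here. Placing `import errno` at the top of the function body avoids that and makes the dependency visible. The same applies to the identical addition in the `sstate_eventhandler` hunk further down.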
@@ -1014,6 +1015,7 @@ def sstate_checkhashes(sq_data, d, siginfo=False, currentcount=0, summary=True,
bb.parse.siggen.checkhashes(sq_data, missed, found, d)
return found
+setscene_depvalid[vardepsexclude] = "SSTATE_EXCLUDEDEPS_SYSROOT"
BB_SETSCENE_DEPVALID = "setscene_depvalid"
@@ -1147,6 +1149,7 @@ python sstate_eventhandler() {
pass
except OSError as e:
# Handle read-only file systems gracefully
+ import errno
if e.errno != errno.EROFS:
raise e
diff --git a/poky/meta/conf/bitbake.conf b/poky/meta/conf/bitbake.conf
index 76942d923b..0141919021 100644
--- a/poky/meta/conf/bitbake.conf
+++ b/poky/meta/conf/bitbake.conf
@@ -639,7 +639,7 @@ APACHE_MIRROR = "https://archive.apache.org/dist"
DEBIAN_MIRROR = "http://ftp.debian.org/debian/pool"
GENTOO_MIRROR = "http://distfiles.gentoo.org/distfiles"
GNOME_GIT = "git://gitlab.gnome.org/GNOME"
-GNOME_MIRROR = "https://ftp.gnome.org/pub/GNOME/sources"
+GNOME_MIRROR = "https://download.gnome.org/sources/"
GNU_MIRROR = "https://ftp.gnu.org/gnu"
GNUPG_MIRROR = "https://www.gnupg.org/ftp/gcrypt"
GPE_MIRROR = "http://gpe.linuxtogo.org/download/source"
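Review bot: The new `GNOME_MIRROR` value ends in a trailing slash, unlike every other mirror variable in this block. If recipes append a path as `${GNOME_MIRROR}/...`, which is not visible here, the expanded URL contains `//`; servers usually tolerate that, but it can defeat exact-match mirror or premirror rules. Dropping the slash keeps it consistent: `GNOME_MIRROR = "https://download.gnome.org/sources"`.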
diff --git a/poky/meta/files/toolchain-shar-relocate.sh b/poky/meta/files/toolchain-shar-relocate.sh
index 5433741296..ba873373e2 100644
--- a/poky/meta/files/toolchain-shar-relocate.sh
+++ b/poky/meta/files/toolchain-shar-relocate.sh
@@ -72,7 +72,7 @@ fi
# change all symlinks pointing to @SDKPATH@
for l in $($SUDO_EXEC find $native_sysroot -type l); do
- $SUDO_EXEC ln -sfn $(readlink $l|$SUDO_EXEC sed -e "s:$DEFAULT_INSTALL_DIR:$target_sdk_dir:") $l
+ $SUDO_EXEC ln -sfn $(readlink $l|$SUDO_EXEC sed -e "s:$SDK_BUILD_PATH:$target_sdk_dir:") $l
if [ $? -ne 0 ]; then
echo "Failed to setup symlinks. Relocate script failed. Abort!"
exit 1
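Review bot: The `$?` test after the changed `ln -sfn` line only sees the exit status of `ln`, not of the `readlink | sed` pipeline inside the command substitution. If `$SDK_BUILD_PATH` is empty or contains a `:` (it is set outside this hunk), `sed` fails, the substitution expands to nothing, and `ln` is invoked with one fewer argument instead of reporting an error. Quoting the expansions makes the existing check effective and also handles paths with whitespace: `$SUDO_EXEC ln -sfn "$(readlink "$l" | $SUDO_EXEC sed -e "s:$SDK_BUILD_PATH:$target_sdk_dir:")" "$l"`. The comment above the loop still refers to `@SDKPATH@` and could name the variable now used.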
diff --git a/poky/meta/lib/oeqa/manual/toaster-managed-mode.json b/poky/meta/lib/oeqa/manual/toaster-managed-mode.json
index 12374c7c64..9566d9d10e 100644
--- a/poky/meta/lib/oeqa/manual/toaster-managed-mode.json
+++ b/poky/meta/lib/oeqa/manual/toaster-managed-mode.json
@@ -136,7 +136,7 @@
"expected_results": ""
},
"3": {
- "action": "Check that default values are as follows: \n\tDISTRO - poky \n\tIMAGE_FSTYPES - ext3 jffs2 tar.bz2 \n\tIMAGE_INSTALL_append - \"Not set\" \n\tPACKAGE_CLASES - package_rpm \n SSTATE_DIR - /homeDirectory/poky/sstate-cache \n\n",
+ "action": "Check that default values are as follows: \n\tDISTRO - poky \n\tIMAGE_FSTYPES - ext3 jffs2 tar.bz2 \n\tIMAGE_INSTALL_append - \"Not set\" \n\tPACKAGE_CLASSES - package_rpm \n SSTATE_DIR - /homeDirectory/poky/sstate-cache \n\n",
"expected_results": ""
},
"4": {
diff --git a/poky/meta/lib/oeqa/runtime/cases/date.py b/poky/meta/lib/oeqa/runtime/cases/date.py
index fdd2a6ae58..bd6537400e 100644
--- a/poky/meta/lib/oeqa/runtime/cases/date.py
+++ b/poky/meta/lib/oeqa/runtime/cases/date.py
@@ -13,12 +13,12 @@ class DateTest(OERuntimeTestCase):
def setUp(self):
if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
self.logger.debug('Stopping systemd-timesyncd daemon')
- self.target.run('systemctl disable --now systemd-timesyncd')
+ self.target.run('systemctl disable --now --runtime systemd-timesyncd')
def tearDown(self):
if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
self.logger.debug('Starting systemd-timesyncd daemon')
- self.target.run('systemctl enable --now systemd-timesyncd')
+ self.target.run('systemctl enable --now --runtime systemd-timesyncd')
@OETestDepends(['ssh.SSHTest.test_ssh'])
@OEHasPackage(['coreutils', 'busybox'])
@@ -28,14 +28,13 @@ class DateTest(OERuntimeTestCase):
self.assertEqual(status, 0, msg=msg)
oldDate = output
- sampleDate = '"2016-08-09 10:00:00"'
- (status, output) = self.target.run("date -s %s" % sampleDate)
+ sampleTimestamp = 1488800000
+ (status, output) = self.target.run("date -s @%d" % sampleTimestamp)
self.assertEqual(status, 0, msg='Date set failed, output: %s' % output)
- (status, output) = self.target.run("date -R")
- p = re.match('Tue, 09 Aug 2016 10:00:.. \+0000', output)
+ (status, output) = self.target.run('date +"%s"')
msg = 'The date was not set correctly, output: %s' % output
- self.assertTrue(p, msg=msg)
+ self.assertTrue(int(output) - sampleTimestamp < 300, msg=msg)
(status, output) = self.target.run('date -s "%s"' % oldDate)
msg = 'Failed to reset date, output: %s' % output
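Review bot: The new assertion `int(output) - sampleTimestamp < 300` has no lower bound, so any clock value earlier than the sample timestamp (for example a target still at the epoch) gives a negative difference and passes. Bound it on both sides: `self.assertTrue(0 <= int(output) - sampleTimestamp < 300, msg=msg)`. The status of `date +"%s"` is also not checked before `int(output)`, so a failed command surfaces as a ValueError rather than the intended message; `self.assertEqual(status, 0, msg=msg)` before the conversion would fix that. With the `re.match` call removed, the module's `import re` may now be unused; the import is outside the hunk.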
diff --git a/poky/meta/lib/oeqa/runtime/cases/ethernet_ip_connman.py b/poky/meta/lib/oeqa/runtime/cases/ethernet_ip_connman.py
new file mode 100644
index 0000000000..e010612838
--- /dev/null
+++ b/poky/meta/lib/oeqa/runtime/cases/ethernet_ip_connman.py
@@ -0,0 +1,36 @@
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.core.decorator.data import skipIfQemu
+
+class Ethernet_Test(OERuntimeTestCase):
+
+ def set_ip(self, x):
+ x = x.split(".")
+ sample_host_address = '150'
+ x[3] = sample_host_address
+ x = '.'.join(x)
+ return x
+
+ @skipIfQemu('qemuall', 'Test only runs on real hardware')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_set_virtual_ip(self):
+ (status, output) = self.target.run("ifconfig eth0 | grep 'inet ' | awk '{print $2}'")
+ self.assertEqual(status, 0, msg='Failed to get ip address. Make sure you have an ethernet connection on your device, output: %s' % output)
+ original_ip = output
+ virtual_ip = self.set_ip(original_ip)
+
+ (status, output) = self.target.run("ifconfig eth0:1 %s netmask 255.255.255.0 && sleep 2 && ping -c 5 %s && ifconfig eth0:1 down" % (virtual_ip,virtual_ip))
+ self.assertEqual(status, 0, msg='Failed to create virtual ip address, output: %s' % output)
+
+ @OETestDepends(['ethernet_ip_connman.Ethernet_Test.test_set_virtual_ip'])
+ def test_get_ip_from_dhcp(self):
+ (status, output) = self.target.run("connmanctl services | grep -E '*AO Wired|*AR Wired' | awk '{print $3}'")
+ self.assertEqual(status, 0, msg='No wired interfaces are detected, output: %s' % output)
+ wired_interfaces = output
+
+ (status, output) = self.target.run("ip route | grep default | awk '{print $3}'")
+ self.assertEqual(status, 0, msg='Failed to retrieve the default gateway, output: %s' % output)
+ default_gateway = output
+
+ (status, output) = self.target.run("connmanctl config %s --ipv4 dhcp && sleep 2 && ping -c 5 %s" % (wired_interfaces,default_gateway))
+ self.assertEqual(status, 0, msg='Failed to get dynamic IP address via DHCP in connmand, output: %s' % output)
\ No newline at end of file
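Review bot: The `assertEqual(status, 0, …)` checks in both tests follow shell pipelines ending in `awk`, so `status` is awk's exit code and is 0 even when `ifconfig`, `grep` or `connmanctl` produced nothing. With empty output, `set_ip` fails with an IndexError on `x[3]`, and `test_get_ip_from_dhcp` formats empty or multi-line strings into the `connmanctl config … && ping …` command. Assert on the captured value before using it, e.g. `self.assertTrue(output.strip(), msg='No IPv4 address found on eth0')`, and do the same for `wired_interfaces` and `default_gateway`. The fixed host part `'150'` in `set_ip` can collide with another host on the test network or with the device's own address, so it is worth a comment or a configurable value. The file also ends without a trailing newline.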
diff --git a/poky/meta/lib/oeqa/runtime/cases/rtc.py b/poky/meta/lib/oeqa/runtime/cases/rtc.py
new file mode 100644
index 0000000000..c4e6681324
--- /dev/null
+++ b/poky/meta/lib/oeqa/runtime/cases/rtc.py
@@ -0,0 +1,38 @@
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+import re
+
+class RTCTest(OERuntimeTestCase):
+
+ def setUp(self):
+ if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
+ self.logger.debug('Stopping systemd-timesyncd daemon')
+ self.target.run('systemctl disable --now --runtime systemd-timesyncd')
+
+ def tearDown(self):
+ if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
+ self.logger.debug('Starting systemd-timesyncd daemon')
+ self.target.run('systemctl enable --now --runtime systemd-timesyncd')
+
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ @OEHasPackage(['coreutils', 'busybox'])
+ def test_rtc(self):
+ (status, output) = self.target.run('hwclock -r')
+ self.assertEqual(status, 0, msg='Failed to get RTC time, output: %s' % output)
+
+ (status, current_datetime) = self.target.run('date +"%m%d%H%M%Y"')
+ self.assertEqual(status, 0, msg='Failed to get system current date & time, output: %s' % current_datetime)
+
+ example_datetime = '062309452008'
+ (status, output) = self.target.run('date %s ; hwclock -w ; hwclock -r' % example_datetime)
+ check_hwclock = re.search('2008-06-23 09:45:..', output)
+ self.assertTrue(check_hwclock, msg='The RTC time was not set correctly, output: %s' % output)
+
+ (status, output) = self.target.run('date %s' % current_datetime)
+ self.assertEqual(status, 0, msg='Failed to reset system date & time, output: %s' % output)
+
+ (status, output) = self.target.run('hwclock -w')
+ self.assertEqual(status, 0, msg='Failed to reset RTC time, output: %s' % output)
+
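Review bot: If the `assertTrue(check_hwclock, …)` in `test_rtc` fails, the two restore steps after it never run, leaving the target's system clock and RTC at the 2008 example date. Later tests on the same target would then see a wrong clock, which affects anything time-dependent such as certificate validity checks. Register the restore right after `current_datetime` is captured, e.g. `self.addCleanup(self.target.run, 'date %s ; hwclock -w' % current_datetime)`, assuming OERuntimeTestCase derives from unittest.TestCase. The `date %s ; hwclock -w ; hwclock -r` command is joined with `;` and its status is not asserted, so a failure in `date` or `hwclock -w` only shows up indirectly through the regex. The `setUp`/`tearDown` pair duplicates the one in date.py and could be shared.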
diff --git a/poky/meta/lib/oeqa/runtime/cases/suspend.py b/poky/meta/lib/oeqa/runtime/cases/suspend.py
new file mode 100644
index 0000000000..67b6f7e56f
--- /dev/null
+++ b/poky/meta/lib/oeqa/runtime/cases/suspend.py
@@ -0,0 +1,33 @@
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.core.decorator.data import skipIfQemu
+import threading
+import time
+
+class Suspend_Test(OERuntimeTestCase):
+
+ def test_date(self):
+ (status, output) = self.target.run('date')
+ self.assertEqual(status, 0, msg = 'Failed to run date command, output : %s' % output)
+
+ def test_ping(self):
+ t_thread = threading.Thread(target=self.target.run, args=("ping 8.8.8.8",))
+ t_thread.start()
+ time.sleep(2)
+
+ status, output = self.target.run('pidof ping')
+ self.target.run('kill -9 %s' % output)
+ self.assertEqual(status, 0, msg = 'Not able to find process that runs ping, output : %s' % output)
+
+ def set_suspend(self):
+ (status, output) = self.target.run('sudo rtcwake -m mem -s 10')
+ self.assertEqual(status, 0, msg = 'Failed to suspends your system to RAM, output : %s' % output)
+
+ @skipIfQemu('qemuall', 'Test only runs on real hardware')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_suspend(self):
+ self.test_date()
+ self.test_ping()
+ self.set_suspend()
+ self.test_date()
+ self.test_ping()
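Review bot: `test_date` and `test_ping` are written as helpers for `test_suspend`, but their `test_` prefix means the unittest loader will presumably also collect them as standalone tests. As standalone tests they have neither the `skipIfQemu` nor the `OETestDepends` decorator, so they would run on QEMU and without the ssh dependency. Renaming them (`def check_date(self):`, `def check_ping(self):`) and updating the four calls in `test_suspend` keeps them private. In `test_ping`, `kill -9 %s` runs before the `pidof` status is asserted, so a failed lookup issues `kill -9` with an empty argument. The ping thread is never joined, and the hard-coded `8.8.8.8` makes the test depend on external connectivity from the lab network.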
diff --git a/poky/meta/lib/oeqa/runtime/cases/terminal.py b/poky/meta/lib/oeqa/runtime/cases/terminal.py
new file mode 100644
index 0000000000..8fcca99f47
--- /dev/null
+++ b/poky/meta/lib/oeqa/runtime/cases/terminal.py
@@ -0,0 +1,21 @@
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+import threading
+import time
+
+class TerminalTest(OERuntimeTestCase):
+
+ @OEHasPackage(['matchbox-terminal'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_terminal_running(self):
+ t_thread = threading.Thread(target=self.target.run, args=("export DISPLAY=:0 && matchbox-terminal -e 'sh -c \"uname -a && exec sh\"'",))
+ t_thread.start()
+ time.sleep(2)
+
+ status, output = self.target.run('pidof matchbox-terminal')
+ number_of_terminal = len(output.split())
+ self.assertEqual(number_of_terminal, 1, msg='There should be only one terminal being launched. Number of terminal launched : %s' % number_of_terminal)
+ self.target.run('kill -9 %s' % output)
+ self.assertEqual(status, 0, msg='Not able to find process that runs terminal.')
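Review bot: The `kill -9` in `test_terminal_running` is reached only after `assertEqual(number_of_terminal, 1, …)` passes. In the failure case that assertion describes, more than one terminal, every matchbox-terminal process is therefore left running on the target. Move `self.target.run('kill -9 %s' % output)` ahead of both assertions, guarded by `if output.strip():`, so cleanup does not depend on the outcome. The final `assertEqual(status, 0, …)` is effectively unreachable on failure, since a failed `pidof` yields zero PIDs and the count assertion fires first; checking `status` first would give the clearer message. The launcher thread is also never joined.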
diff --git a/poky/meta/lib/oeqa/runtime/cases/usb_hid.py b/poky/meta/lib/oeqa/runtime/cases/usb_hid.py
new file mode 100644
index 0000000000..3c292cf661
--- /dev/null
+++ b/poky/meta/lib/oeqa/runtime/cases/usb_hid.py
@@ -0,0 +1,22 @@
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.core.decorator.data import skipIfQemu
+from oeqa.runtime.decorator.package import OEHasPackage
+
+class USB_HID_Test(OERuntimeTestCase):
+
+ def keyboard_mouse_simulation(self):
+ (status, output) = self.target.run('export DISPLAY=:0 && xdotool key F2 && xdotool mousemove 100 100')
+ return self.assertEqual(status, 0, msg = 'Failed to simulate keyboard/mouse input event, output : %s' % output)
+
+ def set_suspend(self):
+ (status, output) = self.target.run('sudo rtcwake -m mem -s 10')
+ return self.assertEqual(status, 0, msg = 'Failed to suspends your system to RAM, output : %s' % output)
+
+ @OEHasPackage(['xdotool'])
+ @skipIfQemu('qemuall', 'Test only runs on real hardware')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_USB_Hid_input(self):
+ self.keyboard_mouse_simulation()
+ self.set_suspend()
+ self.keyboard_mouse_simulation()
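Review bot: `@OEHasPackage(['xdotool'])` covers only one of the tools this test runs, because `set_suspend` also calls `sudo rtcwake`. On an image without `sudo` the test fails instead of being skipped; either add the packages providing them to the decorator or drop `sudo`, if the runtime target already logs in as root (not visible here). `set_suspend` is a copy of the method in suspend.py and would be better shared. Both helpers do `return self.assertEqual(...)`, which always returns None, so the `return` can go. A short docstring should say that xdotool injects synthetic X events and that the test only checks the command's exit status, not that a USB HID device delivered input.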
diff --git a/poky/meta/lib/oeqa/selftest/cases/glibc.py b/poky/meta/lib/oeqa/selftest/cases/glibc.py
index c687f6ef93..cf8c92887b 100644
--- a/poky/meta/lib/oeqa/selftest/cases/glibc.py
+++ b/poky/meta/lib/oeqa/selftest/cases/glibc.py
@@ -33,7 +33,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
ptestsuite = "glibc-user" if ssh is None else "glibc"
self.ptest_section(ptestsuite)
- with open(os.path.join(builddir, "tests.sum"), "r") as f:
+ with open(os.path.join(builddir, "tests.sum"), "r", errors='replace') as f:
for test, result in parse_values(f):
self.ptest_result(ptestsuite, test, result)
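Review bot: The changed `open(...)` adds `errors='replace'` but still relies on the locale's default encoding, so the same `tests.sum` can decode differently, with different replacement characters, from one build host to another. Pinning the codec makes the result reproducible: `with open(os.path.join(builddir, "tests.sum"), "r", encoding="utf-8", errors="replace") as f:`. A short comment saying that the test log may contain non-UTF-8 bytes would explain why replacement is wanted. The enclosing method starts outside the hunk.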
diff --git a/poky/meta/recipes-connectivity/avahi/avahi.inc b/poky/meta/recipes-connectivity/avahi/avahi.inc
index 6acedb5412..25bb41b738 100644
--- a/poky/meta/recipes-connectivity/avahi/avahi.inc
+++ b/poky/meta/recipes-connectivity/avahi/avahi.inc
@@ -21,6 +21,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
file://fix-CVE-2017-6519.patch \
+ file://CVE-2021-3468.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/poky/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch b/poky/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch
new file mode 100644
index 0000000000..638a1f6071
--- /dev/null
+++ b/poky/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch
@@ -0,0 +1,42 @@
+From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <sirmy15@gmail.com>
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+
+Upstream-Status: Backport
+CVE: CVE-2021-3468
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb11..6c0274d6 100644
+--- a/avahi-daemon/simple-protocol.c
++++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+ }
+ }
+
++ if (events & AVAHI_WATCH_HUP) {
++ client_free(c);
++ return;
++ }
++
+ c->server->poll_api->watch_update(
+ watch,
+ (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
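Review bot: The patch header gives `Upstream-Status: Backport` without a reference, unlike the other CVE backports in this update, which link the upstream commit. Adding it lets a reviewer confirm the backport matches upstream, e.g. `Upstream-Status: Backport [<URL of upstream commit 447affe29991ee99c6b9732fc5f2c1048a611d3b>]`. The HUP check is added after the read/write handling in `client_work`, whose earlier part is outside this hunk, so whether those branches can already have freed `c` before it is reached cannot be confirmed from here.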
diff --git a/poky/meta/recipes-core/glibc/glibc_2.31.bb b/poky/meta/recipes-core/glibc/glibc_2.31.bb
index 23242fff76..8742efc36f 100644
--- a/poky/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/poky/meta/recipes-core/glibc/glibc_2.31.bb
@@ -18,6 +18,16 @@ CVE_CHECK_WHITELIST += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
CVE_CHECK_WHITELIST += "CVE-2019-1010025"
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35942
+# The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash
+# or read arbitrary memory in parse_param (in posix/wordexp.c) when called with
+# an untrusted, crafted pattern, potentially resulting in a denial of service
+# or disclosure of information. Patch was backported to 2.31 branch already:
+# https://sourceware.org/git/?p=glibc.git;a=commit;h=4f0a61f75385c9a5879cbe7202042e88f692a3c8
+# which is already included in the dunfell branch of poky:
+# https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=dunfell&id=e1e89ff7d75c3d2223f9e3bd875b9b0c5e15836b
+CVE_CHECK_WHITELIST += "CVE-2021-35942"
+
DEPENDS += "gperf-native bison-native make-native"
NATIVESDKFIXES ?= ""
diff --git a/poky/meta/recipes-core/ifupdown/files/0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch b/poky/meta/recipes-core/ifupdown/files/0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch
new file mode 100644
index 0000000000..e374d8ca59
--- /dev/null
+++ b/poky/meta/recipes-core/ifupdown/files/0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch
@@ -0,0 +1,65 @@
+From e2263b58d7733835355d7b46c3caa96d911a4717 Mon Sep 17 00:00:00 2001
+From: Simon Schwarz <simon.schwarz@infoteam.de>
+Date: Fri, 6 Nov 2020 08:53:20 +0100
+Subject: [PATCH] inet6.defn: Added -1 option to dhclient on upping an
+ interface
+
+This prevents hangs on startup when no server is available and dhcpv6 is used
+
+Upstream-Status: Pending
+
+Signed-off-by: Simon Schwarz <simon.schwarz@infoteam.de>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ inet6.defn | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/inet6.defn b/inet6.defn
+index 73dce24..25022e3 100644
+--- a/inet6.defn
++++ b/inet6.defn
+@@ -29,9 +29,9 @@ method auto
+ if (var_set("accept_ra", ifd) && !var_true("accept_ra", ifd))
+ /sbin/ip link set dev %iface% up
+ /lib/ifupdown/wait-for-ll6.sh if (var_true("dhcp", ifd) && execable("/lib/ifupdown/wait-for-ll6.sh"))
+- /sbin/dhclient -6 -v -P -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -v -P -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ if (var_true("dhcp", ifd) && execable("/sbin/dhclient") && var_true("request_prefix", ifd))
+- /sbin/dhclient -6 -v -S -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -v -S -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ elsif (var_true("dhcp", ifd) && execable("/sbin/dhclient"))
+ echo 'No DHCPv6 client software found!' >&2; false \
+ elsif (var_true("dhcp", ifd))
+@@ -154,9 +154,9 @@ method dhcp
+ if (var_set("accept_ra", ifd) && !var_true("accept_ra", ifd))
+ /sbin/ip link set dev %iface% [[address %hwaddress%]] up
+ /lib/ifupdown/wait-for-ll6.sh if (execable("/lib/ifupdown/wait-for-ll6.sh"))
+- /sbin/dhclient -6 -v -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -P -N -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -v -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -P -N -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ if (execable("/sbin/dhclient") && var_true("request_prefix", ifd))
+- /sbin/dhclient -6 -v -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -v -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ elsif (execable("/sbin/dhclient"))
+ echo 'No DHCPv6 client software found!' >&2; false \
+ elsif (1)
+@@ -325,7 +325,7 @@ method dhcp
+
+ up
+ /sbin/ifconfig %iface% [[link %hwaddress%]] up
+- /sbin/dhclient -6 -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ if (execable("/sbin/dhclient"))
+ echo 'No DHCPv6 client software found!' >&2; false \
+ elsif (1)
+@@ -397,7 +397,7 @@ method dhcp
+ up
+ [[Warning: Option hwaddress: %hwaddress% not yet supported]]
+ inetutils-ifconfig --interface %iface% --up
+- /sbin/dhclient -6 -pf /run/dhclient6.%iface///.%.pid -lf /var/lib/dhcp/dhclient6.%iface///.%.leases -I -df /var/lib/dhcp/dhclient.%iface///.%.leases %iface% \
++ /sbin/dhclient -6 -1 -pf /run/dhclient6.%iface///.%.pid -lf /var/lib/dhcp/dhclient6.%iface///.%.leases -I -df /var/lib/dhcp/dhclient.%iface///.%.leases %iface% \
+ if (execable("/sbin/dhclient"))
+ echo 'No DHCPv6 client software found!' >&2; false \
+ elsif (1)
+--
+2.17.1
+
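Review bot: The patch description only says that `-1` prevents hangs at startup and does not record the behavioural trade-off. With `-1`, dhclient makes a single attempt and exits on failure, so an interface brought up before a DHCPv6 server is reachable stays without a lease until `ifup` is run again. That belongs in the commit message, since images relying on late-arriving DHCPv6 will behave differently. The status is `Upstream-Status: Pending`, so a link to the upstream submission would help track when the local patch can be dropped.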
diff --git a/poky/meta/recipes-core/ifupdown/ifupdown_0.8.35.bb b/poky/meta/recipes-core/ifupdown/ifupdown_0.8.35.bb
index ae175848b7..16807eb675 100644
--- a/poky/meta/recipes-core/ifupdown/ifupdown_0.8.35.bb
+++ b/poky/meta/recipes-core/ifupdown/ifupdown_0.8.35.bb
@@ -12,6 +12,7 @@ SRC_URI = "git://salsa.debian.org/debian/ifupdown.git;protocol=https \
file://99_network \
file://0001-Define-FNM_EXTMATCH-for-musl.patch \
file://0001-Makefile-do-not-use-dpkg-for-determining-OS-type.patch \
+ file://0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch \
file://run-ptest \
${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'file://tweak-ptest-script.patch', '', d)} \
"
diff --git a/poky/meta/recipes-core/initrdscripts/initramfs-framework/setup-live b/poky/meta/recipes-core/initrdscripts/initramfs-framework/setup-live
index 4c79f41285..7e92f93322 100644
--- a/poky/meta/recipes-core/initrdscripts/initramfs-framework/setup-live
+++ b/poky/meta/recipes-core/initrdscripts/initramfs-framework/setup-live
@@ -1,4 +1,4 @@
-#/bin/sh
+#!/bin/sh
# Copyright (C) 2011 O.S. Systems Software LTDA.
# Licensed on MIT
diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
new file mode 100644
index 0000000000..1f392b4cd7
--- /dev/null
+++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
@@ -0,0 +1,73 @@
+From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: [PATCH] Patch for security issue CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e]
+CVE: CVE-2021-3541
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index f5e5e169..c9312fa4 100644
+--- a/parser.c
++++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ xmlEntityPtr ent, size_t replacement)
+ {
+ size_t consumed = 0;
++ int i;
+
+ if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+ return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ rep = NULL;
+ }
+ }
++
++ /*
++ * Prevent entity exponential check, not just replacement while
++ * parsing the DTD
++ * The check is potentially costly so do that only once in a thousand
++ */
++ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++ (ctxt->nbentities % 1024 == 0)) {
++ for (i = 0;i < ctxt->inputNr;i++) {
++ consumed += ctxt->inputTab[i]->consumed +
++ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++ }
++ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ ctxt->instate = XML_PARSER_EOF;
++ return (1);
++ }
++ consumed = 0;
++ }
++
++
++
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ xmlChar start[4];
+ xmlCharEncoding enc;
+
++ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++ return;
++
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+--
+GitLab
+
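Review bot: The new DTD-time check in `xmlParserEntityCheck` runs only when `ctxt->nbentities % 1024 == 0`. If `nbentities` can advance by more than one between calls (its update sites are outside this patch), the counter can step over multiples of 1024 and the check is sampled less often than the "once in a thousand" comment suggests. As a backport the code should stay identical to upstream commit 8598060bacada41a0eb09d95c97744ff4e428f8e, so this is a point for the recipe rather than the patch. It would be worth confirming the mitigation with the recipe's ptest run, or noting the limitation in the patch header.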
diff --git a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb
index b5fb3e6315..60dc71f38d 100644
--- a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
file://CVE-2021-3517.patch \
file://CVE-2021-3537.patch \
file://CVE-2021-3518.patch \
+ file://CVE-2021-3541.patch \
"
SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
diff --git a/poky/meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch b/poky/meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch
new file mode 100644
index 0000000000..d658123b81
--- /dev/null
+++ b/poky/meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch
@@ -0,0 +1,51 @@
+From 498627ebda6271b59920f43a0b9b6187edeb7b09 Mon Sep 17 00:00:00 2001
+From: Adrian Herrera <adr.her.arc.95@gmail.com>
+Date: Mon, 22 Mar 2021 21:06:47 +0000
+Subject: [PATCH] Fix VLA parameter warning
+
+Make VLA buffer types consistent in declarations and definitions.
+Resolves build crash when using -Werror due to "vla-parameter" warning.
+
+Upstream-Status: Submitted [https://github.com/google/brotli/pull/893]
+Signed-off-by: Adrian Herrera <adr.her.arc.95@gmail.com>
+---
+ c/dec/decode.c | 6 ++++--
+ c/enc/encode.c | 5 +++--
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
+index 114c505..bb6f1ab 100644
+--- a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
++++ b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
+@@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands(
+ }
+
+ BrotliDecoderResult BrotliDecoderDecompress(
+- size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size,
+- uint8_t* decoded_buffer) {
++ size_t encoded_size,
++ const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)],
++ size_t* decoded_size,
++ uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) {
+ BrotliDecoderState s;
+ BrotliDecoderResult result;
+ size_t total_out = 0;
+diff --git a/c/enc/encode.c b/c/enc/encode.c
+index 68548ef..ab0a490 100644
+--- a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c
++++ c/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c
+@@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream(
+
+ BROTLI_BOOL BrotliEncoderCompress(
+ int quality, int lgwin, BrotliEncoderMode mode, size_t input_size,
+- const uint8_t* input_buffer, size_t* encoded_size,
+- uint8_t* encoded_buffer) {
++ const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)],
++ size_t* encoded_size,
++ uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) {
+ BrotliEncoderState* s;
+ size_t out_size = *encoded_size;
+ const uint8_t* input_start = input_buffer;
+--
+2.31.1
+
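Review bot: The second file section of this patch has inconsistent, hand-edited headers. Its `diff --git` line names `a/c/enc/encode.c`, the `---` line uses `a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c`, and the `+++` line starts with `c/BaseTools/…` instead of `b/BaseTools/…`. It only applies because stripping one path component happens to remove the stray `c/`, and a stricter patch tool or a different strip level would reject it or target the wrong path. Regenerating the patch against the edk2 tree with `git format-patch` would give matching `a/` and `b/` prefixes and a diffstat listing the real paths. The `Upstream-Status` link points at the brotli project, so it is worth noting in the header that the patch is applied to edk2's bundled copy.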
diff --git a/poky/meta/recipes-core/ovmf/ovmf_git.bb b/poky/meta/recipes-core/ovmf/ovmf_git.bb
index 088e348bdc..b00119313b 100644
--- a/poky/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/poky/meta/recipes-core/ovmf/ovmf_git.bb
@@ -17,7 +17,8 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
file://0003-ovmf-enable-long-path-file.patch \
file://0004-ovmf-Update-to-latest.patch \
- "
+ file://0001-Fix-VLA-parameter-warning.patch \
+ "
PV = "edk2-stable202008"
SRCREV = "06dc822d045c2bb42e497487935485302486e151"
@@ -37,7 +38,7 @@ EDK_TOOLS_DIR="edk2_basetools"
BUILD_OPTIMIZATION="-pipe"
# OVMF supports IA only, although it could conceivably support ARM someday.
-COMPATIBLE_HOST='(i.86|x86_64).*'
+COMPATIBLE_HOST_class-target='(i.86|x86_64).*'
# Additional build flags for OVMF with Secure Boot.
# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD".
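Review bot: The comment above the changed line still reads "OVMF supports IA only", but `COMPATIBLE_HOST_class-target` now restricts only the target class. It should explain why native and nativesdk builds are exempt, presumably so the ovmf build tools can be built on non-x86 hosts. Suggested wording: `# The firmware is IA-only; restrict class-target only so the native tools build on any host.`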
diff --git a/poky/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch b/poky/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
new file mode 100644
index 0000000000..6b499efbd8
--- /dev/null
+++ b/poky/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
@@ -0,0 +1,42 @@
+From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:22:07 +0900
+Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
+
+This makes DHCP client ignore FORCERENEW requests, as unauthenticated
+FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
+
+Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
+and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
+
+Fixes #16774.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
+CVE: CVE-2020-13529
+
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1392,9 +1392,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force,
+ if (r != DHCP_FORCERENEW)
+ return -ENOMSG;
+
++#if 0
+ log_dhcp_client(client, "FORCERENEW");
+
+ return 0;
++#else
++ /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
++ * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
++ * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
++ log_dhcp_client(client, "Received FORCERENEW, ignoring.");
++ return -ENOMSG;
++#endif
+ }
+
+ static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {
diff --git a/poky/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch b/poky/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
new file mode 100644
index 0000000000..e92d721d3d
--- /dev/null
+++ b/poky/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
@@ -0,0 +1,67 @@
+Backport of:
+
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
+CVE: CVE-2021-33910
+
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -369,12 +369,13 @@ int unit_name_unescape(const char *f, char **ret) {
+ }
+
+ int unit_name_path_escape(const char *f, char **ret) {
+- char *p, *s;
++ _cleanup_free_ char *p = NULL;
++ char *s;
+
+ assert(f);
+ assert(ret);
+
+- p = strdupa(f);
++ p = strdup(f);
+ if (!p)
+ return -ENOMEM;
+
+@@ -386,13 +387,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+ if (!path_is_normalized(p))
+ return -EINVAL;
+
+- /* Truncate trailing slashes */
++ /* Truncate trailing slashes and skip leading slashes */
+ delete_trailing_chars(p, "/");
+-
+- /* Truncate leading slashes */
+- p = skip_leading_chars(p, "/");
+-
+- s = unit_name_escape(p);
++ s = unit_name_escape(skip_leading_chars(p, "/"));
+ }
+ if (!s)
+ return -ENOMEM;
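Review bot: The carried patch is labelled `[PATCH 1/2]` and its Upstream-Status points at a single commit of pull request 20256, but the header does not say what became of 2/2. If the second commit is not needed for CVE-2021-33910, a header line such as `Note: patch 2/2 of the upstream series is not required for the fix and is not backported` would save the next maintainer from checking. In the second inner hunk, `p` is no longer reassigned, which is what lets `_cleanup_free_` release the pointer that strdup() returned. A reader should keep that in mind before restoring `p = skip_leading_chars(p, "/")` during a later rebase. The body of unit_name_path_escape() extends beyond the lines quoted in the patch.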
diff --git a/poky/meta/recipes-core/systemd/systemd_244.5.bb b/poky/meta/recipes-core/systemd/systemd_244.5.bb
index 8c95648ca0..7a7eddcd45 100644
--- a/poky/meta/recipes-core/systemd/systemd_244.5.bb
+++ b/poky/meta/recipes-core/systemd/systemd_244.5.bb
@@ -20,6 +20,8 @@ SRC_URI += "file://touchscreen.rules \
file://99-default.preset \
file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
file://0003-implment-systemd-sysv-install-for-OE.patch \
+ file://CVE-2021-33910.patch \
+ file://CVE-2020-13529.patch \
"
# patches needed by musl
diff --git a/poky/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch b/poky/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
new file mode 100644
index 0000000000..2b306c435b
--- /dev/null
+++ b/poky/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
@@ -0,0 +1,33 @@
+From 1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 27 Jul 2021 11:58:31 +0200
+Subject: [PATCH] sys-utils/ipcutils: be careful when call calloc() for uint64
+ nmembs
+
+Fix: https://github.com/karelzak/util-linux/issues/1395
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+CVE: CVE-2021-37600
+Upstream-Status: Backport [1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c]
+
+Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
+---
+ sys-utils/ipcutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sys-utils/ipcutils.c b/sys-utils/ipcutils.c
+index e784c4dcb..18868cfd3 100644
+--- a/sys-utils/ipcutils.c
++++ b/sys-utils/ipcutils.c
+@@ -218,7 +218,7 @@ static void get_sem_elements(struct sem_data *p)
+ {
+ size_t i;
+
+- if (!p || !p->sem_nsems || p->sem_perm.id < 0)
++ if (!p || !p->sem_nsems || p->sem_nsems > SIZE_MAX || p->sem_perm.id < 0)
+ return;
+
+ p->elements = xcalloc(p->sem_nsems, sizeof(struct sem_elem));
+--
+2.25.1
+
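Review bot: The added `p->sem_nsems > SIZE_MAX` test in get_sem_elements() only rejects counts that do not fit in size_t. Where size_t is 64 bits wide it can never be true for the uint64 count the patch subject refers to, and some compilers may report it as always false. On those targets the request passed to `xcalloc()` is still as large as the count says, and what happens on allocation failure depends on xcalloc(), which this hunk does not show. The patch header should say this, for example `Guards against uint64 -> size_t truncation on 32-bit targets; no effect where size_t is 64-bit`. The function body continues past the quoted lines.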
diff --git a/poky/meta/recipes-core/util-linux/util-linux_2.35.1.bb b/poky/meta/recipes-core/util-linux/util-linux_2.35.1.bb
index 516b783887..731f0618eb 100644
--- a/poky/meta/recipes-core/util-linux/util-linux_2.35.1.bb
+++ b/poky/meta/recipes-core/util-linux/util-linux_2.35.1.bb
@@ -11,6 +11,7 @@ SRC_URI += "file://configure-sbindir.patch \
file://0001-libfdisk-script-accept-sector-size-ignore-unknown-he.patch \
file://0001-kill-include-sys-types.h-before-checking-SYS_pidfd_s.patch \
file://0001-include-cleanup-pidfd-inckudes.patch \
+ file://CVE-2021-37600.patch \
"
SRC_URI[md5sum] = "7f64882f631225f0295ca05080cee1bf"
SRC_URI[sha256sum] = "d9de3edd287366cd908e77677514b9387b22bc7b88f45b83e1922c3597f1d7f9"
diff --git a/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch b/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch
new file mode 100644
index 0000000000..caeb560d32
--- /dev/null
+++ b/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch
@@ -0,0 +1,22 @@
+Ensure "small" file systems also have the default inode size (256 bytes) so that
+can store 64-bit timestamps and work past 2038.
+
+The "small" type is any size >3MB and <512MB, which covers a lot of relatively
+small filesystems built by OE, especially when they're sized to fit the contents
+and expand to the storage on boot.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+diff --git a/misc/mke2fs.conf.in b/misc/mke2fs.conf.in
+index 01e35cf8..29f41dc0 100644
+--- a/misc/mke2fs.conf.in
++++ b/misc/mke2fs.conf.in
+@@ -16,7 +16,6 @@
+ }
+ small = {
+ blocksize = 1024
+- inode_size = 128
+ inode_ratio = 4096
+ }
+ floppy = {
diff --git a/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb b/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb
index 439928e433..2eae9cd892 100644
--- a/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb
+++ b/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb
@@ -14,6 +14,7 @@ SRC_URI += "file://remove.ldconfig.call.patch \
SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \
file://quiet-debugfs.patch \
+ file://big-inodes-for-small-fs.patch \
"
SRCREV = "984ff8d6a0a1d5dc300505f67b38ed5047d51dac"
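Review bot: The new patch is appended under `SRC_URI_append_class-native` only, so the mke2fs.conf packaged for the target still sets `inode_size = 128` for the "small" type. Filesystems created on the device therefore keep the 2038 limit the patch describes. That matches the patch's stated aim (images built by OE), but the recipe does not say so; a comment such as `# native only: affects images created at build time, not mke2fs on the target` would record the intent. The patch header's `Upstream-Status: Inappropriate` would also normally give a reason in brackets.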
diff --git a/poky/meta/recipes-devtools/python/python3_3.8.10.bb b/poky/meta/recipes-devtools/python/python3_3.8.10.bb
deleted file mode 100644
index 7295c6320e..0000000000
--- a/poky/meta/recipes-devtools/python/python3_3.8.10.bb
+++ /dev/null
@@ -1,363 +0,0 @@
-SUMMARY = "The Python Programming Language"
-HOMEPAGE = "http://www.python.org"
-DESCRIPTION = "Python is a programming language that lets you work more quickly and integrate your systems more effectively."
-LICENSE = "PSF-2.0 & BSD-0-Clause"
-SECTION = "devel/python"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=c22d2438294c784731bf9dd224a467b7"
-
-SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
- file://run-ptest \
- file://create_manifest3.py \
- file://get_module_deps3.py \
- file://python3-manifest.json \
- file://check_build_completeness.py \
- file://cgi_py.patch \
- file://0001-Do-not-add-usr-lib-termcap-to-linker-flags-to-avoid-.patch \
- ${@bb.utils.contains('PACKAGECONFIG', 'tk', '', 'file://avoid_warning_about_tkinter.patch', d)} \
- file://0001-Do-not-use-the-shell-version-of-python-config-that-w.patch \
- file://python-config.patch \
- file://0001-Makefile.pre-use-qemu-wrapper-when-gathering-profile.patch \
- file://0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch \
- file://0001-python3-use-cc_basename-to-replace-CC-for-checking-c.patch \
- file://0001-Lib-sysconfig.py-fix-another-place-where-lib-is-hard.patch \
- file://0001-Makefile-fix-Issue36464-parallel-build-race-problem.patch \
- file://0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch \
- file://crosspythonpath.patch \
- file://reformat_sysconfig.py \
- file://0001-Use-FLAG_REF-always-for-interned-strings.patch \
- file://0001-test_locale.py-correct-the-test-output-format.patch \
- file://0017-setup.py-do-not-report-missing-dependencies-for-disa.patch \
- file://0001-setup.py-pass-missing-libraries-to-Extension-for-mul.patch \
- file://0001-Makefile-do-not-compile-.pyc-in-parallel.patch \
- file://0001-configure.ac-fix-LIBPL.patch \
- file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
- file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
- file://0001-test_ctypes.test_find-skip-without-tools-sdk.patch \
- "
-
-SRC_URI_append_class-native = " \
- file://0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch \
- file://12-distutils-prefix-is-inside-staging-area.patch \
- file://0001-Don-t-search-system-for-headers-libraries.patch \
- "
-
-SRC_URI[md5sum] = "d9eee4b20155553830a2025e4dcaa7b3"
-SRC_URI[sha256sum] = "6af24a66093dd840bcccf371d4044a3027e655cf24591ce26e48022bc79219d9"
-
-# exclude pre-releases for both python 2.x and 3.x
-UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
-
-CVE_PRODUCT = "python"
-
-# Upstream consider this expected behaviour
-CVE_CHECK_WHITELIST += "CVE-2007-4559"
-# This is not exploitable when glibc has CVE-2016-10739 fixed.
-CVE_CHECK_WHITELIST += "CVE-2019-18348"
-
-# This is windows only issue.
-CVE_CHECK_WHITELIST += "CVE-2020-15523"
-
-PYTHON_MAJMIN = "3.8"
-
-S = "${WORKDIR}/Python-${PV}"
-
-BBCLASSEXTEND = "native nativesdk"
-
-inherit autotools pkgconfig qemu ptest multilib_header update-alternatives
-
-MULTILIB_SUFFIX = "${@d.getVar('base_libdir',1).split('/')[-1]}"
-
-ALTERNATIVE_${PN}-dev = "python3-config"
-ALTERNATIVE_LINK_NAME[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config"
-ALTERNATIVE_TARGET[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}"
-
-
-DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2 autoconf-archive"
-DEPENDS_append_class-target = " python3-native"
-DEPENDS_append_class-nativesdk = " python3-native"
-
-EXTRA_OECONF = " --without-ensurepip --enable-shared"
-EXTRA_OECONF_append_class-native = " --bindir=${bindir}/${PN}"
-
-export CROSSPYTHONPATH="${STAGING_LIBDIR_NATIVE}/python${PYTHON_MAJMIN}/lib-dynload/"
-
-EXTRANATIVEPATH += "python3-native"
-
-CACHED_CONFIGUREVARS = " \
- ac_cv_file__dev_ptmx=yes \
- ac_cv_file__dev_ptc=no \
- ac_cv_working_tzset=yes \
-"
-python() {
- # PGO currently causes builds to not be reproducible, so disable it for
- # now. See YOCTO #13407
- if bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', True, False, d) and d.getVar('BUILD_REPRODUCIBLE_BINARIES') != '1':
- d.setVar('PACKAGECONFIG_PGO', 'pgo')
- else:
- d.setVar('PACKAGECONFIG_PGO', '')
-}
-
-PACKAGECONFIG_class-target ??= "readline ${PACKAGECONFIG_PGO} gdbm"
-PACKAGECONFIG_class-native ??= "readline gdbm"
-PACKAGECONFIG_class-nativesdk ??= "readline gdbm"
-PACKAGECONFIG[readline] = ",,readline"
-# Use profile guided optimisation by running PyBench inside qemu-user
-PACKAGECONFIG[pgo] = "--enable-optimizations,,qemu-native"
-PACKAGECONFIG[tk] = ",,tk"
-PACKAGECONFIG[gdbm] = ",,gdbm"
-
-do_configure_prepend () {
- mkdir -p ${B}/Modules
- cat > ${B}/Modules/Setup.local << EOF
-*disabled*
-${@bb.utils.contains('PACKAGECONFIG', 'gdbm', '', '_gdbm _dbm', d)}
-${@bb.utils.contains('PACKAGECONFIG', 'readline', '', 'readline', d)}
-EOF
-}
-
-CPPFLAGS_append = " -I${STAGING_INCDIR}/ncursesw -I${STAGING_INCDIR}/uuid"
-
-EXTRA_OEMAKE = '\
- STAGING_LIBDIR=${STAGING_LIBDIR} \
- STAGING_INCDIR=${STAGING_INCDIR} \
- LIB=${baselib} \
-'
-
-do_compile_prepend_class-target() {
- if ${@bb.utils.contains('PACKAGECONFIG', 'pgo', 'true', 'false', d)}; then
- qemu_binary="${@qemu_wrapper_cmdline(d, '${STAGING_DIR_TARGET}', ['${B}', '${STAGING_DIR_TARGET}/${base_libdir}'])}"
- cat >pgo-wrapper <<EOF
-#!/bin/sh
-cd ${B}
-$qemu_binary "\$@"
-EOF
- chmod +x pgo-wrapper
- fi
-}
-
-do_install_prepend() {
- ${WORKDIR}/check_build_completeness.py ${T}/log.do_compile
-}
-
-do_install_append_class-target() {
- oe_multilib_header python${PYTHON_MAJMIN}/pyconfig.h
-}
-
-do_install_append_class-native() {
- # Make sure we use /usr/bin/env python
- for PYTHSCRIPT in `grep -rIl ${bindir}/${PN}/python ${D}${bindir}/${PN}`; do
- sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' $PYTHSCRIPT
- done
- # Add a symlink to the native Python so that scripts can just invoke
- # "nativepython" and get the right one without needing absolute paths
- # (these often end up too long for the #! parser in the kernel as the
- # buffer is 128 bytes long).
- ln -s python3-native/python3 ${D}${bindir}/nativepython3
-}
-
-do_install_append() {
- mkdir -p ${D}${libdir}/python-sysconfigdata
- sysconfigfile=`find ${D} -name _sysconfig*.py`
- cp $sysconfigfile ${D}${libdir}/python-sysconfigdata/_sysconfigdata.py
-
- sed -i \
- -e "s,^ 'LIBDIR'.*, 'LIBDIR': '${STAGING_LIBDIR}'\,,g" \
- -e "s,^ 'INCLUDEDIR'.*, 'INCLUDEDIR': '${STAGING_INCDIR}'\,,g" \
- -e "s,^ 'CONFINCLUDEDIR'.*, 'CONFINCLUDEDIR': '${STAGING_INCDIR}'\,,g" \
- -e "/^ 'INCLDIRSTOMAKE'/{N; s,/usr/include,${STAGING_INCDIR},g}" \
- -e "/^ 'INCLUDEPY'/s,/usr/include,${STAGING_INCDIR},g" \
- ${D}${libdir}/python-sysconfigdata/_sysconfigdata.py
-}
-
-do_install_append_class-nativesdk () {
- create_wrapper ${D}${bindir}/python${PYTHON_MAJMIN} TERMINFO_DIRS='${sysconfdir}/terminfo:/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo' PYTHONNOUSERSITE='1'
-}
-
-SSTATE_SCAN_FILES += "Makefile _sysconfigdata.py"
-PACKAGE_PREPROCESS_FUNCS += "py_package_preprocess"
-
-py_package_preprocess () {
- # Remove references to buildmachine paths in target Makefile and _sysconfigdata
- sed -i -e 's:--sysroot=${STAGING_DIR_TARGET}::g' -e s:'--with-libtool-sysroot=${STAGING_DIR_TARGET}'::g \
- -e 's|${DEBUG_PREFIX_MAP}||g' \
- -e 's:${HOSTTOOLS_DIR}/::g' \
- -e 's:${RECIPE_SYSROOT_NATIVE}::g' \
- -e 's:${RECIPE_SYSROOT}::g' \
- -e 's:${BASE_WORKDIR}/${MULTIMACH_TARGET_SYS}::g' \
- ${PKGD}/${libdir}/python${PYTHON_MAJMIN}/config-${PYTHON_MAJMIN}${PYTHON_ABI}*/Makefile \
- ${PKGD}/${libdir}/python${PYTHON_MAJMIN}/_sysconfigdata*.py \
- ${PKGD}/${bindir}/python${PYTHON_MAJMIN}-config
-
- # Reformat _sysconfigdata after modifying it so that it remains
- # reproducible
- for c in ${PKGD}/${libdir}/python${PYTHON_MAJMIN}/_sysconfigdata*.py; do
- python3 ${WORKDIR}/reformat_sysconfig.py $c
- done
-
- # Recompile _sysconfigdata after modifying it
- cd ${PKGD}
- sysconfigfile=`find . -name _sysconfigdata_*.py`
- ${STAGING_BINDIR_NATIVE}/python3-native/python3 \
- -c "from py_compile import compile; compile('$sysconfigfile')"
- ${STAGING_BINDIR_NATIVE}/python3-native/python3 \
- -c "from py_compile import compile; compile('$sysconfigfile', optimize=1)"
- ${STAGING_BINDIR_NATIVE}/python3-native/python3 \
- -c "from py_compile import compile; compile('$sysconfigfile', optimize=2)"
- cd -
-
- mv ${PKGD}/${bindir}/python${PYTHON_MAJMIN}-config ${PKGD}/${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}
-
- #Remove the unneeded copy of target sysconfig data
- rm -rf ${PKGD}/${libdir}/python-sysconfigdata
-}
-
-# We want bytecode precompiled .py files (.pyc's) by default
-# but the user may set it on their own conf
-INCLUDE_PYCS ?= "1"
-
-python(){
- import collections, json
-
- filename = os.path.join(d.getVar('THISDIR'), 'python3', 'python3-manifest.json')
- # This python changes the datastore based on the contents of a file, so mark
- # that dependency.
- bb.parse.mark_dependency(d, filename)
-
- with open(filename) as manifest_file:
- manifest_str = manifest_file.read()
- json_start = manifest_str.find('# EOC') + 6
- manifest_file.seek(json_start)
- manifest_str = manifest_file.read()
- python_manifest = json.loads(manifest_str, object_pairs_hook=collections.OrderedDict)
-
- # First set RPROVIDES for -native case
- # Hardcoded since it cant be python3-native-foo, should be python3-foo-native
- pn = 'python3'
- rprovides = d.getVar('RPROVIDES').split()
-
- # ${PN}-misc-native is not in the manifest
- rprovides.append(pn + '-misc-native')
-
- for key in python_manifest:
- pypackage = pn + '-' + key + '-native'
- if pypackage not in rprovides:
- rprovides.append(pypackage)
-
- d.setVar('RPROVIDES_class-native', ' '.join(rprovides))
-
- # Then work on the target
- include_pycs = d.getVar('INCLUDE_PYCS')
-
- packages = d.getVar('PACKAGES').split()
- pn = d.getVar('PN')
-
- newpackages=[]
- for key in python_manifest:
- pypackage = pn + '-' + key
-
- if pypackage not in packages:
- # We need to prepend, otherwise python-misc gets everything
- # so we use a new variable
- newpackages.append(pypackage)
-
- # "Build" python's manifest FILES, RDEPENDS and SUMMARY
- d.setVar('FILES_' + pypackage, '')
- for value in python_manifest[key]['files']:
- d.appendVar('FILES_' + pypackage, ' ' + value)
-
- # Add cached files
- if include_pycs == '1':
- for value in python_manifest[key]['cached']:
- d.appendVar('FILES_' + pypackage, ' ' + value)
-
- for value in python_manifest[key]['rdepends']:
- # Make it work with or without $PN
- if '${PN}' in value:
- value=value.split('-', 1)[1]
- d.appendVar('RDEPENDS_' + pypackage, ' ' + pn + '-' + value)
-
- for value in python_manifest[key].get('rrecommends', ()):
- if '${PN}' in value:
- value=value.split('-', 1)[1]
- d.appendVar('RRECOMMENDS_' + pypackage, ' ' + pn + '-' + value)
-
- d.setVar('SUMMARY_' + pypackage, python_manifest[key]['summary'])
-
- # Prepending so to avoid python-misc getting everything
- packages = newpackages + packages
- d.setVar('PACKAGES', ' '.join(packages))
- d.setVar('ALLOW_EMPTY_${PN}-modules', '1')
- d.setVar('ALLOW_EMPTY_${PN}-pkgutil', '1')
-}
-
-# Files needed to create a new manifest
-
-do_create_manifest() {
- # This task should be run with every new release of Python.
- # We must ensure that PACKAGECONFIG enables everything when creating
- # a new manifest, this is to base our new manifest on a complete
- # native python build, containing all dependencies, otherwise the task
- # wont be able to find the required files.
- # e.g. BerkeleyDB is an optional build dependency so it may or may not
- # be present, we must ensure it is.
-
- cd ${WORKDIR}
- # This needs to be executed by python-native and NOT by HOST's python
- nativepython3 create_manifest3.py ${PYTHON_MAJMIN}
- cp python3-manifest.json.new ${THISDIR}/python3/python3-manifest.json
-}
-
-# bitbake python -c create_manifest
-# Make sure we have native python ready when we create a new manifest
-addtask do_create_manifest after do_patch do_prepare_recipe_sysroot
-
-# manual dependency additions
-RRECOMMENDS_${PN}-core_append_class-nativesdk = " nativesdk-python3-modules"
-RRECOMMENDS_${PN}-crypt_append_class-target = " openssl ca-certificates"
-RRECOMMENDS_${PN}-crypt_append_class-nativesdk = " openssl ca-certificates"
-
-# For historical reasons PN is empty and provided by python3-modules
-FILES_${PN} = ""
-RPROVIDES_${PN}-modules = "${PN}"
-
-FILES_${PN}-pydoc += "${bindir}/pydoc${PYTHON_MAJMIN} ${bindir}/pydoc3"
-FILES_${PN}-idle += "${bindir}/idle3 ${bindir}/idle${PYTHON_MAJMIN}"
-
-# provide python-pyvenv from python3-venv
-RPROVIDES_${PN}-venv += "python3-pyvenv"
-
-# package libpython3
-PACKAGES =+ "libpython3 libpython3-staticdev"
-FILES_libpython3 = "${libdir}/libpython*.so.*"
-FILES_libpython3-staticdev += "${libdir}/python${PYTHON_MAJMIN}/config-${PYTHON_MAJMIN}-*/libpython${PYTHON_MAJMIN}.a"
-INSANE_SKIP_${PN}-dev += "dev-elf"
-INSANE_SKIP_${PN}-ptest += "dev-deps"
-
-# catch all the rest (unsorted)
-PACKAGES += "${PN}-misc"
-RDEPENDS_${PN}-misc += "python3-core python3-email python3-codecs python3-pydoc python3-pickle python3-audio"
-RDEPENDS_${PN}-modules_append_class-target = " python3-misc"
-RDEPENDS_${PN}-modules_append_class-nativesdk = " python3-misc"
-FILES_${PN}-misc = "${libdir}/python${PYTHON_MAJMIN} ${libdir}/python${PYTHON_MAJMIN}/lib-dynload"
-
-# catch manpage
-PACKAGES += "${PN}-man"
-FILES_${PN}-man = "${datadir}/man"
-
-# See https://bugs.python.org/issue18748 and https://bugs.python.org/issue37395
-RDEPENDS_libpython3_append_libc-glibc = " libgcc"
-RDEPENDS_${PN}-ctypes_append_libc-glibc = " ${MLPREFIX}ldconfig"
-RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests ${PN}-dev unzip bzip2 libgcc tzdata-europe coreutils sed"
-RDEPENDS_${PN}-ptest_append_libc-glibc = " locale-base-tr-tr.iso-8859-9"
-RDEPENDS_${PN}-tkinter += "${@bb.utils.contains('PACKAGECONFIG', 'tk', 'tk tk-lib', '', d)}"
-RDEPENDS_${PN}-dev = ""
-
-RDEPENDS_${PN}-tests_append_class-target = " bash"
-RDEPENDS_${PN}-tests_append_class-nativesdk = " bash"
-
-# Python's tests contain large numbers of files we don't need in the recipe sysroots
-SYSROOT_PREPROCESS_FUNCS += " py3_sysroot_cleanup"
-py3_sysroot_cleanup () {
- rm -rf ${SYSROOT_DESTDIR}${libdir}/python${PYTHON_MAJMIN}/test
-}
diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc
index 8f927bdf54..e25c2524aa 100644
--- a/poky/meta/recipes-devtools/qemu/qemu.inc
+++ b/poky/meta/recipes-devtools/qemu/qemu.inc
@@ -210,6 +210,7 @@ PACKAGECONFIG[glusterfs] = "--enable-glusterfs,--disable-glusterfs"
PACKAGECONFIG[xkbcommon] = "--enable-xkbcommon,--disable-xkbcommon,libxkbcommon"
PACKAGECONFIG[libudev] = "--enable-libudev,--disable-libudev,eudev"
PACKAGECONFIG[libxml2] = "--enable-libxml2,--disable-libxml2,libxml2"
+PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp"
INSANE_SKIP_${PN} = "arch"
diff --git a/poky/meta/recipes-devtools/qemu/qemu_4.2.0.bb b/poky/meta/recipes-devtools/qemu/qemu_4.2.0.bb
index 9c76144749..f9905e2812 100644
--- a/poky/meta/recipes-devtools/qemu/qemu_4.2.0.bb
+++ b/poky/meta/recipes-devtools/qemu/qemu_4.2.0.bb
@@ -26,5 +26,6 @@ do_install_append_class-nativesdk() {
PACKAGECONFIG ??= " \
fdt sdl kvm \
${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \
"
PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm"
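Review bot: Adding `seccomp` to PACKAGECONFIG only builds sandbox support into QEMU. As far as I know the filter stays off at run time unless QEMU is started with `-sandbox on`, so a distro that sets the feature gets no confinement from this change alone. A comment above the new line would make that explicit, e.g. `# seccomp: build-time support only; the filter is enabled per invocation with -sandbox on`. The nativesdk default on the last line is left without the option; if that is deliberate, the same comment should say so. The `libseccomp` dependency named in qemu.inc must also be provided by a layer in the build, which this diff does not confirm.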
diff --git a/poky/meta/recipes-devtools/ruby/ruby_2.7.3.bb b/poky/meta/recipes-devtools/ruby/ruby_2.7.4.bb
index 318b9acdae..dafa7d2f6b 100644
--- a/poky/meta/recipes-devtools/ruby/ruby_2.7.3.bb
+++ b/poky/meta/recipes-devtools/ruby/ruby_2.7.4.bb
@@ -9,8 +9,8 @@ SRC_URI += " \
file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
"
-SRC_URI[md5sum] = "72ef97685008981de3ddb748d0dab31f"
-SRC_URI[sha256sum] = "8925a95e31d8f2c81749025a52a544ea1d05dad18794e6828709268b92e55338"
+SRC_URI[md5sum] = "823cd21d93c69e4168b03dd127369343"
+SRC_URI[sha256sum] = "3043099089608859fc8cce7f9fdccaa1f53a462457e3838ec3b25a7d609fbc5b"
PACKAGECONFIG ??= ""
PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
diff --git a/poky/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch b/poky/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch
new file mode 100644
index 0000000000..74164ab495
--- /dev/null
+++ b/poky/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch
@@ -0,0 +1,67 @@
+From 0077ef29eb46d2e1df2f230fc95a1d9748d49dec Mon Sep 17 00:00:00 2001
+From: Michael Schroeder <mls@suse.de>
+Date: Mon, 14 Dec 2020 11:12:00 +0100
+Subject: [PATCH] testcase_read: error out if repos are added or the system is
+ changed too late
+
+We must not add new solvables after the considered map was created, the solver
+was created, or jobs were added. We may not changed the system after jobs have
+been added.
+
+(Jobs may point inside the whatproviedes array, so we must not invalidate this
+area.)
+
+Upstream-Status: Backport
+https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec
+CVE: CVE-2021-3200
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ ext/testcase.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/ext/testcase.c b/ext/testcase.c
+index 0be7a213..8fb6d793 100644
+--- a/ext/testcase.c
++++ b/ext/testcase.c
+@@ -1991,6 +1991,7 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+ Id *genid = 0;
+ int ngenid = 0;
+ Queue autoinstq;
++ int oldjobsize = job ? job->count : 0;
+
+ if (resultp)
+ *resultp = 0;
+@@ -2065,6 +2066,21 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+ int prio, subprio;
+ const char *rdata;
+
++ if (pool->considered)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after packages were disabled");
++ continue;
++ }
++ if (solv)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after the solver was created");
++ continue;
++ }
++ if (job && job->count != oldjobsize)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after jobs have been created");
++ continue;
++ }
+ prepared = 0;
+ if (!poolflagsreset)
+ {
+@@ -2125,6 +2141,11 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+ int i;
+
+ /* must set the disttype before the arch */
++ if (job && job->count != oldjobsize)
++ {
++ pool_error(pool, 0, "testcase_read: cannot change the system after jobs have been created");
++ continue;
++ }
+ prepared = 0;
+ if (strcmp(pieces[2], "*") != 0)
+ {
diff --git a/poky/meta/recipes-extended/libsolv/libsolv_0.7.10.bb b/poky/meta/recipes-extended/libsolv/libsolv_0.7.10.bb
index 1cf5e2eb29..eadf04aa5a 100644
--- a/poky/meta/recipes-extended/libsolv/libsolv_0.7.10.bb
+++ b/poky/meta/recipes-extended/libsolv/libsolv_0.7.10.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.BSD;md5=62272bd11c97396d4aaf1c41bc11f7d8"
DEPENDS = "expat zlib"
SRC_URI = "git://github.com/openSUSE/libsolv.git \
+ file://CVE-2021-3200.patch \
"
SRCREV = "605dd2645ef899e2b7c95709476fb51e28d7e378"
diff --git a/poky/meta/recipes-extended/tar/tar_1.32.bb b/poky/meta/recipes-extended/tar/tar_1.32.bb
index 3ae6d674a5..0fe0b801c2 100644
--- a/poky/meta/recipes-extended/tar/tar_1.32.bb
+++ b/poky/meta/recipes-extended/tar/tar_1.32.bb
@@ -65,3 +65,6 @@ PROVIDES_append_class-native = " tar-replacement-native"
NATIVE_PACKAGE_PATH_SUFFIX = "/${PN}"
BBCLASSEXTEND = "native nativesdk"
+
+# These are both specific to the NPM package node-tar
+CVE_CHECK_WHITELIST += "CVE-2021-32803 CVE-2021-32804"
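Review bot: Listing the two node-tar CVEs by id in `CVE_CHECK_WHITELIST` removes today's false positives but not their cause. The cause is presumably that the checker matches on the product name `tar` without regard to vendor, so every future node-tar CVE will need another entry here. If the cve-check class on this branch accepts the vendor-qualified form, `CVE_PRODUCT = "gnu:tar"` would scope matching to GNU tar and make the whitelist unnecessary. Whichever is kept, the comment should name the vendor mismatch, so that the whitelist is not read as a statement that the issues were assessed and accepted for GNU tar.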
diff --git a/poky/meta/recipes-graphics/glew/glew/0001-Fix-build-race-in-Makefile.patch b/poky/meta/recipes-graphics/glew/glew/0001-Fix-build-race-in-Makefile.patch
new file mode 100644
index 0000000000..7edcfe8de8
--- /dev/null
+++ b/poky/meta/recipes-graphics/glew/glew/0001-Fix-build-race-in-Makefile.patch
@@ -0,0 +1,56 @@
+Upstream-Status: Submitted [https://github.com/nigels-com/glew/pull/311]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 0ce0a85597db48a2fca619bd95e34af091e54ae8 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Thu, 22 Jul 2021 16:31:11 +0100
+Subject: [PATCH] Fix build race in Makefile
+
+The current rule for the binaries is:
+
+glew.bin: glew.lib bin bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN)
+
+In parallel builds, all of those targets happen at the same time. This
+means that 'bin' can happen *after* 'bin/$(GLEWINFO.BIN)', which is a
+problem as the 'bin' target's responsibility is to create the directory
+that the other target writes into.
+
+Solve this by not having a separate 'create directory' target which is
+fundamentally racy, and simply mkdir in each target which writes into it.
+---
+ Makefile | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index d0e4614..04af44c 100644
+--- a/Makefile
++++ b/Makefile
+@@ -171,21 +171,20 @@ VISUALINFO.BIN.OBJ := $(VISUALINFO.BIN.OBJ:.c=.o)
+ # Don't build glewinfo or visualinfo for NaCL, yet.
+
+ ifneq ($(filter nacl%,$(SYSTEM)),)
+-glew.bin: glew.lib bin
++glew.bin: glew.lib
+ else
+-glew.bin: glew.lib bin bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN)
++glew.bin: glew.lib bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN)
+ endif
+
+-bin:
+- mkdir bin
+-
+ bin/$(GLEWINFO.BIN): $(GLEWINFO.BIN.OBJ) $(LIB.SHARED.DIR)/$(LIB.SHARED)
++ @mkdir -p $(dir $@)
+ $(CC) $(CFLAGS) -o $@ $(GLEWINFO.BIN.OBJ) $(BIN.LIBS)
+ ifneq ($(STRIP),)
+ $(STRIP) -x $@
+ endif
+
+ bin/$(VISUALINFO.BIN): $(VISUALINFO.BIN.OBJ) $(LIB.SHARED.DIR)/$(LIB.SHARED)
++ @mkdir -p $(dir $@)
+ $(CC) $(CFLAGS) -o $@ $(VISUALINFO.BIN.OBJ) $(BIN.LIBS)
+ ifneq ($(STRIP),)
+ $(STRIP) -x $@
+--
+2.25.1
+
diff --git a/poky/meta/recipes-graphics/glew/glew_2.2.0.bb b/poky/meta/recipes-graphics/glew/glew_2.2.0.bb
index 8948444e08..92b6083648 100644
--- a/poky/meta/recipes-graphics/glew/glew_2.2.0.bb
+++ b/poky/meta/recipes-graphics/glew/glew_2.2.0.bb
@@ -6,6 +6,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=2ac251558de685c6b9478d89be3149c2"
SRC_URI = "${SOURCEFORGE_MIRROR}/project/glew/glew/${PV}/glew-${PV}.tgz \
+ file://0001-Fix-build-race-in-Makefile.patch \
file://no-strip.patch"
SRC_URI[md5sum] = "3579164bccaef09e36c0af7f4fd5c7c7"
diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb
index 26091fba70..513932984e 100644
--- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb
+++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb
@@ -303,8 +303,11 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \
${PN}-qat ${PN}-qat-license \
${PN}-qcom-license \
${PN}-qcom-venus-1.8 ${PN}-qcom-venus-4.2 ${PN}-qcom-venus-5.2 ${PN}-qcom-venus-5.4 \
- ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a530 ${PN}-qcom-adreno-a630 \
+ ${PN}-qcom-vpu-1.0 ${PN}-qcom-vpu-2.0 \
+ ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a530 \
+ ${PN}-qcom-adreno-a630 ${PN}-qcom-adreno-a650 ${PN}-qcom-adreno-a660 \
${PN}-qcom-sdm845-audio ${PN}-qcom-sdm845-compute ${PN}-qcom-sdm845-modem \
+ ${PN}-qcom-sm8250-audio ${PN}-qcom-sm8250-compute \
${PN}-amlogic-vdec-license ${PN}-amlogic-vdec \
${PN}-lt9611uxc ${PN}-lontium-license \
${PN}-whence-license \
@@ -952,22 +955,34 @@ FILES_${PN}-qcom-venus-1.8 = "${nonarch_base_libdir}/firmware/qcom/venus-1.8/*"
FILES_${PN}-qcom-venus-4.2 = "${nonarch_base_libdir}/firmware/qcom/venus-4.2/*"
FILES_${PN}-qcom-venus-5.2 = "${nonarch_base_libdir}/firmware/qcom/venus-5.2/*"
FILES_${PN}-qcom-venus-5.4 = "${nonarch_base_libdir}/firmware/qcom/venus-5.4/*"
+FILES_${PN}-qcom-vpu-1.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-1.0/*"
+FILES_${PN}-qcom-vpu-2.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-2.0/*"
FILES_${PN}-qcom-adreno-a3xx = "${nonarch_base_libdir}/firmware/qcom/a300_*.fw ${nonarch_base_libdir}/firmware/a300_*.fw"
FILES_${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.*"
FILES_${PN}-qcom-adreno-a630 = "${nonarch_base_libdir}/firmware/qcom/a630*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/a630*.*"
+FILES_${PN}-qcom-adreno-a650 = "${nonarch_base_libdir}/firmware/qcom/a650*.* ${nonarch_base_libdir}/firmware/qcom/sm8250/a650*.*"
+FILES_${PN}-qcom-adreno-a660 = "${nonarch_base_libdir}/firmware/qcom/a660*.*"
FILES_${PN}-qcom-sdm845-audio = "${nonarch_base_libdir}/firmware/qcom/sdm845/adsp*.*"
FILES_${PN}-qcom-sdm845-compute = "${nonarch_base_libdir}/firmware/qcom/sdm845/cdsp*.*"
FILES_${PN}-qcom-sdm845-modem = "${nonarch_base_libdir}/firmware/qcom/sdm845/mba.mbn ${nonarch_base_libdir}/firmware/qcom/sdm845/modem*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/wlanmdsp.mbn"
+FILES_${PN}-qcom-sm8250-audio = "${nonarch_base_libdir}/firmware/qcom/sm8250/adsp*.*"
+FILES_${PN}-qcom-sm8250-compute = "${nonarch_base_libdir}/firmware/qcom/sm8250/cdsp*.*"
RDEPENDS_${PN}-qcom-venus-1.8 = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-venus-4.2 = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-venus-5.2 = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-venus-5.4 = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-vpu-1.0 = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-vpu-2.0 = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-adreno-a3xx = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-adreno-a530 = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-adreno-a630 = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-adreno-a650 = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-adreno-a660 = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-sdm845-audio = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-sdm845-compute = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-sdm845-modem = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-sm8250-audio = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-sm8250-compute = "${PN}-qcom-license"
FILES_${PN}-liquidio = "${nonarch_base_libdir}/firmware/liquidio"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index dcf4f12f45..53e6982619 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "135b02c845043f37c8eac73607b62b0735286756"
-SRCREV_meta ?= "2ff6e592745fd397ec2da205ab02daafbf49351a"
+SRCREV_machine ?= "e823f31a48749bf1d01a86c274fcec87fae1e5ba"
+SRCREV_meta ?= "71f799f448d405a35d88ecee0aba3ec2b198d542"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.4.132"
+LINUX_VERSION ?= "5.4.141"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index eaef9d9b64..44a033d5cb 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.4.132"
+LINUX_VERSION ?= "5.4.141"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "629ca595e3eafd1fdc3a3d978d6ed4547b419968"
-SRCREV_machine ?= "35abc20f52ebdd41bbe76e6f2d6ee189ab3078f6"
-SRCREV_meta ?= "2ff6e592745fd397ec2da205ab02daafbf49351a"
+SRCREV_machine_qemuarm ?= "63d08f6ee3425e9d94eccf3a75a9ec4e474df916"
+SRCREV_machine ?= "05b2de44f781a297be454242d77f619189dfc6f4"
+SRCREV_meta ?= "71f799f448d405a35d88ecee0aba3ec2b198d542"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index cb3ff75d27..0e41d734df 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base"
KBRANCH_qemux86-64 ?= "v5.4/standard/base"
KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "cf8b645d7a1c268d071bdfe606f01d739afbdb80"
-SRCREV_machine_qemuarm64 ?= "8d40ced691b9d211840801614a1031089ed6c2a2"
-SRCREV_machine_qemumips ?= "c574c7303a75e700cb7123fc93a7ca7c19c963d6"
-SRCREV_machine_qemuppc ?= "5550c64c43f81e6c29abfbc6ce31f44f200644ec"
-SRCREV_machine_qemuriscv64 ?= "92705f96294a9c4ac611d3242f20651d5cf6224a"
-SRCREV_machine_qemux86 ?= "92705f96294a9c4ac611d3242f20651d5cf6224a"
-SRCREV_machine_qemux86-64 ?= "92705f96294a9c4ac611d3242f20651d5cf6224a"
-SRCREV_machine_qemumips64 ?= "9cd841f768e0b5a07251df29ba202b5ff2bdf114"
-SRCREV_machine ?= "92705f96294a9c4ac611d3242f20651d5cf6224a"
-SRCREV_meta ?= "2ff6e592745fd397ec2da205ab02daafbf49351a"
+SRCREV_machine_qemuarm ?= "91a35a54a7b2d4d558b3f8b24c39657a3ff71c7c"
+SRCREV_machine_qemuarm64 ?= "a8edc7f1b004c6fb56d142fba3e688ba2a051b54"
+SRCREV_machine_qemumips ?= "4f1c4fc19e8d2cb994dac34fb8bb32a7c776b318"
+SRCREV_machine_qemuppc ?= "7bb64db24c2b7bd2b6656036009bd71618eb125d"
+SRCREV_machine_qemuriscv64 ?= "13fa9f66484db2492ee09667f45ad3e52e5b35ac"
+SRCREV_machine_qemux86 ?= "13fa9f66484db2492ee09667f45ad3e52e5b35ac"
+SRCREV_machine_qemux86-64 ?= "13fa9f66484db2492ee09667f45ad3e52e5b35ac"
+SRCREV_machine_qemumips64 ?= "931ad0c17451151dd3ddfb27dc2e33965f90ce86"
+SRCREV_machine ?= "13fa9f66484db2492ee09667f45ad3e52e5b35ac"
+SRCREV_meta ?= "71f799f448d405a35d88ecee0aba3ec2b198d542"
# remap qemuarm to qemuarma15 for the 5.4 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.132"
+LINUX_VERSION ?= "5.4.141"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
index 431468d459..bcfdef3bbd 100644
--- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
+++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
@@ -20,10 +20,6 @@ SRC_URI = " \
SRC_URI[md5sum] = "e3ddb1bae9fb510b49a295f212f1e6e4"
SRC_URI[sha256sum] = "9f02678b0bbbcc9eff107d3bd89d83ce92fec2154cd607c7c8bd34dc7fee491c"
-# CPE entries for gst-plugins-base are listed as gstreamer issues
-# so we need to ignore the false hit
-CVE_CHECK_WHITELIST += "CVE-2021-3522"
-
S = "${WORKDIR}/gst-plugins-base-${PV}"
DEPENDS += "iso-codes util-linux zlib"
diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
index e8830103ce..1038cbf224 100644
--- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
+++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
@@ -15,11 +15,6 @@ SRC_URI = " \
SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e"
SRC_URI[sha256sum] = "d3a23a3fe73de673f591b7655494990c9e8a0e22a3c70d6f1dbf50198b29f85f"
-# CPE entries for gst-plugins-good are listed as gstreamer issues
-# so we need to ignore the false hit
-CVE_CHECK_WHITELIST += "CVE-2021-3497"
-CVE_CHECK_WHITELIST += "CVE-2021-3498"
-
S = "${WORKDIR}/gst-plugins-good-${PV}"
LICENSE = "GPLv2+ & LGPLv2.1+"
diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
index 7afe56cd7b..a516fabdaf 100644
--- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
+++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
@@ -74,4 +74,13 @@ FILES_${PN}-dbg += "${datadir}/gdb ${datadir}/gstreamer-1.0/gdb"
CVE_PRODUCT = "gstreamer"
+# CPE entries for gst-plugins-base are listed as gstreamer issues
+# so we need to ignore the false hits
+CVE_CHECK_WHITELIST += "CVE-2021-3522"
+
+# CPE entries for gst-plugins-good are listed as gstreamer issues
+# so we need to ignore the false hits
+CVE_CHECK_WHITELIST += "CVE-2021-3497"
+CVE_CHECK_WHITELIST += "CVE-2021-3498"
+
require gstreamer1.0-ptest.inc
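Review bot: The whitelist entries added after `CVE_PRODUCT = "gstreamer"` are described only as "false hits", and the comments do not say where the three CVEs are tracked for the plugin packages they name. The same commit removes the entries from gstreamer1.0-plugins-base and gstreamer1.0-plugins-good, so this recipe is now the only place that mentions them, and a reader cannot tell whether the 1.16.3 plugin recipes carry fixes. I would extend each comment with that status, for example `# CVE-2021-3522 is a gst-plugins-base issue; fix status in that recipe: <TODO confirm>`.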
diff --git a/poky/meta/recipes-support/aspell/aspell_0.60.8.bb b/poky/meta/recipes-support/aspell/aspell_0.60.8.bb
index 6548c54b64..9147c820e7 100644
--- a/poky/meta/recipes-support/aspell/aspell_0.60.8.bb
+++ b/poky/meta/recipes-support/aspell/aspell_0.60.8.bb
@@ -13,7 +13,9 @@ HOMEPAGE = "http://aspell.net/"
LICENSE = "LGPLv2 | LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
-SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz"
+SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz \
+ file://CVE-2019-25051.patch \
+"
SRC_URI[md5sum] = "012fa9209203ae4e5a61c2a668fd10e3"
SRC_URI[sha256sum] = "f9b77e515334a751b2e60daab5db23499e26c9209f5e7b7443b05235ad0226f2"
diff --git a/poky/meta/recipes-support/aspell/files/CVE-2019-25051.patch b/poky/meta/recipes-support/aspell/files/CVE-2019-25051.patch
new file mode 100644
index 0000000000..8513f6de79
--- /dev/null
+++ b/poky/meta/recipes-support/aspell/files/CVE-2019-25051.patch
@@ -0,0 +1,101 @@
+From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson <kevina@gnu.org>
+Date: Sat, 21 Dec 2019 20:32:47 +0000
+Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk
+ to prevent a buffer overflow
+
+Bug found using OSS-Fuze.
+
+Upstream-Status: Backport
+[https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a]
+CVE: CVE-2019-25051
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ common/objstack.hpp | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/common/objstack.hpp b/common/objstack.hpp
+index 3997bf7..bd97ccd 100644
+--- a/common/objstack.hpp
++++ b/common/objstack.hpp
+@@ -5,6 +5,7 @@
+ #include "parm_string.hpp"
+ #include <stdlib.h>
+ #include <assert.h>
++#include <stddef.h>
+
+ namespace acommon {
+
+@@ -26,6 +27,12 @@ class ObjStack
+ byte * temp_end;
+ void setup_chunk();
+ void new_chunk();
++ bool will_overflow(size_t sz) const {
++ return offsetof(Node,data) + sz > chunk_size;
++ }
++ void check_size(size_t sz) {
++ assert(!will_overflow(sz));
++ }
+
+ ObjStack(const ObjStack &);
+ void operator=(const ObjStack &);
+@@ -56,7 +63,7 @@ class ObjStack
+ void * alloc_bottom(size_t size) {
+ byte * tmp = bottom;
+ bottom += size;
+- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;}
++ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;}
+ return tmp;
+ }
+ // This alloc_bottom will insure that the object is aligned based on the
+@@ -66,7 +73,7 @@ class ObjStack
+ align_bottom(align);
+ byte * tmp = bottom;
+ bottom += size;
+- if (bottom > top) {new_chunk(); goto loop;}
++ if (bottom > top) {check_size(size); new_chunk(); goto loop;}
+ return tmp;
+ }
+ char * dup_bottom(ParmString str) {
+@@ -79,7 +86,7 @@ class ObjStack
+ // always be aligned as such.
+ void * alloc_top(size_t size) {
+ top -= size;
+- if (top < bottom) {new_chunk(); top -= size;}
++ if (top < bottom) {check_size(size); new_chunk(); top -= size;}
+ return top;
+ }
+ // This alloc_top will insure that the object is aligned based on
+@@ -88,7 +95,7 @@ class ObjStack
+ {loop:
+ top -= size;
+ align_top(align);
+- if (top < bottom) {new_chunk(); goto loop;}
++ if (top < bottom) {check_size(size); new_chunk(); goto loop;}
+ return top;
+ }
+ char * dup_top(ParmString str) {
+@@ -117,6 +124,7 @@ class ObjStack
+ void * alloc_temp(size_t size) {
+ temp_end = bottom + size;
+ if (temp_end > top) {
++ check_size(size);
+ new_chunk();
+ temp_end = bottom + size;
+ }
+@@ -131,6 +139,7 @@ class ObjStack
+ } else {
+ size_t s = temp_end - bottom;
+ byte * p = bottom;
++ check_size(size);
+ new_chunk();
+ memcpy(bottom, p, s);
+ temp_end = bottom + size;
+@@ -150,6 +159,7 @@ class ObjStack
+ } else {
+ size_t s = temp_end - bottom;
+ byte * p = bottom;
++ check_size(size);
+ new_chunk();
+ memcpy(bottom, p, s);
+ temp_end = bottom + size;
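Review bot: `check_size()` enforces the bound only through `assert(!will_overflow(sz))`, so the guard placed in front of every `new_chunk()` call vanishes when the code is compiled with NDEBUG. Whether this recipe's build defines NDEBUG is not visible here; if it does, the backport has no effect, and the helper should fail unconditionally, e.g. `if (will_overflow(sz)) abort();` (`<stdlib.h>` is already included in this header). Separately, `offsetof(Node,data) + sz > chunk_size` can wrap for a `sz` close to SIZE_MAX; `sz > chunk_size - offsetof(Node,data)` avoids that, assuming chunk_size is never smaller than the node header. The alloc functions touched here start and end outside these hunks.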
diff --git a/poky/meta/recipes-support/curl/curl/CVE-2021-22898.patch b/poky/meta/recipes-support/curl/curl/CVE-2021-22898.patch
new file mode 100644
index 0000000000..0800e10175
--- /dev/null
+++ b/poky/meta/recipes-support/curl/curl/CVE-2021-22898.patch
@@ -0,0 +1,26 @@
+From 39ce47f219b09c380b81f89fe54ac586c8db6bde Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Fri, 7 May 2021 13:09:57 +0200
+Subject: [PATCH] telnet: check sscanf() for correct number of matches
+
+CVE: CVE-2021-22898
+Upstream-Status: Backport
+Link: https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde
+Bug: https://curl.se/docs/CVE-2021-22898.html
+---
+ lib/telnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 26e0658ba9cc..fdd137fb0c04 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -922,7 +922,7 @@ static void suboption(struct Curl_easy *data)
+ size_t tmplen = (strlen(v->data) + 1);
+ /* Add the variable only if it fits */
+ if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+ msnprintf((char *)&temp[len], sizeof(temp) - len,
+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+ CURL_NEW_ENV_VALUE, varval);
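Review bot: This patch header has no `Signed-off-by:` line, while the other two curl patches added in this commit carry one; adding the backporter's sign-off would keep the provenance trail consistent. The hunk header also names `suboption(struct Curl_easy *data)` at line 922, whereas CVE-2021-22925.patch in this commit shows the same code under `suboption(struct connectdata *conn)` at line 967. The patch was therefore apparently taken from a newer upstream tree and presumably applies with an offset; refreshing it against the 7.69.1 sources would remove that dependency. suboption's body continues outside the hunk.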
diff --git a/poky/meta/recipes-support/curl/curl/CVE-2021-22924.patch b/poky/meta/recipes-support/curl/curl/CVE-2021-22924.patch
new file mode 100644
index 0000000000..68fde45ddf
--- /dev/null
+++ b/poky/meta/recipes-support/curl/curl/CVE-2021-22924.patch
@@ -0,0 +1,226 @@
+Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and
+ case sensitivity CVE-2021-22924
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2021-22924.html
+CVE: CVE-2021-22924
+Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/url.c | 5 +++--
+ lib/urldata.h | 2 +-
+ lib/vtls/gtls.c | 10 +++++-----
+ lib/vtls/nss.c | 4 ++--
+ lib/vtls/openssl.c | 12 ++++++------
+ lib/vtls/vtls.c | 23 ++++++++++++++++++-----
+ 6 files changed, 35 insertions(+), 21 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 47fc66aed..eebad8d32 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3555,6 +3555,9 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
+ data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
+ data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
++ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
++ data->set.proxy_ssl.primary.issuercert =
++ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+ data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+ data->set.proxy_ssl.primary.random_file =
+ data->set.str[STRING_SSL_RANDOM_FILE];
+@@ -3575,8 +3578,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+
+ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
+ data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
+- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+ data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
+ data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
+ data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
+diff --git a/lib/urldata.h b/lib/urldata.h
+index fbb8b645e..615fbf369 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -224,6 +224,7 @@ struct ssl_primary_config {
+ long version_max; /* max supported version the client wants to use*/
+ char *CApath; /* certificate dir (doesn't work on windows) */
+ char *CAfile; /* certificate to verify peer against */
++ char *issuercert; /* optional issuer certificate filename */
+ char *clientcert;
+ char *random_file; /* path to file containing "random" data */
+ char *egdsocket; /* path to file containing the EGD daemon socket */
+@@ -240,7 +241,6 @@ struct ssl_config_data {
+ struct ssl_primary_config primary;
+ long certverifyresult; /* result from the certificate verification */
+ char *CRLfile; /* CRL to check certificate revocation */
+- char *issuercert;/* optional issuer certificate filename */
+ curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+ void *fsslctxp; /* parameter for call back */
+ char *cert; /* client certificate file name */
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 46e149c7d..8c051024f 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -1059,7 +1059,7 @@ gtls_connect_step3(struct connectdata *conn,
+ if(!chainp) {
+ if(SSL_CONN_CONFIG(verifypeer) ||
+ SSL_CONN_CONFIG(verifyhost) ||
+- SSL_SET_OPTION(issuercert)) {
++ SSL_CONN_CONFIG(issuercert)) {
+ #ifdef USE_TLS_SRP
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(username) != NULL
+@@ -1241,21 +1241,21 @@ gtls_connect_step3(struct connectdata *conn,
+ gnutls_x509_crt_t format */
+ gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
+
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+ gnutls_x509_crt_init(&x509_issuer);
+- issuerp = load_file(SSL_SET_OPTION(issuercert));
++ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
+ gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
+ rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
+ gnutls_x509_crt_deinit(x509_issuer);
+ unload_file(issuerp);
+ if(rc <= 0) {
+ failf(data, "server certificate issuer check failed (IssuerCert: %s)",
+- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+ gnutls_x509_crt_deinit(x509_cert);
+ return CURLE_SSL_ISSUER_ERROR;
+ }
+ infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
+- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+ }
+
+ size = sizeof(certbuf);
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index ef51b0d91..375c78b1b 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2151,9 +2151,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
+ if(result)
+ goto error;
+
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+ SECStatus ret = SECFailure;
+- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
++ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
+ if(nickname) {
+ /* we support only nicknames in case of issuercert for now */
+ ret = check_issuer_cert(BACKEND->handle, nickname);
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 64f43605a..7e81fd3a0 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -3547,7 +3547,7 @@ static CURLcode servercert(struct connectdata *conn,
+ deallocating the certificate. */
+
+ /* e.g. match issuer name with provided issuer certificate */
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+ fp = BIO_new(BIO_s_file());
+ if(fp == NULL) {
+ failf(data,
+@@ -3560,10 +3560,10 @@ static CURLcode servercert(struct connectdata *conn,
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
++ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
+ if(strict)
+ failf(data, "SSL: Unable to open issuer cert (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(BACKEND->server_cert);
+ BACKEND->server_cert = NULL;
+@@ -3574,7 +3574,7 @@ static CURLcode servercert(struct connectdata *conn,
+ if(!issuer) {
+ if(strict)
+ failf(data, "SSL: Unable to read issuer cert (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(issuer);
+ X509_free(BACKEND->server_cert);
+@@ -3585,7 +3585,7 @@ static CURLcode servercert(struct connectdata *conn,
+ if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) {
+ if(strict)
+ failf(data, "SSL: Certificate issuer check failed (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(issuer);
+ X509_free(BACKEND->server_cert);
+@@ -3594,7 +3594,7 @@ static CURLcode servercert(struct connectdata *conn,
+ }
+
+ infof(data, " SSL certificate issuer check ok (%s)\n",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(issuer);
+ }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index aaf73ef8f..8c681da14 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -82,6 +82,16 @@
+ else \
+ dest->var = NULL;
+
++static bool safecmp(char *a, char *b)
++{
++ if(a && b)
++ return !strcmp(a, b);
++ else if(!a && !b)
++ return TRUE; /* match */
++ return FALSE; /* no match */
++}
++
++
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config* data,
+ struct ssl_primary_config* needle)
+@@ -91,11 +101,12 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
+ (data->verifypeer == needle->verifypeer) &&
+ (data->verifyhost == needle->verifyhost) &&
+ (data->verifystatus == needle->verifystatus) &&
+- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
+- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
+- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
+- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
+- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
++ safecmp(data->CApath, needle->CApath) &&
++ safecmp(data->CAfile, needle->CAfile) &&
++ safecmp(data->issuercert, needle->issuercert) &&
++ safecmp(data->clientcert, needle->clientcert) &&
++ safecmp(data->random_file, needle->random_file) &&
++ safecmp(data->egdsocket, needle->egdsocket) &&
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+ Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
+@@ -117,6 +128,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+
+ CLONE_STRING(CApath);
+ CLONE_STRING(CAfile);
++ CLONE_STRING(issuercert);
+ CLONE_STRING(clientcert);
+ CLONE_STRING(random_file);
+ CLONE_STRING(egdsocket);
+@@ -131,6 +143,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
+ {
+ Curl_safefree(sslc->CApath);
+ Curl_safefree(sslc->CAfile);
++ Curl_safefree(sslc->issuercert);
+ Curl_safefree(sslc->clientcert);
+ Curl_safefree(sslc->random_file);
+ Curl_safefree(sslc->egdsocket);
+--
+2.30.2
+
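Review bot: `Curl_ssl_config_matches()` still compares `pinned_key` with `Curl_safe_strcasecompare` after this change, although the patch exists to stop case-insensitive matching of TLS settings when a connection is reused. If that field holds a file name or a base64 hash (it is not defined in this patch, so this is an assumption to confirm), two configurations whose pins differ only in letter case would match and a connection could be reused under the wrong pin. I would change that line to `safecmp(data->pinned_key, needle->pinned_key))` or add a comment saying why a case-insensitive comparison is safe there. `safecmp` could also take `const char *` parameters, since it only reads its arguments.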
diff --git a/poky/meta/recipes-support/curl/curl/CVE-2021-22925.patch b/poky/meta/recipes-support/curl/curl/CVE-2021-22925.patch
new file mode 100644
index 0000000000..13b55f76be
--- /dev/null
+++ b/poky/meta/recipes-support/curl/curl/CVE-2021-22925.patch
@@ -0,0 +1,43 @@
+Subject: [PATCH] telnet: fix option parser to not send uninitialized
+ contents CVE-2021-22925
+
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+CVE: CVE-2021-22925
+Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/telnet.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 4bf4c652c..3347ad6d1 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn)
+ size_t tmplen = (strlen(v->data) + 1);
+ /* Add the variable only if it fits */
+ if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+- msnprintf((char *)&temp[len], sizeof(temp) - len,
+- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+- CURL_NEW_ENV_VALUE, varval);
+- len += tmplen;
+- }
++ int rv;
++ char sep[2] = "";
++ varval[0] = 0;
++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
++ if(rv == 1)
++ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s", CURL_NEW_ENV_VAR, varname);
++ else if(rv >= 2)
++ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
++ CURL_NEW_ENV_VALUE, varval);
+ }
+ }
+ msnprintf((char *)&temp[len], sizeof(temp) - len,
+--
+2.30.2
+
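Review bot: The line this patch removes already contains `== 2`, which exists only once CVE-2021-22898.patch has been applied, so the two telnet patches must keep that order in SRC_URI and nothing in the header says so. A header line such as `Depends on CVE-2021-22898.patch being applied first` would record it. Inside the new code the sscanf outcomes are handled without explanation; a comment like `/* rv == 1: name only; rv >= 2: name and separator, value may be empty */` would make the reason for presetting `varval[0] = 0` clear. suboption's body continues outside the hunk.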
diff --git a/poky/meta/recipes-support/curl/curl_7.69.1.bb b/poky/meta/recipes-support/curl/curl_7.69.1.bb
index 13ab29cf69..21c673feda 100644
--- a/poky/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/poky/meta/recipes-support/curl/curl_7.69.1.bb
@@ -19,6 +19,9 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2020-8286.patch \
file://CVE-2021-22876.patch \
file://CVE-2021-22890.patch \
+ file://CVE-2021-22898.patch \
+ file://CVE-2021-22924.patch \
+ file://CVE-2021-22925.patch \
"
SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
@@ -26,6 +29,7 @@ SRC_URI[sha256sum] = "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a5
# Curl has used many names over the years...
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
+CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926"
inherit autotools pkgconfig binconfig multilib_header
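Review bot: The new `CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926"` line uses plain assignment and gives no reason for the exclusions. Plain `=` replaces whatever value the variable held at that point in parsing, whereas the gstreamer recipe in this commit appends with `+=`; I would write `CVE_CHECK_WHITELIST += "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926"`. Each suppressed CVE should also get a comment stating why it does not apply to this build, e.g. `# <CVE id>: <reason - TODO fill in>`, so the exclusion can be re-checked when the recipe or its configuration changes.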
diff --git a/poky/scripts/lib/checklayer/__init__.py b/poky/scripts/lib/checklayer/__init__.py
index fe545607bb..e69a10f452 100644
--- a/poky/scripts/lib/checklayer/__init__.py
+++ b/poky/scripts/lib/checklayer/__init__.py
@@ -146,7 +146,7 @@ def detect_layers(layer_directories, no_auto):
return layers
-def _find_layer_depends(depend, layers):
+def _find_layer(depend, layers):
for layer in layers:
if 'collections' not in layer:
continue
@@ -156,7 +156,7 @@ def _find_layer_depends(depend, layers):
return layer
return None
-def add_layer_dependencies(bblayersconf, layer, layers, logger):
+def get_layer_dependencies(layer, layers, logger):
def recurse_dependencies(depends, layer, layers, logger, ret = []):
logger.debug('Processing dependencies %s for layer %s.' % \
(depends, layer['name']))
@@ -166,7 +166,7 @@ def add_layer_dependencies(bblayersconf, layer, layers, logger):
if depend == 'core':
continue
- layer_depend = _find_layer_depends(depend, layers)
+ layer_depend = _find_layer(depend, layers)
if not layer_depend:
logger.error('Layer %s depends on %s and isn\'t found.' % \
(layer['name'], depend))
@@ -203,6 +203,11 @@ def add_layer_dependencies(bblayersconf, layer, layers, logger):
layer_depends = recurse_dependencies(depends, layer, layers, logger, layer_depends)
# Note: [] (empty) is allowed, None is not!
+ return layer_depends
+
+def add_layer_dependencies(bblayersconf, layer, layers, logger):
+
+ layer_depends = get_layer_dependencies(layer, layers, logger)
if layer_depends is None:
return False
else:
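Review bot: `get_layer_dependencies()` is now imported by yocto-check-layer but has no docstring, and its return contract is only hinted at by the comment `# Note: [] (empty) is allowed, None is not!`. I would add a docstring that states it, e.g. `"""Return the layers that layer depends on, or None if a dependency cannot be resolved."""`. The function body starts outside this hunk, so the None case is inferred from the `if layer_depends is None` check in the new wrapper and should be confirmed against the full function.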
diff --git a/poky/scripts/lib/wic/canned-wks/common.wks.inc b/poky/scripts/lib/wic/canned-wks/common.wks.inc
index 4fd29fa8c1..89880b417b 100644
--- a/poky/scripts/lib/wic/canned-wks/common.wks.inc
+++ b/poky/scripts/lib/wic/canned-wks/common.wks.inc
@@ -1,3 +1,3 @@
# This file is included into 3 canned wks files from this directory
part /boot --source bootimg-pcbios --ondisk sda --label boot --active --align 1024
-part / --source rootfs --use-uuid --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024
+part / --source rootfs --use-uuid --fstype=ext4 --label platform --align 1024
diff --git a/poky/scripts/lib/wic/canned-wks/directdisk-gpt.wks b/poky/scripts/lib/wic/canned-wks/directdisk-gpt.wks
index cf16c0c30b..8d7d8de6ea 100644
--- a/poky/scripts/lib/wic/canned-wks/directdisk-gpt.wks
+++ b/poky/scripts/lib/wic/canned-wks/directdisk-gpt.wks
@@ -4,7 +4,7 @@
part /boot --source bootimg-pcbios --ondisk sda --label boot --active --align 1024
-part / --source rootfs --ondisk sda --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid
+part / --source rootfs --ondisk sda --fstype=ext4 --label platform --align 1024 --use-uuid
bootloader --ptable gpt --timeout=0 --append="rootwait rootfstype=ext4 video=vesafb vga=0x318 console=tty0 console=ttyS0,115200n8"
diff --git a/poky/scripts/lib/wic/canned-wks/mkefidisk.wks b/poky/scripts/lib/wic/canned-wks/mkefidisk.wks
index d1878e23e5..9f534fe184 100644
--- a/poky/scripts/lib/wic/canned-wks/mkefidisk.wks
+++ b/poky/scripts/lib/wic/canned-wks/mkefidisk.wks
@@ -4,7 +4,7 @@
part /boot --source bootimg-efi --sourceparams="loader=grub-efi" --ondisk sda --label msdos --active --align 1024
-part / --source rootfs --ondisk sda --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid
+part / --source rootfs --ondisk sda --fstype=ext4 --label platform --align 1024 --use-uuid
part swap --ondisk sda --size 44 --label swap1 --fstype=swap
diff --git a/poky/scripts/oe-setup-builddir b/poky/scripts/oe-setup-builddir
index 30eaa8efbe..5a51fa793f 100755
--- a/poky/scripts/oe-setup-builddir
+++ b/poky/scripts/oe-setup-builddir
@@ -113,10 +113,10 @@ if [ ! -z "$SHOWYPDOC" ]; then
cat <<EOM
The Yocto Project has extensive documentation about OE including a reference
manual which can be found at:
- http://yoctoproject.org/documentation
+ https://docs.yoctoproject.org
For more information about OpenEmbedded see their website:
- http://www.openembedded.org/
+ https://www.openembedded.org/
EOM
# unset SHOWYPDOC
diff --git a/poky/scripts/runqemu b/poky/scripts/runqemu
index 63e533a934..10880ba6bb 100755
--- a/poky/scripts/runqemu
+++ b/poky/scripts/runqemu
@@ -764,7 +764,7 @@ class BaseConfig(object):
raise RunQemuError('BIOS not found: %s' % bios_match_name)
if not os.path.exists(self.bios):
- raise RunQemuError("KERNEL %s not found" % self.bios)
+ raise RunQemuError("BIOS %s not found" % self.bios)
def check_mem(self):
diff --git a/poky/scripts/yocto-check-layer b/poky/scripts/yocto-check-layer
index deba3cb4f8..dd930cdddd 100755
--- a/poky/scripts/yocto-check-layer
+++ b/poky/scripts/yocto-check-layer
@@ -24,7 +24,7 @@ import scriptpath
scriptpath.add_oe_lib_path()
scriptpath.add_bitbake_lib_path()
-from checklayer import LayerType, detect_layers, add_layers, add_layer_dependencies, get_signatures, check_bblayers
+from checklayer import LayerType, detect_layers, add_layers, add_layer_dependencies, get_layer_dependencies, get_signatures, check_bblayers
from oeqa.utils.commands import get_bb_vars
PROGNAME = 'yocto-check-layer'
@@ -51,6 +51,8 @@ def main():
help='File to output log (optional)', action='store')
parser.add_argument('--dependency', nargs="+",
help='Layers to process for dependencies', action='store')
+ parser.add_argument('--no-auto-dependency', help='Disable automatic testing of dependencies',
+ action='store_true')
parser.add_argument('--machines', nargs="+",
help='List of MACHINEs to be used during testing', action='store')
parser.add_argument('--additional-layers', nargs="+",
@@ -121,6 +123,21 @@ def main():
if not layers:
return 1
+ # Find all dependencies, and get them checked too
+ if not args.no_auto_dependency:
+ depends = []
+ for layer in layers:
+ layer_depends = get_layer_dependencies(layer, dep_layers, logger)
+ if layer_depends:
+ for d in layer_depends:
+ if d not in depends:
+ depends.append(d)
+
+ for d in depends:
+ if d not in layers:
+ logger.info("Adding %s to the list of layers to test, as a dependency", d['name'])
+ layers.append(d)
+
shutil.copyfile(bblayersconf, bblayersconf + '.backup')
def cleanup_bblayers(signum, frame):
shutil.copyfile(bblayersconf + '.backup', bblayersconf)
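Review bot: In the new auto-dependency block, `if layer_depends:` treats a `None` result the same as an empty list, so an unresolved dependency passes through this step with no handling of its own. That looks intentional, since the per-layer loop in the following hunk skips such layers through `add_layer_dependencies()`, but a comment should say so, e.g. `# None (unresolved dependency) is reported when the layer itself is set up below`. `if d not in layers` also relies on dict equality between entries of `layers` and `dep_layers`; comparing on `d['name']` would be more explicit if the two lists can describe the same layer differently. main() starts and ends outside this hunk.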
@@ -152,17 +169,13 @@ def main():
logger.info("Setting up for %s(%s), %s" % (layer['name'], layer['type'],
layer['path']))
- shutil.copyfile(bblayersconf + '.backup', bblayersconf)
-
missing_dependencies = not add_layer_dependencies(bblayersconf, layer, dep_layers, logger)
if not missing_dependencies:
for additional_layer in additional_layers:
if not add_layer_dependencies(bblayersconf, additional_layer, dep_layers, logger):
missing_dependencies = True
break
- if not add_layer_dependencies(bblayersconf, layer, dep_layers, logger) or \
- any(map(lambda additional_layer: not add_layer_dependencies(bblayersconf, additional_layer, dep_layers, logger),
- additional_layers)):
+ if missing_dependencies:
logger.info('Skipping %s due to missing dependencies.' % layer['name'])
results[layer['name']] = None
results_status[layer['name']] = 'SKIPPED (Missing dependencies)'