diff options
| author | Patrick Williams <patrick@stwcx.xyz> | 2024-03-01 23:30:19 +0300 |
|---|---|---|
| committer | Patrick Williams <patrick@stwcx.xyz> | 2024-03-02 00:24:34 +0300 |
| commit | 7363086d8a6f87f6c162a314937f1c2e3c063b42 (patch) | |
| tree | f37b4996342d0af75369338b4a1a0fc416c5feeb | |
| parent | d4fa64b8fbad9ed7bef03090adec4a99cf9ecd5b (diff) | |
| download | openbmc-nanbield.tar.xz | |
subtree updatesnanbield
meta-arm: 79c52afe74..9a4ae38e84:
Emekcan Aras (1):
arm-bsp/optee: Improve PIN counter handling robustness
Harsimran Singh Tungal (2):
corstone1000:arm-bsp/tftf: Fix tftf tests on mps3
arm-bsp/tf-a-tests: fix corstone1000
Ross Burton (2):
arm-bsp/documentation: upgrade Sphinx slightly
CI: use https: to fetch meta-virtualization
meta-openembedded: 2da6e1b0e4..da9063bdfb:
Changqing Li (2):
postgresql: upgrade 15.4 -> 15.5
redis: upgrade 6.2.13 -> 6.2.14
Khem Raj (1):
webkitgtk3: upgrade 2.42.0 -> 2.42.1
Meenali Gupta (1):
nginx: upgrade 1.25.2 -> 1.25.3
Mingli Yu (1):
mariadb: Upgrade to 10.11.6
Wang Mingyu (5):
strongswan: upgrade 5.9.12 -> 5.9.13
webkitgtk3: upgrade 2.42.1 -> 2.42.2
webkitgtk3: upgrade 2.42.2 -> 2.42.3
webkitgtk3: upgrade 2.42.3 -> 2.42.4
libssh: upgrade 0.10.5 -> 0.10.6
Yi Zhao (1):
samba: upgrade 4.18.8 -> 4.18.9
poky: 61a59d00a0..1a5c00f00c:
Alassane Yattara (1):
bitbake: toaster/toastergui: Bug-fix verify given layer path only if import/add local layer
Alexander Kanavin (2):
glibc-y2038-tests: do not run tests using 32 bit time APIs
icon-naming-utils: take tarball from debian
Alexander Sverdlin (1):
linux-firmware: upgrade 20231030 -> 20231211
Anuj Mittal (2):
base-passwd: upgrade 3.6.2 -> 3.6.3
glib-2.0: upgrade 2.78.1 -> 2.78.3
Baruch Siach (1):
contributor-guide: fix lore URL
Benjamin Bara (1):
glibc: stable 2.38 branch updates
Bruce Ashfield (8):
linux-yocto/6.1: update to v6.1.69
linux-yocto/6.1: update to v6.1.70
linux-yocto/6.1: update CVE exclusions
linux-yocto/6.1: update to v6.1.72
linux-yocto/6.1: update CVE exclusions
linux-yocto/6.1: security/cfg: add configs to harden protection
linux-yocto/6.1: update to v6.1.73
linux-yocto/6.1: update CVE exclusions
Chen Qi (2):
sudo: upgrade from 1.9.15p2 to 1.9.15p5
multilib_global.bbclass: fix parsing error with no kernel module split
Clay Chang (1):
devtool: deploy: provide max_process to strip_execs
Enguerrand de Ribaucourt (1):
manuals: document VSCode extension
Ilya A. Kriveshko (1):
dev-manual: update license manifest path
Jason Andryuk (3):
linux-firmware: Package iwlwifi .pnvm files
linux-firmware: Change bnx2 packaging
linux-firmware: Create bnx2x subpackage
Jeremy A. Puhlman (1):
create-spdx-2.2: combine spdx can try to write before dir creation
Joao Marcos Costa (1):
documentation.conf: fix do_menuconfig description
Jonathan GUILLOT (1):
udev-extraconf: fix unmount directories containing octal-escaped chars
Jose Quaresma (2):
go: update 1.20.10 -> 1.20.11
go: update 1.20.11 -> 1.20.12
Joshua Watt (2):
rpcbind: Specify state directory under /run
classes-global/sstate: Fix variable typo
Julien Stephan (1):
externalsrc: fix task dependency for do_populate_lic
Jörg Sommer (1):
documentation: Add UBOOT_BINARY, extend UBOOT_CONFIG
Kai Kang (1):
xserver-xorg: 21.1.9 -> 21.1.11
Khem Raj (2):
tiff: Backport fixes for CVE-2023-6277
tcl: Fix prepending to run-ptest script
Lee Chee Yang (5):
curl: Fix CVE-2023-46219
qemu: 8.1.2 -> 8.1.4
migration-guide: add release notes for 4.3.2
migration-guide: add release notes for 4.0.16
migration-guide: add release notes for 4.3.3
Markus Volk (1):
libadwaita: update 1.4.0 -> 1.4.2
Massimiliano Minella (1):
zstd: fix LICENSE statement
Maxin B. John (1):
ref-manual: classes: remove insserv bbclass
Michael Opdenacker (3):
contributor-guide: use "apt" instead of "aptitude"
release-notes-4.3: fix spacing
migration-guides: fix release notes for 4.3.3
Ming Liu (2):
grub: fs/fat: Don't error when mtime is 0
qemu.bbclass: fix a python TypeError
Mingli Yu (1):
python3-license-expression: Fix the ptest failure
Peter Kjellerstedt (1):
devtool: modify: Handle recipes with a menuconfig task correctly
Peter Marko (4):
dtc: preserve version also from shallow git clones
sqlite3: upgrade 3.43.1 -> 3.43.2
sqlite: drop obsolete CVE ignore
zlib: ignore CVE-2023-6992
Richard Purdie (9):
pseudo: Update to pull in syncfs probe fix
sstate: Fix dir ownership issues in SSTATE_DIR
curl: Disable two intermittently failing tests
lib/prservice: Improve lock handling robustness
oeqa/selftest/prservice: Improve test robustness
curl: Disable test 1091 due to intermittent failures
allarch: Fix allarch corner case
reproducible: Fix race with externalsrc/devtool over lockfile
pseudo: Update to pull in gcc14 fix and missing statvfs64 intercept
Robert Berger (1):
uninative-tarball.xz - reproducibility fix
Robert Joslyn (1):
gtk: Set CVE_PRODUCT
Robert Yang (2):
nfs-utils: Upgrade 2.6.3 -> 2.6.4
nfs-utils: Update Upstream-Status
Rodrigo M. Duarte (1):
linux-firmware: Fix the linux-firmware-bcm4373 FILES variable
Ross Burton (4):
avahi: update URL for new project location
libssh2: backport fix for CVE-2023-48795
cve_check: handle CVE_STATUS being set to the empty string
cve_check: cleanup logging
Saul Wold (1):
package.py: OEHasPackage: Add MLPREFIX to packagename
Simone Weiß (5):
dev-manual: start.rst: Update use of Download page
dev-manual: start.rst: Update use of Download page
glibc: Set status for CVE-2023-5156 & CVE-2023-0687
dev-manual: gen-tapdevs need iptables installed
gcc: Update status of CVE-2023-4039
Soumya Sambu (1):
ncurses: Fix - tty is hung after reset
Steve Sakoman (2):
poky.conf: bump version for 4.3.3 release
build-appliance-image: Update to nanbield head revision
Trevor Gamblin (1):
scripts/runqemu: fix regex escape sequences
Wang Mingyu (9):
xwayland: upgrade 23.2.2 -> 23.2.3
libatomic-ops: upgrade 7.8.0 -> 7.8.2
libva-utils: upgrade 2.20.0 -> 2.20.1
kea: upgrade 2.4.0 -> 2.4.1
gstreamer1.0: upgrade 1.22.7 -> 1.22.8
aspell: upgrade 0.60.8 -> 0.60.8.1
at-spi2-core: upgrade 2.50.0 -> 2.50.1
cpio: upgrade 2.14 -> 2.15
gstreamer: upgrade 1.22.8 -> 1.22.9
William Lyu (1):
elfutils: Update license information
Xiangyu Chen (2):
shadow: Fix for CVE-2023-4641
sudo: upgrade 1.9.14p3 -> 1.9.15p2
Yang Xu (1):
rootfs.py: check depmodwrapper execution result
Yogita Urade (2):
tiff: fix CVE-2023-6228
tiff: fix CVE-2023-52355 and CVE-2023-52356
Zahir Hussain (1):
cmake: Unset CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES
baruch@tkos.co.il (1):
overlayfs: add missing closing parenthesis in selftest
Change-Id: I613697694d0eb51ae9451f7e869b69d6c1ba1fd3
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
159 files changed, 3322 insertions, 580 deletions
diff --git a/meta-arm/ci/meta-virtualization.yml b/meta-arm/ci/meta-virtualization.yml index 88f8cdc9e0..f0f6280e8e 100644 --- a/meta-arm/ci/meta-virtualization.yml +++ b/meta-arm/ci/meta-virtualization.yml @@ -5,4 +5,4 @@ header: repos: meta-virtualization: - url: git://git.yoctoproject.org/meta-virtualization + url: https://git.yoctoproject.org/meta-virtualization diff --git a/meta-arm/meta-arm-bsp/documentation/requirements.txt b/meta-arm/meta-arm-bsp/documentation/requirements.txt index b82e5e071a..6b4e3bb22d 100644 --- a/meta-arm/meta-arm-bsp/documentation/requirements.txt +++ b/meta-arm/meta-arm-bsp/documentation/requirements.txt @@ -6,7 +6,6 @@ jinja2==3.1.1 # Required to build the documentation -sphinx==4.5.0 -sphinx_rtd_theme==1.0.0 -sphinx-copybutton==0.5.0 +sphinx~=5.0 +sphinx_rtd_theme~=2.0.0 docutils==0.17.1 diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/0001-corstone1000-skip-tftf-tests.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/0001-corstone1000-skip-tftf-tests.patch new file mode 100644 index 0000000000..341d28028a --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/0001-corstone1000-skip-tftf-tests.patch @@ -0,0 +1,33 @@ +From 27300daa2397c89e13aa648db30aa5c6acb06bcc Mon Sep 17 00:00:00 2001 +From: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> +Date: Fri, 2 Feb 2024 11:58:33 +0000 +Subject: [PATCH] corstone1000: skip tftf tests + +Skip some tests for platform corstone1000 which make the tftf tests +hanged when use with optee v3.22 + +Upstream-Status: Pending +Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> +--- + plat/arm/corstone1000/tests_to_skip.txt | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/plat/arm/corstone1000/tests_to_skip.txt b/plat/arm/corstone1000/tests_to_skip.txt +index fdab230..c5eaac0 100644 +--- a/plat/arm/corstone1000/tests_to_skip.txt ++++ b/plat/arm/corstone1000/tests_to_skip.txt +@@ -13,3 +13,11 @@ Timer framework Validation/Verify the timer interrupt generation + CPU Hotplug/CPU hotplug + PSCI CPU Suspend + PSCI STAT/for valid composite state CPU suspend ++FF-A Direct messaging/FF-A Request SP-to-SP direct messaging ++FF-A Direct messaging/FF-A Request SP-to-SP direct messaging deadlock ++FF-A Memory Sharing/Share Memory with Secure World ++FF-A Memory Sharing/Request Donate Memory SP-to-SP ++FF-A Memory Sharing/Request Share Memory SP-to-VM ++SIMD,SVE Registers context/Check that SIMD registers context is preserved ++FF-A Interrupt/Test NS interrupts ++SMMUv3 tests +-- +2.34.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_%.bbappend b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_%.bbappend index 074bc683f1..d047a1eb5e 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_%.bbappend +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_%.bbappend @@ -1,6 +1,14 @@ # Machine specific TFAs +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" + COMPATIBLE_MACHINE:corstone1000 = "corstone1000" SRCREV:corstone1000 = "5f591f67738a1bbe6b262c53d9dad46ed8bbcd67" +EXTRA_OEMAKE:append:corstone1000 = " DEBUG=0" +EXTRA_OEMAKE:append:corstone1000 = " LOG_LEVEL=30" +TFTF_MODE:corstone1000 = "release" +SRC_URI:append:corstone1000 = " \ + file://0001-corstone1000-skip-tftf-tests.patch \ + " COMPATIBLE_MACHINE:n1sdp = "n1sdp" diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.8.0.bb b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.8.0.bb index ed3b349950..160ada6732 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.8.0.bb +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.8.0.bb @@ -19,6 +19,9 @@ EXTRA_OEMAKE += "USE_NVM=0" EXTRA_OEMAKE += "SHELL_COLOR=1" EXTRA_OEMAKE += "DEBUG=1" +# Modify mode based on debug or release mode +TFTF_MODE ?= "debug" + # Platform must be set for each machine TFA_PLATFORM ?= "invalid" @@ -45,7 +48,7 @@ SYSROOT_DIRS += "/firmware" do_install() { install -d -m 755 ${D}/firmware - install -m 0644 ${B}/${TFA_PLATFORM}/debug/tftf.bin ${D}/firmware/tftf.bin + install -m 0644 ${B}/${TFA_PLATFORM}/${TFTF_MODE}/tftf.bin ${D}/firmware/tftf.bin } do_deploy() { diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.22.0/0005-ta-pkcs11-Improve-PIN-counter-handling-robustness.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.22.0/0005-ta-pkcs11-Improve-PIN-counter-handling-robustness.patch new file mode 100644 index 0000000000..d95954fa1d --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.22.0/0005-ta-pkcs11-Improve-PIN-counter-handling-robustness.patch @@ -0,0 +1,205 @@ +From d75c42ff2847b090d5b1f11c49067cd41fcc2734 Mon Sep 17 00:00:00 2001 +From: Loic Poulain <loic.poulain@linaro.org> +Date: Tue, 31 Oct 2023 11:07:00 +0100 +Subject: [PATCH] ta: pkcs11: Improve PIN counter handling robustness + +Make sure PIN check attempt is saved persistently before continuing with +the actual PIN verification, improving counter and flags coherency in +case of subsequent failure with persistent saving. + +Signed-off-by: Loic Poulain <loic.poulain@linaro.org> +Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com> +Acked-by: Jerome Forissier <jerome.forissier@linaro.org> +Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/6445/commits/0a74733d9437d94a5b4b2db6c40c5755cabc5393] +--- + ta/pkcs11/src/pkcs11_token.c | 126 +++++++++++++++++------------------ + 1 file changed, 62 insertions(+), 64 deletions(-) + +diff --git a/ta/pkcs11/src/pkcs11_token.c b/ta/pkcs11/src/pkcs11_token.c +index ab0fc291e..c5271e449 100644 +--- a/ta/pkcs11/src/pkcs11_token.c ++++ b/ta/pkcs11/src/pkcs11_token.c +@@ -1132,117 +1132,115 @@ static enum pkcs11_rc check_so_pin(struct pkcs11_session *session, + uint8_t *pin, size_t pin_size) + { + struct ck_token *token = session->token; ++ struct token_persistent_main *db = token->db_main; + enum pkcs11_rc rc = PKCS11_CKR_OK; + +- assert(token->db_main->flags & PKCS11_CKFT_TOKEN_INITIALIZED); ++ assert(db->flags & PKCS11_CKFT_TOKEN_INITIALIZED); + + if (IS_ENABLED(CFG_PKCS11_TA_AUTH_TEE_IDENTITY) && +- token->db_main->flags & PKCS11_CKFT_PROTECTED_AUTHENTICATION_PATH) ++ db->flags & PKCS11_CKFT_PROTECTED_AUTHENTICATION_PATH) + return verify_identity_auth(token, PKCS11_CKU_SO); + +- if (token->db_main->flags & PKCS11_CKFT_SO_PIN_LOCKED) ++ if (db->flags & PKCS11_CKFT_SO_PIN_LOCKED) + return PKCS11_CKR_PIN_LOCKED; + +- rc = verify_pin(PKCS11_CKU_SO, pin, pin_size, +- token->db_main->so_pin_salt, +- token->db_main->so_pin_hash); +- if (rc) { +- unsigned int pin_count = 0; ++ /* ++ * Preset the counter and flags conservatively in the database so that ++ * the tentative is saved whatever happens next. ++ */ ++ db->flags |= PKCS11_CKFT_SO_PIN_COUNT_LOW; ++ db->so_pin_count++; + +- if (rc != PKCS11_CKR_PIN_INCORRECT) +- return rc; ++ if (db->so_pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX - 1) ++ db->flags |= PKCS11_CKFT_SO_PIN_FINAL_TRY; ++ else if (db->so_pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX) ++ db->flags |= PKCS11_CKFT_SO_PIN_LOCKED; + +- token->db_main->flags |= PKCS11_CKFT_SO_PIN_COUNT_LOW; +- token->db_main->so_pin_count++; +- +- pin_count = token->db_main->so_pin_count; +- if (pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX - 1) +- token->db_main->flags |= PKCS11_CKFT_SO_PIN_FINAL_TRY; +- if (pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX) +- token->db_main->flags |= PKCS11_CKFT_SO_PIN_LOCKED; +- +- update_persistent_db(token); ++ update_persistent_db(token); + +- if (token->db_main->flags & PKCS11_CKFT_SO_PIN_LOCKED) ++ rc = verify_pin(PKCS11_CKU_SO, pin, pin_size, ++ db->so_pin_salt, ++ db->so_pin_hash); ++ if (rc == PKCS11_CKR_PIN_INCORRECT) { ++ if (db->flags & PKCS11_CKFT_SO_PIN_LOCKED) + return PKCS11_CKR_PIN_LOCKED; + + return PKCS11_CKR_PIN_INCORRECT; + } + +- if (token->db_main->so_pin_count) { +- token->db_main->so_pin_count = 0; ++ if (rc) ++ db->so_pin_count--; ++ else ++ db->so_pin_count = 0; + +- update_persistent_db(token); ++ db->flags &= ~PKCS11_CKFT_SO_PIN_LOCKED; ++ if (db->so_pin_count < PKCS11_TOKEN_SO_PIN_COUNT_MAX - 1) { ++ db->flags &= ~PKCS11_CKFT_SO_PIN_FINAL_TRY; ++ if (!db->so_pin_count) ++ db->flags &= ~PKCS11_CKFT_SO_PIN_COUNT_LOW; + } + +- if (token->db_main->flags & (PKCS11_CKFT_SO_PIN_COUNT_LOW | +- PKCS11_CKFT_SO_PIN_FINAL_TRY)) { +- token->db_main->flags &= ~(PKCS11_CKFT_SO_PIN_COUNT_LOW | +- PKCS11_CKFT_SO_PIN_FINAL_TRY); +- +- update_persistent_db(token); +- } ++ update_persistent_db(token); + +- return PKCS11_CKR_OK; ++ return rc; + } + + static enum pkcs11_rc check_user_pin(struct pkcs11_session *session, + uint8_t *pin, size_t pin_size) + { + struct ck_token *token = session->token; ++ struct token_persistent_main *db = token->db_main; + enum pkcs11_rc rc = PKCS11_CKR_OK; + + if (IS_ENABLED(CFG_PKCS11_TA_AUTH_TEE_IDENTITY) && +- token->db_main->flags & PKCS11_CKFT_PROTECTED_AUTHENTICATION_PATH) ++ db->flags & PKCS11_CKFT_PROTECTED_AUTHENTICATION_PATH) + return verify_identity_auth(token, PKCS11_CKU_USER); + +- if (!token->db_main->user_pin_salt) ++ if (!db->user_pin_salt) + return PKCS11_CKR_USER_PIN_NOT_INITIALIZED; + +- if (token->db_main->flags & PKCS11_CKFT_USER_PIN_LOCKED) ++ if (db->flags & PKCS11_CKFT_USER_PIN_LOCKED) + return PKCS11_CKR_PIN_LOCKED; + +- rc = verify_pin(PKCS11_CKU_USER, pin, pin_size, +- token->db_main->user_pin_salt, +- token->db_main->user_pin_hash); +- if (rc) { +- unsigned int pin_count = 0; +- +- if (rc != PKCS11_CKR_PIN_INCORRECT) +- return rc; +- +- token->db_main->flags |= PKCS11_CKFT_USER_PIN_COUNT_LOW; +- token->db_main->user_pin_count++; ++ /* ++ * Preset the counter and flags conservatively in the database so that ++ * the tentative is saved whatever happens next. ++ */ ++ db->flags |= PKCS11_CKFT_USER_PIN_COUNT_LOW; ++ db->user_pin_count++; + +- pin_count = token->db_main->user_pin_count; +- if (pin_count == PKCS11_TOKEN_USER_PIN_COUNT_MAX - 1) +- token->db_main->flags |= PKCS11_CKFT_USER_PIN_FINAL_TRY; +- if (pin_count == PKCS11_TOKEN_USER_PIN_COUNT_MAX) +- token->db_main->flags |= PKCS11_CKFT_USER_PIN_LOCKED; ++ if (db->user_pin_count == PKCS11_TOKEN_USER_PIN_COUNT_MAX - 1) ++ db->flags |= PKCS11_CKFT_USER_PIN_FINAL_TRY; ++ else if (db->user_pin_count == PKCS11_TOKEN_USER_PIN_COUNT_MAX) ++ db->flags |= PKCS11_CKFT_USER_PIN_LOCKED; + +- update_persistent_db(token); ++ update_persistent_db(token); + +- if (token->db_main->flags & PKCS11_CKFT_USER_PIN_LOCKED) ++ rc = verify_pin(PKCS11_CKU_USER, pin, pin_size, ++ db->user_pin_salt, ++ db->user_pin_hash); ++ if (rc == PKCS11_CKR_PIN_INCORRECT) { ++ if (db->flags & PKCS11_CKFT_USER_PIN_LOCKED) + return PKCS11_CKR_PIN_LOCKED; + + return PKCS11_CKR_PIN_INCORRECT; + } + +- if (token->db_main->user_pin_count) { +- token->db_main->user_pin_count = 0; ++ if (rc) ++ db->user_pin_count--; ++ else ++ db->user_pin_count = 0; + +- update_persistent_db(token); ++ db->flags &= ~PKCS11_CKFT_USER_PIN_LOCKED; ++ if (db->user_pin_count < PKCS11_TOKEN_USER_PIN_COUNT_MAX - 1) { ++ db->flags &= ~PKCS11_CKFT_USER_PIN_FINAL_TRY; ++ if (!db->user_pin_count) ++ db->flags &= ~PKCS11_CKFT_USER_PIN_COUNT_LOW; + } + +- if (token->db_main->flags & (PKCS11_CKFT_USER_PIN_COUNT_LOW | +- PKCS11_CKFT_USER_PIN_FINAL_TRY)) { +- token->db_main->flags &= ~(PKCS11_CKFT_USER_PIN_COUNT_LOW | +- PKCS11_CKFT_USER_PIN_FINAL_TRY); +- +- update_persistent_db(token); +- } ++ update_persistent_db(token); + +- return PKCS11_CKR_OK; ++ return rc; + } + + enum pkcs11_rc entry_ck_set_pin(struct pkcs11_client *client, +-- +2.25.1 + + diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.22.0.bb b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.22.0.bb index e12201920e..16a193c386 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.22.0.bb +++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.22.0.bb @@ -10,4 +10,5 @@ SRC_URI += " \ file://0002-core-Define-section-attributes-for-clang.patch \ file://0003-optee-enable-clang-support.patch \ file://0004-core-link-add-no-warn-rwx-segments.patch \ + file://0005-ta-pkcs11-Improve-PIN-counter-handling-robustness.patch \ " diff --git a/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.18.8.bb b/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.18.9.bb index f80742640f..73ceb7b754 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.18.8.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.18.9.bb @@ -31,7 +31,7 @@ SRC_URI:append:libc-musl = " \ file://samba-4.3.9-remove-getpwent_r.patch \ " -SRC_URI[sha256sum] = "4fb87bceaeb01d832a59046c197a044b7e8e8000581548b5d577a6cda03344d1" +SRC_URI[sha256sum] = "f455c1d6351ed3a36fc2cb6e8ab1bfd0effe54a56686ffd495d64ab52d50f245" UPSTREAM_CHECK_REGEX = "samba\-(?P<pver>4\.18(\.\d+)+).tar.gz" diff --git a/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.12.bb b/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.13.bb index 87d12bc6c8..4523187af2 100644 --- a/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.12.bb +++ b/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.13.bb @@ -11,7 +11,7 @@ DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ " -SRC_URI[sha256sum] = "5e6018b07cbe9f72c044c129955a13be3e2f799ceb53f53a4459da6a922b95e5" +SRC_URI[sha256sum] = "56e30effb578fd9426d8457e3b76c8c3728cd8a5589594b55649b2719308ba55" UPSTREAM_CHECK_REGEX = "strongswan-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb-native_10.11.5.bb b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb-native_10.11.6.bb index 578357b480..578357b480 100644 --- a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb-native_10.11.5.bb +++ b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb-native_10.11.6.bb diff --git a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb.inc index d64d5b0e42..7e6ef42bc3 100644 --- a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb.inc +++ b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb.inc @@ -23,10 +23,9 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \ file://0001-sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \ file://lfs64.patch \ file://0001-Add-missing-includes-cstdint-and-cstdio.patch \ - file://libfmt_make_fmt.patch \ " SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch" -SRC_URI[sha256sum] = "4c9484048d4d0c71dd076ab33fc2a9ce8510bdf762886de0d63fe52496f3dbbb" +SRC_URI[sha256sum] = "1c0163463e98d71f4780741611a40981eee2bc44d392601ca49bbf948d04dd67" UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/releases" diff --git a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/libfmt_make_fmt.patch b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/libfmt_make_fmt.patch deleted file mode 100644 index 4d5f4a611b..0000000000 --- a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/libfmt_make_fmt.patch +++ /dev/null @@ -1,68 +0,0 @@ -Make make_arg work with libfmt 10.1+ - -This ensures that compiler can find the correct template to use -Fixes - -mariadb-10.11.5/sql/item_strfunc.cc:1429:22: error: no matching functi -on for call to 'make_arg' -| 1429 | vargs[carg-1]= fmt::detail::make_arg<ctx>(args[carg]->val_int()); -| | ^~~~~~~~~~~~~~~~~~~~~~~~~~ -| /mnt/b/yoe/master/build/tmp/work/cortexa72-cortexa53-crypto-yoe-linux/mariadb/10.11.5/recipe-sysroot/usr/include/fmt/core.h:1588:20: note: candidate functio -n [with Context = fmt::basic_format_context<fmt::appender, char>, T = long long] not viable: expects an lvalue for 1st argument -| 1588 | FMT_CONSTEXPR auto make_arg(T& val) -> basic_format_arg<Context> { -| | ^ ~~~~~~ -| /mnt/b/yoe/master/build/tmp/work/cortexa72-cortexa53-crypto-yoe-linux/mariadb/10.11.5/recipe-sysroot/usr/include/fmt/core.h:1559:31: note: candidate templat -e ignored: invalid explicitly-specified argument for template parameter 'PACKED' -| 1559 | FMT_CONSTEXPR FMT_INLINE auto make_arg(T& [ 46%] Building C object mysys/CMakeFiles/mysys.dir/my_likely.c.o -| val) -> value<Context> { -| | ^ -| /mnt/b/yoe/master/build/tmp/work/cortexa72-cortexa53-crypto-yoe-linux/mariadb/10.11.5/recipe-sysroot/usr/include/fmt/core.h:1596:27: note: candidate templat -e ignored: invalid explicitly-specified argument for template parameter 'PACKED' -| 1596 | FMT_CONSTEXPR inline auto make_arg(T& val) -> basic_format_arg<Context> { -| | ^ - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> - ---- a/cmake/libfmt.cmake -+++ b/cmake/libfmt.cmake -@@ -33,8 +33,9 @@ MACRO (CHECK_LIBFMT) - #include <fmt/format-inl.h> - #include <iostream> - int main() { -+ int val = 42; - fmt::format_args::format_arg arg= -- fmt::detail::make_arg<fmt::format_context>(42); -+ fmt::detail::make_arg<fmt::format_context>(val); - std::cout << fmt::vformat(\"The answer is {}.\", - fmt::format_args(&arg, 1)); - }" HAVE_SYSTEM_LIBFMT) ---- a/sql/item_strfunc.cc -+++ b/sql/item_strfunc.cc -@@ -1426,14 +1426,22 @@ String *Item_func_sformat::val_str(Strin - switch (args[carg]->result_type()) - { - case INT_RESULT: -- vargs[carg-1]= fmt::detail::make_arg<ctx>(args[carg]->val_int()); -+ int intval; -+ intval = args[carg]->val_int(); -+ vargs[carg-1]= fmt::detail::make_arg<ctx>(intval); - break; - case DECIMAL_RESULT: // TODO - case REAL_RESULT: -+ float fval; -+ int val; - if (args[carg]->field_type() == MYSQL_TYPE_FLOAT) -- vargs[carg-1]= fmt::detail::make_arg<ctx>((float)args[carg]->val_real()); -- else -- vargs[carg-1]= fmt::detail::make_arg<ctx>(args[carg]->val_real()); -+ { -+ fval = (float)args[carg]->val_real(); -+ vargs[carg-1]= fmt::detail::make_arg<ctx>(fval); -+ } else { -+ val = args[carg]->val_real(); -+ vargs[carg-1]= fmt::detail::make_arg<ctx>(val); -+ } - break; - case STRING_RESULT: - if (!(parg= args[carg]->val_str(&val_arg[carg-1]))) diff --git a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb_10.11.5.bb b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb_10.11.6.bb index a4498fa44e..a4498fa44e 100644 --- a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb_10.11.5.bb +++ b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb_10.11.6.bb diff --git a/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch b/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch index fb70b22720..ab578056ff 100644 --- a/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch +++ b/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch @@ -1,4 +1,4 @@ -From 5f9dedc91a0a9710033fa155ea759f765ce5b58b Mon Sep 17 00:00:00 2001 +From d44c83ed0f30462a31930d6d925762b3f8412ce2 Mon Sep 17 00:00:00 2001 From: Yi Fan Yu <yifan.yu@windriver.com> Date: Fri, 5 Feb 2021 17:15:42 -0500 Subject: [PATCH] configure.ac: bypass autoconf 2.69 version check @@ -13,12 +13,12 @@ Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com> 1 file changed, 4 deletions(-) diff --git a/configure.ac b/configure.ac -index 524fdf1..3bea642 100644 +index e988503..d1b2cfd 100644 --- a/configure.ac +++ b/configure.ac @@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros - AC_INIT([PostgreSQL], [15.4], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) + AC_INIT([PostgreSQL], [15.5], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) -m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required. -Untested combinations of 'autoconf' and PostgreSQL versions are not @@ -28,5 +28,5 @@ index 524fdf1..3bea642 100644 AC_CONFIG_SRCDIR([src/backend/access/common/heaptuple.c]) AC_CONFIG_AUX_DIR(config) -- -2.34.1 +2.25.1 diff --git a/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_15.4.bb b/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_15.5.bb index 3aa2662891..cb90ff930a 100644 --- a/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_15.4.bb +++ b/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_15.5.bb @@ -11,6 +11,6 @@ SRC_URI += "\ file://0001-postgresql-fix-ptest-failure-of-sysviews.patch \ " -SRC_URI[sha256sum] = "baec5a4bdc4437336653b6cb5d9ed89be5bd5c0c58b94e0becee0a999e63c8f9" +SRC_URI[sha256sum] = "8f53aa95d78eb8e82536ea46b68187793b42bba3b4f65aa342f540b23c9b10a6" CVE_STATUS[CVE-2017-8806] = "not-applicable-config: Ddoesn't apply to out configuration of postgresql so we can safely ignore it." diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.13.bb b/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.14.bb index 640831c525..fa430ce402 100644 --- a/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.13.bb +++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.14.bb @@ -17,7 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://GNU_SOURCE.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ " -SRC_URI[sha256sum] = "89ff27c80d420456a721ccfb3beb7cc628d883c53059803513749e13214a23d1" +SRC_URI[sha256sum] = "34e74856cbd66fdb3a684fb349d93961d8c7aa668b06f81fd93ff267d09bc277" inherit autotools-brokensep update-rc.d systemd useradd diff --git a/meta-openembedded/meta-oe/recipes-support/libssh/libssh/0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch b/meta-openembedded/meta-oe/recipes-support/libssh/libssh/0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch index 19775fa529..d2d1fb5955 100644 --- a/meta-openembedded/meta-oe/recipes-support/libssh/libssh/0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch +++ b/meta-openembedded/meta-oe/recipes-support/libssh/libssh/0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch @@ -1,4 +1,4 @@ -From 0cade4573334571055127a2d4fe3641e2397948d Mon Sep 17 00:00:00 2001 +From 49a8ae4d6f77434ed9f7a601b9df488b921e4a22 Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Mon, 20 Mar 2023 21:59:19 -0700 Subject: [PATCH] libgcrypt.c: Fix prototype of des3_encrypt/des3_decrypt @@ -18,15 +18,16 @@ TOPDIR/build/tmp/work/cortexa15t2hf-neon-yoe-linux-gnueabi/libssh/0.10.4-r0/git/ Upstream-Status: Pending Signed-off-by: Khem Raj <raj.khem@gmail.com> + --- src/libgcrypt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/libgcrypt.c b/src/libgcrypt.c -index da5588ad..e482b654 100644 +index f410d997..e3f66781 100644 --- a/src/libgcrypt.c +++ b/src/libgcrypt.c -@@ -469,12 +469,12 @@ static int des3_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV) { +@@ -416,12 +416,12 @@ static int des3_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV) { } static void des3_encrypt(struct ssh_cipher_struct *cipher, void *in, @@ -41,6 +42,3 @@ index da5588ad..e482b654 100644 gcry_cipher_decrypt(cipher->key[0], out, len, in, len); } --- -2.40.0 - diff --git a/meta-openembedded/meta-oe/recipes-support/libssh/libssh/0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch b/meta-openembedded/meta-oe/recipes-support/libssh/libssh/0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch index 0c7f53029e..d6bc75c3a6 100644 --- a/meta-openembedded/meta-oe/recipes-support/libssh/libssh/0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch +++ b/meta-openembedded/meta-oe/recipes-support/libssh/libssh/0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch @@ -1,4 +1,4 @@ -From d2525ba0bc7b11de12c54ea1a3d1eb862537136d Mon Sep 17 00:00:00 2001 +From 69a89e8f015802f61637fed0d3791d20a594f298 Mon Sep 17 00:00:00 2001 From: Yi Zhao <yi.zhao@windriver.com> Date: Wed, 15 Mar 2023 16:51:58 +0800 Subject: [PATCH] tests/CMakeLists.txt: do not search ssh/sshd commands on host @@ -9,12 +9,13 @@ not required by unittests, we can skip the search. Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Yi Zhao <yi.zhao@windriver.com> + --- tests/CMakeLists.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt -index 22a36f37..aa32ca2e 100644 +index f5c30061..885c926a 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -86,6 +86,7 @@ set(TEST_TARGET_LIBRARIES @@ -25,7 +26,7 @@ index 22a36f37..aa32ca2e 100644 # OpenSSH Capabilities are required for all unit tests find_program(SSH_EXECUTABLE NAMES ssh) if (SSH_EXECUTABLE) -@@ -293,6 +294,7 @@ if (CLIENT_TESTING OR SERVER_TESTING) +@@ -302,6 +303,7 @@ if (CLIENT_TESTING OR SERVER_TESTING) message(STATUS "TORTURE_ENVIRONMENT=${TORTURE_ENVIRONMENT}") endif () @@ -33,6 +34,3 @@ index 22a36f37..aa32ca2e 100644 configure_file(tests_config.h.cmake ${CMAKE_CURRENT_BINARY_DIR}/tests_config.h) --- -2.25.1 - diff --git a/meta-openembedded/meta-oe/recipes-support/libssh/libssh_0.10.5.bb b/meta-openembedded/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index f33987acf5..31f29c1b7d 100644 --- a/meta-openembedded/meta-oe/recipes-support/libssh/libssh_0.10.5.bb +++ b/meta-openembedded/meta-oe/recipes-support/libssh/libssh_0.10.6.bb @@ -11,7 +11,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \ file://run-ptest \ " -SRCREV = "479eca13aaaa46b43e68c52186e3783f06ae6f34" +SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-oe/recipes-support/webkitgtk/webkitgtk3_2.42.0.bb b/meta-openembedded/meta-oe/recipes-support/webkitgtk/webkitgtk3_2.42.4.bb index f682cd9f03..3c6b7db811 100644 --- a/meta-openembedded/meta-oe/recipes-support/webkitgtk/webkitgtk3_2.42.0.bb +++ b/meta-openembedded/meta-oe/recipes-support/webkitgtk/webkitgtk3_2.42.4.bb @@ -15,7 +15,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/webkitgtk-${PV}.tar.xz \ file://0d3344e17d258106617b0e6d783d073b188a2548.patch \ file://no-musttail-arm.patch \ " -SRC_URI[sha256sum] = "828f95935861fae583fb8f2ae58cf64c63c178ae2b7c2d6f73070813ad64ed1b" +SRC_URI[sha256sum] = "52288b30bda22373442cecb86f9c9a569ad8d4769a1f97b352290ed92a67ed86" inherit cmake pkgconfig gobject-introspection perlnative features_check upstream-version-is-even gi-docgen diff --git a/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.25.2.bb b/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.25.3.bb index 66eef23895..8aa9fa0267 100644 --- a/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.25.2.bb +++ b/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.25.3.bb @@ -2,5 +2,5 @@ require nginx.inc LIC_FILES_CHKSUM = "file://LICENSE;md5=79ad2eb837299421c4435dedc8897b3d" -SRC_URI[sha256sum] = "05dd6d9356d66a74e61035f2a42162f8c754c97cf1ba64e7a801ba158d6c0711" +SRC_URI[sha256sum] = "64c5b975ca287939e828303fa857d22f142b251f17808dfe41733512d9cded86" diff --git a/poky/bitbake/lib/toaster/toastergui/api.py b/poky/bitbake/lib/toaster/toastergui/api.py index a06ffc00dc..e367bd910e 100644 --- a/poky/bitbake/lib/toaster/toastergui/api.py +++ b/poky/bitbake/lib/toaster/toastergui/api.py @@ -227,7 +227,7 @@ class XhrSetDefaultImageUrl(View): # same logical name # * Each project that uses a layer will have its own # LayerVersion and Project Layer for it -# * During the Paroject delete process, when the last +# * During the Project delete process, when the last # LayerVersion for a 'local_source_dir' layer is deleted # then the Layer record is deleted to remove orphans # @@ -457,15 +457,18 @@ class XhrLayer(View): 'layerdetailurl': layer_dep.get_detailspage_url(project.pk)}) - # Scan the layer's content and update components - scan_layer_content(layer,layer_version) + # Only scan_layer_content if layer is local + if layer_data.get('local_source_dir', None): + # Scan the layer's content and update components + scan_layer_content(layer,layer_version) except Layer_Version.DoesNotExist: return error_response("layer-dep-not-found") except Project.DoesNotExist: return error_response("project-not-found") - except KeyError: - return error_response("incorrect-parameters") + except KeyError as e: + _log("KeyError: %s" % e) + return error_response(f"incorrect-parameters") return JsonResponse({'error': "ok", 'imported_layer': { diff --git a/poky/documentation/contributor-guide/submit-changes.rst b/poky/documentation/contributor-guide/submit-changes.rst index 5a6136c8c8..61f3157d60 100644 --- a/poky/documentation/contributor-guide/submit-changes.rst +++ b/poky/documentation/contributor-guide/submit-changes.rst @@ -57,7 +57,7 @@ Set up Git The first thing to do is to install Git packages. Here is an example on Debian and Ubuntu:: - sudo aptitude install git-core git-email + sudo apt install git-core git-email Then, you need to set a name and e-mail address that Git will use to identify your commits:: @@ -438,7 +438,7 @@ their e-mail clients will default to including your email address in the conversation anyway. Anyway, you'll also be able to access the new messages on mailing list archives, -either through a web browser, or for the lists archived on https://lore.kernelorg, +either through a web browser, or for the lists archived on https://lore.kernel.org, through an individual newsgroup feed or a git repository. Sending Patches via Email diff --git a/poky/documentation/dev-manual/building.rst b/poky/documentation/dev-manual/building.rst index a395793493..e964bd1aee 100644 --- a/poky/documentation/dev-manual/building.rst +++ b/poky/documentation/dev-manual/building.rst @@ -32,6 +32,10 @@ build host running Linux. OpenEmbedded build system, see the :doc:`/brief-yoctoprojectqs/index` document. + - You can also use the `Yocto Project BitBake + <https://marketplace.visualstudio.com/items?itemName=yocto-project.yocto-bitbake>`__ + extension for Visual Studio Code to build images. + The build process creates an entire Linux distribution from source and places it in your :term:`Build Directory` under ``tmp/deploy/images``. For detailed information on the build process using BitBake, see the diff --git a/poky/documentation/dev-manual/licenses.rst b/poky/documentation/dev-manual/licenses.rst index 3b9190d47f..57713effa0 100644 --- a/poky/documentation/dev-manual/licenses.rst +++ b/poky/documentation/dev-manual/licenses.rst @@ -332,7 +332,7 @@ completeness. The Yocto Project generates a license manifest during image creation that is located in - ``${DEPLOY_DIR}/licenses/<image-name>-<machine>.rootfs-<datestamp>/`` + ``${DEPLOY_DIR}/licenses/${SSTATE_PKGARCH}/<image-name>-<machine>.rootfs-<datestamp>/`` to assist with any audits. Providing the Source Code diff --git a/poky/documentation/dev-manual/runtime-testing.rst b/poky/documentation/dev-manual/runtime-testing.rst index be1e8c02e5..1a2e9ec4fe 100644 --- a/poky/documentation/dev-manual/runtime-testing.rst +++ b/poky/documentation/dev-manual/runtime-testing.rst @@ -52,6 +52,8 @@ In order to run tests, you need to do the following: - Be sure to use an absolute path when calling this script with sudo. + - Ensure that your host has the package ``iptables`` installed. + - The package recipe ``qemu-helper-native`` is required to run this script. Build the package using the following command:: diff --git a/poky/documentation/dev-manual/start.rst b/poky/documentation/dev-manual/start.rst index 4a556967eb..b108337795 100644 --- a/poky/documentation/dev-manual/start.rst +++ b/poky/documentation/dev-manual/start.rst @@ -334,7 +334,10 @@ to use the Extensible SDK, see the ":doc:`/sdk-manual/extensible`" Chapter in th Project Application Development and the Extensible Software Development Kit (eSDK) manual. If you want to work on the kernel, see the :doc:`/kernel-dev/index`. If you are going to use Toaster, see the ":doc:`/toaster-manual/setup-and-use`" -section in the Toaster User Manual. +section in the Toaster User Manual. If you are a VSCode user, you can configure +the `Yocto Project BitBake +<https://marketplace.visualstudio.com/items?itemName=yocto-project.yocto-bitbake>`__ +extension accordingly. Setting Up to Use CROss PlatformS (CROPS) ----------------------------------------- @@ -426,7 +429,10 @@ section. If you are going to use the Extensible SDK container, see the Project Application Development and the Extensible Software Development Kit (eSDK) manual. If you are going to use the Toaster container, see the ":doc:`/toaster-manual/setup-and-use`" -section in the Toaster User Manual. +section in the Toaster User Manual. If you are a VSCode user, you can configure +the `Yocto Project BitBake +<https://marketplace.visualstudio.com/items?itemName=yocto-project.yocto-bitbake>`__ +extension accordingly. Setting Up to Use Windows Subsystem For Linux (WSL 2) ----------------------------------------------------- @@ -554,7 +560,10 @@ Extensible SDK container, see the ":doc:`/sdk-manual/extensible`" Chapter in the Project Application Development and the Extensible Software Development Kit (eSDK) manual. If you are going to use the Toaster container, see the ":doc:`/toaster-manual/setup-and-use`" -section in the Toaster User Manual. +section in the Toaster User Manual. If you are a VSCode user, you can configure +the `Yocto Project BitBake +<https://marketplace.visualstudio.com/items?itemName=yocto-project.yocto-bitbake>`__ +extension accordingly. Locating Yocto Project Source Files =================================== @@ -621,7 +630,7 @@ a selection of these components. Using the Downloads Page ------------------------ -The :yocto_home:`Yocto Project Website <>` uses a "DOWNLOADS" page +The :yocto_home:`Yocto Project Website <>` uses a "RELEASES" page from which you can locate and download tarballs of any Yocto Project release. Rather than Git repositories, these files represent snapshot tarballs similar to the tarballs located in the Index of Releases @@ -630,12 +639,13 @@ described in the ":ref:`dev-manual/start:accessing source archives`" section. #. *Go to the Yocto Project Website:* Open The :yocto_home:`Yocto Project Website <>` in your browser. -#. *Get to the Downloads Area:* Select the "DOWNLOADS" item from the - pull-down "SOFTWARE" tab menu near the top of the page. +#. *Get to the Downloads Area:* Select the "RELEASES" item from the + pull-down "DEVELOPMENT" tab menu near the top of the page. -#. *Select a Yocto Project Release:* Use the menu next to "RELEASE" to - display and choose a recent or past supported Yocto Project release - (e.g. &DISTRO_NAME_NO_CAP;, &DISTRO_NAME_NO_CAP_MINUS_ONE;, and so forth). +#. *Select a Yocto Project Release:* On the top of the "RELEASE" page currently + supported releases are displayed, further down past supported Yocto Project + releases are visible. The "Download" links in the rows of the table there + will lead to the download tarballs for the release. .. note:: @@ -645,9 +655,9 @@ described in the ":ref:`dev-manual/start:accessing source archives`" section. You can use the "RELEASE ARCHIVE" link to reveal a menu of all Yocto Project releases. -#. *Download Tools or Board Support Packages (BSPs):* From the - "DOWNLOADS" page, you can download tools or BSPs as well. Just scroll - down the page and look for what you need. +#. *Download Tools or Board Support Packages (BSPs):* Next to the tarballs you + will find download tools or BSPs as well. Just select a Yocto Project + release and look for what you need. Cloning and Checking Out Branches ================================= diff --git a/poky/documentation/migration-guides/release-4.0.rst b/poky/documentation/migration-guides/release-4.0.rst index 09fb8ca049..dfe5e186e5 100644 --- a/poky/documentation/migration-guides/release-4.0.rst +++ b/poky/documentation/migration-guides/release-4.0.rst @@ -22,3 +22,4 @@ Release 4.0 (kirkstone) release-notes-4.0.13 release-notes-4.0.14 release-notes-4.0.15 + release-notes-4.0.16 diff --git a/poky/documentation/migration-guides/release-4.3.rst b/poky/documentation/migration-guides/release-4.3.rst index 5b651a2efd..fa5653c467 100644 --- a/poky/documentation/migration-guides/release-4.3.rst +++ b/poky/documentation/migration-guides/release-4.3.rst @@ -8,3 +8,5 @@ Release 4.3 (nanbield) migration-4.3 release-notes-4.3 release-notes-4.3.1 + release-notes-4.3.2 + release-notes-4.3.3 diff --git a/poky/documentation/migration-guides/release-notes-4.0.16.rst b/poky/documentation/migration-guides/release-notes-4.0.16.rst new file mode 100644 index 0000000000..0eb31832ab --- /dev/null +++ b/poky/documentation/migration-guides/release-notes-4.0.16.rst @@ -0,0 +1,191 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Release notes for Yocto-4.0.16 (Kirkstone) +------------------------------------------ + +Security Fixes in Yocto-4.0.16 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- cpio: Fix :cve_mitre:`2023-7207` +- curl: Revert "curl: Backport fix CVE-2023-32001" +- curl: Fix :cve:`2023-46218` +- dropbear:Fix :cve:`2023-48795` +- ffmpeg: Fix :cve:`2022-3964` and :cve:`2022-3965` +- ghostscript: Fix :cve:`2023-46751` +- gnutls: Fix :cve:`2024-0553` and :cve:`2024-0567` +- go: Fix :cve:`2023-39326` +- openssh: Fix :cve:`2023-48795`, :cve:`2023-51384` and :cve:`2023-51385` +- openssl: Fix :cve:`2023-6129` and :cve_mitre:`2023-6237` +- pam: Fix :cve_mitre:`2024-22365` +- perl: Fix :cve:`2023-47038` +- qemu: Fix :cve:`2023-5088` +- sqlite3: Fix :cve:`2023-7104` +- systemd: Fix :cve:`2023-7008` +- tiff: Fix :cve:`2023-6228` +- xserver-xorg: Fix :cve:`2023-6377`, :cve:`2023-6478`, :cve:`2023-6816`, :cve_mitre:`2024-0229`, :cve:`2024-0408`, :cve:`2024-0409`, :cve_mitre:`2024-21885` and :cve_mitre:`2024-21886` +- zlib: Ignore :cve:`2023-6992` + + +Fixes in Yocto-4.0.16 +~~~~~~~~~~~~~~~~~~~~~ + +- bitbake: asyncrpc: Add context manager API +- bitbake: data: Add missing dependency handling of remove operator +- bitbake: lib/bb: Add workaround for libgcc issues with python 3.8 and 3.9 +- bitbake: toastergui: verify that an existing layer path is given +- build-appliance-image: Update to kirkstone head revision +- contributor-guide: add License-Update tag +- contributor-guide: fix command option +- contributor-guide: use "apt" instead of "aptitude" +- cpio: upgrade to 2.14 +- cve-update-nvd2-native: faster requests with API keys +- cve-update-nvd2-native: increase the delay between subsequent request failures +- cve-update-nvd2-native: make number of fetch attemtps configurable +- cve-update-nvd2-native: remove unused variable CVE_SOCKET_TIMEOUT +- dev-manual: Discourage the use of SRC_URI[md5sum] +- dev-manual: layers: update link to YP Compatible form +- dev-manual: runtime-testing: fix test module name +- dev-manual: start.rst: update use of Download page +- docs:what-i-wish-id-known.rst: fix URL +- docs: document VSCode extension +- docs:brief-yoctoprojectqs:index.rst: align variable order with default local.conf +- docs:migration-guides: add release notes for 4.0.15 +- docs:migration-guides: release 3.5 is actually 4.0 +- elfutils: Disable stringop-overflow warning for build host +- externalsrc: Ensure :term:`SRCREV` is processed before accessing :term:`SRC_URI` +- linux-firmware: upgrade to 20231030 +- manuals: Add :term:`CONVERSION_CMD` definition +- manuals: Add :term:`UBOOT_BINARY`, extend :term:`UBOOT_CONFIG` +- perl: upgrade to 5.34.3 +- poky.conf: bump version for 4.0.16 +- pybootchartgui: fix 2 SyntaxWarnings +- python3-ptest: skip test_storlines +- ref-manual: Fix reference to MIRRORS/PREMIRRORS defaults +- ref-manual: classes: remove insserv bbclass +- ref-manual: releases.svg: update nanbield release status +- ref-manual: resources: sync with master branch +- ref-manual: update tested and supported distros +- test-manual: add links to python unittest +- test-manual: add or improve hyperlinks +- test-manual: explicit or fix file paths +- test-manual: resource updates +- test-manual: text and formatting fixes +- test-manual: use working example +- testimage: Exclude wtmp from target-dumper commands +- testimage: drop target_dumper, host_dumper, and monitor_dumper +- tzdata: Upgrade to 2023d + + +Known Issues in Yocto-4.0.16 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- N/A + + +Contributors to Yocto-4.0.16 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Aatir Manzur +- Archana Polampalli +- Dhairya Nagodra +- Dmitry Baryshkov +- Enguerrand de Ribaucourt +- Hitendra Prajapati +- Insu Park +- Joshua Watt +- Justin Bronder +- Jörg Sommer +- Khem Raj +- Lee Chee Yang +- mark.yang +- Marta Rybczynska +- Martin Jansa +- Maxin B. John +- Michael Opdenacker +- Paul Barker +- Peter Kjellerstedt +- Peter Marko +- Poonam Jadhav +- Richard Purdie +- Shubham Kulkarni +- Simone Weiß +- Soumya Sambu +- Sourav Pramanik +- Steve Sakoman +- Trevor Gamblin +- Vijay Anusuri +- Vivek Kumbhar +- Yoann Congal +- Yogita Urade + + +Repositories / Downloads for Yocto-4.0.16 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +poky + +- Repository Location: :yocto_git:`/poky` +- Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.16 </poky/log/?h=yocto-4.0.16>` +- Git Revision: :yocto_git:`54af8c5e80ebf63707ef4e51cc9d374f716da603 </poky/commit/?id=54af8c5e80ebf63707ef4e51cc9d374f716da603>` +- Release Artefact: poky-54af8c5e80ebf63707ef4e51cc9d374f716da603 +- sha: a53ec3a661cf56ca40c0fbf1500288c2c20abe94896d66a572bc5ccf5d92e9d6 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.16/poky-54af8c5e80ebf63707ef4e51cc9d374f716da603.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.16/poky-54af8c5e80ebf63707ef4e51cc9d374f716da603.tar.bz2 + +openembedded-core + +- Repository Location: :oe_git:`/openembedded-core` +- Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>` +- Tag: :oe_git:`yocto-4.0.16 </openembedded-core/log/?h=yocto-4.0.16>` +- Git Revision: :oe_git:`a744a897f0ea7d34c31c024c13031221f9a85f24 </openembedded-core/commit/?id=a744a897f0ea7d34c31c024c13031221f9a85f24>` +- Release Artefact: oecore-a744a897f0ea7d34c31c024c13031221f9a85f24 +- sha: 8c2bc9487597b0caa9f5a1d72b18cfcd1ddc7e6d91f0f051313563d6af95aeec +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.16/oecore-a744a897f0ea7d34c31c024c13031221f9a85f24.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.16/oecore-a744a897f0ea7d34c31c024c13031221f9a85f24.tar.bz2 + +meta-mingw + +- Repository Location: :yocto_git:`/meta-mingw` +- Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.16 </meta-mingw/log/?h=yocto-4.0.16>` +- Git Revision: :yocto_git:`f6b38ce3c90e1600d41c2ebb41e152936a0357d7 </meta-mingw/commit/?id=f6b38ce3c90e1600d41c2ebb41e152936a0357d7>` +- Release Artefact: meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7 +- sha: 7d57167c19077f4ab95623d55a24c2267a3a3fb5ed83688659b4c03586373b25 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.16/meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.16/meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7.tar.bz2 + +meta-gplv2 + +- Repository Location: :yocto_git:`/meta-gplv2` +- Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.16 </meta-gplv2/log/?h=yocto-4.0.16>` +- Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>` +- Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a +- sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.16/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.16/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 + +bitbake + +- Repository Location: :oe_git:`/bitbake` +- Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>` +- Tag: :oe_git:`yocto-4.0.16 </bitbake/log/?h=yocto-4.0.16>` +- Git Revision: :oe_git:`ee090484cc25d760b8c20f18add17b5eff485b40 </bitbake/commit/?id=ee090484cc25d760b8c20f18add17b5eff485b40>` +- Release Artefact: bitbake-ee090484cc25d760b8c20f18add17b5eff485b40 +- sha: 479e3a57ae9fbc2aa95292a7554caeef113bbfb28c226ed19547b8dde1c95314 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.16/bitbake-ee090484cc25d760b8c20f18add17b5eff485b40.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.0.16/bitbake-ee090484cc25d760b8c20f18add17b5eff485b40.tar.bz2 + +yocto-docs + +- Repository Location: :yocto_git:`/yocto-docs` +- Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>` +- Tag: :yocto_git:`yocto-4.0.16 </yocto-docs/log/?h=yocto-4.0.16>` +- Git Revision: :yocto_git:`aba67b58711019a6ba439b2b77337f813ed799ac </yocto-docs/commit/?id=aba67b58711019a6ba439b2b77337f813ed799ac>` + diff --git a/poky/documentation/migration-guides/release-notes-4.3.2.rst b/poky/documentation/migration-guides/release-notes-4.3.2.rst new file mode 100644 index 0000000000..3a40d83bc2 --- /dev/null +++ b/poky/documentation/migration-guides/release-notes-4.3.2.rst @@ -0,0 +1,247 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Release notes for Yocto-4.3.2 (Nanbield) +---------------------------------------- + +Security Fixes in Yocto-4.3.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- avahi: Fix :cve:`2023-1981`, :cve:`2023-38469`, :cve:`2023-38470`, :cve:`2023-38471`, :cve:`2023-38472` and :cve:`2023-38473` +- curl: Fix :cve:`2023-46218` +- ghostscript: Fix :cve:`2023-46751` +- grub: fix :cve:`2023-4692` and :cve:`2023-4693` +- gstreamer1.0: Fix :cve_mitre:`2023-44446` +- linux-yocto/6.1: Ignore :cve_mitre:`2023-39197`, :cve:`2023-39198`, :cve:`2023-5090`, :cve:`2023-5633`, :cve:`2023-6111`, :cve:`2023-6121` and :cve:`2023-6176` +- linux-yocto/6.5: Ignore :cve:`2022-44034`, :cve_mitre:`2023-39197`, :cve:`2023-39198`, :cve:`2023-5972`, :cve:`2023-6039`, :cve:`2023-6111` and :cve:`2023-6176` +- perl: fix :cve:`2023-47100` +- python3-urllib3: Fix :cve:`2023-45803` +- rust: Fix :cve:`2023-40030` +- vim: Fix :cve:`2023-48231`, :cve:`2023-48232`, :cve:`2023-48233`, :cve:`2023-48234`, :cve:`2023-48235`, :cve:`2023-48236` and :cve:`2023-48237` +- xserver-xorg: Fix :cve:`2023-5367` and :cve:`2023-5380` +- xwayland: Fix :cve:`2023-5367` + + +Fixes in Yocto-4.3.2 +~~~~~~~~~~~~~~~~~~~~ + +- base-passwd: Upgrade to 3.6.2 +- bind: Upgrade to 9.18.20 +- binutils: stable 2.41 branch updates +- bitbake: command: Make parseRecipeFile() handle virtual recipes correctly +- bitbake: lib/bb: Add workaround for libgcc issues with python 3.8 and 3.9 +- bitbake: toastergui: verify that an existing layer path is given +- bluez5: fix connection for ps5/dualshock controllers +- build-appliance-image: Update to nanbield head revision +- cmake: Upgrade to 3.27.7 +- contributor-guide: add License-Update tag +- contributor-guide: fix command option +- cups: Add root,sys,wheel to system groups +- cve-update-nvd2-native: faster requests with API keys +- cve-update-nvd2-native: increase the delay between subsequent request failures +- cve-update-nvd2-native: make number of fetch attemtps configurable +- cve-update-nvd2-native: remove unused variable CVE_SOCKET_TIMEOUT +- dev-manual: Discourage the use of SRC_URI[md5sum] +- dev-manual: layers: update link to YP Compatible form +- dev-manual: runtime-testing: fix test module name +- devtool: finish/update-recipe: restrict mode srcrev to recipes fetched from SCM +- devtool: fix update-recipe dry-run mode +- ell: Upgrade to 0.60 +- enchant2: Upgrade to 2.6.2 +- ghostscript: Upgrade to 10.02.1 +- glib-2.0: Upgrade to 2.78.1 +- glibc: stable 2.38 branch updates +- gstreamer1.0: Upgrade to 1.22.7 +- gtk: Add rdepend on printbackend for cups +- harfbuzz: Upgrade to 8.2.2 +- json-c: fix icecc compilation +- kern-tools: bump :term:`SRCREV` for queue processing changes +- kern-tools: make lower context patches reproducible +- kern-tools: update :term:`SRCREV` to include SECURITY.md file +- kernel-arch: use ccache only for compiler +- kernel-yocto: improve metadata patching +- lib/oe/buildcfg.py: Include missing import +- lib/oe/buildcfg.py: Remove unused parameter +- lib/oe/patch: ensure os.chdir restoring always happens +- lib/oe/path: Deploy files can start only with a dot +- libgcrypt: Upgrade to 1.10.3 +- libjpeg-turbo: Upgrade to 3.0.1 +- libnewt: Upgrade to 0.52.24 +- libnsl2: Upgrade to 2.0.1 +- libsolv: Upgrade to 0.7.26 +- libxslt: Upgrade to 1.1.39 +- linux-firmware: add audio topology symlink to the X13's audio package +- linux-firmware: add missing depenencies on license packages +- linux-firmware: add new fw file to ${PN}-rtl8821 +- linux-firmware: add notice file to sdm845 modem firmware +- linux-firmware: create separate packages +- linux-firmware: package Qualcomm Venus 6.0 firmware +- linux-firmware: package Robotics RB5 sensors DSP firmware +- linux-firmware: package firmware for Qualcomm Adreno a702 +- linux-firmware: package firmware for Qualcomm QCM2290 / QRB4210 +- linux-firmware: Upgrade to 20231030 +- linux-yocto-rt/6.1: update to -rt18 +- linux-yocto/6.1: cfg: restore CONFIG_DEVMEM +- linux-yocto/6.1: drop removed IMA option +- linux-yocto/6.1: Upgrade to v6.1.68 +- linux-yocto/6.5: cfg: restore CONFIG_DEVMEM +- linux-yocto/6.5: cfg: split runtime and symbol debug +- linux-yocto/6.5: drop removed IMA option +- linux-yocto/6.5: fix AB-INT: QEMU kernel panic: No irq handler for vector +- linux-yocto/6.5: Upgrade to v6.5.13 +- linux/cve-exclusion6.1: Update to latest kernel point release +- log4cplus: Upgrade to 2.1.1 +- lsb-release: use https for :term:`UPSTREAM_CHECK_URI` +- manuals: brief-yoctoprojectqs: align variable order with default local.conf +- manuals: fix URL +- meson: use correct targets for rust binaries +- migration-guide: add release notes for 4.0.14, 4.0.15, 4.2.4, 4.3.1 +- migration-guides: release 3.5 is actually 4.0 +- migration-guides: reword fix in release-notes-4.3.1 +- msmtp: Upgrade to 1.8.25 +- oeqa/selftest/tinfoil: Add tests that parse virtual recipes +- openssl: improve handshake test error reporting +- package_ipk: Fix Source: field variable dependency +- patchtest: shorten patch signed-off-by test output +- perf: lift :term:`TARGET_CC_ARCH` modification out of security_flags.inc +- perl: Upgrade to 5.38.2 +- perlcross: Upgrade to 1.5.2 +- poky.conf: bump version for 4.3.2 release +- python3-ptest: skip test_storlines +- python3-urllib3: Upgrade to 2.0.7 +- qemu: Upgrade to 8.1.2 +- ref-manual: Fix reference to MIRRORS/PREMIRRORS defaults +- ref-manual: releases.svg: update nanbield release status +- useradd_base: sed -i destroys symlinks +- rootfs-postcommands: sed -i destroys symlinks +- sstate: Ensure sstate searches update file mtime +- strace: backport fix for so_peerpidfd-test +- systemd-boot: Fix build issues on armv7a-linux +- systemd-compat-units.bb: fix postinstall script +- systemd: fix DynamicUser issue +- systemd: update :term:`LICENSE` statement +- tcl: skip async and event tests in run-ptest +- tcl: skip timing-dependent tests in run-ptest +- test-manual: add links to python unittest +- test-manual: add or improve hyperlinks +- test-manual: explicit or fix file paths +- test-manual: resource updates +- test-manual: text and formatting fixes +- test-manual: use working example +- testimage: Drop target_dumper and most of monitor_dumper +- testimage: Exclude wtmp from target-dumper commands +- tzdata: Upgrade to 2023d +- update_gtk_icon_cache: Fix for GTK4-only builds +- useradd_base: Fix sed command line for passwd-expire +- vim: Upgrade to 9.0.2130 +- xserver-xorg: Upgrade to 21.1.9 +- xwayland: Upgrade to 23.2.2 + + +Known Issues in Yocto-4.3.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- N/A + +Contributors to Yocto-4.3.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Adam Johnston +- Alexander Kanavin +- Anuj Mittal +- Bastian Krause +- Bruce Ashfield +- Chen Qi +- Deepthi Hemraj +- Dhairya Nagodra +- Dmitry Baryshkov +- Fahad Arslan +- Javier Tia +- Jermain Horsman +- Joakim Tjernlund +- Julien Stephan +- Justin Bronder +- Khem Raj +- Lee Chee Yang +- Marco Felsch +- Markus Volk +- Marta Rybczynska +- Massimiliano Minella +- Michael Opdenacker +- Paul Barker +- Peter Kjellerstedt +- Peter Marko +- Randy MacLeod +- Rasmus Villemoes +- Richard Purdie +- Ross Burton +- Shubham Kulkarni +- Simone Weiß +- Steve Sakoman +- Sundeep KOKKONDA +- Tim Orling +- Trevor Gamblin +- Vijay Anusuri +- Viswanath Kraleti +- Vyacheslav Yurkov +- Wang Mingyu +- William Lyu +- Zoltán Böszörményi + +Repositories / Downloads for Yocto-4.3.2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +poky + +- Repository Location: :yocto_git:`/poky` +- Branch: :yocto_git:`nanbield </poky/log/?h=nanbield>` +- Tag: :yocto_git:`yocto-4.3.2 </poky/log/?h=yocto-4.3.2>` +- Git Revision: :yocto_git:`f768ffb8916feb6542fcbe3e946cbf30e247b151 </poky/commit/?id=f768ffb8916feb6542fcbe3e946cbf30e247b151>` +- Release Artefact: poky-f768ffb8916feb6542fcbe3e946cbf30e247b151 +- sha: 21ca1695d70aba9b4bd8626d160111feab76206883cd14fe41eb024692bdfd7b +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.3.2/poky-f768ffb8916feb6542fcbe3e946cbf30e247b151.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.3.2/poky-f768ffb8916feb6542fcbe3e946cbf30e247b151.tar.bz2 + +openembedded-core + +- Repository Location: :oe_git:`/openembedded-core` +- Branch: :oe_git:`nanbield </openembedded-core/log/?h=nanbield>` +- Tag: :oe_git:`yocto-4.3.2 </openembedded-core/log/?h=yocto-4.3.2>` +- Git Revision: :oe_git:`ff595b937d37d2315386aebf315cea719e2362ea </openembedded-core/commit/?id=ff595b937d37d2315386aebf315cea719e2362ea>` +- Release Artefact: oecore-ff595b937d37d2315386aebf315cea719e2362ea +- sha: a7c6332dc0e09ecc08221e78b11151e8e2a3fd9fa3eaad96a4c03b67012bfb97 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.3.2/oecore-ff595b937d37d2315386aebf315cea719e2362ea.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.3.2/oecore-ff595b937d37d2315386aebf315cea719e2362ea.tar.bz2 + +meta-mingw + +- Repository Location: :yocto_git:`/meta-mingw` +- Branch: :yocto_git:`nanbield </meta-mingw/log/?h=nanbield>` +- Tag: :yocto_git:`yocto-4.3.2 </meta-mingw/log/?h=yocto-4.3.2>` +- Git Revision: :yocto_git:`49617a253e09baabbf0355bc736122e9549c8ab2 </meta-mingw/commit/?id=49617a253e09baabbf0355bc736122e9549c8ab2>` +- Release Artefact: meta-mingw-49617a253e09baabbf0355bc736122e9549c8ab2 +- sha: 2225115b73589cdbf1e491115221035c6a61679a92a93b2a3cf761ff87bf4ecc +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.3.2/meta-mingw-49617a253e09baabbf0355bc736122e9549c8ab2.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.3.2/meta-mingw-49617a253e09baabbf0355bc736122e9549c8ab2.tar.bz2 + +bitbake + +- Repository Location: :oe_git:`/bitbake` +- Branch: :oe_git:`2.6 </bitbake/log/?h=2.6>` +- Tag: :oe_git:`yocto-4.3.2 </bitbake/log/?h=yocto-4.3.2>` +- Git Revision: :oe_git:`72bf75f0b2e7f36930185e18a1de8277ce7045d8 </bitbake/commit/?id=72bf75f0b2e7f36930185e18a1de8277ce7045d8>` +- Release Artefact: bitbake-72bf75f0b2e7f36930185e18a1de8277ce7045d8 +- sha: 0b6ccd4796ccd211605090348a3d4378358c839ae1bb4c35964d0f36f2663187 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.3.2/bitbake-72bf75f0b2e7f36930185e18a1de8277ce7045d8.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.3.2/bitbake-72bf75f0b2e7f36930185e18a1de8277ce7045d8.tar.bz2 + +yocto-docs + +- Repository Location: :yocto_git:`/yocto-docs` +- Branch: :yocto_git:`nanbield </yocto-docs/log/?h=nanbield>` +- Tag: :yocto_git:`yocto-4.3.2 </yocto-docs/log/?h=yocto-4.3.2>` +- Git Revision: :yocto_git:`fac88b9e80646a68b31975c915a718a9b6b2b439 </yocto-docs/commit/?id=fac88b9e80646a68b31975c915a718a9b6b2b439>` + diff --git a/poky/documentation/migration-guides/release-notes-4.3.3.rst b/poky/documentation/migration-guides/release-notes-4.3.3.rst new file mode 100644 index 0000000000..2a0658a9c9 --- /dev/null +++ b/poky/documentation/migration-guides/release-notes-4.3.3.rst @@ -0,0 +1,200 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +Release notes for Yocto-4.3.3 (Nanbield) +---------------------------------------- + +Security Fixes in Yocto-4.3.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- curl: Fix :cve:`2023-46219` +- glibc: Ignore fixed :cve:`2023-0687` and :cve:`2023-5156` +- linux-yocto/6.1: Ignore :cve:`2022-48619`, :cve:`2023-4610`, :cve:`2023-5178`, :cve:`2023-5972`, :cve:`2023-6040`, :cve:`2023-6531`, :cve:`2023-6546`, :cve:`2023-6622`, :cve:`2023-6679`, :cve:`2023-6817`, :cve:`2023-6931`, :cve:`2023-6932`, :cve:`2023-7192`, :cve:`2024-0193` and :cve:`2024-0443` +- linux-yocto/6.1: Fix :cve:`2023-1193`, :cve_mitre:`2023-51779`, :cve:`2023-51780`, :cve:`2023-51781`, :cve:`2023-51782` and :cve:`2023-6606` +- qemu: Fix :cve:`2023-3019` +- shadow: Fix :cve:`2023-4641` +- sqlite3: Fix :cve:`2024-0232` +- sqlite3: drop obsolete CVE ignore :cve:`2023-36191` +- sudo: Fix :cve:`2023-42456` and :cve:`2023-42465` +- tiff: Fix :cve:`2023-6277` +- xwayland: Fix :cve:`2023-6377` and :cve:`2023-6478` + + +Fixes in Yocto-4.3.3 +~~~~~~~~~~~~~~~~~~~~ + +- aspell: upgrade to 0.60.8.1 +- avahi: update URL for new project location +- base-passwd: upgrade to 3.6.3 +- bitbake: asyncrpc: Add context manager API +- bitbake: toaster/toastergui: Bug-fix verify given layer path only if import/add local layer +- build-appliance-image: Update to nanbield head revision +- classes-global/sstate: Fix variable typo +- cmake: Unset CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES +- contributor-guide: fix lore URL +- contributor-guide: use "apt" instead of "aptitude" +- create-spdx-2.2: combine spdx can try to write before dir creation +- curl: Disable test 1091 due to intermittent failures +- curl: Disable two intermittently failing tests +- dev-manual: gen-tapdevs need iptables installed +- dev-manual: start.rst: Update use of Download page +- dev-manual: update license manifest path +- devtool: deploy: provide max_process to strip_execs +- devtool: modify: Handle recipes with a menuconfig task correctly +- docs: document VSCode extension +- dtc: preserve version also from shallow git clones +- elfutils: Update license information +- glib-2.0: upgrade to 2.78.3 +- glibc-y2038-tests: do not run tests using 32 bit time APIs +- go: upgrade to 1.20.12 +- grub: fs/fat: Don't error when mtime is 0 +- gstreamer1.0: upgrade to 1.22.8 +- icon-naming-utils: take tarball from debian +- kea: upgrade to 2.4.1 +- lib/prservice: Improve lock handling robustness +- libadwaita: upgrade to 1.4.2 +- libatomic-ops: upgrade to 7.8.2 +- libva-utils: upgrade to 2.20.1 +- linux-firmware: Change bnx2 packaging +- linux-firmware: Create bnx2x subpackage +- linux-firmware: Fix the linux-firmware-bcm4373 :term:`FILES` variable +- linux-firmware: Package iwlwifi .pnvm files +- linux-yocto/6.1: security/cfg: add configs to harden protection +- linux-yocto/6.1: update to v6.1.73 +- meta/documentation.conf: fix do_menuconfig description +- migration-guide: add release notes for 4.0.16 +- migration-guide: add release notes for 4.3.2 +- ncurses: Fix - tty is hung after reset +- nfs-utils: Update Upstream-Status +- nfs-utils: upgrade to 2.6.4 +- oeqa/selftest/prservice: Improve test robustness +- package.py: OEHasPackage: Add :term:`MLPREFIX` to packagename +- poky.conf: bump version for 4.3.3 release +- pseudo: Update to pull in syncfs probe fix +- python3-license-expression: Fix the ptest failure +- qemu.bbclass: fix a python TypeError +- qemu: upgrade to 8.1.4 +- ref-manual: Add UBOOT_BINARY, extend :term:`UBOOT_CONFIG` +- ref-manual: classes: remove insserv bbclass +- ref-manual: update tested and supported distros +- release-notes-4.3: fix spacing +- rootfs.py: check depmodwrapper execution result +- rpcbind: Specify state directory under /run +- scripts/runqemu: fix regex escape sequences +- sqlite3: upgrade to 3.43.2 +- sstate: Fix dir ownership issues in :term:`SSTATE_DIR` +- sudo: upgrade to 1.9.15p5 +- tcl: Fix prepending to run-ptest script +- uninative-tarball.xz - reproducibility fix +- xwayland: upgrade to 23.2.3 +- zstd: fix :term:`LICENSE` statement + + +Known Issues in Yocto-4.3.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- N/A + + +Contributors to Yocto-4.3.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Alassane Yattara +- Alexander Kanavin +- Anuj Mittal +- Baruch Siach +- Bruce Ashfield +- Chen Qi +- Clay Chang +- Enguerrand de Ribaucourt +- Ilya A. Kriveshko +- Jason Andryuk +- Jeremy A. Puhlman +- Joao Marcos Costa +- Jose Quaresma +- Joshua Watt +- Jörg Sommer +- Khem Raj +- Lee Chee Yang +- Markus Volk +- Massimiliano Minella +- Maxin B. John +- Michael Opdenacker +- Ming Liu +- Mingli Yu +- Peter Kjellerstedt +- Peter Marko +- Richard Purdie +- Robert Berger +- Robert Yang +- Rodrigo M. Duarte +- Ross Burton +- Saul Wold +- Simone Weiß +- Soumya Sambu +- Steve Sakoman +- Trevor Gamblin +- Wang Mingyu +- William Lyu +- Xiangyu Chen +- Yang Xu +- Zahir Hussain + + +Repositories / Downloads for Yocto-4.3.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +poky + +- Repository Location: :yocto_git:`/poky` +- Branch: :yocto_git:`nanbield </poky/log/?h=nanbield>` +- Tag: :yocto_git:`yocto-4.3.3 </poky/log/?h=yocto-4.3.3>` +- Git Revision: :yocto_git:`d3b27346c3a4a7ef7ec517e9d339d22bda74349d </poky/commit/?id=d3b27346c3a4a7ef7ec517e9d339d22bda74349d>` +- Release Artefact: poky-d3b27346c3a4a7ef7ec517e9d339d22bda74349d +- sha: 2db39f1bf7bbcee039e9970eed1f6f9233bcc95d675159647c9a2a334fc81eb0 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.3.3/poky-d3b27346c3a4a7ef7ec517e9d339d22bda74349d.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.3.3/poky-d3b27346c3a4a7ef7ec517e9d339d22bda74349d.tar.bz2 + +openembedded-core + +- Repository Location: :oe_git:`/openembedded-core` +- Branch: :oe_git:`nanbield </openembedded-core/log/?h=nanbield>` +- Tag: :oe_git:`yocto-4.3.3 </openembedded-core/log/?h=yocto-4.3.3>` +- Git Revision: :oe_git:`0584d01f623e1f9b0fef4dfa95dd66de6cbfb7b3 </openembedded-core/commit/?id=0584d01f623e1f9b0fef4dfa95dd66de6cbfb7b3>` +- Release Artefact: oecore-0584d01f623e1f9b0fef4dfa95dd66de6cbfb7b3 +- sha: 730de0d5744f139322402ff9a6b2483c6ab929f704cec06258ae51de1daebe3d +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.3.3/oecore-0584d01f623e1f9b0fef4dfa95dd66de6cbfb7b3.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.3.3/oecore-0584d01f623e1f9b0fef4dfa95dd66de6cbfb7b3.tar.bz2 + +meta-mingw + +- Repository Location: :yocto_git:`/meta-mingw` +- Branch: :yocto_git:`nanbield </meta-mingw/log/?h=nanbield>` +- Tag: :yocto_git:`yocto-4.3.3 </meta-mingw/log/?h=yocto-4.3.3>` +- Git Revision: :yocto_git:`49617a253e09baabbf0355bc736122e9549c8ab2 </meta-mingw/commit/?id=49617a253e09baabbf0355bc736122e9549c8ab2>` +- Release Artefact: meta-mingw-49617a253e09baabbf0355bc736122e9549c8ab2 +- sha: 2225115b73589cdbf1e491115221035c6a61679a92a93b2a3cf761ff87bf4ecc +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.3.3/meta-mingw-49617a253e09baabbf0355bc736122e9549c8ab2.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.3.3/meta-mingw-49617a253e09baabbf0355bc736122e9549c8ab2.tar.bz2 + +bitbake + +- Repository Location: :oe_git:`/bitbake` +- Branch: :oe_git:`2.6 </bitbake/log/?h=2.6>` +- Tag: :oe_git:`yocto-4.3.3 </bitbake/log/?h=yocto-4.3.3>` +- Git Revision: :oe_git:`380a9ac97de5774378ded5e37d40b79b96761a0c </bitbake/commit/?id=380a9ac97de5774378ded5e37d40b79b96761a0c>` +- Release Artefact: bitbake-380a9ac97de5774378ded5e37d40b79b96761a0c +- sha: 78f579b9d29e72d09b6fb10ac62aa925104335e92d2afb3155bc9ab1994e36c1 +- Download Locations: + http://downloads.yoctoproject.org/releases/yocto/yocto-4.3.3/bitbake-380a9ac97de5774378ded5e37d40b79b96761a0c.tar.bz2 + http://mirrors.kernel.org/yocto/yocto/yocto-4.3.3/bitbake-380a9ac97de5774378ded5e37d40b79b96761a0c.tar.bz2 + +yocto-docs + +- Repository Location: :yocto_git:`/yocto-docs` +- Branch: :yocto_git:`nanbield </yocto-docs/log/?h=nanbield>` +- Tag: :yocto_git:`yocto-4.3.3 </yocto-docs/log/?h=yocto-4.3.3>` +- Git Revision: :yocto_git:`dde4b815db82196af086847f68ee27d7902b4ffa </yocto-docs/commit/?id=dde4b815db82196af086847f68ee27d7902b4ffa>` + diff --git a/poky/documentation/migration-guides/release-notes-4.3.rst b/poky/documentation/migration-guides/release-notes-4.3.rst index 85180dfc3c..0e175067da 100644 --- a/poky/documentation/migration-guides/release-notes-4.3.rst +++ b/poky/documentation/migration-guides/release-notes-4.3.rst @@ -94,7 +94,7 @@ New Features / Enhancements in 4.3 API to access the kernel tracefs directory (from meta-openembedded) - `libxmlb <https://github.com/hughsie/libxmlb>`__: A library to help create - and query binary XML blobs (from meta-oe) + and query binary XML blobs (from meta-oe) - ``musl-legacy-error``: glibc ``error()`` API implementation still needed by a few packages. diff --git a/poky/documentation/overview-manual/development-environment.rst b/poky/documentation/overview-manual/development-environment.rst index 262d5cb203..d79173ff55 100644 --- a/poky/documentation/overview-manual/development-environment.rst +++ b/poky/documentation/overview-manual/development-environment.rst @@ -131,6 +131,14 @@ are several ways of working in the Yocto Project environment: Toaster and on how to use Toaster in general, see the :doc:`/toaster-manual/index`. +- *Using the VSCode Extension:* You can use the `Yocto Project BitBake + <https://marketplace.visualstudio.com/items?itemName=yocto-project.yocto-bitbake>`__ + extension for Visual Studio Code to start your BitBake builds through a + graphical user interface. + + Learn more about the VSCode Extension on the `extension's marketplace page + <https://marketplace.visualstudio.com/items?itemName=yocto-project.yocto-bitbake>`__. + Yocto Project Source Repositories ================================= diff --git a/poky/documentation/overview-manual/yp-intro.rst b/poky/documentation/overview-manual/yp-intro.rst index d694642af2..1e6820c14e 100644 --- a/poky/documentation/overview-manual/yp-intro.rst +++ b/poky/documentation/overview-manual/yp-intro.rst @@ -340,6 +340,18 @@ the Yocto Project: view information about builds. For information on Toaster, see the :doc:`/toaster-manual/index`. +- *VSCode IDE Extension:* The `Yocto Project BitBake + <https://marketplace.visualstudio.com/items?itemName=yocto-project.yocto-bitbake>`__ + extension for Visual Studio Code provides a rich set of features for working + with BitBake recipes. The extension provides syntax highlighting, + hover tips, and completion for BitBake files as well as embedded Python and + Bash languages. Additional views and commands allow you to efficiently + browse, build and edit recipes. It also provides SDK integration for + cross-compiling and debugging through ``devtool``. + + Learn more about the VSCode Extension on the `extension's frontpage + <https://marketplace.visualstudio.com/items?itemName=yocto-project.yocto-bitbake>`__. + Production Tools ---------------- @@ -605,6 +617,14 @@ Build Host runs, you have several choices. For information about and how to use Toaster, see the :doc:`/toaster-manual/index`. +- *Using the VSCode Extension:* You can use the `Yocto Project BitBake + <https://marketplace.visualstudio.com/items?itemName=yocto-project.yocto-bitbake>`__ + extension for Visual Studio Code to start your BitBake builds through a + graphical user interface. + + Learn more about the VSCode Extension on the `extension's marketplace page + <https://marketplace.visualstudio.com/items?itemName=yocto-project.yocto-bitbake>`__ + Reference Embedded Distribution (Poky) ====================================== diff --git a/poky/documentation/ref-manual/classes.rst b/poky/documentation/ref-manual/classes.rst index a8afe9f2dc..81dab1f4b3 100644 --- a/poky/documentation/ref-manual/classes.rst +++ b/poky/documentation/ref-manual/classes.rst @@ -1538,16 +1538,6 @@ Here are the tests you can list with the :term:`WARN_QA` and automatically get these versions. Consequently, you should only need to explicitly add dependencies to binary driver recipes. -.. _ref-classes-insserv: - -``insserv`` -=========== - -The :ref:`ref-classes-insserv` class uses the ``insserv`` utility to update the order -of symbolic links in ``/etc/rc?.d/`` within an image based on -dependencies specified by LSB headers in the ``init.d`` scripts -themselves. - .. _ref-classes-kernel: ``kernel`` @@ -3210,7 +3200,7 @@ The :ref:`ref-classes-uboot-config` class provides support for U-Boot configurat a machine. Specify the machine in your recipe as follows:: UBOOT_CONFIG ??= <default> - UBOOT_CONFIG[foo] = "config,images" + UBOOT_CONFIG[foo] = "config,images,binary" You can also specify the machine using this method:: diff --git a/poky/documentation/ref-manual/resources.rst b/poky/documentation/ref-manual/resources.rst index 8c3726e83b..8e54ac87c9 100644 --- a/poky/documentation/ref-manual/resources.rst +++ b/poky/documentation/ref-manual/resources.rst @@ -169,6 +169,11 @@ Here is a list of resources you might find helpful: the :term:`OpenEmbedded Build System`, which uses BitBake, that reports build information. +- `Yocto Project BitBake extension for VSCode + <https://marketplace.visualstudio.com/items?itemName=yocto-project.yocto-bitbake>`__: + This extension provides a rich feature set when working with BitBake recipes + within the Visual Studio Code IDE. + - :yocto_wiki:`FAQ </FAQ>`: A list of commonly asked questions and their answers. diff --git a/poky/documentation/ref-manual/variables.rst b/poky/documentation/ref-manual/variables.rst index b394d31099..6f7d6ff01e 100644 --- a/poky/documentation/ref-manual/variables.rst +++ b/poky/documentation/ref-manual/variables.rst @@ -9383,23 +9383,30 @@ system and gives an overview of their function and contents. See the machine include files in the :term:`Source Directory` for these features. + :term:`UBOOT_BINARY` + Specifies the name of the binary build by U-Boot. + :term:`UBOOT_CONFIG` - Configures the :term:`UBOOT_MACHINE` and can - also define :term:`IMAGE_FSTYPES` for individual - cases. - - Following is an example from the ``meta-fsl-arm`` layer. :: - - UBOOT_CONFIG ??= "sd" - UBOOT_CONFIG[sd] = "mx6qsabreauto_config,sdcard" - UBOOT_CONFIG[eimnor] = "mx6qsabreauto_eimnor_config" - UBOOT_CONFIG[nand] = "mx6qsabreauto_nand_config,ubifs" - UBOOT_CONFIG[spinor] = "mx6qsabreauto_spinor_config" - - In this example, "sd" is selected as the configuration of the possible four for the - :term:`UBOOT_MACHINE`. The "sd" configuration defines - "mx6qsabreauto_config" as the value for :term:`UBOOT_MACHINE`, while the - "sdcard" specifies the :term:`IMAGE_FSTYPES` to use for the U-Boot image. + Configures one or more U-Boot configurations to build. Each + configuration can define the :term:`UBOOT_MACHINE` and optionally the + :term:`IMAGE_FSTYPES` and the :term:`UBOOT_BINARY`. + + Following is an example from the ``meta-freescale`` layer. :: + + UBOOT_CONFIG ??= "sdcard-ifc-secure-boot sdcard-ifc sdcard-qspi lpuart qspi secure-boot nor" + UBOOT_CONFIG[nor] = "ls1021atwr_nor_defconfig" + UBOOT_CONFIG[sdcard-ifc] = "ls1021atwr_sdcard_ifc_defconfig,,u-boot-with-spl-pbl.bin" + UBOOT_CONFIG[sdcard-qspi] = "ls1021atwr_sdcard_qspi_defconfig,,u-boot-with-spl-pbl.bin" + UBOOT_CONFIG[lpuart] = "ls1021atwr_nor_lpuart_defconfig" + UBOOT_CONFIG[qspi] = "ls1021atwr_qspi_defconfig" + UBOOT_CONFIG[secure-boot] = "ls1021atwr_nor_SECURE_BOOT_defconfig" + UBOOT_CONFIG[sdcard-ifc-secure-boot] = "ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig,,u-boot-with-spl-pbl.bin" + + In this example, all possible seven configurations are selected. Each + configuration specifies "..._defconfig" as :term:`UBOOT_MACHINE`, and + the "sd..." configurations define an individual name for + :term:`UBOOT_BINARY`. No configuration defines a second parameter for + :term:`IMAGE_FSTYPES` to use for the U-Boot image. For more information on how the :term:`UBOOT_CONFIG` is handled, see the :ref:`ref-classes-uboot-config` class. diff --git a/poky/documentation/what-i-wish-id-known.rst b/poky/documentation/what-i-wish-id-known.rst index fe79bc0129..5bc55804f6 100644 --- a/poky/documentation/what-i-wish-id-known.rst +++ b/poky/documentation/what-i-wish-id-known.rst @@ -214,6 +214,13 @@ contact us with other suggestions. OpenEmbedded build system. If you are interested in using this type of interface to create images, see the :doc:`/toaster-manual/index`. + * **Discover the VSCode extension**: The `Yocto Project BitBake + <https://marketplace.visualstudio.com/items?itemName=yocto-project.yocto-bitbake>`__ + extension for the Visual Studio Code IDE provides language features and + commands for working with the Yocto Project. If you are interested in using + this extension, visit its `marketplace page + <https://marketplace.visualstudio.com/items?itemName=yocto-project.yocto-bitbake>`__. + * **Have Available the Yocto Project Reference Manual**: Unlike the rest of the Yocto Project manual set, this manual is comprised of material suited for reference rather than procedures. You can get build details, a closer diff --git a/poky/meta-poky/conf/distro/poky.conf b/poky/meta-poky/conf/distro/poky.conf index 7d6eb60cbb..ca07b3ddee 100644 --- a/poky/meta-poky/conf/distro/poky.conf +++ b/poky/meta-poky/conf/distro/poky.conf @@ -1,6 +1,6 @@ DISTRO = "poky" DISTRO_NAME = "Poky (Yocto Project Reference Distro)" -DISTRO_VERSION = "4.3.2" +DISTRO_VERSION = "4.3.3" DISTRO_CODENAME = "nanbield" SDK_VENDOR = "-pokysdk" SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}" diff --git a/poky/meta-selftest/recipes-test/aspell/aspell_0.60.8.bbappend b/poky/meta-selftest/recipes-test/aspell/aspell_%.bbappend index 205720982c..205720982c 100644 --- a/poky/meta-selftest/recipes-test/aspell/aspell_0.60.8.bbappend +++ b/poky/meta-selftest/recipes-test/aspell/aspell_%.bbappend diff --git a/poky/meta-selftest/recipes-test/overlayfs-user/overlayfs-user.bb b/poky/meta-selftest/recipes-test/overlayfs-user/overlayfs-user.bb index 50cba9514b..20f4213a62 100644 --- a/poky/meta-selftest/recipes-test/overlayfs-user/overlayfs-user.bb +++ b/poky/meta-selftest/recipes-test/overlayfs-user/overlayfs-user.bb @@ -18,5 +18,5 @@ do_install() { FILES:${PN} += "\ ${exec_prefix} \ - ${sysconfdir \ + ${sysconfdir} \ " diff --git a/poky/meta/classes-global/sstate.bbclass b/poky/meta/classes-global/sstate.bbclass index 5b27a1f0f9..08e6421093 100644 --- a/poky/meta/classes-global/sstate.bbclass +++ b/poky/meta/classes-global/sstate.bbclass @@ -336,7 +336,7 @@ def sstate_install(ss, d): for lock in locks: bb.utils.unlockfile(lock) -sstate_install[vardepsexclude] += "SSTATE_ALLOW_OVERLAP_FILES STATE_MANMACH SSTATE_MANFILEPREFIX" +sstate_install[vardepsexclude] += "SSTATE_ALLOW_OVERLAP_FILES SSTATE_MANMACH SSTATE_MANFILEPREFIX" sstate_install[vardeps] += "${SSTATEPOSTINSTFUNCS}" def sstate_installpkg(ss, d): @@ -703,7 +703,7 @@ def sstate_package(ss, d): if d.getVar('SSTATE_SKIP_CREATION') == '1': return - sstate_create_package = ['sstate_report_unihash', 'sstate_create_package'] + sstate_create_package = ['sstate_report_unihash', 'sstate_create_pkgdirs', 'sstate_create_package'] if d.getVar('SSTATE_SIG_KEY'): sstate_create_package.append('sstate_sign_package') @@ -810,6 +810,12 @@ python sstate_task_postfunc () { } sstate_task_postfunc[dirs] = "${WORKDIR}" +python sstate_create_pkgdirs () { + # report_unihash can change SSTATE_PKG and mkdir -p in shell doesn't own intermediate directories + # correctly so do this in an intermediate python task + with bb.utils.umask(0o002): + bb.utils.mkdirhier(os.path.dirname(d.getVar('SSTATE_PKG'))) +} # # Shell function to generate a sstate package from a directory @@ -822,7 +828,6 @@ sstate_create_package () { return fi - mkdir --mode=0775 -p `dirname ${SSTATE_PKG}` TFILE=`mktemp ${SSTATE_PKG}.XXXXXXXX` OPT="-cS" diff --git a/poky/meta/classes-recipe/allarch.bbclass b/poky/meta/classes-recipe/allarch.bbclass index 9138f40ed8..e429b92437 100644 --- a/poky/meta/classes-recipe/allarch.bbclass +++ b/poky/meta/classes-recipe/allarch.bbclass @@ -63,9 +63,9 @@ python () { d.appendVarFlag("emit_pkgdata", "vardepsexclude", " MULTILIB_VARIANTS") d.appendVarFlag("write_specfile", "vardepsexclude", " MULTILIBS") d.appendVarFlag("do_package", "vardepsexclude", " package_do_shlibs") + + d.setVar("qemu_wrapper_cmdline", "def qemu_wrapper_cmdline(data, rootfs_path, library_paths):\n return 'false'") elif bb.data.inherits_class('packagegroup', d) and not bb.data.inherits_class('nativesdk', d): bb.error("Please ensure recipe %s sets PACKAGE_ARCH before inherit packagegroup" % d.getVar("FILE")) } -def qemu_wrapper_cmdline(data, rootfs_path, library_paths): - return 'false' diff --git a/poky/meta/classes-recipe/populate_sdk_base.bbclass b/poky/meta/classes-recipe/populate_sdk_base.bbclass index dfd4bb1d4d..8fadfef942 100644 --- a/poky/meta/classes-recipe/populate_sdk_base.bbclass +++ b/poky/meta/classes-recipe/populate_sdk_base.bbclass @@ -285,7 +285,7 @@ python check_sdk_sysroots() { dir_walk(SCAN_ROOT) } -SDKTAROPTS = "--owner=root --group=root" +SDKTAROPTS = "--owner=root --group=root --clamp-mtime --mtime=@${SOURCE_DATE_EPOCH}" fakeroot archive_sdk() { # Package it up diff --git a/poky/meta/classes-recipe/qemu.bbclass b/poky/meta/classes-recipe/qemu.bbclass index 874b15127c..dbb5ee0b66 100644 --- a/poky/meta/classes-recipe/qemu.bbclass +++ b/poky/meta/classes-recipe/qemu.bbclass @@ -34,7 +34,7 @@ def qemu_wrapper_cmdline(data, rootfs_path, library_paths): if qemu_binary == "qemu-allarch": qemu_binary = "qemuwrapper" - qemu_options = data.getVar("QEMU_OPTIONS") + qemu_options = data.getVar("QEMU_OPTIONS") or "" return "PSEUDO_UNLOAD=1 " + qemu_binary + " " + qemu_options + " -L " + rootfs_path\ + " -E LD_LIBRARY_PATH=" + ":".join(library_paths) + " " diff --git a/poky/meta/classes/create-spdx-2.2.bbclass b/poky/meta/classes/create-spdx-2.2.bbclass index b0aef80db1..486efadba9 100644 --- a/poky/meta/classes/create-spdx-2.2.bbclass +++ b/poky/meta/classes/create-spdx-2.2.bbclass @@ -1075,7 +1075,7 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx "%s:%s" % (runtime_ref.externalDocumentId, runtime_doc.SPDXID), comment="Runtime dependencies for %s" % name ) - + bb.utils.mkdirhier(spdx_workdir) image_spdx_path = spdx_workdir / (rootfs_name + ".spdx.json") with image_spdx_path.open("wb") as f: diff --git a/poky/meta/classes/externalsrc.bbclass b/poky/meta/classes/externalsrc.bbclass index a54f316aa0..70e27a8d35 100644 --- a/poky/meta/classes/externalsrc.bbclass +++ b/poky/meta/classes/externalsrc.bbclass @@ -104,6 +104,7 @@ python () { # If we deltask do_patch, there's no dependency to ensure do_unpack gets run, so add one # Note that we cannot use d.appendVarFlag() here because deps is expected to be a list object, not a string d.setVarFlag('do_configure', 'deps', (d.getVarFlag('do_configure', 'deps', False) or []) + ['do_unpack']) + d.setVarFlag('do_populate_lic', 'deps', (d.getVarFlag('do_populate_lic', 'deps', False) or []) + ['do_unpack']) for task in d.getVar("SRCTREECOVEREDTASKS").split(): if local_srcuri and task in fetch_tasks: diff --git a/poky/meta/classes/multilib_global.bbclass b/poky/meta/classes/multilib_global.bbclass index dcd89b2f63..6095d278dd 100644 --- a/poky/meta/classes/multilib_global.bbclass +++ b/poky/meta/classes/multilib_global.bbclass @@ -195,6 +195,7 @@ python multilib_virtclass_handler_global () { # from a copy of the datastore localdata = bb.data.createCopy(d) localdata.delVar("KERNEL_VERSION") + localdata.delVar("KERNEL_VERSION_PKG_NAME") variants = (e.data.getVar("MULTILIB_VARIANTS") or "").split() diff --git a/poky/meta/conf/documentation.conf b/poky/meta/conf/documentation.conf index d03c497c0e..486c62b6e8 100644 --- a/poky/meta/conf/documentation.conf +++ b/poky/meta/conf/documentation.conf @@ -28,7 +28,7 @@ do_kernel_configcheck[doc] = "Validates the kernel configuration for a linux-yoc do_kernel_configme[doc] = "Assembles the kernel configuration for a linux-yocto style kernel" do_kernel_link_images[doc] = "Creates a symbolic link in arch/$arch/boot for vmlinux and vmlinuz kernel images" do_listtasks[doc] = "Lists all defined tasks for a target" -do_menuconfig[doc] = "Runs 'make menuconfig' for the kernel" +do_menuconfig[doc] = "Runs 'make menuconfig' in the compilation directory" do_package[doc] = "Analyzes the content of the holding area and splits it into subsets based on available packages and files" do_package_index[doc] = "Creates or updates the index in the Package Feed area" do_package_qa[doc] = "Runs QA checks on packaged files" diff --git a/poky/meta/lib/oe/cve_check.py b/poky/meta/lib/oe/cve_check.py index 3fa77bf9a7..ed5c714cb8 100644 --- a/poky/meta/lib/oe/cve_check.py +++ b/poky/meta/lib/oe/cve_check.py @@ -79,20 +79,19 @@ def get_patched_cves(d): import re import oe.patch - pn = d.getVar("PN") - cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") + cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+") # Matches the last "CVE-YYYY-ID" in the file name, also if written # in lowercase. Possible to have multiple CVE IDs in a single # file name, but only the last one will be detected from the file name. # However, patch files contents addressing multiple CVE IDs are supported # (cve_match regular expression) - - cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)") + cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE) patched_cves = set() - bb.debug(2, "Looking for patches that solves CVEs for %s" % pn) - for url in oe.patch.src_patches(d): + patches = oe.patch.src_patches(d) + bb.debug(2, "Scanning %d patches for CVEs" % len(patches)) + for url in patches: patch_file = bb.fetch.decodeurl(url)[2] # Check patch file name for CVE ID @@ -100,7 +99,7 @@ def get_patched_cves(d): if fname_match: cve = fname_match.group(1).upper() patched_cves.add(cve) - bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) + bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file)) # Remote patches won't be present and compressed patches won't be # unpacked, so say we're not scanning them @@ -231,7 +230,7 @@ def decode_cve_status(d, cve): Convert CVE_STATUS into status, detail and description. """ status = d.getVarFlag("CVE_STATUS", cve) - if status is None: + if not status: return ("", "", "") status_split = status.split(':', 1) @@ -240,7 +239,7 @@ def decode_cve_status(d, cve): status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail) if status_mapping is None: - bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status)) + bb.warn('Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status)) status_mapping = "Unpatched" return (status_mapping, detail, description) diff --git a/poky/meta/lib/oe/prservice.py b/poky/meta/lib/oe/prservice.py index 2f2a0c128a..c41242c878 100644 --- a/poky/meta/lib/oe/prservice.py +++ b/poky/meta/lib/oe/prservice.py @@ -78,8 +78,7 @@ def prserv_export_tofile(d, metainfo, datainfo, lockdown, nomax=False): bb.utils.mkdirhier(d.getVar('PRSERV_DUMPDIR')) df = d.getVar('PRSERV_DUMPFILE') #write data - lf = bb.utils.lockfile("%s.lock" % df) - with open(df, "a") as f: + with open(df, "a") as f, bb.utils.fileslocked(["%s.lock" % df]) as locks: if metainfo: #dump column info f.write("#PR_core_ver = \"%s\"\n\n" % metainfo['core_ver']); @@ -113,7 +112,6 @@ def prserv_export_tofile(d, metainfo, datainfo, lockdown, nomax=False): if not nomax: for i in idx: f.write("PRAUTO_%s_%s = \"%s\"\n" % (str(datainfo[idx[i]]['version']),str(datainfo[idx[i]]['pkgarch']),str(datainfo[idx[i]]['value']))) - bb.utils.unlockfile(lf) def prserv_check_avail(d): host_params = list([_f for _f in (d.getVar("PRSERV_HOST") or '').split(':') if _f]) diff --git a/poky/meta/lib/oe/reproducible.py b/poky/meta/lib/oe/reproducible.py index 9ac75c02e3..448befce33 100644 --- a/poky/meta/lib/oe/reproducible.py +++ b/poky/meta/lib/oe/reproducible.py @@ -131,6 +131,9 @@ def get_source_date_epoch_from_youngest_file(d, sourcedir): files = [f for f in files if not f[0] == '.'] for fname in files: + if fname == "singletask.lock": + # Ignore externalsrc/devtool lockfile [YOCTO #14921] + continue filename = os.path.join(root, fname) try: mtime = int(os.lstat(filename).st_mtime) diff --git a/poky/meta/lib/oe/rootfs.py b/poky/meta/lib/oe/rootfs.py index 1a48ed10b3..3f27164536 100644 --- a/poky/meta/lib/oe/rootfs.py +++ b/poky/meta/lib/oe/rootfs.py @@ -349,7 +349,8 @@ class Rootfs(object, metaclass=ABCMeta): bb.utils.mkdirhier(versioned_modules_dir) bb.note("Running depmodwrapper for %s ..." % versioned_modules_dir) - self._exec_shell_cmd(['depmodwrapper', '-a', '-b', self.image_rootfs, kernel_ver, kernel_package_name]) + if self._exec_shell_cmd(['depmodwrapper', '-a', '-b', self.image_rootfs, kernel_ver, kernel_package_name]): + bb.fatal("Kernel modules dependency generation failed") """ Create devfs: diff --git a/poky/meta/lib/oeqa/runtime/decorator/package.py b/poky/meta/lib/oeqa/runtime/decorator/package.py index 8aba3f325b..b78ac9fc38 100644 --- a/poky/meta/lib/oeqa/runtime/decorator/package.py +++ b/poky/meta/lib/oeqa/runtime/decorator/package.py @@ -38,11 +38,12 @@ class OEHasPackage(OETestDecorator): if isinstance(self.need_pkgs, str): self.need_pkgs = [self.need_pkgs,] + mlprefix = self.case.td.get("MLPREFIX") for pkg in self.need_pkgs: if pkg.startswith('!'): - unneed_pkgs.add(pkg[1:]) + unneed_pkgs.add(mlprefix + pkg[1:]) else: - need_pkgs.add(pkg) + need_pkgs.add(mlprefix + pkg) if unneed_pkgs: msg = 'Checking if %s is not installed' % ', '.join(unneed_pkgs) diff --git a/poky/meta/lib/oeqa/selftest/cases/prservice.py b/poky/meta/lib/oeqa/selftest/cases/prservice.py index 9fe3b80a31..8da3739c57 100644 --- a/poky/meta/lib/oeqa/selftest/cases/prservice.py +++ b/poky/meta/lib/oeqa/selftest/cases/prservice.py @@ -14,6 +14,8 @@ from oeqa.selftest.case import OESelftestTestCase from oeqa.utils.commands import runCmd, bitbake, get_bb_var from oeqa.utils.network import get_free_port +import bb.utils + class BitbakePrTests(OESelftestTestCase): @classmethod @@ -21,6 +23,16 @@ class BitbakePrTests(OESelftestTestCase): super(BitbakePrTests, cls).setUpClass() cls.pkgdata_dir = get_bb_var('PKGDATA_DIR') + cls.exported_db_path = os.path.join(cls.builddir, 'export.inc') + cls.current_db_path = os.path.join(get_bb_var('PERSISTENT_DIR'), 'prserv.sqlite3') + + def cleanup(self): + # Ensure any memory resident bitbake is stopped + bitbake("-m") + # Remove any existing export file or prserv database + bb.utils.remove(self.exported_db_path) + bb.utils.remove(self.current_db_path + "*") + def get_pr_version(self, package_name): package_data_file = os.path.join(self.pkgdata_dir, 'runtime', package_name) package_data = ftools.read_file(package_data_file) @@ -49,6 +61,7 @@ class BitbakePrTests(OESelftestTestCase): self.assertEqual(res.status, 0, msg=res.output) def config_pr_tests(self, package_name, package_type='rpm', pr_socket='localhost:0'): + self.cleanup() config_package_data = 'PACKAGE_CLASSES = "package_%s"' % package_type self.write_config(config_package_data) config_server_data = 'PRSERV_HOST = "%s"' % pr_socket @@ -68,24 +81,24 @@ class BitbakePrTests(OESelftestTestCase): self.assertTrue(pr_2 - pr_1 == 1, "New PR %s did not increment as expected (from %s), difference should be 1" % (pr_2, pr_1)) self.assertTrue(stamp_1 != stamp_2, "Different pkg rev. but same stamp: %s" % stamp_1) + self.cleanup() + def run_test_pr_export_import(self, package_name, replace_current_db=True): self.config_pr_tests(package_name) self.increment_package_pr(package_name) pr_1 = self.get_pr_version(package_name) - exported_db_path = os.path.join(self.builddir, 'export.inc') - export_result = runCmd("bitbake-prserv-tool export %s" % exported_db_path, ignore_status=True) + export_result = runCmd("bitbake-prserv-tool export %s" % self.exported_db_path, ignore_status=True) self.assertEqual(export_result.status, 0, msg="PR Service database export failed: %s" % export_result.output) - self.assertTrue(os.path.exists(exported_db_path), msg="%s didn't exist, tool output %s" % (exported_db_path, export_result.output)) + self.assertTrue(os.path.exists(self.exported_db_path), msg="%s didn't exist, tool output %s" % (self.exported_db_path, export_result.output)) if replace_current_db: - current_db_path = os.path.join(get_bb_var('PERSISTENT_DIR'), 'prserv.sqlite3') - self.assertTrue(os.path.exists(current_db_path), msg="Path to current PR Service database is invalid: %s" % current_db_path) - os.remove(current_db_path) + self.assertTrue(os.path.exists(self.current_db_path), msg="Path to current PR Service database is invalid: %s" % self.current_db_path) + os.remove(self.current_db_path) - import_result = runCmd("bitbake-prserv-tool import %s" % exported_db_path, ignore_status=True) - os.remove(exported_db_path) + import_result = runCmd("bitbake-prserv-tool import %s" % self.exported_db_path, ignore_status=True) + #os.remove(self.exported_db_path) self.assertEqual(import_result.status, 0, msg="PR Service database import failed: %s" % import_result.output) self.increment_package_pr(package_name) @@ -93,6 +106,8 @@ class BitbakePrTests(OESelftestTestCase): self.assertTrue(pr_2 - pr_1 == 1, "New PR %s did not increment as expected (from %s), difference should be 1" % (pr_2, pr_1)) + self.cleanup() + def test_import_export_replace_db(self): self.run_test_pr_export_import('m4') diff --git a/poky/meta/recipes-bsp/grub/files/0001-fs-fat-Don-t-error-when-mtime-is-0.patch b/poky/meta/recipes-bsp/grub/files/0001-fs-fat-Don-t-error-when-mtime-is-0.patch new file mode 100644 index 0000000000..a5fbd58f46 --- /dev/null +++ b/poky/meta/recipes-bsp/grub/files/0001-fs-fat-Don-t-error-when-mtime-is-0.patch @@ -0,0 +1,70 @@ +From e43f3d93b28cce852c110c7a8e40d8311bcd8bb1 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood <rharwood@redhat.com> +Date: Fri, 15 Jul 2022 16:13:02 -0400 +Subject: [PATCH] fs/fat: Don't error when mtime is 0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In the wild, we occasionally see valid ESPs where some file modification +times are 0. For instance: + + ├── [Dec 31 1979] EFI + │ ├── [Dec 31 1979] BOOT + │ │ ├── [Dec 31 1979] BOOTX64.EFI + │ │ └── [Dec 31 1979] fbx64.efi + │ └── [Jun 27 02:41] fedora + │ ├── [Dec 31 1979] BOOTX64.CSV + │ ├── [Dec 31 1979] fonts + │ ├── [Mar 14 03:35] fw + │ │ ├── [Mar 14 03:35] fwupd-359c1169-abd6-4a0d-8bce-e4d4713335c1.cap + │ │ ├── [Mar 14 03:34] fwupd-9d255c4b-2d88-4861-860d-7ee52ade9463.cap + │ │ └── [Mar 14 03:34] fwupd-b36438d8-9128-49d2-b280-487be02d948b.cap + │ ├── [Dec 31 1979] fwupdx64.efi + │ ├── [May 10 10:47] grub.cfg + │ ├── [Jun 3 12:38] grub.cfg.new.new + │ ├── [May 10 10:41] grub.cfg.old + │ ├── [Jun 27 02:41] grubenv + │ ├── [Dec 31 1979] grubx64.efi + │ ├── [Dec 31 1979] mmx64.efi + │ ├── [Dec 31 1979] shim.efi + │ ├── [Dec 31 1979] shimx64.efi + │ └── [Dec 31 1979] shimx64-fedora.efi + └── [Dec 31 1979] FSCK0000.REC + + 5 directories, 17 files + +This causes grub-probe failure, which in turn causes grub-mkconfig +failure. They are valid filesystems that appear intact, and the Linux +FAT stack is able to mount and manipulate them without complaint. + +The check for mtime of 0 has been present since +20def1a3c3952982395cd7c3ea7e78638527962b (fat: support file +modification times). + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e43f3d93b28cce852c110c7a8e40d8311bcd8bb1] + +Signed-off-by: Robbie Harwood <rharwood@redhat.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +Signed-off-by: Ming Liu <liu.ming50@gmail.com> +--- + grub-core/fs/fat.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/grub-core/fs/fat.c b/grub-core/fs/fat.c +index 0951b2e63..c5efed724 100644 +--- a/grub-core/fs/fat.c ++++ b/grub-core/fs/fat.c +@@ -1027,9 +1027,6 @@ grub_fat_dir (grub_device_t device, const char *path, grub_fs_dir_hook_t hook, + grub_le_to_cpu16 (ctxt.dir.w_date), + &info.mtime); + #endif +- if (info.mtimeset == 0) +- grub_error (GRUB_ERR_OUT_OF_RANGE, +- "invalid modification timestamp for %s", path); + + if (hook (ctxt.filename, &info, hook_data)) + break; +-- +2.34.1 + diff --git a/poky/meta/recipes-bsp/grub/grub2.inc b/poky/meta/recipes-bsp/grub/grub2.inc index f594e7d3a4..1215b24668 100644 --- a/poky/meta/recipes-bsp/grub/grub2.inc +++ b/poky/meta/recipes-bsp/grub/grub2.inc @@ -44,6 +44,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch \ file://CVE-2023-4692.patch \ file://CVE-2023-4693.patch \ + file://0001-fs-fat-Don-t-error-when-mtime-is-0.patch \ " SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" diff --git a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb index bfd945c7ae..1f18d4491d 100644 --- a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -6,7 +6,7 @@ IPv4 Link-Local Addresses" (IETF RFC3927), a protocol for automatic IP address \ configuration from the link-local 169.254.0.0/16 range without the need for a central \ server.' HOMEPAGE = "http://avahi.org" -BUGTRACKER = "https://github.com/lathiat/avahi/issues" +BUGTRACKER = "https://github.com/avahi/avahi/issues" SECTION = "network" # major part is under LGPL-2.1-or-later, but several .dtd, .xsl, initscripts and @@ -37,8 +37,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \ file://CVE-2023-38473.patch \ " -GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/" -SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7" +GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/" SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda" CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE" diff --git a/poky/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch b/poky/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch index 451b409c88..5b135b3aee 100644 --- a/poky/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch +++ b/poky/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch @@ -1,4 +1,4 @@ -From d027b1d85a8c1a0193b6e4a00083d3038d699a59 Mon Sep 17 00:00:00 2001 +From 06ebd1b2ced426c420ed162980eca194f9f918ae Mon Sep 17 00:00:00 2001 From: Kai Kang <kai.kang@windriver.com> Date: Tue, 22 Sep 2020 15:02:33 +0800 Subject: [PATCH] There are conflict of config files between kea and lib32-kea: @@ -35,10 +35,10 @@ index e6ae8b8..50a3092 100644 // "param1": "foo" // } diff --git a/src/bin/keactrl/kea-dhcp4.conf.pre b/src/bin/keactrl/kea-dhcp4.conf.pre -index 26bf163..49ddb0a 100644 +index 6edb8a1..b2a7385 100644 --- a/src/bin/keactrl/kea-dhcp4.conf.pre +++ b/src/bin/keactrl/kea-dhcp4.conf.pre -@@ -252,7 +252,7 @@ +@@ -255,7 +255,7 @@ // // of all devices serviced by Kea, including their identifiers // // (like MAC address), their location in the network, times // // when they were active etc. @@ -47,7 +47,7 @@ index 26bf163..49ddb0a 100644 // "parameters": { // "path": "/var/lib/kea", // "base-name": "kea-forensic4" -@@ -269,7 +269,7 @@ +@@ -272,7 +272,7 @@ // // of specific options or perhaps even a combination of several // // options and fields to uniquely identify a client. Those scenarios // // are addressed by the Flexible Identifiers hook application. diff --git a/poky/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch b/poky/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch index b7c2fd4f0d..63a6a2805b 100644 --- a/poky/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch +++ b/poky/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch @@ -1,4 +1,4 @@ -From 18f4f6206c248d6169aa67b3ecf16bf54e9292e8 Mon Sep 17 00:00:00 2001 +From c878a356712606549f7f188b62f7d1cae08a176e Mon Sep 17 00:00:00 2001 From: Armin kuster <akuster808@gmail.com> Date: Wed, 14 Oct 2020 22:48:31 -0700 Subject: [PATCH] Busybox does not support ps -p so use pgrep @@ -13,10 +13,10 @@ Signed-off-by: Armin kuster <akuster808@gmail.com> 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/bin/keactrl/keactrl.in b/src/bin/keactrl/keactrl.in -index ae5bd8e..e9f9b73 100644 +index 450e997..c353ca9 100644 --- a/src/bin/keactrl/keactrl.in +++ b/src/bin/keactrl/keactrl.in -@@ -151,8 +151,8 @@ check_running() { +@@ -149,8 +149,8 @@ check_running() { # Get the PID from the PID file (if it exists) get_pid_from_file "${proc_name}" if [ ${_pid} -gt 0 ]; then diff --git a/poky/meta/recipes-connectivity/kea/kea_2.4.0.bb b/poky/meta/recipes-connectivity/kea/kea_2.4.1.bb index 316468754e..c3aa4dc8f0 100644 --- a/poky/meta/recipes-connectivity/kea/kea_2.4.0.bb +++ b/poky/meta/recipes-connectivity/kea/kea_2.4.1.bb @@ -19,7 +19,7 @@ SRC_URI = "http://ftp.isc.org/isc/kea/${PV}/${BP}.tar.gz \ file://0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch \ file://0001-kea-fix-reproducible-build-failure.patch \ " -SRC_URI[sha256sum] = "3a33cd08dc3319ff544e6bbf2c0429042106f4051ebe115dc1bb2625c95003f7" +SRC_URI[sha256sum] = "815c61f5c271caa4a1db31dd656eb50a7f6ea973da3690f7c8581408e180131a" inherit autotools systemd update-rc.d upstream-version-is-even diff --git a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-configure.ac-libevent-and-libsqlite3-checked-when-nf.patch b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-configure.ac-libevent-and-libsqlite3-checked-when-nf.patch deleted file mode 100644 index 5afc714f19..0000000000 --- a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-configure.ac-libevent-and-libsqlite3-checked-when-nf.patch +++ /dev/null @@ -1,80 +0,0 @@ -From b62a3fe424026b73ec6b1934483b16863c7dff23 Mon Sep 17 00:00:00 2001 -From: Wiktor Jaskulski <wjaskulski@adva.com> -Date: Thu, 11 May 2023 15:28:23 -0400 -Subject: [PATCH] configure.ac: libevent and libsqlite3 checked when nfsv4 is - disabled - -Upstream-Status: Backport -(http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=bc4a5deef9f820c55fdac3c0070364c17cd91cca) - -Signed-off-by: Steve Dickson <steved@redhat.com> -Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> ---- - configure.ac | 38 +++++++++++++++----------------------- - 1 file changed, 15 insertions(+), 23 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 4ade528d..519cacbf 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -335,42 +335,34 @@ AC_CHECK_HEADER(rpc/rpc.h, , - AC_MSG_ERROR([Header file rpc/rpc.h not found - maybe try building with --enable-tirpc])) - CPPFLAGS="${nfsutils_save_CPPFLAGS}" - -+dnl check for libevent libraries and headers -+AC_LIBEVENT -+ -+dnl Check for sqlite3 -+AC_SQLITE3_VERS -+ -+case $libsqlite3_cv_is_recent in -+yes) ;; -+unknown) -+ dnl do not fail when cross-compiling -+ AC_MSG_WARN([assuming sqlite is at least v3.3]) ;; -+*) -+ AC_MSG_ERROR([nfsdcld requires sqlite-devel]) ;; -+esac -+ - if test "$enable_nfsv4" = yes; then -- dnl check for libevent libraries and headers -- AC_LIBEVENT - - dnl check for the keyutils libraries and headers - AC_KEYUTILS - -- dnl Check for sqlite3 -- AC_SQLITE3_VERS -- - if test "$enable_nfsdcld" = "yes"; then - AC_CHECK_HEADERS([libgen.h sys/inotify.h], , - AC_MSG_ERROR([Cannot find header needed for nfsdcld])) -- -- case $libsqlite3_cv_is_recent in -- yes) ;; -- unknown) -- dnl do not fail when cross-compiling -- AC_MSG_WARN([assuming sqlite is at least v3.3]) ;; -- *) -- AC_MSG_ERROR([nfsdcld requires sqlite-devel]) ;; -- esac - fi - - if test "$enable_nfsdcltrack" = "yes"; then - AC_CHECK_HEADERS([libgen.h sys/inotify.h], , - AC_MSG_ERROR([Cannot find header needed for nfsdcltrack])) -- -- case $libsqlite3_cv_is_recent in -- yes) ;; -- unknown) -- dnl do not fail when cross-compiling -- AC_MSG_WARN([assuming sqlite is at least v3.3]) ;; -- *) -- AC_MSG_ERROR([nfsdcltrack requires sqlite-devel]) ;; -- esac - fi - - else --- -2.41.0 - diff --git a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch new file mode 100644 index 0000000000..57d4660571 --- /dev/null +++ b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch @@ -0,0 +1,34 @@ +From 45597a58e98f351b18db8444292b1cf6dd0cd810 Mon Sep 17 00:00:00 2001 +From: Robert Yang <liezhi.yang@windriver.com> +Date: Sat, 9 Dec 2023 23:34:08 -0800 +Subject: [PATCH] reexport.h: Include unistd.h to compile with musl + +Fixed error when compile with musl +reexport.c: In function 'reexpdb_init': +reexport.c:62:17: error: implicit declaration of function 'sleep' [-Werror=implicit-function-declaration] + 62 | sleep(1); + + +Upstream-Status: Submitted [https://marc.info/?l=linux-nfs&m=170254661824522&w=2] + +Signed-off-by: Robert Yang <liezhi.yang@windriver.com> +--- + support/reexport/reexport.h | 1 + + 1 files changed, 1 insertions(+) + +diff --git a/support/reexport/reexport.h b/support/reexport/reexport.h +index 85fd59c..02f8684 100644 +--- a/support/reexport/reexport.h ++++ b/support/reexport/reexport.h +@@ -1,6 +1,8 @@ + #ifndef REEXPORT_H + #define REEXPORT_H + ++#include <unistd.h> ++ + #include "nfslib.h" + + enum { +-- +2.42.0 + diff --git a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.3.bb b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb index 35cf6af6d4..2f2644f9a8 100644 --- a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.3.bb +++ b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb @@ -30,11 +30,11 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.x file://bugfix-adjust-statd-service-name.patch \ file://0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch \ file://clang-warnings.patch \ - file://0001-configure.ac-libevent-and-libsqlite3-checked-when-nf.patch \ - file://0001-locktest-Makefile.am-Do-not-use-build-flags.patch \ - file://0001-tools-locktest-Use-intmax_t-to-print-off_t.patch \ + file://0001-locktest-Makefile.am-Do-not-use-build-flags.patch \ + file://0001-tools-locktest-Use-intmax_t-to-print-off_t.patch \ + file://0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch \ " -SRC_URI[sha256sum] = "38d89e853a71d3c560ff026af3d969d75e24f782ff68324e76261fe0344459e1" +SRC_URI[sha256sum] = "01b3b0fb9c7d0bbabf5114c736542030748c788ec2fd9734744201e9b0a1119d" # Only kernel-module-nfsd is required here (but can be built-in) - the nfsd module will # pull in the remainder of the dependencies. diff --git a/poky/meta/recipes-core/base-passwd/base-passwd_3.6.2.bb b/poky/meta/recipes-core/base-passwd/base-passwd_3.6.3.bb index bb4b49e6ab..9d7703b1c0 100644 --- a/poky/meta/recipes-core/base-passwd/base-passwd_3.6.2.bb +++ b/poky/meta/recipes-core/base-passwd/base-passwd_3.6.3.bb @@ -15,7 +15,7 @@ SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar file://0001-base-passwd-Add-the-sgx-group.patch \ " -SRC_URI[sha256sum] = "06dc78352bf38a8df76ff295e15ab5654cdefe41e62368b15bfcbbab8e4ec2a0" +SRC_URI[sha256sum] = "83575327d8318a419caf2d543341215c046044073d1afec2acc0ac4d8095ff39" # the package is taken from launchpad; that source is static and goes stale # so we check the latest upstream from a directory that does get updated diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Do-not-write-bindir-into-pkg-config-files.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Do-not-write-bindir-into-pkg-config-files.patch index 0d44ddf299..0e5f371cb5 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Do-not-write-bindir-into-pkg-config-files.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Do-not-write-bindir-into-pkg-config-files.patch @@ -1,4 +1,4 @@ -From 9ec4eedeb3f67db0bff09f5d859318d05ff47964 Mon Sep 17 00:00:00 2001 +From cf7df91cc8c3b4811235ef8aec144c5f0cf90bdb Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Fri, 15 Feb 2019 11:17:27 +0100 Subject: [PATCH] Do not write $bindir into pkg-config files @@ -16,7 +16,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/gio/meson.build b/gio/meson.build -index a320c0f..86ce7c4 100644 +index 5f91586..1a95f4f 100644 --- a/gio/meson.build +++ b/gio/meson.build @@ -884,14 +884,14 @@ pkg.generate(libgio, diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Fix-DATADIRNAME-on-uclibc-Linux.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Fix-DATADIRNAME-on-uclibc-Linux.patch index 16f2d31496..1254466063 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Fix-DATADIRNAME-on-uclibc-Linux.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Fix-DATADIRNAME-on-uclibc-Linux.patch @@ -1,4 +1,4 @@ -From c94e669de98a3892c699bd8d0d2b5164b2de747e Mon Sep 17 00:00:00 2001 +From b907a6681c4c24e5d3745538d9fcd471cf1c4c4a Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Sat, 15 Mar 2014 22:42:29 -0700 Subject: [PATCH] Fix DATADIRNAME on uclibc/Linux @@ -9,7 +9,6 @@ based systems therefore lets set DATADIRNAME to "share". Signed-off-by: Khem Raj <raj.khem@gmail.com> Upstream-Status: Pending - --- m4macros/glib-gettext.m4 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Install-gio-querymodules-as-libexec_PROGRAM.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Install-gio-querymodules-as-libexec_PROGRAM.patch index 597864d9ac..50d369c24e 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Install-gio-querymodules-as-libexec_PROGRAM.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Install-gio-querymodules-as-libexec_PROGRAM.patch @@ -1,4 +1,4 @@ -From 0015db45cd1bfefc04959dffab5dabeead93136f Mon Sep 17 00:00:00 2001 +From 6e2ddcb5465d10618345b12e0b4471ead0f14304 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen <jussi.kukkonen@intel.com> Date: Tue, 22 Mar 2016 15:14:58 +0200 Subject: [PATCH] Install gio-querymodules as libexec_PROGRAM @@ -14,10 +14,10 @@ Upstream-Status: Inappropriate [OE specific] 1 file changed, 1 insertion(+) diff --git a/gio/meson.build b/gio/meson.build -index 2ef60ed..532b086 100644 +index f9fdf6e..5f91586 100644 --- a/gio/meson.build +++ b/gio/meson.build -@@ -936,6 +936,7 @@ gio_querymodules = executable('gio-querymodules', 'gio-querymodules.c', 'giomodu +@@ -1005,6 +1005,7 @@ gio_querymodules = executable('gio-querymodules', 'gio-querymodules.c', 'giomodu c_args : gio_c_args, # intl.lib is not compatible with SAFESEH link_args : noseh_link_args, diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Remove-the-warning-about-deprecated-paths-in-schemas.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Remove-the-warning-about-deprecated-paths-in-schemas.patch index 6fd93526ce..f810574d97 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Remove-the-warning-about-deprecated-paths-in-schemas.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Remove-the-warning-about-deprecated-paths-in-schemas.patch @@ -1,4 +1,4 @@ -From 4f47b8a8d650d185aa61aec2f56a283522a723c4 Mon Sep 17 00:00:00 2001 +From c8c223045821cac97f798cfa63f19853621a8a2a Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Fri, 12 Jun 2015 17:08:46 +0300 Subject: [PATCH] Remove the warning about deprecated paths in schemas @@ -15,7 +15,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> 1 file changed, 13 deletions(-) diff --git a/gio/glib-compile-schemas.c b/gio/glib-compile-schemas.c -index 7888120..7acbd5b 100644 +index 04ef404..e791ce2 100644 --- a/gio/glib-compile-schemas.c +++ b/gio/glib-compile-schemas.c @@ -1232,19 +1232,6 @@ parse_state_start_schema (ParseState *state, diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Set-host_machine-correctly-when-building-with-mingw3.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Set-host_machine-correctly-when-building-with-mingw3.patch index 2e1e2313e8..e1d2fb0e54 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Set-host_machine-correctly-when-building-with-mingw3.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Set-host_machine-correctly-when-building-with-mingw3.patch @@ -1,4 +1,4 @@ -From ba1728bc27c88597164957d000b70ec4be6edf28 Mon Sep 17 00:00:00 2001 +From bafde4eedc0a22b45e73ee6183b9a11393a1e400 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Wed, 13 Feb 2019 15:32:05 +0100 Subject: [PATCH] Set host_machine correctly when building with mingw32 @@ -13,7 +13,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/gio/tests/meson.build b/gio/tests/meson.build -index f644aa2..64a8684 100644 +index 4ef3343..e498e7e 100644 --- a/gio/tests/meson.build +++ b/gio/tests/meson.build @@ -29,7 +29,7 @@ endif @@ -25,7 +25,7 @@ index f644aa2..64a8684 100644 common_gio_tests_deps += [iphlpapi_dep, winsock2, cc.find_library ('secur32')] endif -@@ -210,7 +210,7 @@ if have_dbus_daemon +@@ -230,7 +230,7 @@ if have_dbus_daemon endif # Test programs buildable on UNIX only @@ -34,7 +34,7 @@ index f644aa2..64a8684 100644 gio_tests += { 'file' : {}, 'gdbus-peer-object-manager' : {}, -@@ -462,7 +462,7 @@ if host_machine.system() != 'windows' +@@ -562,7 +562,7 @@ if host_machine.system() != 'windows' endif # unix # Test programs buildable on Windows only @@ -43,7 +43,7 @@ index f644aa2..64a8684 100644 gio_tests += {'win32-streams' : {}} endif -@@ -532,7 +532,7 @@ if cc.get_id() != 'msvc' and cc.get_id() != 'clang-cl' +@@ -632,7 +632,7 @@ if cc.get_id() != 'msvc' and cc.get_id() != 'clang-cl' } endif @@ -53,10 +53,10 @@ index f644aa2..64a8684 100644 'gdbus-example-unix-fd-client' : { 'install' : false, diff --git a/glib/tests/meson.build b/glib/tests/meson.build -index db01b54..6950817 100644 +index d80c86e..5329cda 100644 --- a/glib/tests/meson.build +++ b/glib/tests/meson.build -@@ -188,7 +188,7 @@ if glib_conf.has('HAVE_EVENTFD') +@@ -216,7 +216,7 @@ if glib_conf.has('HAVE_EVENTFD') } endif @@ -66,10 +66,10 @@ index db01b54..6950817 100644 glib_tests += { 'gpoll' : { diff --git a/meson.build b/meson.build -index 43bb468..5f9b59c 100644 +index f7e936e..122f8b5 100644 --- a/meson.build +++ b/meson.build -@@ -43,6 +43,9 @@ else +@@ -54,6 +54,9 @@ else endif host_system = host_machine.system() diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch index d33fdd4d8b..e4c2f77459 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch @@ -1,4 +1,4 @@ -From 92de6c7eb30b961b24a2dce812d5276487b7d23d Mon Sep 17 00:00:00 2001 +From 3f05b9418c88bbb83c08b57cc5529b006f26fff4 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Wed, 8 Jan 2020 18:22:46 +0100 Subject: [PATCH] gio/tests/resources.c: comment out a build host-only test @@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gio/tests/resources.c b/gio/tests/resources.c -index c44d214..e289a01 100644 +index f567914..b21b616 100644 --- a/gio/tests/resources.c +++ b/gio/tests/resources.c -@@ -993,7 +993,7 @@ main (int argc, +@@ -1068,7 +1068,7 @@ main (int argc, g_test_add_func ("/resource/automatic", test_resource_automatic); /* This only uses automatic resources too, so it tests the constructors and destructors */ g_test_add_func ("/resource/module", test_resource_module); diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson-Run-atomics-test-on-clang-as-well.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson-Run-atomics-test-on-clang-as-well.patch index 44482dd2b7..071e4a7c4d 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson-Run-atomics-test-on-clang-as-well.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson-Run-atomics-test-on-clang-as-well.patch @@ -1,4 +1,4 @@ -From 4b97f457b7b44117e27d2a218c4b68e7fe3fe4ce Mon Sep 17 00:00:00 2001 +From 17d718640ae6f953e5eea714c1bd64eeb6e4799f Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Sat, 12 Oct 2019 17:46:26 -0700 Subject: [PATCH] meson: Run atomics test on clang as well @@ -15,10 +15,10 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meson.build b/meson.build -index afb6eaa..6aa70f5 100644 +index 122f8b5..f055079 100644 --- a/meson.build +++ b/meson.build -@@ -1692,7 +1692,7 @@ atomicdefine = ''' +@@ -1938,7 +1938,7 @@ atomicdefine = ''' # We know that we can always use real ("lock free") atomic operations with MSVC if cc.get_id() == 'msvc' or cc.get_id() == 'clang-cl' or cc.links(atomictest, name : 'atomic ops') have_atomic_lock_free = true diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch index 788f420d11..e03f9a3c84 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch @@ -1,4 +1,4 @@ -From 9aa9574861fad39d0679025e35fe1e188345f685 Mon Sep 17 00:00:00 2001 +From 7865d698b5d392aac3a3d32e9ebd5fea45017d15 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex@linutronix.de> Date: Sat, 16 Sep 2023 22:28:27 +0200 Subject: [PATCH] meson.build: do not enable pidfd features on native glib @@ -9,12 +9,13 @@ where these features are not implemented. Upstream-Status: Inappropriate [oe-core specific] Signed-off-by: Alexander Kanavin <alex@linutronix.de> + --- meson.build | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meson.build b/meson.build -index 1c36993..bbf97fc 100644 +index f055079..77d78aa 100644 --- a/meson.build +++ b/meson.build @@ -981,7 +981,8 @@ if cc.links('''#include <sys/syscall.h> @@ -27,6 +28,3 @@ index 1c36993..bbf97fc 100644 endif # Check for __uint128_t (gcc) by checking for 128-bit division --- -2.30.2 - diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0010-Do-not-hardcode-python-path-into-various-tools.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0010-Do-not-hardcode-python-path-into-various-tools.patch index 1c645f3a9a..4b75167da6 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0010-Do-not-hardcode-python-path-into-various-tools.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0010-Do-not-hardcode-python-path-into-various-tools.patch @@ -1,4 +1,4 @@ -From 79ce7e545dd3a93f77d2146d50b6fa061fbceed9 Mon Sep 17 00:00:00 2001 +From 53bcd4b6cd3fe3fe4246914462e6724761eecf51 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Tue, 3 Oct 2017 10:45:55 +0300 Subject: [PATCH] Do not hardcode python path into various tools @@ -23,7 +23,7 @@ index 67d3675..4e92a7a 100755 # GDBus - GLib D-Bus Library # diff --git a/gobject/glib-genmarshal.in b/gobject/glib-genmarshal.in -index 7380f24..c8abeaa 100755 +index aa5af43..56e8e2e 100755 --- a/gobject/glib-genmarshal.in +++ b/gobject/glib-genmarshal.in @@ -1,4 +1,4 @@ @@ -33,7 +33,7 @@ index 7380f24..c8abeaa 100755 # pylint: disable=too-many-lines, missing-docstring, invalid-name diff --git a/gobject/glib-mkenums.in b/gobject/glib-mkenums.in -index 91ad779..3ebef62 100755 +index 353e53a..8ed6c39 100755 --- a/gobject/glib-mkenums.in +++ b/gobject/glib-mkenums.in @@ -1,4 +1,4 @@ diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/relocate-modules.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/relocate-modules.patch index 841fedef8a..95a73298d8 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/relocate-modules.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/relocate-modules.patch @@ -1,4 +1,4 @@ -From b90d13900dd2777c2ab90c5b0be1a872c10a17da Mon Sep 17 00:00:00 2001 +From 03a069cb8066d3e8ef72a43f7b1db5c9625e9cc2 Mon Sep 17 00:00:00 2001 From: Ross Burton <ross.burton@intel.com> Date: Fri, 11 Mar 2016 15:35:55 +0000 Subject: [PATCH] glib-2.0: relocate the GIO module directory for native builds diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0_2.78.1.bb b/poky/meta/recipes-core/glib-2.0/glib-2.0_2.78.3.bb index a490262112..13d4b38e22 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0_2.78.1.bb +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0_2.78.3.bb @@ -19,7 +19,7 @@ SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ " -SRC_URI[sha256sum] = "915bc3d0f8507d650ead3832e2f8fb670fce59aac4d7754a7dab6f1e6fed78b2" +SRC_URI[sha256sum] = "609801dd373796e515972bf95fc0b2daa44545481ee2f465c4f204d224b2bc21" # Find any meson cross files in FILESPATH that are relevant for the current # build (using siteinfo) and add them to EXTRA_OEMESON. diff --git a/poky/meta/recipes-core/glibc/glibc-version.inc b/poky/meta/recipes-core/glibc/glibc-version.inc index 0ef4289557..212f960cb5 100644 --- a/poky/meta/recipes-core/glibc/glibc-version.inc +++ b/poky/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.38/master" PV = "2.38+git" -SRCREV_glibc ?= "44f757a6364a546359809d48c76b3debd26e77d4" +SRCREV_glibc ?= "d37c2b20a4787463d192b32041c3406c2bd91de0" SRCREV_localedef ?= "e0eca29583b9e0f62645c4316ced93cf4e4e26e1" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https" @@ -10,4 +10,9 @@ UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+(\.(?!90)\d+)*)" CVE_STATUS[CVE-2023-4527] = "fixed-version: Fixed in stable branch updates" CVE_STATUS[CVE-2023-4911] = "fixed-version: Fixed in stable branch updates" CVE_STATUS[CVE-2023-4806] = "fixed-version: Fixed in stable branch updates" +CVE_STATUS[CVE-2023-5156] = "fixed-version: Fixed in stable branch updates" CVE_STATUS[CVE-2023-4527] = "fixed-version: Fixed in stable branch updates" +CVE_STATUS[CVE-2023-0687] = "fixed-version: Fixed in stable branch updates" +CVE_STATUS[CVE-2023-6246] = "fixed-version: Fixed in stable branch updates" +CVE_STATUS[CVE-2023-6779] = "fixed-version: Fixed in stable branch updates" +CVE_STATUS[CVE-2023-6780] = "fixed-version: Fixed in stable branch updates" diff --git a/poky/meta/recipes-core/glibc/glibc/run-ptest b/poky/meta/recipes-core/glibc/glibc/run-ptest index c394b49866..cb71c75682 100755 --- a/poky/meta/recipes-core/glibc/glibc/run-ptest +++ b/poky/meta/recipes-core/glibc/glibc/run-ptest @@ -22,12 +22,12 @@ tst_time64=$(ls -r ${PWD}/tests/glibc-ptest/*-time64) # related tst_time_tmp=$(sed -e "s/-time64$//" <<< ${tst_time64}) -# Run tests supporting only 32 bit time -for i in ${tst_time_tmp} -do - $i >/dev/null 2>&1 - output -done +# Do not run tests supporting only 32 bit time +#for i in ${tst_time_tmp} +#do +# $i >/dev/null 2>&1 +# output +#done # Run tests supporting only 64 bit time for i in ${tst_time64} diff --git a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 3a049b8e37..d63079bb34 100644 --- a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb @@ -26,7 +26,7 @@ inherit core-image setuptools3 features_check REQUIRED_DISTRO_FEATURES += "xattr" -SRCREV ?= "59e8c565ef9cddb4cab90017d187368aa34f361b" +SRCREV ?= "17635c5e4d2460a762152f550ac98d66b9090904" SRC_URI = "git://git.yoctoproject.org/poky;branch=nanbield \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \ diff --git a/poky/meta/recipes-core/ncurses/files/0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch b/poky/meta/recipes-core/ncurses/files/0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch new file mode 100644 index 0000000000..121db6bffe --- /dev/null +++ b/poky/meta/recipes-core/ncurses/files/0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch @@ -0,0 +1,499 @@ +From 135d37072755704b8d018e5de74e62ff3f28c930 Mon Sep 17 00:00:00 2001 +From: Thomas E. Dickey <dickey@invisible-island.net> +Date: Sun, 5 Nov 2023 05:54:54 +0530 +Subject: [PATCH] Updating reset code - ncurses 6.4 - patch 20231104 + ++ modify reset command to avoid altering clocal if the terminal uses a + modem (prompted by discussion with Werner Fink, Michal Suchanek, + OpenSUSE #1201384, Debian #60377). ++ build-fixes for --with-caps variations. ++ correct a couple of section-references in INSTALL. + +Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net> + +Upstream-Status: Backport [https://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=135d37072755704b8d018e5de74e62ff3f28c930] + +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> +--- + INSTALL | 8 +- + include/curses.events | 2 +- + ncurses/tinfo/lib_tparm.c | 2 + + progs/reset_cmd.c | 281 +++++++++++++++++++++----------------- + progs/tabs.c | 10 +- + progs/tic.c | 4 + + 6 files changed, 176 insertions(+), 131 deletions(-) + +diff --git a/INSTALL b/INSTALL +index d9c1dd12..d0a39af0 100644 +--- a/INSTALL ++++ b/INSTALL +@@ -47,7 +47,7 @@ If you are converting from BSD curses and do not have root access, be sure + to read the BSD CONVERSION NOTES section below. + + If you are trying to build applications using gpm with ncurses, +-read the USING NCURSES WITH GPM section below. ++read the USING GPM section below. + + If you are cross-compiling, see the note below on BUILDING WITH A CROSS-COMPILER. + +@@ -79,7 +79,7 @@ INSTALLATION PROCEDURE: + The --prefix option to configure changes the root directory for installing + ncurses. The default is normally in subdirectories of /usr/local, except + for systems where ncurses is normally installed as a system library (see +- "IF YOU ARE A SYSTEM INTEGRATOR"). Use --prefix=/usr to replace your ++ "FOR SYSTEM INTEGRATORS"). Use --prefix=/usr to replace your + default curses distribution. + + The package gets installed beneath the --prefix directory as follows: +@@ -176,7 +176,7 @@ INSTALLATION PROCEDURE: + You can make curses and terminfo fall back to an existing file of termcap + definitions by configuring with --enable-termcap. If you do this, the + library will search /etc/termcap before the terminfo database, and will +- also interpret the contents of the TERM environment variable. See the ++ also interpret the contents of the $TERM environment variable. See the + section BSD CONVERSION NOTES below. + + 3. Type `make'. Ignore any warnings, no error messages should be produced. +@@ -1231,7 +1231,7 @@ CONFIGURE OPTIONS: + Specify a search-list of terminfo directories which will be compiled + into the ncurses library (default: DATADIR/terminfo) + +- This is a colon-separated list, like the TERMINFO_DIRS environment ++ This is a colon-separated list, like the $TERMINFO_DIRS environment + variable. + + --with-termlib[=XXX] +diff --git a/include/curses.events b/include/curses.events +index 25a2583f..468bde18 100644 +--- a/include/curses.events ++++ b/include/curses.events +@@ -50,6 +50,6 @@ typedef struct + extern NCURSES_EXPORT(int) wgetch_events (WINDOW *, _nc_eventlist *) GCC_DEPRECATED(experimental option); /* experimental */ + extern NCURSES_EXPORT(int) wgetnstr_events (WINDOW *,char *,int,_nc_eventlist *) GCC_DEPRECATED(experimental option); /* experimental */ + +-#define KEY_EVENT 0633 /* We were interrupted by an event */ ++#define KEY_EVENT 0634 /* We were interrupted by an event */ + + #endif /* NCURSES_WGETCH_EVENTS */ +diff --git a/ncurses/tinfo/lib_tparm.c b/ncurses/tinfo/lib_tparm.c +index a10a3877..cd972c0f 100644 +--- a/ncurses/tinfo/lib_tparm.c ++++ b/ncurses/tinfo/lib_tparm.c +@@ -1113,8 +1113,10 @@ check_string_caps(TPARM_DATA *data, const char *string) + want_type = 2; /* function key #1, transmit string #2 */ + else if (CHECK_CAP(plab_norm)) + want_type = 2; /* label #1, show string #2 */ ++#ifdef pkey_plab + else if (CHECK_CAP(pkey_plab)) + want_type = 6; /* function key #1, type string #2, show string #3 */ ++#endif + #if NCURSES_XNAMES + else { + char *check; +diff --git a/progs/reset_cmd.c b/progs/reset_cmd.c +index eff3af72..aec4b077 100644 +--- a/progs/reset_cmd.c ++++ b/progs/reset_cmd.c +@@ -75,6 +75,9 @@ MODULE_ID("$Id: reset_cmd.c,v 1.28 2021/10/02 18:08:44 tom Exp $") + # endif + #endif + ++#define set_flags(target, mask) target |= mask ++#define clear_flags(target, mask) target &= ~((unsigned)(mask)) ++ + static FILE *my_file; + + static bool use_reset = FALSE; /* invoked as reset */ +@@ -188,6 +191,79 @@ out_char(int c) + #define reset_char(item, value) \ + tty_settings->c_cc[item] = CHK(tty_settings->c_cc[item], value) + ++/* ++ * Simplify ifdefs ++ */ ++#ifndef BSDLY ++#define BSDLY 0 ++#endif ++#ifndef CRDLY ++#define CRDLY 0 ++#endif ++#ifndef ECHOCTL ++#define ECHOCTL 0 ++#endif ++#ifndef ECHOKE ++#define ECHOKE 0 ++#endif ++#ifndef ECHOPRT ++#define ECHOPRT 0 ++#endif ++#ifndef FFDLY ++#define FFDLY 0 ++#endif ++#ifndef IMAXBEL ++#define IMAXBEL 0 ++#endif ++#ifndef IUCLC ++#define IUCLC 0 ++#endif ++#ifndef IXANY ++#define IXANY 0 ++#endif ++#ifndef NLDLY ++#define NLDLY 0 ++#endif ++#ifndef OCRNL ++#define OCRNL 0 ++#endif ++#ifndef OFDEL ++#define OFDEL 0 ++#endif ++#ifndef OFILL ++#define OFILL 0 ++#endif ++#ifndef OLCUC ++#define OLCUC 0 ++#endif ++#ifndef ONLCR ++#define ONLCR 0 ++#endif ++#ifndef ONLRET ++#define ONLRET 0 ++#endif ++#ifndef ONOCR ++#define ONOCR 0 ++#endif ++#ifndef OXTABS ++#define OXTABS 0 ++#endif ++#ifndef TAB3 ++#define TAB3 0 ++#endif ++#ifndef TABDLY ++#define TABDLY 0 ++#endif ++#ifndef TOSTOP ++#define TOSTOP 0 ++#endif ++#ifndef VTDLY ++#define VTDLY 0 ++#endif ++#ifndef XCASE ++#define XCASE 0 ++#endif ++ + /* + * Reset the terminal mode bits to a sensible state. Very useful after + * a child program dies in raw mode. +@@ -195,6 +271,10 @@ out_char(int c) + void + reset_tty_settings(int fd, TTY * tty_settings, int noset) + { ++ unsigned mask; ++#ifdef TIOCMGET ++ int modem_bits; ++#endif + GET_TTY(fd, tty_settings); + + #ifdef TERMIOS +@@ -228,106 +308,65 @@ reset_tty_settings(int fd, TTY * tty_settings, int noset) + reset_char(VWERASE, CWERASE); + #endif + +- tty_settings->c_iflag &= ~((unsigned) (IGNBRK +- | PARMRK +- | INPCK +- | ISTRIP +- | INLCR +- | IGNCR +-#ifdef IUCLC +- | IUCLC +-#endif +-#ifdef IXANY +- | IXANY +-#endif +- | IXOFF)); +- +- tty_settings->c_iflag |= (BRKINT +- | IGNPAR +- | ICRNL +- | IXON +-#ifdef IMAXBEL +- | IMAXBEL +-#endif +- ); +- +- tty_settings->c_oflag &= ~((unsigned) (0 +-#ifdef OLCUC +- | OLCUC +-#endif +-#ifdef OCRNL +- | OCRNL +-#endif +-#ifdef ONOCR +- | ONOCR +-#endif +-#ifdef ONLRET +- | ONLRET +-#endif +-#ifdef OFILL +- | OFILL +-#endif +-#ifdef OFDEL +- | OFDEL +-#endif +-#ifdef NLDLY +- | NLDLY +-#endif +-#ifdef CRDLY +- | CRDLY +-#endif +-#ifdef TABDLY +- | TABDLY +-#endif +-#ifdef BSDLY +- | BSDLY +-#endif +-#ifdef VTDLY +- | VTDLY +-#endif +-#ifdef FFDLY +- | FFDLY +-#endif +- )); +- +- tty_settings->c_oflag |= (OPOST +-#ifdef ONLCR +- | ONLCR +-#endif +- ); +- +- tty_settings->c_cflag &= ~((unsigned) (CSIZE +- | CSTOPB +- | PARENB +- | PARODD +- | CLOCAL)); +- tty_settings->c_cflag |= (CS8 | CREAD); +- tty_settings->c_lflag &= ~((unsigned) (ECHONL +- | NOFLSH +-#ifdef TOSTOP +- | TOSTOP +-#endif +-#ifdef ECHOPTR +- | ECHOPRT +-#endif +-#ifdef XCASE +- | XCASE +-#endif +- )); +- +- tty_settings->c_lflag |= (ISIG +- | ICANON +- | ECHO +- | ECHOE +- | ECHOK +-#ifdef ECHOCTL +- | ECHOCTL +-#endif +-#ifdef ECHOKE +- | ECHOKE +-#endif +- ); +-#endif ++ clear_flags(tty_settings->c_iflag, (IGNBRK ++ | PARMRK ++ | INPCK ++ | ISTRIP ++ | INLCR ++ | IGNCR ++ | IUCLC ++ | IXANY ++ | IXOFF)); ++ ++ set_flags(tty_settings->c_iflag, (BRKINT ++ | IGNPAR ++ | ICRNL ++ | IXON ++ | IMAXBEL)); ++ ++ clear_flags(tty_settings->c_oflag, (0 ++ | OLCUC ++ | OCRNL ++ | ONOCR ++ | ONLRET ++ | OFILL ++ | OFDEL ++ | NLDLY ++ | CRDLY ++ | TABDLY ++ | BSDLY ++ | VTDLY ++ | FFDLY)); ++ ++ set_flags(tty_settings->c_oflag, (OPOST ++ | ONLCR)); ++ ++ mask = (CSIZE | CSTOPB | PARENB | PARODD); ++#ifdef TIOCMGET ++ /* leave clocal alone if this appears to use a modem */ ++ if (ioctl(fd, TIOCMGET, &modem_bits) == -1) ++ mask |= CLOCAL; ++#else ++ /* cannot check - use the behavior from tset */ ++ mask |= CLOCAL; ++#endif ++ clear_flags(tty_settings->c_cflag, mask); ++ ++ set_flags(tty_settings->c_cflag, (CS8 | CREAD)); ++ clear_flags(tty_settings->c_lflag, (ECHONL ++ | NOFLSH ++ | TOSTOP ++ | ECHOPRT ++ | XCASE)); ++ ++ set_flags(tty_settings->c_lflag, (ISIG ++ | ICANON ++ | ECHO ++ | ECHOE ++ | ECHOK ++ | ECHOCTL ++ | ECHOKE)); ++#endif /* TERMIOS */ + + if (!noset) { + SET_TTY(fd, tty_settings); +@@ -402,29 +441,23 @@ set_conversions(TTY * tty_settings) + #if defined(EXP_WIN32_DRIVER) + /* FIXME */ + #else +-#ifdef ONLCR +- tty_settings->c_oflag |= ONLCR; +-#endif +- tty_settings->c_iflag |= ICRNL; +- tty_settings->c_lflag |= ECHO; +-#ifdef OXTABS +- tty_settings->c_oflag |= OXTABS; +-#endif /* OXTABS */ ++ set_flags(tty_settings->c_oflag, ONLCR); ++ set_flags(tty_settings->c_iflag, ICRNL); ++ set_flags(tty_settings->c_lflag, ECHO); ++ set_flags(tty_settings->c_oflag, OXTABS); + + /* test used to be tgetflag("NL") */ + if (VALID_STRING(newline) && newline[0] == '\n' && !newline[1]) { + /* Newline, not linefeed. */ +-#ifdef ONLCR +- tty_settings->c_oflag &= ~((unsigned) ONLCR); +-#endif +- tty_settings->c_iflag &= ~((unsigned) ICRNL); ++ clear_flags(tty_settings->c_oflag, ONLCR); ++ clear_flags(tty_settings->c_iflag, ICRNL); + } +-#ifdef OXTABS ++#if OXTABS + /* test used to be tgetflag("pt") */ + if (VALID_STRING(set_tab) && VALID_STRING(clear_all_tabs)) +- tty_settings->c_oflag &= ~OXTABS; ++ clear_flags(tty_settings->c_oflag, OXTABS); + #endif /* OXTABS */ +- tty_settings->c_lflag |= (ECHOE | ECHOK); ++ set_flags(tty_settings->c_lflag, (ECHOE | ECHOK)); + #endif + } + +@@ -490,7 +523,7 @@ send_init_strings(int fd GCC_UNUSED, TTY * old_settings) + bool need_flush = FALSE; + + (void) old_settings; +-#ifdef TAB3 ++#if TAB3 + if (old_settings != 0 && + old_settings->c_oflag & (TAB3 | ONLCR | OCRNL | ONLRET)) { + old_settings->c_oflag &= (TAB3 | ONLCR | OCRNL | ONLRET); +@@ -512,22 +545,22 @@ send_init_strings(int fd GCC_UNUSED, TTY * old_settings) + + if (VALID_STRING(clear_margins)) { + need_flush |= sent_string(clear_margins); +- } else ++ } + #if defined(set_lr_margin) +- if (VALID_STRING(set_lr_margin)) { ++ else if (VALID_STRING(set_lr_margin)) { + need_flush |= sent_string(TIPARM_2(set_lr_margin, 0, columns - 1)); +- } else ++ } + #endif + #if defined(set_left_margin_parm) && defined(set_right_margin_parm) +- if (VALID_STRING(set_left_margin_parm) +- && VALID_STRING(set_right_margin_parm)) { ++ else if (VALID_STRING(set_left_margin_parm) ++ && VALID_STRING(set_right_margin_parm)) { + need_flush |= sent_string(TIPARM_1(set_left_margin_parm, 0)); + need_flush |= sent_string(TIPARM_1(set_right_margin_parm, + columns - 1)); +- } else ++ } + #endif +- if (VALID_STRING(set_left_margin) +- && VALID_STRING(set_right_margin)) { ++ else if (VALID_STRING(set_left_margin) ++ && VALID_STRING(set_right_margin)) { + need_flush |= to_left_margin(); + need_flush |= sent_string(set_left_margin); + if (VALID_STRING(parm_right_cursor)) { +diff --git a/progs/tabs.c b/progs/tabs.c +index 7378d116..d904330b 100644 +--- a/progs/tabs.c ++++ b/progs/tabs.c +@@ -370,7 +370,9 @@ do_set_margin(int margin, bool no_op) + } + tputs(set_left_margin, 1, putch); + } +- } else if (VALID_STRING(set_left_margin_parm)) { ++ } ++#if defined(set_left_margin_parm) && defined(set_right_margin_parm) ++ else if (VALID_STRING(set_left_margin_parm)) { + result = TRUE; + if (!no_op) { + if (VALID_STRING(set_right_margin_parm)) { +@@ -379,12 +381,16 @@ do_set_margin(int margin, bool no_op) + tputs(TIPARM_2(set_left_margin_parm, margin, max_cols), 1, putch); + } + } +- } else if (VALID_STRING(set_lr_margin)) { ++ } ++#endif ++#if defined(set_lr_margin) ++ else if (VALID_STRING(set_lr_margin)) { + result = TRUE; + if (!no_op) { + tputs(TIPARM_2(set_lr_margin, margin, max_cols), 1, putch); + } + } ++#endif + return result; + } + +diff --git a/progs/tic.c b/progs/tic.c +index 888927e2..78b568fa 100644 +--- a/progs/tic.c ++++ b/progs/tic.c +@@ -3142,6 +3142,7 @@ guess_ANSI_VTxx(TERMTYPE2 *tp) + * In particular, any ECMA-48 terminal should support these, though the details + * for u9 are implementation dependent. + */ ++#if defined(user6) && defined(user7) && defined(user8) && defined(user9) + static void + check_user_6789(TERMTYPE2 *tp) + { +@@ -3177,6 +3178,9 @@ check_user_6789(TERMTYPE2 *tp) + break; + } + } ++#else ++#define check_user_6789(tp) /* nothing */ ++#endif + + /* other sanity-checks (things that we don't want in the normal + * logic that reads a terminfo entry) +-- +2.40.0 diff --git a/poky/meta/recipes-core/ncurses/ncurses_6.4.bb b/poky/meta/recipes-core/ncurses/ncurses_6.4.bb index 388cd8d407..2c621525f9 100644 --- a/poky/meta/recipes-core/ncurses/ncurses_6.4.bb +++ b/poky/meta/recipes-core/ncurses/ncurses_6.4.bb @@ -5,6 +5,7 @@ SRC_URI += "file://0001-tic-hang.patch \ file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \ file://exit_prototype.patch \ file://0001-Fix-CVE-2023-29491.patch \ + file://0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch \ " # commit id corresponds to the revision in package version SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f" diff --git a/poky/meta/recipes-core/udev/udev-extraconf/mount.sh b/poky/meta/recipes-core/udev/udev-extraconf/mount.sh index b7e86dbc0e..6cb0a9fea8 100644 --- a/poky/meta/recipes-core/udev/udev-extraconf/mount.sh +++ b/poky/meta/recipes-core/udev/udev-extraconf/mount.sh @@ -196,7 +196,7 @@ if [ "$ACTION" = "remove" ] || [ "$ACTION" = "change" ] && [ -x "$UMOUNT" ] && [ logger "mount.sh/remove" "cleaning up $DEVNAME, was mounted by the auto-mounter" for mnt in `cat /proc/mounts | grep "$DEVNAME" | cut -f 2 -d " " ` do - $UMOUNT $mnt + $UMOUNT "`printf $mnt`" done # Remove mount directory created by the auto-mounter # and clean up our tmp cache file diff --git a/poky/meta/recipes-core/zlib/zlib_1.3.bb b/poky/meta/recipes-core/zlib/zlib_1.3.bb index 1ed18172fa..ede75f90bd 100644 --- a/poky/meta/recipes-core/zlib/zlib_1.3.bb +++ b/poky/meta/recipes-core/zlib/zlib_1.3.bb @@ -47,3 +47,4 @@ do_install_ptest() { BBCLASSEXTEND = "native nativesdk" CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip" +CVE_STATUS[CVE-2023-6992] = "cpe-incorrect: this CVE is for cloudflare zlib" diff --git a/poky/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake b/poky/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake index d6a1e0464c..6434b27371 100644 --- a/poky/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake +++ b/poky/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake @@ -18,3 +18,6 @@ file( GLOB toolchain_config_files "${CMAKE_CURRENT_LIST_FILE}.d/*.cmake" ) foreach(config ${toolchain_config_files}) include(${config}) endforeach() + +unset(CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES) +unset(CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES) diff --git a/poky/meta/recipes-devtools/elfutils/elfutils_0.189.bb b/poky/meta/recipes-devtools/elfutils/elfutils_0.189.bb index d8bf82b022..67494cd35a 100644 --- a/poky/meta/recipes-devtools/elfutils/elfutils_0.189.bb +++ b/poky/meta/recipes-devtools/elfutils/elfutils_0.189.bb @@ -2,7 +2,7 @@ SUMMARY = "Utilities and libraries for handling compiled object files" HOMEPAGE = "https://sourceware.org/elfutils" DESCRIPTION = "elfutils is a collection of utilities and libraries to read, create and modify ELF binary files, find and handle DWARF debug data, symbols, thread state and stacktraces for processes and core files on GNU/Linux." SECTION = "base" -LICENSE = "GPL-2.0-only & GPL-2.0-or-later & LGPL-3.0-or-later & GPL-3.0-or-later" +LICENSE = "( GPL-2.0-or-later | LGPL-3.0-or-later ) & GPL-3.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \ file://debuginfod/debuginfod-client.c;endline=28;md5=f0a7c3170776866ee94e8f9225a6ad79 \ " @@ -106,19 +106,18 @@ EXTRA_OEMAKE:class-nativesdk = "" BBCLASSEXTEND = "native nativesdk" -# Package utilities separately +# Package utilities and libraries are listed separately PACKAGES =+ "${PN}-binutils libelf libasm libdw libdebuginfod" -# Shared libraries are licensed GPL-2.0-only or GPL-3.0-or-later, binaries -# GPL-3.0-or-later. According to NEWS file: -# "The license is now GPLv2/LGPLv3+ for the libraries and GPLv3+ for stand-alone -# programs. There is now also a formal CONTRIBUTING document describing how to -# submit patches." +# According to the upstream website https://sourceware.org/elfutils, the latest +# license policy is as follows: +# "License. The libraries and backends are dual GPLv2+/LGPLv3+. The utilities +# are GPLv3+." LICENSE:${PN}-binutils = "GPL-3.0-or-later" LICENSE:${PN} = "GPL-3.0-or-later" -LICENSE:libelf = "GPL-2.0-only | LGPL-3.0-or-later" -LICENSE:libasm = "GPL-2.0-only | LGPL-3.0-or-later" -LICENSE:libdw = "GPL-2.0-only | LGPL-3.0-or-later" +LICENSE:libelf = "GPL-2.0-or-later | LGPL-3.0-or-later" +LICENSE:libasm = "GPL-2.0-or-later | LGPL-3.0-or-later" +LICENSE:libdw = "GPL-2.0-or-later | LGPL-3.0-or-later" LICENSE:libdebuginfod = "GPL-2.0-or-later | LGPL-3.0-or-later" FILES:${PN}-binutils = "\ diff --git a/poky/meta/recipes-devtools/gcc/gcc-13.2.inc b/poky/meta/recipes-devtools/gcc/gcc-13.2.inc index 359db1e278..32fddd11c2 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-13.2.inc +++ b/poky/meta/recipes-devtools/gcc/gcc-13.2.inc @@ -115,3 +115,4 @@ EXTRA_OECONF_PATHS = "\ " CVE_STATUS[CVE-2021-37322] = "cpe-incorrect: Is a binutils 2.26 issue, not gcc" +CVE_STATUS[CVE-2023-4039] = "fixed-version: Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source" diff --git a/poky/meta/recipes-devtools/go/go-1.20.10.inc b/poky/meta/recipes-devtools/go/go-1.20.12.inc index 39509ed986..9be56c6707 100644 --- a/poky/meta/recipes-devtools/go/go-1.20.10.inc +++ b/poky/meta/recipes-devtools/go/go-1.20.12.inc @@ -15,4 +15,4 @@ SRC_URI += "\ file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ " -SRC_URI[main.sha256sum] = "72d2f51805c47150066c103754c75fddb2c19d48c9219fa33d1e46696c841dbb" +SRC_URI[main.sha256sum] = "c5bf934751d31c315c1d0bb5fb02296545fa6d08923566f7a5afec81f2ed27d6" diff --git a/poky/meta/recipes-devtools/go/go-binary-native_1.20.10.bb b/poky/meta/recipes-devtools/go/go-binary-native_1.20.12.bb index 691670c31e..e555412a19 100644 --- a/poky/meta/recipes-devtools/go/go-binary-native_1.20.10.bb +++ b/poky/meta/recipes-devtools/go/go-binary-native_1.20.12.bb @@ -9,9 +9,9 @@ PROVIDES = "go-native" # Checksums available at https://go.dev/dl/ SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}" -SRC_URI[go_linux_amd64.sha256sum] = "80d34f1fd74e382d86c2d6102e0e60d4318461a7c2f457ec1efc4042752d4248" -SRC_URI[go_linux_arm64.sha256sum] = "fb3c7e15fc4413c5b81eb9f26dbd7cd4faedd5c720b30fa8e2ff77457f74cab6" -SRC_URI[go_linux_ppc64le.sha256sum] = "ebac6e713810174f9ffd7f48c17c373fbf359d50d8e6233b1dfbbdebd524fd1c" +SRC_URI[go_linux_amd64.sha256sum] = "9c5d48c54dd8b0a3b2ef91b0f92a1190aa01f11d26e98033efa64c46a30bba7b" +SRC_URI[go_linux_arm64.sha256sum] = "8afe8e3fb6972eaa2179ef0a71678c67f26509fab4f0f67c4b00f4cdfa92dc87" +SRC_URI[go_linux_ppc64le.sha256sum] = "2ae0ec3736216dfbd7b01ff679842dc1bed365e53a024d522645bcffd01c7328" UPSTREAM_CHECK_URI = "https://golang.org/dl/" UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux" diff --git a/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.10.bb b/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.12.bb index 7ac9449e47..7ac9449e47 100644 --- a/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.10.bb +++ b/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.12.bb diff --git a/poky/meta/recipes-devtools/go/go-cross_1.20.10.bb b/poky/meta/recipes-devtools/go/go-cross_1.20.12.bb index 80b5a03f6c..80b5a03f6c 100644 --- a/poky/meta/recipes-devtools/go/go-cross_1.20.10.bb +++ b/poky/meta/recipes-devtools/go/go-cross_1.20.12.bb diff --git a/poky/meta/recipes-devtools/go/go-crosssdk_1.20.10.bb b/poky/meta/recipes-devtools/go/go-crosssdk_1.20.12.bb index 1857c8a577..1857c8a577 100644 --- a/poky/meta/recipes-devtools/go/go-crosssdk_1.20.10.bb +++ b/poky/meta/recipes-devtools/go/go-crosssdk_1.20.12.bb diff --git a/poky/meta/recipes-devtools/go/go-native_1.20.10.bb b/poky/meta/recipes-devtools/go/go-native_1.20.12.bb index ddf25b2c9b..ddf25b2c9b 100644 --- a/poky/meta/recipes-devtools/go/go-native_1.20.10.bb +++ b/poky/meta/recipes-devtools/go/go-native_1.20.12.bb diff --git a/poky/meta/recipes-devtools/go/go-runtime_1.20.10.bb b/poky/meta/recipes-devtools/go/go-runtime_1.20.12.bb index 63464a1501..63464a1501 100644 --- a/poky/meta/recipes-devtools/go/go-runtime_1.20.10.bb +++ b/poky/meta/recipes-devtools/go/go-runtime_1.20.12.bb diff --git a/poky/meta/recipes-devtools/go/go_1.20.10.bb b/poky/meta/recipes-devtools/go/go_1.20.12.bb index 46f5fbc6be..46f5fbc6be 100644 --- a/poky/meta/recipes-devtools/go/go_1.20.10.bb +++ b/poky/meta/recipes-devtools/go/go_1.20.12.bb diff --git a/poky/meta/recipes-devtools/pseudo/files/glibc238.patch b/poky/meta/recipes-devtools/pseudo/files/glibc238.patch index 76ca8c11eb..da4b8caee3 100644 --- a/poky/meta/recipes-devtools/pseudo/files/glibc238.patch +++ b/poky/meta/recipes-devtools/pseudo/files/glibc238.patch @@ -44,19 +44,6 @@ Index: git/pseudo_util.c #include <ctype.h> #include <errno.h> -Index: git/pseudolog.c -=================================================================== ---- git.orig/pseudolog.c -+++ git/pseudolog.c -@@ -8,7 +8,7 @@ - */ - /* We need _XOPEN_SOURCE for strptime(), but if we define that, - * we then don't get S_IFSOCK... _GNU_SOURCE turns on everything. */ --#define _GNU_SOURCE -+#define _DEFAULT_SOURCE - - #include <ctype.h> - #include <limits.h> Index: git/pseudo_client.c =================================================================== --- git.orig/pseudo_client.c diff --git a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb index 4a894ebdd0..025cf0fc9c 100644 --- a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb +++ b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb @@ -14,7 +14,7 @@ SRC_URI:append:class-nativesdk = " \ file://older-glibc-symbols.patch" SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa" -SRCREV = "ec6151a2b057109b3f798f151a36690af582e166" +SRCREV = "516a0a3c4b46f046895d27bfa019d685fe462dfa" S = "${WORKDIR}/git" PV = "1.9.0+git" diff --git a/poky/meta/recipes-devtools/python/python3-license-expression/run-ptest b/poky/meta/recipes-devtools/python/python3-license-expression/run-ptest index 5cec711696..8d2017d39c 100644 --- a/poky/meta/recipes-devtools/python/python3-license-expression/run-ptest +++ b/poky/meta/recipes-devtools/python/python3-license-expression/run-ptest @@ -1,3 +1,3 @@ #!/bin/sh -pytest +pytest --automake diff --git a/poky/meta/recipes-devtools/python/python3-license-expression_30.1.1.bb b/poky/meta/recipes-devtools/python/python3-license-expression_30.1.1.bb index 31fb88d6e5..92ca419e4a 100644 --- a/poky/meta/recipes-devtools/python/python3-license-expression_30.1.1.bb +++ b/poky/meta/recipes-devtools/python/python3-license-expression_30.1.1.bb @@ -26,6 +26,7 @@ SRC_URI += " \ RDEPENDS:${PN}-ptest += " \ ${PYTHON_PN}-pytest \ + ${PYTHON_PN}-unittest-automake-output \ " do_install_ptest() { @@ -33,4 +34,5 @@ do_install_ptest() { install -d ${D}${PTEST_PATH}/src cp -rf ${S}/tests/* ${D}${PTEST_PATH}/tests/ cp -rf ${S}/src/* ${D}${PTEST_PATH}/src/ + cp -rf ${S}/setup.cfg ${D}${PTEST_PATH}/ } diff --git a/poky/meta/recipes-devtools/qemu/qemu-native_8.1.2.bb b/poky/meta/recipes-devtools/qemu/qemu-native_8.1.4.bb index 73a0f63f2b..73a0f63f2b 100644 --- a/poky/meta/recipes-devtools/qemu/qemu-native_8.1.2.bb +++ b/poky/meta/recipes-devtools/qemu/qemu-native_8.1.4.bb diff --git a/poky/meta/recipes-devtools/qemu/qemu-system-native_8.1.2.bb b/poky/meta/recipes-devtools/qemu/qemu-system-native_8.1.4.bb index 558a416f7b..558a416f7b 100644 --- a/poky/meta/recipes-devtools/qemu/qemu-system-native_8.1.2.bb +++ b/poky/meta/recipes-devtools/qemu/qemu-system-native_8.1.4.bb diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc index 5ab2cb83b4..0ea23ecdc3 100644 --- a/poky/meta/recipes-devtools/qemu/qemu.inc +++ b/poky/meta/recipes-devtools/qemu/qemu.inc @@ -37,7 +37,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" -SRC_URI[sha256sum] = "541526a764576eb494d2ff5ec46aeb253e62ea29035d1c23c0a8af4e6cd4f087" +SRC_URI[sha256sum] = "176dd6d0bdcc4c71a94172d12ddb7a3b2e8e20d638e5db26138165a382be2dbd" SRC_URI:append:class-target = " file://cross.patch" SRC_URI:append:class-nativesdk = " file://cross.patch" diff --git a/poky/meta/recipes-devtools/qemu/qemu_8.1.2.bb b/poky/meta/recipes-devtools/qemu/qemu_8.1.4.bb index 84ee0bcc49..84ee0bcc49 100644 --- a/poky/meta/recipes-devtools/qemu/qemu_8.1.2.bb +++ b/poky/meta/recipes-devtools/qemu/qemu_8.1.4.bb diff --git a/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb index b33a78e147..bb75353a5a 100644 --- a/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb +++ b/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb @@ -88,7 +88,7 @@ do_install_ptest() { do_install_ptest:append:libc-musl () { # Assumes locales other than provided by musl-locales - sed -i -e 's|SKIPPED_TESTS=|SKIPPED_TESTS="unixInit-3*"|' ${D}${PTEST_PATH}/run-ptest + sed -i -e "s|SKIPPED_TESTS='|SKIPPED_TESTS='unixInit-3* |" ${D}${PTEST_PATH}/run-ptest } # Fix some paths that might be used by Tcl extensions diff --git a/poky/meta/recipes-extended/cpio/cpio_2.14.bb b/poky/meta/recipes-extended/cpio/cpio_2.15.bb index 560038d2a6..55e9add5cd 100644 --- a/poky/meta/recipes-extended/cpio/cpio_2.14.bb +++ b/poky/meta/recipes-extended/cpio/cpio_2.15.bb @@ -7,12 +7,11 @@ LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949" SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \ - file://0001-configure-Include-needed-header-for-major-minor-macr.patch \ file://run-ptest \ file://test.sh \ " -SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905ca52454" +SRC_URI[sha256sum] = "efa50ef983137eefc0a02fdb51509d624b5e3295c980aa127ceee4183455499e" inherit autotools gettext texinfo ptest diff --git a/poky/meta/recipes-extended/cpio/files/0001-configure-Include-needed-header-for-major-minor-macr.patch b/poky/meta/recipes-extended/cpio/files/0001-configure-Include-needed-header-for-major-minor-macr.patch deleted file mode 100644 index 95ece0bbf3..0000000000 --- a/poky/meta/recipes-extended/cpio/files/0001-configure-Include-needed-header-for-major-minor-macr.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 8179be21e664cedb2e9d238cc2f6d04965e97275 Mon Sep 17 00:00:00 2001 -From: Sergey Poznyakoff <gray@gnu.org> -Date: Thu, 11 May 2023 10:18:44 +0300 -Subject: [PATCH] configure: Include needed header for major/minor macros - -This helps in avoiding the warning about implicit function declaration -which is elevated as error with newer compilers e.g. clang 16 - -Signed-off-by: Khem Raj <raj.khem@gmail.com> - -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> ---- - configure.ac | 18 ++++++++++++++++-- - 1 file changed, 16 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index de479e7..c601029 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -43,8 +43,22 @@ AC_TYPE_UID_T - AC_CHECK_TYPE(gid_t, int) - - AC_HEADER_DIRENT --AX_COMPILE_CHECK_RETTYPE([major], [0]) --AX_COMPILE_CHECK_RETTYPE([minor], [0]) -+AX_COMPILE_CHECK_RETTYPE([major], [0], [ -+#include <sys/types.h> -+#ifdef MAJOR_IN_MKDEV -+# include <sys/mkdev.h> -+#endif -+#ifdef MAJOR_IN_SYSMACROS -+# include <sys/sysmacros.h> -+#endif]) -+AX_COMPILE_CHECK_RETTYPE([minor], [0], [ -+#include <sys/types.h> -+#ifdef MAJOR_IN_MKDEV -+# include <sys/mkdev.h> -+#endif -+#ifdef MAJOR_IN_SYSMACROS -+# include <sys/sysmacros.h> -+#endif]) - - AC_CHECK_FUNCS([fchmod fchown]) - # This is needed for mingw build --- -2.34.1 - diff --git a/poky/meta/recipes-extended/rpcbind/rpcbind_1.2.6.bb b/poky/meta/recipes-extended/rpcbind/rpcbind_1.2.6.bb index dd89726afc..dbd4d32e0a 100644 --- a/poky/meta/recipes-extended/rpcbind/rpcbind_1.2.6.bb +++ b/poky/meta/recipes-extended/rpcbind/rpcbind_1.2.6.bb @@ -40,7 +40,7 @@ PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}/ systemd \ " -EXTRA_OECONF += " --enable-warmstarts --with-rpcuser=rpc" +EXTRA_OECONF += " --enable-warmstarts --with-rpcuser=rpc --with-statedir=${runtimedir}/rpcbind" do_install:append () { install -d ${D}${sysconfdir}/init.d diff --git a/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch b/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch new file mode 100644 index 0000000000..1fabfe928e --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch @@ -0,0 +1,147 @@ +From 25dbe2ce166a13322b7536ff2f738786ea2e61e7 Mon Sep 17 00:00:00 2001 +From: Alejandro Colomar <alx@kernel.org> +Date: Sat, 10 Jun 2023 16:20:05 +0200 +Subject: [PATCH] gpasswd(1): Fix password leak + +How to trigger this password leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When gpasswd(1) asks for the new password, it asks twice (as is usual +for confirming the new password). Each of those 2 password prompts +uses agetpass() to get the password. If the second agetpass() fails, +the first password, which has been copied into the 'static' buffer +'pass' via STRFCPY(), wasn't being zeroed. + +agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and +can fail for any of the following reasons: + +- malloc(3) or readpassphrase(3) failure. + + These are going to be difficult to trigger. Maybe getting the system + to the limits of memory utilization at that exact point, so that the + next malloc(3) gets ENOMEM, and possibly even the OOM is triggered. + About readpassphrase(3), ENFILE and EINTR seem the only plausible + ones, and EINTR probably requires privilege or being the same user; + but I wouldn't discard ENFILE so easily, if a process starts opening + files. + +- The password is longer than PASS_MAX. + + The is plausible with physical access. However, at that point, a + keylogger will be a much simpler attack. + +And, the attacker must be able to know when the second password is being +introduced, which is not going to be easy. + +How to read the password after the leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Provoking the leak yourself at the right point by entering a very long +password is easy, and inspecting the process stack at that point should +be doable. Try to find some consistent patterns. + +Then, search for those patterns in free memory, right after the victim +leaks their password. + +Once you get the leak, a program should read all the free memory +searching for patterns that gpasswd(1) leaves nearby the leaked +password. + +On 6/10/23 03:14, Seth Arnold wrote: +> An attacker process wouldn't be able to use malloc(3) for this task. +> There's a handful of tools available for userspace to allocate memory: +> +> - brk / sbrk +> - mmap MAP_ANONYMOUS +> - mmap /dev/zero +> - mmap some other file +> - shm_open +> - shmget +> +> Most of these return only pages of zeros to a process. Using mmap of an +> existing file, you can get some of the contents of the file demand-loaded +> into the memory space on the first use. +> +> The MAP_UNINITIALIZED flag only works if the kernel was compiled with +> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare. +> +> malloc(3) doesn't zero memory, to our collective frustration, but all the +> garbage in the allocations is from previous allocations in the current +> process. It isn't leftover from other processes. +> +> The avenues available for reading the memory: +> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot) +> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA) +> - ptrace (requires ptrace privileges, mediated by YAMA) +> - causing memory to be swapped to disk, and then inspecting the swap +> +> These all require a certain amount of privileges. + +How to fix it? +~~~~~~~~~~~~~~ + +memzero(), which internally calls explicit_bzero(3), or whatever +alternative the system provides with a slightly different name, will +make sure that the buffer is zeroed in memory, and optimizations are not +allowed to impede this zeroing. + +This is not really 100% effective, since compilers may place copies of +the string somewhere hidden in the stack. Those copies won't get zeroed +by explicit_bzero(3). However, that's arguably a compiler bug, since +compilers should make everything possible to avoid optimizing strings +that are later passed to explicit_bzero(3). But we all know that +sometimes it's impossible to have perfect knowledge in the compiler, so +this is plausible. Nevertheless, there's nothing we can do against such +issues, except minimizing the time such passwords are stored in plain +text. + +Security concerns +~~~~~~~~~~~~~~~~~ + +We believe this isn't easy to exploit. Nevertheless, and since the fix +is trivial, this fix should probably be applied soon, and backported to +all supported distributions, to prevent someone else having more +imagination than us to find a way. + +Affected versions +~~~~~~~~~~~~~~~~~ + +All. Bug introduced in shadow 19990709. That's the second commit in +the git history. + +Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)") + +CVE: CVE-2023-4641 +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904] + +Reported-by: Alejandro Colomar <alx@kernel.org> +Cc: Serge Hallyn <serge@hallyn.com> +Cc: Iker Pedrosa <ipedrosa@redhat.com> +Cc: Seth Arnold <seth.arnold@canonical.com> +Cc: Christian Brauner <christian@brauner.io> +Cc: Balint Reczey <rbalint@debian.org> +Cc: Sam James <sam@gentoo.org> +Cc: David Runge <dvzrv@archlinux.org> +Cc: Andreas Jaeger <aj@suse.de> +Cc: <~hallyn/shadow@lists.sr.ht> +Signed-off-by: Alejandro Colomar <alx@kernel.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + src/gpasswd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/gpasswd.c b/src/gpasswd.c +index 5983f787..2d8869ef 100644 +--- a/src/gpasswd.c ++++ b/src/gpasswd.c +@@ -896,6 +896,7 @@ static void change_passwd (struct group *gr) + strzero (cp); + cp = getpass (_("Re-enter new password: ")); + if (NULL == cp) { ++ memzero (pass, sizeof pass); + exit (1); + } + +-- +2.34.1 + diff --git a/poky/meta/recipes-extended/shadow/shadow.inc b/poky/meta/recipes-extended/shadow/shadow.inc index 83e1a84769..ce3ce62715 100644 --- a/poky/meta/recipes-extended/shadow/shadow.inc +++ b/poky/meta/recipes-extended/shadow/shadow.inc @@ -17,6 +17,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.gz \ file://0001-Fix-can-not-print-full-login.patch \ file://CVE-2023-29383.patch \ file://0001-Overhaul-valid_field.patch \ + file://CVE-2023-4641.patch \ " SRC_URI:append:class-target = " \ diff --git a/poky/meta/recipes-extended/sudo/sudo_1.9.14p3.bb b/poky/meta/recipes-extended/sudo/sudo_1.9.15p5.bb index d5c5718ea5..8e542015ad 100644 --- a/poky/meta/recipes-extended/sudo/sudo_1.9.14p3.bb +++ b/poky/meta/recipes-extended/sudo/sudo_1.9.15p5.bb @@ -7,7 +7,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \ PAM_SRC_URI = "file://sudo.pam" -SRC_URI[sha256sum] = "a08318b1c4bc8582c004d4cd9ae2903abc549e7e46ba815e41fe81d1c0782b62" +SRC_URI[sha256sum] = "558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558" DEPENDS += " virtual/crypt ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" RDEPENDS:${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}" diff --git a/poky/meta/recipes-extended/zstd/zstd_1.5.5.bb b/poky/meta/recipes-extended/zstd/zstd_1.5.5.bb index 5c5fb5e734..2d72af50a4 100644 --- a/poky/meta/recipes-extended/zstd/zstd_1.5.5.bb +++ b/poky/meta/recipes-extended/zstd/zstd_1.5.5.bb @@ -5,7 +5,7 @@ It's backed by a very fast entropy stage, provided by Huff0 and FSE library." HOMEPAGE = "http://www.zstd.net/" SECTION = "console/utils" -LICENSE = "BSD-3-Clause & GPL-2.0-only" +LICENSE = "BSD-3-Clause | GPL-2.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=0822a32f7acdbe013606746641746ee8 \ file://COPYING;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0 \ " diff --git a/poky/meta/recipes-gnome/gtk+/gtk+3_3.24.38.bb b/poky/meta/recipes-gnome/gtk+/gtk+3_3.24.38.bb index 37fa0a7290..c23c46a689 100644 --- a/poky/meta/recipes-gnome/gtk+/gtk+3_3.24.38.bb +++ b/poky/meta/recipes-gnome/gtk+/gtk+3_3.24.38.bb @@ -13,3 +13,5 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2 \ file://gtk/gtk.h;endline=25;md5=1d8dc0fccdbfa26287a271dce88af737 \ file://gdk/gdk.h;endline=25;md5=c920ce39dc88c6f06d3e7c50e08086f2 \ file://tests/testgtk.c;endline=25;md5=cb732daee1d82af7a2bf953cf3cf26f1" + +CVE_PRODUCT = "gnome:gtk" diff --git a/poky/meta/recipes-gnome/gtk+/gtk4_4.12.3.bb b/poky/meta/recipes-gnome/gtk+/gtk4_4.12.3.bb index 001b06934e..2c85e7e75f 100644 --- a/poky/meta/recipes-gnome/gtk+/gtk4_4.12.3.bb +++ b/poky/meta/recipes-gnome/gtk+/gtk4_4.12.3.bb @@ -41,6 +41,8 @@ SRC_URI[sha256sum] = "148ce262f6c86487455fb1d9793c3f58bc3e1da477a29617fadb0420f5 S = "${WORKDIR}/gtk-${PV}" +CVE_PRODUCT = "gnome:gtk" + inherit meson gettext pkgconfig gi-docgen update-alternatives gsettings features_check gobject-introspection # TBD: nativesdk diff --git a/poky/meta/recipes-gnome/libadwaita/libadwaita_1.4.0.bb b/poky/meta/recipes-gnome/libadwaita/libadwaita_1.4.2.bb index d8aa2cd697..64b7473b0a 100644 --- a/poky/meta/recipes-gnome/libadwaita/libadwaita_1.4.0.bb +++ b/poky/meta/recipes-gnome/libadwaita/libadwaita_1.4.2.bb @@ -12,7 +12,7 @@ DEPENDS = " \ inherit gnomebase gobject-introspection gi-docgen vala features_check -SRC_URI[archive.sha256sum] = "e51a098a54d43568218fc48fcf52e80e36f469b3ce912d8ce9c308a37e9f47c2" +SRC_URI[archive.sha256sum] = "33fa16754e7370c841767298b3ff5f23003ee1d2515cc2ff255e65ef3d4e8713" ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}" REQUIRED_DISTRO_FEATURES = "opengl" diff --git a/poky/meta/recipes-graphics/libva/libva-utils_2.20.0.bb b/poky/meta/recipes-graphics/libva/libva-utils_2.20.1.bb index 2e1fd09406..3bce9a1e32 100644 --- a/poky/meta/recipes-graphics/libva/libva-utils_2.20.0.bb +++ b/poky/meta/recipes-graphics/libva/libva-utils_2.20.1.bb @@ -15,7 +15,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=b148fc8adf19dc9aec17cf9cd29a9a5e" SRC_URI = "git://github.com/intel/libva-utils.git;branch=v2.20-branch;protocol=https" -SRCREV = "0c8373e62af3e4d9a3831334c5402ad255797e67" +SRCREV = "2ad888bb463dc9bfb3deb512ec9faf78f1d3bfa8" S = "${WORKDIR}/git" UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))$" diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.9.bb b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.11.bb index 43c06181e3..6506d775ca 100644 --- a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.9.bb +++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.11.bb @@ -3,7 +3,7 @@ require xserver-xorg.inc SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \ file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \ " -SRC_URI[sha256sum] = "ff697be2011b4c4966b7806929e51b7a08e9d33800d505305d26d9ccde4b533a" +SRC_URI[sha256sum] = "1d3dadbd57fb86b16a018e9f5f957aeeadf744f56c0553f55737628d06d326ef" # These extensions are now integrated into the server, so declare the migration # path for in-place upgrades. diff --git a/poky/meta/recipes-graphics/xwayland/xwayland_23.2.2.bb b/poky/meta/recipes-graphics/xwayland/xwayland_23.2.3.bb index 9feac147db..9aa7b4dfcd 100644 --- a/poky/meta/recipes-graphics/xwayland/xwayland_23.2.2.bb +++ b/poky/meta/recipes-graphics/xwayland/xwayland_23.2.3.bb @@ -10,7 +10,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880" SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz" -SRC_URI[sha256sum] = "9f7c0938d2a41e941ffa04f99c35e5db2bcd3eec034afe8d35d5c810a22eb0a8" +SRC_URI[sha256sum] = "eb9d9aa7232c47412c8835ec15a97c575f03563726c787754ff0c019bd07e302" UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar" diff --git a/poky/meta/recipes-kernel/dtc/dtc/0001-meson.build-bump-version-to-1.7.0.patch b/poky/meta/recipes-kernel/dtc/dtc/0001-meson.build-bump-version-to-1.7.0.patch new file mode 100644 index 0000000000..79a3b92b44 --- /dev/null +++ b/poky/meta/recipes-kernel/dtc/dtc/0001-meson.build-bump-version-to-1.7.0.patch @@ -0,0 +1,29 @@ +From 9153522103bd4ed7e3299c4d073f66bb37cb2d42 Mon Sep 17 00:00:00 2001 +From: Nikolay Letov <letov.nikolay@gmail.com> +Date: Wed, 22 Feb 2023 13:36:07 +0300 +Subject: [PATCH 1/2] meson.build: bump version to 1.7.0 + +[This was botched in the actual 1.7.0 release :( - David Gibson] + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dtc/dtc.git/commit/?id=64a907f08b9bedd89833c1eee674148cff2343c6] + +Signed-off-by: Nikolay Letov <letov.nikolay@gmail.com> +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/meson.build b/meson.build +index 78251eb..d88cd9f 100644 +--- a/meson.build ++++ b/meson.build +@@ -1,5 +1,5 @@ + project('dtc', 'c', +- version: '1.6.0', ++ version: '1.7.0', + license: ['GPL2+', 'BSD-2'], + default_options: 'werror=true', + ) +-- +2.30.2 + diff --git a/poky/meta/recipes-kernel/dtc/dtc/0002-meson-allow-building-from-shallow-clones.patch b/poky/meta/recipes-kernel/dtc/dtc/0002-meson-allow-building-from-shallow-clones.patch new file mode 100644 index 0000000000..0284905913 --- /dev/null +++ b/poky/meta/recipes-kernel/dtc/dtc/0002-meson-allow-building-from-shallow-clones.patch @@ -0,0 +1,38 @@ +From 4415b0baece3c4351a6d3637c2754abbefd4795d Mon Sep 17 00:00:00 2001 +From: Peter Marko <peter.marko@siemens.com> +Date: Sat, 16 Dec 2023 18:58:31 +0100 +Subject: [PATCH 2/2] meson: allow building from shallow clones + +When building from shallow clone, tag is not available +and version defaults to git hash. +Problem is that some builds check DTC version and fail the comparison. +Example is https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git +Which fails to build with following error: +dtc version too old (039a994), you need at least version 1.4.4 + +Drop --always from git describe command, see +https://github.com/mesonbuild/meson/blob/1.3.0/mesonbuild/utils/universal.py#L773 +This will make it more closer to build via Makefile. + +Upstream-Status: Submitted [https://github.com/dgibson/dtc/pull/122] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + meson.build | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/meson.build b/meson.build +index 78251eb..fc0c92a 100644 +--- a/meson.build ++++ b/meson.build +@@ -56,6 +56,7 @@ py = py.find_installation(required: get_option('python')) + swig = find_program('swig', required: get_option('python')) + + version_gen_h = vcs_tag( ++ command: ['git', 'describe', '--dirty=+'], + input: 'version_gen.h.in', + output: 'version_gen.h', + ) +-- +2.30.2 + diff --git a/poky/meta/recipes-kernel/dtc/dtc_1.7.0.bb b/poky/meta/recipes-kernel/dtc/dtc_1.7.0.bb index 1a78a0c079..0702fc16df 100644 --- a/poky/meta/recipes-kernel/dtc/dtc_1.7.0.bb +++ b/poky/meta/recipes-kernel/dtc/dtc_1.7.0.bb @@ -8,7 +8,11 @@ LIC_FILES_CHKSUM = "file://GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://BSD-2-Clause;md5=5d6306d1b08f8df623178dfd81880927 \ file://README.license;md5=a1eb22e37f09df5b5511b8a278992d0e" -SRC_URI = "git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https" +SRC_URI = " \ + git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https \ + file://0001-meson.build-bump-version-to-1.7.0.patch \ + file://0002-meson-allow-building-from-shallow-clones.patch \ +" SRCREV = "039a99414e778332d8f9c04cbd3072e1dcc62798" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20231030.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20231211.bb index c0394b9b3b..0ed4d91f8a 100644 --- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20231030.bb +++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20231211.bb @@ -151,7 +151,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ " # WHENCE checksum is defined separately to ease overriding it if # class-devupstream is selected. -WHENCE_CHKSUM = "ceb5248746d24d165b603e71b288cf75" +WHENCE_CHKSUM = "3113c4ea08e5171555f3bf49eceb5b07" # These are not common licenses, set NO_GENERIC_LICENSE for them # so that the license files will be copied from fetched source @@ -237,7 +237,7 @@ SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmw # Pin this to the 20220509 release, override this in local.conf SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae" -SRC_URI[sha256sum] = "c98d200fc4a3120de1a594713ce34e135819dff23e883a4ed387863ba25679c7" +SRC_URI[sha256sum] = "96af7e4b5eabd37869cdb3dcbb7ab36911106d39b76e799fa1caab16a9dbe8bb" inherit allarch @@ -248,7 +248,8 @@ do_compile() { } do_install() { - oe_runmake 'DESTDIR=${D}' 'FIRMWAREDIR=${nonarch_base_libdir}/firmware' install + # install-nodedup avoids rdfind dependency + oe_runmake 'DESTDIR=${D}' 'FIRMWAREDIR=${nonarch_base_libdir}/firmware' install-nodedup cp GPL-2 LICEN[CS]E.* WHENCE ${D}${nonarch_base_libdir}/firmware/ } @@ -340,7 +341,8 @@ PACKAGES =+ "${PN}-amphion-vpu-license ${PN}-amphion-vpu \ ${PN}-ice-license ${PN}-ice \ ${PN}-ice-enhanced-license ${PN}-ice-enhanced \ ${PN}-adsp-sst-license ${PN}-adsp-sst \ - ${PN}-bnx2-mips \ + ${PN}-bnx2 \ + ${PN}-bnx2x \ ${PN}-liquidio \ ${PN}-nvidia-license \ ${PN}-nvidia-tegra-k1 ${PN}-nvidia-tegra \ @@ -1070,6 +1072,7 @@ FILES:${PN}-bcm4373 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.bi ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373.bin \ ${nonarch_base_libdir}/firmware/cypress/cyfmac4373-sdio.bin \ ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.clm_blob \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac4373-sdio.clm_blob \ " LICENSE:${PN}-bcm-0bb4-0306 = "Firmware-cypress" @@ -1087,18 +1090,28 @@ RDEPENDS:${PN}-bcm4356-pcie += "${PN}-cypress-license" LICENSE:${PN}-bcm4373 = "Firmware-cypress" RDEPENDS:${PN}-bcm4373 += "${PN}-cypress-license" -# For Broadcom bnx2-mips +# For Broadcom bnx2 # # which is a separate case to the other Broadcom firmwares since its # license is contained in the shared WHENCE file. -LICENSE:${PN}-bnx2-mips = "WHENCE" +LICENSE:${PN}-bnx2 = "WHENCE" LICENSE:${PN}-whence-license = "WHENCE" -FILES:${PN}-bnx2-mips = "${nonarch_base_libdir}/firmware/bnx2/bnx2-mips-09-6.2.1b.fw" +FILES:${PN}-bnx2 = " \ + ${nonarch_base_libdir}/firmware/bnx2/bnx2-mips*.fw \ + ${nonarch_base_libdir}/firmware/bnx2/bnx2-rv2p*.fw \ +" FILES:${PN}-whence-license = "${nonarch_base_libdir}/firmware/WHENCE" -RDEPENDS:${PN}-bnx2-mips += "${PN}-whence-license" +RDEPENDS:${PN}-bnx2 += "${PN}-whence-license" +RPROVIDES:${PN}-bnx2 = "${PN}-bnx2-mips" + +LICENSE:${PN}-bnx2x = "WHENCE" + +FILES:${PN}-bnx2x = "${nonarch_base_libdir}/firmware/bnx2x/bnx2x*.fw" + +RDEPENDS:${PN}-bnx2x += "${PN}-whence-license" # For cirrus LICENSE:${PN}-cirrus = "Firmware-cirrus" @@ -1187,7 +1200,10 @@ FILES:${PN}-iwlwifi-7265d = "${nonarch_base_libdir}/firmware/iwlwifi-7265D-*.u FILES:${PN}-iwlwifi-8000c = "${nonarch_base_libdir}/firmware/iwlwifi-8000C-*.ucode" FILES:${PN}-iwlwifi-8265 = "${nonarch_base_libdir}/firmware/iwlwifi-8265-*.ucode" FILES:${PN}-iwlwifi-9000 = "${nonarch_base_libdir}/firmware/iwlwifi-9000-*.ucode" -FILES:${PN}-iwlwifi-misc = "${nonarch_base_libdir}/firmware/iwlwifi-*.ucode" +FILES:${PN}-iwlwifi-misc = " \ + ${nonarch_base_libdir}/firmware/iwlwifi-*.ucode \ + ${nonarch_base_libdir}/firmware/iwlwifi-*.pnvm \ +" RDEPENDS:${PN}-iwlwifi-135-6 = "${PN}-iwlwifi-license" RDEPENDS:${PN}-iwlwifi-3160-7 = "${PN}-iwlwifi-license" diff --git a/poky/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/poky/meta/recipes-kernel/linux/cve-exclusion_6.1.inc index 1b51737c7d..45fcc7b260 100644 --- a/poky/meta/recipes-kernel/linux/cve-exclusion_6.1.inc +++ b/poky/meta/recipes-kernel/linux/cve-exclusion_6.1.inc @@ -1,9 +1,9 @@ # Auto-generated CVE metadata, DO NOT EDIT BY HAND. -# Generated at 2023-12-23 08:44:42.304531+00:00 for version 6.1.68 +# Generated at 2024-01-18 21:10:06.148505+00:00 for version 6.1.73 python check_kernel_cve_status_version() { - this_version = "6.1.68" + this_version = "6.1.73" kernel_version = d.getVar("LINUX_VERSION") if kernel_version != this_version: bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version)) @@ -4584,6 +4584,8 @@ CVE_STATUS[CVE-2022-48425] = "cpe-stable-backport: Backported in 6.1.33" CVE_STATUS[CVE-2022-48502] = "cpe-stable-backport: Backported in 6.1.40" +CVE_STATUS[CVE-2022-48619] = "fixed-version: Fixed from version 5.18rc1" + CVE_STATUS[CVE-2023-0030] = "fixed-version: Fixed from version 5.0rc1" CVE_STATUS[CVE-2023-0045] = "cpe-stable-backport: Backported in 6.1.5" @@ -4644,7 +4646,7 @@ CVE_STATUS[CVE-2023-1118] = "cpe-stable-backport: Backported in 6.1.16" CVE_STATUS[CVE-2023-1192] = "cpe-stable-backport: Backported in 6.1.33" -# CVE-2023-1193 needs backporting (fixed from 6.3rc6) +CVE_STATUS[CVE-2023-1193] = "cpe-stable-backport: Backported in 6.1.71" CVE_STATUS[CVE-2023-1194] = "cpe-stable-backport: Backported in 6.1.34" @@ -4666,6 +4668,8 @@ CVE_STATUS[CVE-2023-1382] = "fixed-version: Fixed from version 6.1rc7" CVE_STATUS[CVE-2023-1390] = "fixed-version: Fixed from version 5.11rc4" +# CVE-2023-1476 has no known resolution + CVE_STATUS[CVE-2023-1513] = "cpe-stable-backport: Backported in 6.1.13" CVE_STATUS[CVE-2023-1582] = "fixed-version: Fixed from version 5.17rc4" @@ -5088,7 +5092,7 @@ CVE_STATUS[CVE-2023-45871] = "cpe-stable-backport: Backported in 6.1.53" CVE_STATUS[CVE-2023-45898] = "fixed-version: only affects 6.5rc1 onwards" -# CVE-2023-4610 needs backporting (fixed from 6.4) +CVE_STATUS[CVE-2023-4610] = "fixed-version: only affects 6.4rc1 onwards" CVE_STATUS[CVE-2023-4611] = "fixed-version: only affects 6.4rc1 onwards" @@ -5106,11 +5110,21 @@ CVE_STATUS[CVE-2023-4881] = "cpe-stable-backport: Backported in 6.1.54" CVE_STATUS[CVE-2023-4921] = "cpe-stable-backport: Backported in 6.1.54" +# CVE-2023-50431 has no known resolution + CVE_STATUS[CVE-2023-5090] = "cpe-stable-backport: Backported in 6.1.62" CVE_STATUS[CVE-2023-5158] = "cpe-stable-backport: Backported in 6.1.57" -# CVE-2023-5178 needs backporting (fixed from 6.1.60) +CVE_STATUS[CVE-2023-51779] = "cpe-stable-backport: Backported in 6.1.70" + +CVE_STATUS[CVE-2023-5178] = "cpe-stable-backport: Backported in 6.1.60" + +CVE_STATUS[CVE-2023-51780] = "cpe-stable-backport: Backported in 6.1.69" + +CVE_STATUS[CVE-2023-51781] = "cpe-stable-backport: Backported in 6.1.69" + +CVE_STATUS[CVE-2023-51782] = "cpe-stable-backport: Backported in 6.1.69" CVE_STATUS[CVE-2023-5197] = "cpe-stable-backport: Backported in 6.1.56" @@ -5120,10 +5134,12 @@ CVE_STATUS[CVE-2023-5633] = "fixed-version: only affects 6.2 onwards" # CVE-2023-5717 needs backporting (fixed from 6.1.60) -# CVE-2023-5972 needs backporting (fixed from 6.6rc7) +CVE_STATUS[CVE-2023-5972] = "fixed-version: only affects 6.2rc1 onwards" # CVE-2023-6039 needs backporting (fixed from 6.5rc5) +CVE_STATUS[CVE-2023-6040] = "fixed-version: Fixed from version 5.18rc1" + CVE_STATUS[CVE-2023-6111] = "fixed-version: only affects 6.6rc3 onwards" CVE_STATUS[CVE-2023-6121] = "cpe-stable-backport: Backported in 6.1.65" @@ -5132,3 +5148,43 @@ CVE_STATUS[CVE-2023-6176] = "cpe-stable-backport: Backported in 6.1.54" # CVE-2023-6238 has no known resolution +# CVE-2023-6270 has no known resolution + +# CVE-2023-6356 has no known resolution + +CVE_STATUS[CVE-2023-6531] = "cpe-stable-backport: Backported in 6.1.68" + +# CVE-2023-6535 has no known resolution + +# CVE-2023-6536 has no known resolution + +CVE_STATUS[CVE-2023-6546] = "cpe-stable-backport: Backported in 6.1.47" + +# CVE-2023-6560 needs backporting (fixed from 6.7rc4) + +CVE_STATUS[CVE-2023-6606] = "cpe-stable-backport: Backported in 6.1.70" + +# CVE-2023-6610 needs backporting (fixed from 6.7rc7) + +CVE_STATUS[CVE-2023-6622] = "cpe-stable-backport: Backported in 6.1.68" + +CVE_STATUS[CVE-2023-6679] = "fixed-version: only affects 6.7rc1 onwards" + +CVE_STATUS[CVE-2023-6817] = "cpe-stable-backport: Backported in 6.1.68" + +CVE_STATUS[CVE-2023-6931] = "cpe-stable-backport: Backported in 6.1.68" + +CVE_STATUS[CVE-2023-6932] = "cpe-stable-backport: Backported in 6.1.66" + +# CVE-2023-7042 has no known resolution + +CVE_STATUS[CVE-2023-7192] = "cpe-stable-backport: Backported in 6.1.18" + +CVE_STATUS[CVE-2024-0193] = "fixed-version: only affects 6.5rc6 onwards" + +# CVE-2024-0340 needs backporting (fixed from 6.4rc6) + +CVE_STATUS[CVE-2024-0443] = "fixed-version: only affects 6.2rc1 onwards" + +# Skipping dd=CVE-2023-1476, no affected_versions + diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb index 5cfc5a7dd8..06c07b70c8 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "739b3001f20153a66d2723de81faae18cd61892b" -SRCREV_meta ?= "991713c8765172cb5d18703d15589f3ec6e1b772" +SRCREV_machine ?= "6fd0860ac9846438f226257ab515bcd612fdc379" +SRCREV_meta ?= "40dede8a165ea5894f172fede6baa0dd94d23fec" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.1;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.1.68" +LINUX_VERSION ?= "6.1.73" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb index e19b0ec132..e391074f8b 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.1.inc -LINUX_VERSION ?= "6.1.68" +LINUX_VERSION ?= "6.1.73" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_meta ?= "991713c8765172cb5d18703d15589f3ec6e1b772" +SRCREV_machine ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_meta ?= "40dede8a165ea5894f172fede6baa0dd94d23fec" PV = "${LINUX_VERSION}+git" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb b/poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb index 1329ccc958..f520954646 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb @@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.1/standard/base" KBRANCH:qemuloongarch64 ?= "v6.1/standard/base" KBRANCH:qemumips64 ?= "v6.1/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "85915187700314cb7ac70fd33da3e9dfd7c20063" -SRCREV_machine:qemuarm64 ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_machine:qemuloongarch64 ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_machine:qemumips ?= "24b06ee00fc3b65a24d7e867148b08a85296e67c" -SRCREV_machine:qemuppc ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_machine:qemuriscv64 ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_machine:qemuriscv32 ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_machine:qemux86 ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_machine:qemux86-64 ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_machine:qemumips64 ?= "d4659a339611a02e4ffc2861e697c1a278707d70" -SRCREV_machine ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_meta ?= "991713c8765172cb5d18703d15589f3ec6e1b772" +SRCREV_machine:qemuarm ?= "45e6b64447b888e94af6fa8529cf976bf8116624" +SRCREV_machine:qemuarm64 ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_machine:qemuloongarch64 ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_machine:qemumips ?= "90ea25826ce7ef511d0d93ae33c3888f3b583bf3" +SRCREV_machine:qemuppc ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_machine:qemuriscv64 ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_machine:qemuriscv32 ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_machine:qemux86 ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_machine:qemux86-64 ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_machine:qemumips64 ?= "59248cf67c17a987f898d9d0c81292cb5fcda858" +SRCREV_machine ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_meta ?= "40dede8a165ea5894f172fede6baa0dd94d23fec" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "ba6f5fb465114fcd48ddb2c7a7740915b2289d6b" +SRCREV_machine:class-devupstream ?= "fec3b1451d5febbc9e04250f879c10f8952e6bed" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.1/base" @@ -45,7 +45,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA SRC_URI += "file://0001-perf-cpumap-Make-counter-as-unsigned-ints.patch" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.1.68" +LINUX_VERSION ?= "6.1.73" PV = "${LINUX_VERSION}+git" diff --git a/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.9.bb index b545f020cf..f60234b528 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.9.bb @@ -12,7 +12,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-devtools/gst-devtools-${PV} file://0001-connect-has-a-different-signature-on-musl.patch \ " -SRC_URI[sha256sum] = "157cf93fb2741cf0c3dea731be3af2ffae703c9f2cd3c0c91b380fbc685eb9f9" +SRC_URI[sha256sum] = "02e29400b44e9cc603aa6444dee5726b57edabef6455e6d0921ffed6f13840ee" DEPENDS = "json-glib glib-2.0 glib-2.0-native gstreamer1.0 gstreamer1.0-plugins-base" RRECOMMENDS:${PN} = "git" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.9.bb index 7169223636..10536acc87 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.9.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=69333daa044cb77e486cc36129f7a770 \ " SRC_URI = "https://gstreamer.freedesktop.org/src/gst-libav/gst-libav-${PV}.tar.xz" -SRC_URI[sha256sum] = "1525b917141b895fe5cf618fe8867622b2528278a0286e9f727b5f37317daca1" +SRC_URI[sha256sum] = "192f7d27d21c1e7c72c339a2647a9b0c247fedc62ea5029115f8c3e22ebb87d8" S = "${WORKDIR}/gst-libav-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.9.bb index ad40cf5513..05d64748bb 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.9.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-omx/gst-omx-${PV}.tar.xz" -SRC_URI[sha256sum] = "d7a18ec47d40a472bd5cba2015e0be72b732f1699895398cec5cd8e6a3a53b44" +SRC_URI[sha256sum] = "9362d6117985d09dcf6e27bdaef377dc08efb7df01d00101d04fb644addac61e" S = "${WORKDIR}/gst-omx-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.9.bb index b7d787b611..6e5aa2f206 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.9.bb @@ -10,7 +10,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad file://0002-avoid-including-sys-poll.h-directly.patch \ file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \ " -SRC_URI[sha256sum] = "c716f8dffa8fac3fb646941af1c6ec72fff05a045131311bf2d049fdc87bce2e" +SRC_URI[sha256sum] = "1bc65d0fd5f53a3636564efd3fcf318c3edcdec39c4109a503c1fc8203840a1d" S = "${WORKDIR}/gst-plugins-bad-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.9.bb index 3b8923e8f2..980766c74b 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.9.bb @@ -11,7 +11,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0003-viv-fb-Make-sure-config.h-is-included.patch \ file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \ " -SRC_URI[sha256sum] = "62519e0d8f969ebf62a9a7996f2d23efdda330217a635f4a32c0bf1c71577468" +SRC_URI[sha256sum] = "fac3e0dd2d8e9370388b34bf8c21b89d5f63bc3cfc12cd7fdc8fc6c1cba03334" S = "${WORKDIR}/gst-plugins-base-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.9.bb index b8496a1750..052ba1801b 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.9.bb @@ -8,7 +8,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ file://0001-v4l2-Define-ioctl_req_t-for-posix-linux-case.patch" -SRC_URI[sha256sum] = "b6db0e18e398b52665b7cdce301c34a8750483d5f4fbac1ede9f80b03743cd15" +SRC_URI[sha256sum] = "26959fcfebfff637d4ea08ef40316baf31b61bb7729820b0684e800c3a1478b6" S = "${WORKDIR}/gst-plugins-good-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.9.bb index 8a67531123..722f8e9fe3 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.9.bb @@ -14,7 +14,8 @@ LICENSE_FLAGS = "commercial" SRC_URI = " \ https://gstreamer.freedesktop.org/src/gst-plugins-ugly/gst-plugins-ugly-${PV}.tar.xz \ " -SRC_URI[sha256sum] = "520b46bca637189ad86a298ff245b2d89375dbcac8b05d74daea910f81a9e9da" + +SRC_URI[sha256sum] = "0bf685d66015a01dd3fc1671b64a1c8acb321dd9d4ab9e05a29ab19782aa6236" S = "${WORKDIR}/gst-plugins-ugly-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.9.bb index a387031635..e086fa6866 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.9.bb @@ -8,7 +8,7 @@ LICENSE = "LGPL-2.1-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=c34deae4e395ca07e725ab0076a5f740" SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz" -SRC_URI[sha256sum] = "1ef8df7608012fa469329799c950ec087737a6dabad3003c230658b58c710172" +SRC_URI[sha256sum] = "3f9d5c6ffefda268703744b592a6b3983aa6723273b1220ecbcb62c2a5800009" DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base python3-pygobject" RDEPENDS:${PN} += "gstreamer1.0 gstreamer1.0-plugins-base python3-pygobject" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.9.bb index af1c2ced44..e232263a46 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.9.bb @@ -10,7 +10,7 @@ PNREAL = "gst-rtsp-server" SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz" -SRC_URI[sha256sum] = "f7fac001e20ad21e36d18397741c4657c5d43571eb1cc3b49f9a93ae127dc88f" +SRC_URI[sha256sum] = "808af148f89404ff74850f8ca5272bed4bfe67f9620231dc4514fd07eb26d0a4" S = "${WORKDIR}/${PNREAL}-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.9.bb index 4cad50742d..c53ee29051 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.9.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=4fbd65380cdd255951079008b364516c" SRC_URI = "https://gstreamer.freedesktop.org/src/${REALPN}/${REALPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "0e9fff768b89de6d318b34146e4e781d82b9a0f4025dc541b2c8349c7bcb7f67" +SRC_URI[sha256sum] = "8ba20da8c4cbf5b2953dba904672c4275d0053e1528f97fdf8e59942c7883ca8" S = "${WORKDIR}/${REALPN}-${PV}" DEPENDS = "libva gstreamer1.0 gstreamer1.0-plugins-base gstreamer1.0-plugins-bad" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.9.bb index 72161b272f..b4ab6ad10c 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.9.bb @@ -22,7 +22,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gstreamer/gstreamer-${PV}.tar.x file://0003-tests-use-a-dictionaries-for-environment.patch;striplevel=3 \ file://0004-tests-add-helper-script-to-run-the-installed_tests.patch;striplevel=3 \ " -SRC_URI[sha256sum] = "01e42c6352a06bdfa4456e64b06ab7d98c5c487a25557c761554631cbda64217" +SRC_URI[sha256sum] = "1e7124d347e8cdc80f08ec1d370c201be513002af1102bb20e83c5279cb48ebd" PACKAGECONFIG ??= "${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)} \ check \ diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch new file mode 100644 index 0000000000..f5520fcafd --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch @@ -0,0 +1,238 @@ +From 335947359ce2dd3862cd9f7c49f92eba065dfed4 Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Thu, 1 Feb 2024 13:06:08 +0000 +Subject: [PATCH] manpage: Update TIFF documentation about TIFFOpenOptions.rst + and TIFFOpenOptionsSetMaxSingleMemAlloc() usage and some other small fixes. + +CVE: CVE-2023-52355 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + doc/functions/TIFFDeferStrileArrayWriting.rst | 5 +++ + doc/functions/TIFFError.rst | 3 ++ + doc/functions/TIFFOpen.rst | 13 +++--- + doc/functions/TIFFOpenOptions.rst | 44 ++++++++++++++++++- + doc/functions/TIFFStrileQuery.rst | 5 +++ + doc/libtiff.rst | 31 ++++++++++++- + 6 files changed, 91 insertions(+), 10 deletions(-) + +diff --git a/doc/functions/TIFFDeferStrileArrayWriting.rst b/doc/functions/TIFFDeferStrileArrayWriting.rst +index 60ee746..705aebc 100644 +--- a/doc/functions/TIFFDeferStrileArrayWriting.rst ++++ b/doc/functions/TIFFDeferStrileArrayWriting.rst +@@ -61,6 +61,11 @@ Diagnostics + All error messages are directed to the :c:func:`TIFFErrorExtR` routine. + Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine. + ++Note ++---- ++ ++This functionality was introduced with libtiff 4.1. ++ + See also + -------- + +diff --git a/doc/functions/TIFFError.rst b/doc/functions/TIFFError.rst +index 99924ad..cf4b37c 100644 +--- a/doc/functions/TIFFError.rst ++++ b/doc/functions/TIFFError.rst +@@ -65,6 +65,9 @@ or :c:func:`TIFFClientOpenExt`. + Furthermore, a **custom defined data structure** *user_data* for the + error handler can be given along. + ++Please refer to :doc:`/functions/TIFFOpenOptions` for how to setup the ++application-specific handler introduced with libtiff 4.5. ++ + Note + ---- + +diff --git a/doc/functions/TIFFOpen.rst b/doc/functions/TIFFOpen.rst +index db79d7b..adc474f 100644 +--- a/doc/functions/TIFFOpen.rst ++++ b/doc/functions/TIFFOpen.rst +@@ -94,8 +94,9 @@ TIFF structure without closing the file handle and afterwards the + file should be closed using its file descriptor *fd*. + + :c:func:`TIFFOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFOpen`, +-but options, such as re-entrant error and warning handlers may be passed +-with the *opts* argument. The *opts* argument may be NULL. ++but options, such as re-entrant error and warning handlers and a limit in byte ++that libtiff internal memory allocation functions are allowed to request per call ++may be passed with the *opts* argument. The *opts* argument may be NULL. + Refer to :doc:`TIFFOpenOptions` for allocating and filling the *opts* argument + parameters. The allocated memory for :c:type:`TIFFOpenOptions` + can be released straight after successful execution of the related +@@ -105,9 +106,7 @@ can be released straight after successful execution of the related + but opens a TIFF file with a Unicode filename. + + :c:func:`TIFFFdOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFFdOpen`, +-but options, such as re-entrant error and warning handlers may be passed +-with the *opts* argument. The *opts* argument may be NULL. +-Refer to :doc:`TIFFOpenOptions` for filling the *opts* argument. ++but options argument *opts* like for :c:func:`TIFFOpenExt` can be passed. + + :c:func:`TIFFSetFileName` sets the file name in the tif-structure + and returns the old file name. +@@ -326,5 +325,5 @@ See also + + :doc:`libtiff` (3tiff), + :doc:`TIFFClose` (3tiff), +-:doc:`TIFFStrileQuery`, +-:doc:`TIFFOpenOptions` +\ No newline at end of file ++:doc:`TIFFStrileQuery` (3tiff), ++:doc:`TIFFOpenOptions` +diff --git a/doc/functions/TIFFOpenOptions.rst b/doc/functions/TIFFOpenOptions.rst +index 5c67566..23f2975 100644 +--- a/doc/functions/TIFFOpenOptions.rst ++++ b/doc/functions/TIFFOpenOptions.rst +@@ -38,12 +38,17 @@ opaque structure and returns a :c:type:`TIFFOpenOptions` pointer. + :c:func:`TIFFOpenOptionsFree` releases the allocated memory for + :c:type:`TIFFOpenOptions`. The allocated memory for :c:type:`TIFFOpenOptions` + can be released straight after successful execution of the related +-TIFF open"Ext" functions like :c:func:`TIFFOpenExt`. ++TIFFOpen"Ext" functions like :c:func:`TIFFOpenExt`. + + :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` sets parameter for the + maximum single memory limit in byte that ``libtiff`` internal memory allocation + functions are allowed to request per call. + ++.. note:: ++ However, the ``libtiff`` external functions :c:func:`_TIFFmalloc` ++ and :c:func:`_TIFFrealloc` **do not apply** this internal memory ++ allocation limit set by :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`! ++ + :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` sets the function pointer to + an application-specific and per-TIFF handle (re-entrant) error handler. + Furthermore, a pointer to a **custom defined data structure** *errorhandler_user_data* +@@ -55,6 +60,43 @@ The *errorhandler_user_data* argument may be NULL. + :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` but for the warning handler, + which is invoked through :c:func:`TIFFWarningExtR` + ++Example ++------- ++ ++:: ++ ++ #include "tiffio.h" ++ ++ typedef struct MyErrorHandlerUserDataStruct ++ { ++ /* ... any user data structure ... */ ++ } MyErrorHandlerUserDataStruct; ++ ++ static int myErrorHandler(TIFF *tiff, void *user_data, const char *module, ++ const char *fmt, va_list ap) ++ { ++ MyErrorHandlerUserDataStruct *errorhandler_user_data = ++ (MyErrorHandlerUserDataStruct *)user_data; ++ /*... code of myErrorHandler ...*/ ++ return 1; ++ } ++ ++ ++ main() ++ { ++ tmsize_t limit = (256 * 1024 * 1024); ++ MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */}; ++ ++ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc(); ++ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit); ++ TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data); ++ TIFF *tif = TIFFOpenExt("foo.tif", "r", opts); ++ TIFFOpenOptionsFree(opts); ++ /* ... go on here ... */ ++ ++ TIFFClose(tif); ++ } ++ + Note + ---- + +diff --git a/doc/functions/TIFFStrileQuery.rst b/doc/functions/TIFFStrileQuery.rst +index f8631af..7931fe4 100644 +--- a/doc/functions/TIFFStrileQuery.rst ++++ b/doc/functions/TIFFStrileQuery.rst +@@ -66,6 +66,11 @@ Diagnostics + All error messages are directed to the :c:func:`TIFFErrorExtR` routine. + Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine. + ++Note ++---- ++ ++This functionality was introduced with libtiff 4.1. ++ + See also + -------- + +diff --git a/doc/libtiff.rst b/doc/libtiff.rst +index 6a0054c..d96a860 100644 +--- a/doc/libtiff.rst ++++ b/doc/libtiff.rst +@@ -90,11 +90,15 @@ compatibility on machines with a segmented architecture. + :c:func:`realloc`, and :c:func:`free` routines in the C library.) + + To deal with segmented pointer issues ``libtiff`` also provides +-:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemmove` ++:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemcmp` + routines that mimic the equivalent ANSI C routines, but that are + intended for use with memory allocated through :c:func:`_TIFFmalloc` + and :c:func:`_TIFFrealloc`. + ++With ``libtiff`` 4.5 a method was introduced to limit the internal ++memory allocation that functions are allowed to request per call ++(see :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` and :c:func:`TIFFOpenExt`). ++ + Error Handling + -------------- + +@@ -106,6 +110,10 @@ routine that can be specified with a call to :c:func:`TIFFSetErrorHandler`. + Likewise warning messages are directed to a single handler routine + that can be specified with a call to :c:func:`TIFFSetWarningHandler` + ++Further application-specific and per-TIFF handle (re-entrant) error handler ++and warning handler can be set. Please refer to :doc:`/functions/TIFFError` ++and :doc:`/functions/TIFFOpenOptions`. ++ + Basic File Handling + ------------------- + +@@ -139,7 +147,7 @@ a ``"w"`` argument: + main() + { + TIFF* tif = TIFFOpen("foo.tif", "w"); +- ... do stuff ... ++ /* ... do stuff ... */ + TIFFClose(tif); + } + +@@ -157,6 +165,25 @@ to always call :c:func:`TIFFClose` or :c:func:`TIFFFlush` to flush any + buffered information to a file. Note that if you call :c:func:`TIFFClose` + you do not need to call :c:func:`TIFFFlush`. + ++.. warning:: ++ ++ In order to prevent out-of-memory issues when opening a TIFF file ++ :c:func:`TIFFOpenExt` can be used and then the maximum single memory ++ limit in byte that ``libtiff`` internal memory allocation functions ++ are allowed to request per call can be set with ++ :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`. ++ ++Example ++ ++:: ++ ++ tmsize_t limit = (256 * 1024 * 1024); ++ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc(); ++ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit); ++ TIFF *tif = TIFFOpenExt("foo.tif", "w", opts); ++ TIFFOpenOptionsFree(opts); ++ /* ... go on here ... */ ++ + TIFF Directories + ---------------- + +-- +2.40.0 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch new file mode 100644 index 0000000000..19a1ef727a --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch @@ -0,0 +1,28 @@ +From 16ab4a205cfc938c32686e8d697d048fabf97ed4 Mon Sep 17 00:00:00 2001 +From: Timothy Lyanguzov <theta682@gmail.com> +Date: Thu, 1 Feb 2024 11:19:06 +0000 +Subject: [PATCH] Fix typo. + +CVE: CVE-2023-52355 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/16ab4a205cfc938c32686e8d697d048fabf97ed4] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + doc/libtiff.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/libtiff.rst b/doc/libtiff.rst +index d96a860..4fedc3e 100644 +--- a/doc/libtiff.rst ++++ b/doc/libtiff.rst +@@ -169,7 +169,7 @@ you do not need to call :c:func:`TIFFFlush`. + + In order to prevent out-of-memory issues when opening a TIFF file + :c:func:`TIFFOpenExt` can be used and then the maximum single memory +- limit in byte that ``libtiff`` internal memory allocation functions ++ limit in bytes that ``libtiff`` internal memory allocation functions + are allowed to request per call can be set with + :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`. + +-- +2.40.0 diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch new file mode 100644 index 0000000000..75f5d8946a --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch @@ -0,0 +1,49 @@ +From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Thu, 1 Feb 2024 11:38:14 +0000 +Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of + col/row (fixes #622) + +CVE: CVE-2023-52356 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + libtiff/tif_getimage.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 41f7dfd..9cd6eee 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster, + if (TIFFRGBAImageOK(tif, emsg) && + TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) + { ++ if (row >= img.height) ++ { ++ TIFFErrorExtR(tif, TIFFFileName(tif), ++ "Invalid row passed to TIFFReadRGBAStrip()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } + + img.row_offset = row; + img.col_offset = 0; +@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster, + return (0); + } + ++ if (col >= img.width || row >= img.height) ++ { ++ TIFFErrorExtR(tif, TIFFFileName(tif), ++ "Invalid row/col passed to TIFFReadRGBATile()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } ++ + /* + * The TIFFRGBAImageGet() function doesn't allow us to get off the + * edge of the image, even to fill an otherwise valid tile. So we +-- +2.40.0 diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch new file mode 100644 index 0000000000..2020508fdf --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch @@ -0,0 +1,31 @@ +From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Wed, 17 Jan 2024 06:57:08 +0000 +Subject: [PATCH] codec of input image is available, independently from codec + check of output image and return with error if not. + +Fixes #606. + +CVE: CVE-2023-6228 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + tools/tiffcp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index aff0626..a4f7f6b 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -846,6 +846,8 @@ static int tiffcp(TIFF *in, TIFF *out) + if (!TIFFIsCODECConfigured(compression)) + return FALSE; + TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression); ++ if (!TIFFIsCODECConfigured(input_compression)) ++ return FALSE; + TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric); + if (input_compression == COMPRESSION_JPEG) + { +-- +2.40.0 diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch new file mode 100644 index 0000000000..5d15dff1d9 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch @@ -0,0 +1,27 @@ +From e1640519208121f916da1772a5efb6ca28971b86 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 31 Oct 2023 15:04:37 +0000 +Subject: [PATCH 3/3] Apply 1 suggestion(s) to 1 file(s) + +CVE: CVE-2023-6277 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + libtiff/tif_dirread.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index fe8d6f8..58a4276 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5306,7 +5306,6 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir, + { + uint64_t space; + uint16_t n; +- filesize = TIFFGetFileSize(tif); + if (!(tif->tif_flags & TIFF_BIGTIFF)) + space = sizeof(TIFFHeaderClassic) + 2 + dircount * 12 + 4; + else +-- +2.43.0 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch new file mode 100644 index 0000000000..9fc8182fef --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch @@ -0,0 +1,36 @@ +From f500facf7723f1cae725dd288b2daad15e45131c Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Mon, 30 Oct 2023 21:21:57 +0100 +Subject: [PATCH 2/3] At image reading, compare data size of some tags / data + structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with + file size to prevent provoked out-of-memory attacks. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +See issue #614. + +Correct declaration of ‘filesize’ shadows a previous local. + +CVE: CVE-2023-6277 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + libtiff/tif_dirread.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index c52d41f..fe8d6f8 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5305,7 +5305,6 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir, + if (td->td_compression != COMPRESSION_NONE) + { + uint64_t space; +- uint64_t filesize; + uint16_t n; + filesize = TIFFGetFileSize(tif); + if (!(tif->tif_flags & TIFF_BIGTIFF)) +-- +2.43.0 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch new file mode 100644 index 0000000000..d5854a9059 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch @@ -0,0 +1,162 @@ +From b33baa5d9c6aac8ce49b5180dd48e39697ab7a11 Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Fri, 27 Oct 2023 22:11:10 +0200 +Subject: [PATCH 1/3] At image reading, compare data size of some tags / data + structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with + file size to prevent provoked out-of-memory attacks. + +See issue #614. + +CVE: CVE-2023-6277 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + libtiff/tif_dirread.c | 90 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 90 insertions(+) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 2c49dc6..c52d41f 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -1308,6 +1308,21 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry, + datasize = (*count) * typesize; + assert((tmsize_t)datasize > 0); + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of requested memory is not greater than file size. ++ */ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ if (datasize > filesize) ++ { ++ TIFFWarningExtR(tif, "ReadDirEntryArray", ++ "Requested memory size for tag %d (0x%x) %" PRIu32 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, tag not read", ++ direntry->tdir_tag, direntry->tdir_tag, datasize, ++ filesize); ++ return (TIFFReadDirEntryErrAlloc); ++ } ++ + if (isMapped(tif) && datasize > (uint64_t)tif->tif_size) + return TIFFReadDirEntryErrIo; + +@@ -5266,6 +5281,20 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir, + if (!_TIFFFillStrilesInternal(tif, 0)) + return -1; + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of requested memory is not greater than file size. */ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExtR(tif, module, ++ "Requested memory size for StripByteCounts of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ return -1; ++ } ++ + if (td->td_stripbytecount_p) + _TIFFfreeExt(tif, td->td_stripbytecount_p); + td->td_stripbytecount_p = (uint64_t *)_TIFFCheckMalloc( +@@ -5807,6 +5836,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff, + dircount16 = (uint16_t)dircount64; + dirsize = 20; + } ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ uint64_t allocsize = (uint64_t)dircount16 * dirsize; ++ if (allocsize > filesize) ++ { ++ TIFFWarningExtR( ++ tif, module, ++ "Requested memory size for TIFF directory of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, TIFF directory not read", ++ allocsize, filesize); ++ return 0; ++ } + origdir = _TIFFCheckMalloc(tif, dircount16, dirsize, + "to read TIFF directory"); + if (origdir == NULL) +@@ -5921,6 +5964,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff, + "directories not supported"); + return 0; + } ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ uint64_t allocsize = (uint64_t)dircount16 * dirsize; ++ if (allocsize > filesize) ++ { ++ TIFFWarningExtR( ++ tif, module, ++ "Requested memory size for TIFF directory of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, TIFF directory not read", ++ allocsize, filesize); ++ return 0; ++ } + origdir = _TIFFCheckMalloc(tif, dircount16, dirsize, + "to read TIFF directory"); + if (origdir == NULL) +@@ -5968,6 +6025,8 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff, + } + } + } ++ /* No check against filesize needed here because "dir" should have same size ++ * than "origdir" checked above. */ + dir = (TIFFDirEntry *)_TIFFCheckMalloc( + tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory"); + if (dir == 0) +@@ -7164,6 +7223,20 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips, + return (0); + } + ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExtR(tif, module, ++ "Requested memory size for StripArray of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ _TIFFfreeExt(tif, data); ++ return (0); ++ } + resizeddata = (uint64_t *)_TIFFCheckMalloc( + tif, nstrips, sizeof(uint64_t), "for strip array"); + if (resizeddata == 0) +@@ -7263,6 +7336,23 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips, + } + bytecount = last_offset + last_bytecount - offset; + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of StripByteCount and StripOffset tags is not greater than ++ * file size. ++ */ ++ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2; ++ uint64_t filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExtR(tif, "allocChoppedUpStripArrays", ++ "Requested memory size for StripByteCount and " ++ "StripOffsets %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ return; ++ } ++ + newcounts = + (uint64_t *)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), + "for chopped \"StripByteCounts\" array"); +-- +2.43.0 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/poky/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb index 49984f1125..a26e4694f6 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb +++ b/poky/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb @@ -9,6 +9,13 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3" CVE_PRODUCT = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ + file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch \ + file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \ + file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \ + file://CVE-2023-6228.patch \ + file://CVE-2023-52355-0001.patch \ + file://CVE-2023-52355-0002.patch \ + file://CVE-2023-52356.patch \ " SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a" diff --git a/poky/meta/recipes-sato/sato-icon-theme/icon-naming-utils_0.8.90.bb b/poky/meta/recipes-sato/sato-icon-theme/icon-naming-utils_0.8.90.bb index 67cbd03100..5502b66905 100644 --- a/poky/meta/recipes-sato/sato-icon-theme/icon-naming-utils_0.8.90.bb +++ b/poky/meta/recipes-sato/sato-icon-theme/icon-naming-utils_0.8.90.bb @@ -14,7 +14,7 @@ DEPENDS = "libxml-simple-perl-native" LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" -SRC_URI = "http://tango.freedesktop.org/releases/icon-naming-utils-${PV}.tar.gz" +SRC_URI = "${DEBIAN_MIRROR}/main/i/icon-naming-utils/icon-naming-utils_${PV}.orig.tar.gz" SRC_URI[sha256sum] = "044ab2199ed8c6a55ce36fd4fcd8b8021a5e21f5bab028c0a7cdcf52a5902e1c" inherit autotools allarch perlnative @@ -26,4 +26,4 @@ do_configure:append() { FILES:${PN} += "${datadir}/dtds" -BBCLASSEXTEND = "native"
\ No newline at end of file +BBCLASSEXTEND = "native" diff --git a/poky/meta/recipes-support/aspell/aspell_0.60.8.bb b/poky/meta/recipes-support/aspell/aspell_0.60.8.1.bb index 39b55f4ff2..0ea9b063e0 100644 --- a/poky/meta/recipes-support/aspell/aspell_0.60.8.bb +++ b/poky/meta/recipes-support/aspell/aspell_0.60.8.1.bb @@ -13,11 +13,8 @@ HOMEPAGE = "http://aspell.net/" LICENSE = "LGPL-2.0-only | LGPL-2.1-only" LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34" -SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz \ - file://CVE-2019-25051.patch \ -" -SRC_URI[md5sum] = "012fa9209203ae4e5a61c2a668fd10e3" -SRC_URI[sha256sum] = "f9b77e515334a751b2e60daab5db23499e26c9209f5e7b7443b05235ad0226f2" +SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz" +SRC_URI[sha256sum] = "d6da12b34d42d457fa604e435ad484a74b2effcd120ff40acd6bb3fb2887d21b" PACKAGECONFIG ??= "" PACKAGECONFIG[curses] = "--enable-curses,--disable-curses,ncurses" diff --git a/poky/meta/recipes-support/aspell/files/CVE-2019-25051.patch b/poky/meta/recipes-support/aspell/files/CVE-2019-25051.patch deleted file mode 100644 index 8513f6de79..0000000000 --- a/poky/meta/recipes-support/aspell/files/CVE-2019-25051.patch +++ /dev/null @@ -1,101 +0,0 @@ -From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001 -From: Kevin Atkinson <kevina@gnu.org> -Date: Sat, 21 Dec 2019 20:32:47 +0000 -Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk - to prevent a buffer overflow - -Bug found using OSS-Fuze. - -Upstream-Status: Backport -[https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a] -CVE: CVE-2019-25051 -Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> ---- - common/objstack.hpp | 18 ++++++++++++++---- - 1 file changed, 14 insertions(+), 4 deletions(-) - -diff --git a/common/objstack.hpp b/common/objstack.hpp -index 3997bf7..bd97ccd 100644 ---- a/common/objstack.hpp -+++ b/common/objstack.hpp -@@ -5,6 +5,7 @@ - #include "parm_string.hpp" - #include <stdlib.h> - #include <assert.h> -+#include <stddef.h> - - namespace acommon { - -@@ -26,6 +27,12 @@ class ObjStack - byte * temp_end; - void setup_chunk(); - void new_chunk(); -+ bool will_overflow(size_t sz) const { -+ return offsetof(Node,data) + sz > chunk_size; -+ } -+ void check_size(size_t sz) { -+ assert(!will_overflow(sz)); -+ } - - ObjStack(const ObjStack &); - void operator=(const ObjStack &); -@@ -56,7 +63,7 @@ class ObjStack - void * alloc_bottom(size_t size) { - byte * tmp = bottom; - bottom += size; -- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;} -+ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;} - return tmp; - } - // This alloc_bottom will insure that the object is aligned based on the -@@ -66,7 +73,7 @@ class ObjStack - align_bottom(align); - byte * tmp = bottom; - bottom += size; -- if (bottom > top) {new_chunk(); goto loop;} -+ if (bottom > top) {check_size(size); new_chunk(); goto loop;} - return tmp; - } - char * dup_bottom(ParmString str) { -@@ -79,7 +86,7 @@ class ObjStack - // always be aligned as such. - void * alloc_top(size_t size) { - top -= size; -- if (top < bottom) {new_chunk(); top -= size;} -+ if (top < bottom) {check_size(size); new_chunk(); top -= size;} - return top; - } - // This alloc_top will insure that the object is aligned based on -@@ -88,7 +95,7 @@ class ObjStack - {loop: - top -= size; - align_top(align); -- if (top < bottom) {new_chunk(); goto loop;} -+ if (top < bottom) {check_size(size); new_chunk(); goto loop;} - return top; - } - char * dup_top(ParmString str) { -@@ -117,6 +124,7 @@ class ObjStack - void * alloc_temp(size_t size) { - temp_end = bottom + size; - if (temp_end > top) { -+ check_size(size); - new_chunk(); - temp_end = bottom + size; - } -@@ -131,6 +139,7 @@ class ObjStack - } else { - size_t s = temp_end - bottom; - byte * p = bottom; -+ check_size(size); - new_chunk(); - memcpy(bottom, p, s); - temp_end = bottom + size; -@@ -150,6 +159,7 @@ class ObjStack - } else { - size_t s = temp_end - bottom; - byte * p = bottom; -+ check_size(size); - new_chunk(); - memcpy(bottom, p, s); - temp_end = bottom + size; diff --git a/poky/meta/recipes-support/atk/at-spi2-core_2.50.0.bb b/poky/meta/recipes-support/atk/at-spi2-core_2.50.1.bb index 57958fb7f5..6996ebebcd 100644 --- a/poky/meta/recipes-support/atk/at-spi2-core_2.50.0.bb +++ b/poky/meta/recipes-support/atk/at-spi2-core_2.50.1.bb @@ -11,7 +11,7 @@ MAJ_VER = "${@oe.utils.trim_version("${PV}", 2)}" SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "e9f5a8c8235c9dd963b2171de9120301129c677dde933955e1df618b949c4adc" +SRC_URI[sha256sum] = "5727b5c0687ac57ba8040e79bd6731b714a36b8fcf32190f236b8fb3698789e7" DEPENDS = " \ dbus \ diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-46219.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-46219.patch new file mode 100644 index 0000000000..d6c8925218 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-46219.patch @@ -0,0 +1,131 @@ +CVE: CVE-2023-46219 +Upstream-Status: Backport [ https://github.com/curl/curl/commit/73b65e94f3531179de45 ] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + +From 73b65e94f3531179de45c6f3c836a610e3d0a846 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 23 Nov 2023 08:23:17 +0100 +Subject: [PATCH] fopen: create short(er) temporary file name + +Only using random letters in the name plus a ".tmp" extension. Not by +appending characters to the final file name. + +Reported-by: Maksymilian Arciemowicz + +Closes #12388 +--- + lib/fopen.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 60 insertions(+), 5 deletions(-) + +diff --git a/lib/fopen.c b/lib/fopen.c +index 75b8a7aa534085..a73ac068ea3016 100644 +--- a/lib/fopen.c ++++ b/lib/fopen.c +@@ -39,6 +39,51 @@ + #include "curl_memory.h" + #include "memdebug.h" + ++/* ++ The dirslash() function breaks a null-terminated pathname string into ++ directory and filename components then returns the directory component up ++ to, *AND INCLUDING*, a final '/'. If there is no directory in the path, ++ this instead returns a "" string. ++ ++ This function returns a pointer to malloc'ed memory. ++ ++ The input path to this function is expected to have a file name part. ++*/ ++ ++#ifdef _WIN32 ++#define PATHSEP "\\" ++#define IS_SEP(x) (((x) == '/') || ((x) == '\\')) ++#elif defined(MSDOS) || defined(__EMX__) || defined(OS2) ++#define PATHSEP "\\" ++#define IS_SEP(x) ((x) == '\\') ++#else ++#define PATHSEP "/" ++#define IS_SEP(x) ((x) == '/') ++#endif ++ ++static char *dirslash(const char *path) ++{ ++ size_t n; ++ struct dynbuf out; ++ DEBUGASSERT(path); ++ Curl_dyn_init(&out, CURL_MAX_INPUT_LENGTH); ++ n = strlen(path); ++ if(n) { ++ /* find the rightmost path separator, if any */ ++ while(n && !IS_SEP(path[n-1])) ++ --n; ++ /* skip over all the path separators, if any */ ++ while(n && IS_SEP(path[n-1])) ++ --n; ++ } ++ if(Curl_dyn_addn(&out, path, n)) ++ return NULL; ++ /* if there was a directory, append a single trailing slash */ ++ if(n && Curl_dyn_addn(&out, PATHSEP, 1)) ++ return NULL; ++ return Curl_dyn_ptr(&out); ++} ++ + /* + * Curl_fopen() opens a file for writing with a temp name, to be renamed + * to the final name when completed. If there is an existing file using this +@@ -50,25 +95,34 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + FILE **fh, char **tempname) + { + CURLcode result = CURLE_WRITE_ERROR; +- unsigned char randsuffix[9]; ++ unsigned char randbuf[41]; + char *tempstore = NULL; + struct_stat sb; + int fd = -1; ++ char *dir; + *tempname = NULL; + ++ dir = dirslash(filename); ++ if(!dir) ++ goto fail; ++ + *fh = fopen(filename, FOPEN_WRITETEXT); + if(!*fh) + goto fail; +- if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) ++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) { ++ free(dir); + return CURLE_OK; ++ } + fclose(*fh); + *fh = NULL; + +- result = Curl_rand_alnum(data, randsuffix, sizeof(randsuffix)); ++ result = Curl_rand_alnum(data, randbuf, sizeof(randbuf)); + if(result) + goto fail; + +- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); ++ /* The temp file name should not end up too long for the target file ++ system */ ++ tempstore = aprintf("%s%s.tmp", dir, randbuf); + if(!tempstore) { + result = CURLE_OUT_OF_MEMORY; + goto fail; +@@ -95,6 +149,7 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + if(!*fh) + goto fail; + ++ free(dir); + *tempname = tempstore; + return CURLE_OK; + +@@ -105,7 +160,7 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + } + + free(tempstore); +- ++ free(dir); + return result; + } + diff --git a/poky/meta/recipes-support/curl/curl/disable-tests b/poky/meta/recipes-support/curl/curl/disable-tests index fdac795662..89255d6034 100644 --- a/poky/meta/recipes-support/curl/curl/disable-tests +++ b/poky/meta/recipes-support/curl/curl/disable-tests @@ -1,9 +1,17 @@ +# Intermittently fails e.g. https://autobuilder.yocto.io/pub/non-release/20231220-28/testresults/qemux86-64-ptest/curl.log +# https://autobuilder.yocto.io/pub/non-release/20231220-27/testresults/qemux86-64-ptest/curl.log +337 # These CRL test (alt-avc) are failing 356 412 413 # These CRL tests are scanning docs 971 +# Intermittently hangs e.g http://autobuilder.yocto.io/pub/non-release/20231228-18/testresults/qemux86-64-ptest/curl.log +1091 +# Intermittently hangs e.g https://autobuilder.yocto.io/pub/non-release/20231220-27/testresults/qemux86-64-ptest/curl.log +1096 +# These CRL tests are scanning docs 1119 1132 1135 diff --git a/poky/meta/recipes-support/curl/curl_8.4.0.bb b/poky/meta/recipes-support/curl/curl_8.4.0.bb index 8f1ba52692..977404c963 100644 --- a/poky/meta/recipes-support/curl/curl_8.4.0.bb +++ b/poky/meta/recipes-support/curl/curl_8.4.0.bb @@ -14,6 +14,7 @@ SRC_URI = " \ file://run-ptest \ file://disable-tests \ file://CVE-2023-46218.patch \ + file://CVE-2023-46219.patch \ " SRC_URI[sha256sum] = "16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d" diff --git a/poky/meta/recipes-support/libatomic-ops/libatomic-ops_7.8.0.bb b/poky/meta/recipes-support/libatomic-ops/libatomic-ops_7.8.2.bb index d4b77f6244..824400e743 100644 --- a/poky/meta/recipes-support/libatomic-ops/libatomic-ops_7.8.0.bb +++ b/poky/meta/recipes-support/libatomic-ops/libatomic-ops_7.8.2.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/libatomic_ops-${PV}.tar.gz" GITHUB_BASE_URI = "https://github.com/ivmai/libatomic_ops/releases" -SRC_URI[sha256sum] = "15676e7674e11bda5a7e50a73f4d9e7d60452271b8acf6fd39a71fefdf89fa31" +SRC_URI[sha256sum] = "d305207fe207f2b3fb5cb4c019da12b44ce3fcbc593dfd5080d867b1a2419b51" S = "${WORKDIR}/libatomic_ops-${PV}" diff --git a/poky/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch b/poky/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch new file mode 100644 index 0000000000..ab0f419ac5 --- /dev/null +++ b/poky/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch @@ -0,0 +1,466 @@ +From d4634630432594b139b3af6b9f254b890c0f275d Mon Sep 17 00:00:00 2001 +From: Michael Buckley <michael@buckleyisms.com> +Date: Thu, 30 Nov 2023 15:08:02 -0800 +Subject: [PATCH] src: add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack" + +Refs: +https://terrapin-attack.com/ +https://seclists.org/oss-sec/2023/q4/292 +https://osv.dev/list?ecosystem=&q=CVE-2023-48795 +https://github.com/advisories/GHSA-45x7-px36-x8w8 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795 + +Fixes #1290 +Closes #1291 + +CVE: CVE-2023-48795 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + src/kex.c | 63 +++++++++++++++++++++++------------ + src/libssh2_priv.h | 18 +++++++--- + src/packet.c | 83 +++++++++++++++++++++++++++++++++++++++++++--- + src/packet.h | 2 +- + src/session.c | 3 ++ + src/transport.c | 12 ++++++- + 6 files changed, 149 insertions(+), 32 deletions(-) + +diff --git a/src/kex.c b/src/kex.c +index d4034a0a..b4b748ca 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -3037,6 +3037,13 @@ kex_method_extension_negotiation = { + 0, + }; + ++static const LIBSSH2_KEX_METHOD ++kex_method_strict_client_extension = { ++ "kex-strict-c-v00@openssh.com", ++ NULL, ++ 0, ++}; ++ + static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = { + #if LIBSSH2_ED25519 + &kex_method_ssh_curve25519_sha256, +@@ -3055,6 +3062,7 @@ static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = { + &kex_method_diffie_helman_group1_sha1, + &kex_method_diffie_helman_group_exchange_sha1, + &kex_method_extension_negotiation, ++ &kex_method_strict_client_extension, + NULL + }; + +@@ -3307,13 +3315,13 @@ static int kexinit(LIBSSH2_SESSION * session) + return 0; + } + +-/* kex_agree_instr ++/* _libssh2_kex_agree_instr + * Kex specific variant of strstr() + * Needle must be preceded by BOL or ',', and followed by ',' or EOL + */ +-static unsigned char * +-kex_agree_instr(unsigned char *haystack, size_t haystack_len, +- const unsigned char *needle, size_t needle_len) ++unsigned char * ++_libssh2_kex_agree_instr(unsigned char *haystack, size_t haystack_len, ++ const unsigned char *needle, size_t needle_len) + { + unsigned char *s; + unsigned char *end_haystack; +@@ -3398,7 +3406,7 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session, + while(s && *s) { + unsigned char *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s)); +- if(kex_agree_instr(hostkey, hostkey_len, s, method_len)) { ++ if(_libssh2_kex_agree_instr(hostkey, hostkey_len, s, method_len)) { + const LIBSSH2_HOSTKEY_METHOD *method = + (const LIBSSH2_HOSTKEY_METHOD *) + kex_get_method_by_name((char *) s, method_len, +@@ -3432,9 +3440,9 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session, + } + + while(hostkeyp && (*hostkeyp) && (*hostkeyp)->name) { +- s = kex_agree_instr(hostkey, hostkey_len, +- (unsigned char *) (*hostkeyp)->name, +- strlen((*hostkeyp)->name)); ++ s = _libssh2_kex_agree_instr(hostkey, hostkey_len, ++ (unsigned char *) (*hostkeyp)->name, ++ strlen((*hostkeyp)->name)); + if(s) { + /* So far so good, but does it suit our purposes? (Encrypting vs + Signing) */ +@@ -3468,6 +3476,12 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex, + { + const LIBSSH2_KEX_METHOD **kexp = libssh2_kex_methods; + unsigned char *s; ++ const unsigned char *strict = ++ (unsigned char *)"kex-strict-s-v00@openssh.com"; ++ ++ if(_libssh2_kex_agree_instr(kex, kex_len, strict, 28)) { ++ session->kex_strict = 1; ++ } + + if(session->kex_prefs) { + s = (unsigned char *) session->kex_prefs; +@@ -3475,7 +3489,7 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex, + while(s && *s) { + unsigned char *q, *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s)); +- q = kex_agree_instr(kex, kex_len, s, method_len); ++ q = _libssh2_kex_agree_instr(kex, kex_len, s, method_len); + if(q) { + const LIBSSH2_KEX_METHOD *method = (const LIBSSH2_KEX_METHOD *) + kex_get_method_by_name((char *) s, method_len, +@@ -3509,9 +3523,9 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex, + } + + while(*kexp && (*kexp)->name) { +- s = kex_agree_instr(kex, kex_len, +- (unsigned char *) (*kexp)->name, +- strlen((*kexp)->name)); ++ s = _libssh2_kex_agree_instr(kex, kex_len, ++ (unsigned char *) (*kexp)->name, ++ strlen((*kexp)->name)); + if(s) { + /* We've agreed on a key exchange method, + * Can we agree on a hostkey that works with this kex? +@@ -3555,7 +3569,7 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session, + unsigned char *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s)); + +- if(kex_agree_instr(crypt, crypt_len, s, method_len)) { ++ if(_libssh2_kex_agree_instr(crypt, crypt_len, s, method_len)) { + const LIBSSH2_CRYPT_METHOD *method = + (const LIBSSH2_CRYPT_METHOD *) + kex_get_method_by_name((char *) s, method_len, +@@ -3577,9 +3591,9 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session, + } + + while(*cryptp && (*cryptp)->name) { +- s = kex_agree_instr(crypt, crypt_len, +- (unsigned char *) (*cryptp)->name, +- strlen((*cryptp)->name)); ++ s = _libssh2_kex_agree_instr(crypt, crypt_len, ++ (unsigned char *) (*cryptp)->name, ++ strlen((*cryptp)->name)); + if(s) { + endpoint->crypt = *cryptp; + return 0; +@@ -3619,7 +3633,7 @@ static int kex_agree_mac(LIBSSH2_SESSION * session, + unsigned char *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s)); + +- if(kex_agree_instr(mac, mac_len, s, method_len)) { ++ if(_libssh2_kex_agree_instr(mac, mac_len, s, method_len)) { + const LIBSSH2_MAC_METHOD *method = (const LIBSSH2_MAC_METHOD *) + kex_get_method_by_name((char *) s, method_len, + (const LIBSSH2_COMMON_METHOD **) +@@ -3640,8 +3654,9 @@ static int kex_agree_mac(LIBSSH2_SESSION * session, + } + + while(*macp && (*macp)->name) { +- s = kex_agree_instr(mac, mac_len, (unsigned char *) (*macp)->name, +- strlen((*macp)->name)); ++ s = _libssh2_kex_agree_instr(mac, mac_len, ++ (unsigned char *) (*macp)->name, ++ strlen((*macp)->name)); + if(s) { + endpoint->mac = *macp; + return 0; +@@ -3672,7 +3687,7 @@ static int kex_agree_comp(LIBSSH2_SESSION *session, + unsigned char *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s)); + +- if(kex_agree_instr(comp, comp_len, s, method_len)) { ++ if(_libssh2_kex_agree_instr(comp, comp_len, s, method_len)) { + const LIBSSH2_COMP_METHOD *method = + (const LIBSSH2_COMP_METHOD *) + kex_get_method_by_name((char *) s, method_len, +@@ -3694,8 +3709,9 @@ static int kex_agree_comp(LIBSSH2_SESSION *session, + } + + while(*compp && (*compp)->name) { +- s = kex_agree_instr(comp, comp_len, (unsigned char *) (*compp)->name, +- strlen((*compp)->name)); ++ s = _libssh2_kex_agree_instr(comp, comp_len, ++ (unsigned char *) (*compp)->name, ++ strlen((*compp)->name)); + if(s) { + endpoint->comp = *compp; + return 0; +@@ -3876,6 +3892,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange, + session->local.kexinit = key_state->oldlocal; + session->local.kexinit_len = key_state->oldlocal_len; + key_state->state = libssh2_NB_state_idle; ++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX; + session->state &= ~LIBSSH2_STATE_KEX_ACTIVE; + session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS; + return -1; +@@ -3901,6 +3918,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange, + session->local.kexinit = key_state->oldlocal; + session->local.kexinit_len = key_state->oldlocal_len; + key_state->state = libssh2_NB_state_idle; ++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX; + session->state &= ~LIBSSH2_STATE_KEX_ACTIVE; + session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS; + return -1; +@@ -3949,6 +3967,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange, + session->remote.kexinit = NULL; + } + ++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX; + session->state &= ~LIBSSH2_STATE_KEX_ACTIVE; + session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS; + +diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h +index 82c3afe2..ee1d8b5c 100644 +--- a/src/libssh2_priv.h ++++ b/src/libssh2_priv.h +@@ -699,6 +699,9 @@ struct _LIBSSH2_SESSION + /* key signing algorithm preferences -- NULL yields server order */ + char *sign_algo_prefs; + ++ /* Whether to use the OpenSSH Strict KEX extension */ ++ int kex_strict; ++ + /* (remote as source of data -- packet_read ) */ + libssh2_endpoint_data remote; + +@@ -870,6 +873,7 @@ struct _LIBSSH2_SESSION + int fullpacket_macstate; + size_t fullpacket_payload_len; + int fullpacket_packet_type; ++ uint32_t fullpacket_required_type; + + /* State variables used in libssh2_sftp_init() */ + libssh2_nonblocking_states sftpInit_state; +@@ -910,10 +914,11 @@ struct _LIBSSH2_SESSION + }; + + /* session.state bits */ +-#define LIBSSH2_STATE_EXCHANGING_KEYS 0x00000001 +-#define LIBSSH2_STATE_NEWKEYS 0x00000002 +-#define LIBSSH2_STATE_AUTHENTICATED 0x00000004 +-#define LIBSSH2_STATE_KEX_ACTIVE 0x00000008 ++#define LIBSSH2_STATE_INITIAL_KEX 0x00000001 ++#define LIBSSH2_STATE_EXCHANGING_KEYS 0x00000002 ++#define LIBSSH2_STATE_NEWKEYS 0x00000004 ++#define LIBSSH2_STATE_AUTHENTICATED 0x00000008 ++#define LIBSSH2_STATE_KEX_ACTIVE 0x00000010 + + /* session.flag helpers */ + #ifdef MSG_NOSIGNAL +@@ -1144,6 +1149,11 @@ ssize_t _libssh2_send(libssh2_socket_t socket, const void *buffer, + int _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange, + key_exchange_state_t * state); + ++unsigned char *_libssh2_kex_agree_instr(unsigned char *haystack, ++ size_t haystack_len, ++ const unsigned char *needle, ++ size_t needle_len); ++ + /* Let crypt.c/hostkey.c expose their method structs */ + const LIBSSH2_CRYPT_METHOD **libssh2_crypt_methods(void); + const LIBSSH2_HOSTKEY_METHOD **libssh2_hostkey_methods(void); +diff --git a/src/packet.c b/src/packet.c +index b5b41981..35d4d39e 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -605,14 +605,13 @@ authagent_exit: + * layer when it has received a packet. + * + * The input pointer 'data' is pointing to allocated data that this function +- * is asked to deal with so on failure OR success, it must be freed fine. +- * The only exception is when the return code is LIBSSH2_ERROR_EAGAIN. ++ * will be freed unless return the code is LIBSSH2_ERROR_EAGAIN. + * + * This function will always be called with 'datalen' greater than zero. + */ + int + _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, +- size_t datalen, int macstate) ++ size_t datalen, int macstate, uint32_t seq) + { + int rc = 0; + unsigned char *message = NULL; +@@ -657,6 +656,70 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + break; + } + ++ if(session->state & LIBSSH2_STATE_INITIAL_KEX) { ++ if(msg == SSH_MSG_KEXINIT) { ++ if(!session->kex_strict) { ++ if(datalen < 17) { ++ LIBSSH2_FREE(session, data); ++ session->packAdd_state = libssh2_NB_state_idle; ++ return _libssh2_error(session, ++ LIBSSH2_ERROR_BUFFER_TOO_SMALL, ++ "Data too short extracting kex"); ++ } ++ else { ++ const unsigned char *strict = ++ (unsigned char *)"kex-strict-s-v00@openssh.com"; ++ struct string_buf buf; ++ unsigned char *algs = NULL; ++ size_t algs_len = 0; ++ ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr += 17; /* advance past type and cookie */ ++ ++ if(_libssh2_get_string(&buf, &algs, &algs_len)) { ++ LIBSSH2_FREE(session, data); ++ session->packAdd_state = libssh2_NB_state_idle; ++ return _libssh2_error(session, ++ LIBSSH2_ERROR_BUFFER_TOO_SMALL, ++ "Algs too short"); ++ } ++ ++ if(algs_len == 0 || ++ _libssh2_kex_agree_instr(algs, algs_len, strict, 28)) { ++ session->kex_strict = 1; ++ } ++ } ++ } ++ ++ if(session->kex_strict && seq) { ++ LIBSSH2_FREE(session, data); ++ session->socket_state = LIBSSH2_SOCKET_DISCONNECTED; ++ session->packAdd_state = libssh2_NB_state_idle; ++ libssh2_session_disconnect(session, "strict KEX violation: " ++ "KEXINIT was not the first packet"); ++ ++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT, ++ "strict KEX violation: " ++ "KEXINIT was not the first packet"); ++ } ++ } ++ ++ if(session->kex_strict && session->fullpacket_required_type && ++ session->fullpacket_required_type != msg) { ++ LIBSSH2_FREE(session, data); ++ session->socket_state = LIBSSH2_SOCKET_DISCONNECTED; ++ session->packAdd_state = libssh2_NB_state_idle; ++ libssh2_session_disconnect(session, "strict KEX violation: " ++ "unexpected packet type"); ++ ++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT, ++ "strict KEX violation: " ++ "unexpected packet type"); ++ } ++ } ++ + if(session->packAdd_state == libssh2_NB_state_allocated) { + /* A couple exceptions to the packet adding rule: */ + switch(msg) { +@@ -1341,6 +1404,15 @@ _libssh2_packet_ask(LIBSSH2_SESSION * session, unsigned char packet_type, + + return 0; + } ++ else if(session->kex_strict && ++ (session->state & LIBSSH2_STATE_INITIAL_KEX)) { ++ libssh2_session_disconnect(session, "strict KEX violation: " ++ "unexpected packet type"); ++ ++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT, ++ "strict KEX violation: " ++ "unexpected packet type"); ++ } + packet = _libssh2_list_next(&packet->node); + } + return -1; +@@ -1402,7 +1474,10 @@ _libssh2_packet_require(LIBSSH2_SESSION * session, unsigned char packet_type, + } + + while(session->socket_state == LIBSSH2_SOCKET_CONNECTED) { +- int ret = _libssh2_transport_read(session); ++ int ret; ++ session->fullpacket_required_type = packet_type; ++ ret = _libssh2_transport_read(session); ++ session->fullpacket_required_type = 0; + if(ret == LIBSSH2_ERROR_EAGAIN) + return ret; + else if(ret < 0) { +diff --git a/src/packet.h b/src/packet.h +index 79018bcf..6ea100a5 100644 +--- a/src/packet.h ++++ b/src/packet.h +@@ -71,6 +71,6 @@ int _libssh2_packet_burn(LIBSSH2_SESSION * session, + int _libssh2_packet_write(LIBSSH2_SESSION * session, unsigned char *data, + unsigned long data_len); + int _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, +- size_t datalen, int macstate); ++ size_t datalen, int macstate, uint32_t seq); + + #endif /* __LIBSSH2_PACKET_H */ +diff --git a/src/session.c b/src/session.c +index a4d602ba..f4bafb57 100644 +--- a/src/session.c ++++ b/src/session.c +@@ -464,6 +464,8 @@ libssh2_session_init_ex(LIBSSH2_ALLOC_FUNC((*my_alloc)), + session->abstract = abstract; + session->api_timeout = 0; /* timeout-free API by default */ + session->api_block_mode = 1; /* blocking API by default */ ++ session->state = LIBSSH2_STATE_INITIAL_KEX; ++ session->fullpacket_required_type = 0; + session->packet_read_timeout = LIBSSH2_DEFAULT_READ_TIMEOUT; + session->flag.quote_paths = 1; /* default behavior is to quote paths + for the scp subsystem */ +@@ -1186,6 +1188,7 @@ libssh2_session_disconnect_ex(LIBSSH2_SESSION *session, int reason, + const char *desc, const char *lang) + { + int rc; ++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX; + session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS; + BLOCK_ADJUST(rc, session, + session_disconnect(session, reason, desc, lang)); +diff --git a/src/transport.c b/src/transport.c +index 6d902d33..3b30ff84 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -187,6 +187,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ ) + struct transportpacket *p = &session->packet; + int rc; + int compressed; ++ uint32_t seq = session->remote.seqno; + + if(session->fullpacket_state == libssh2_NB_state_idle) { + session->fullpacket_macstate = LIBSSH2_MAC_CONFIRMED; +@@ -318,7 +319,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ ) + if(session->fullpacket_state == libssh2_NB_state_created) { + rc = _libssh2_packet_add(session, p->payload, + session->fullpacket_payload_len, +- session->fullpacket_macstate); ++ session->fullpacket_macstate, seq); + if(rc == LIBSSH2_ERROR_EAGAIN) + return rc; + if(rc) { +@@ -329,6 +330,11 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ ) + + session->fullpacket_state = libssh2_NB_state_idle; + ++ if(session->kex_strict && ++ session->fullpacket_packet_type == SSH_MSG_NEWKEYS) { ++ session->remote.seqno = 0; ++ } ++ + return session->fullpacket_packet_type; + } + +@@ -1091,6 +1097,10 @@ int _libssh2_transport_send(LIBSSH2_SESSION *session, + + session->local.seqno++; + ++ if(session->kex_strict && data[0] == SSH_MSG_NEWKEYS) { ++ session->local.seqno = 0; ++ } ++ + ret = LIBSSH2_SEND(session, p->outbuf, total_length, + LIBSSH2_SOCKET_SEND_FLAGS(session)); + if(ret < 0) +-- +2.34.1 + diff --git a/poky/meta/recipes-support/libssh2/libssh2_1.11.0.bb b/poky/meta/recipes-support/libssh2/libssh2_1.11.0.bb index edc25db1b1..5100e6f7f9 100644 --- a/poky/meta/recipes-support/libssh2/libssh2_1.11.0.bb +++ b/poky/meta/recipes-support/libssh2/libssh2_1.11.0.bb @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=24a33237426720395ebb1dd1349ca225" SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \ file://run-ptest \ + file://CVE-2023-48795.patch \ " SRC_URI[sha256sum] = "3736161e41e2693324deb38c26cfdc3efe6209d634ba4258db1cecff6a5ad461" diff --git a/poky/meta/recipes-support/sqlite/sqlite3_3.43.1.bb b/poky/meta/recipes-support/sqlite/sqlite3_3.43.1.bb deleted file mode 100644 index 93146358c7..0000000000 --- a/poky/meta/recipes-support/sqlite/sqlite3_3.43.1.bb +++ /dev/null @@ -1,10 +0,0 @@ -require sqlite3.inc - -LICENSE = "PD" -LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66" - -SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz" -SRC_URI[sha256sum] = "39116c94e76630f22d54cd82c3cea308565f1715f716d1b2527f1c9c969ba4d9" - -CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed upstream. But it is not a vulnerability" - diff --git a/poky/meta/recipes-support/sqlite/sqlite3_3.43.2.bb b/poky/meta/recipes-support/sqlite/sqlite3_3.43.2.bb new file mode 100644 index 0000000000..66d6255ac0 --- /dev/null +++ b/poky/meta/recipes-support/sqlite/sqlite3_3.43.2.bb @@ -0,0 +1,7 @@ +require sqlite3.inc + +LICENSE = "PD" +LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66" + +SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz" +SRC_URI[sha256sum] = "6d422b6f62c4de2ca80d61860e3a3fb693554d2f75bb1aaca743ccc4d6f609f0" diff --git a/poky/scripts/lib/devtool/deploy.py b/poky/scripts/lib/devtool/deploy.py index e14a587417..eadf6e1521 100644 --- a/poky/scripts/lib/devtool/deploy.py +++ b/poky/scripts/lib/devtool/deploy.py @@ -140,6 +140,7 @@ def deploy(args, config, basepath, workspace): import math import oe.recipeutils import oe.package + import oe.utils check_workspace_recipe(workspace, args.recipename, checksrc=False) @@ -174,7 +175,7 @@ def deploy(args, config, basepath, workspace): exec_fakeroot(rd, "cp -af %s %s" % (os.path.join(srcdir, '.'), recipe_outdir), shell=True) os.environ['PATH'] = ':'.join([os.environ['PATH'], rd.getVar('PATH') or '']) oe.package.strip_execs(args.recipename, recipe_outdir, rd.getVar('STRIP'), rd.getVar('libdir'), - rd.getVar('base_libdir'), rd) + rd.getVar('base_libdir'), oe.utils.get_bb_number_threads(rd), rd) filelist = [] inodes = set({}) diff --git a/poky/scripts/lib/devtool/standard.py b/poky/scripts/lib/devtool/standard.py index 55fa38ccfb..0126f75022 100644 --- a/poky/scripts/lib/devtool/standard.py +++ b/poky/scripts/lib/devtool/standard.py @@ -971,7 +971,7 @@ def modify(args, config, basepath, workspace): '}\n') if rd.getVarFlag('do_menuconfig','task'): f.write('\ndo_configure:append() {\n' - ' if [ ${@ oe.types.boolean(\'${KCONFIG_CONFIG_ENABLE_MENUCONFIG}\') } = True ]; then\n' + ' if [ ${@oe.types.boolean(d.getVar("KCONFIG_CONFIG_ENABLE_MENUCONFIG"))} = True ]; then\n' ' cp ${KCONFIG_CONFIG_ROOTDIR}/.config ${S}/.config.baseline\n' ' ln -sfT ${KCONFIG_CONFIG_ROOTDIR}/.config ${S}/.config.new\n' ' fi\n' diff --git a/poky/scripts/runqemu b/poky/scripts/runqemu index 6fca7439a1..63562cf6dc 100755 --- a/poky/scripts/runqemu +++ b/poky/scripts/runqemu @@ -367,7 +367,7 @@ class BaseConfig(object): if p.endswith('.qemuboot.conf'): self.qemuboot = p self.qbconfload = True - elif re.search('\.bin$', p) or re.search('bzImage', p) or \ + elif re.search('\\.bin$', p) or re.search('bzImage', p) or \ re.search('zImage', p) or re.search('vmlinux', p) or \ re.search('fitImage', p) or re.search('uImage', p): self.kernel = p @@ -381,19 +381,19 @@ class BaseConfig(object): fst = t break if not fst: - m = re.search('.*\.(.*)$', self.rootfs) + m = re.search('.*\\.(.*)$', self.rootfs) if m: fst = m.group(1) if fst: self.check_arg_fstype(fst) - qb = re.sub('\.' + fst + "$", '.qemuboot.conf', self.rootfs) + qb = re.sub('\\.' + fst + "$", '.qemuboot.conf', self.rootfs) if os.path.exists(qb): self.qemuboot = qb self.qbconfload = True else: logger.warning("%s doesn't exist, will try to remove '.rootfs' from filename" % qb) # They to remove .rootfs (IMAGE_NAME_SUFFIX) as well - qb = re.sub('\.rootfs.qemuboot.conf$', '.qemuboot.conf', qb) + qb = re.sub('\\.rootfs.qemuboot.conf$', '.qemuboot.conf', qb) if os.path.exists(qb): self.qemuboot = qb self.qbconfload = True |