author | Patrick Williams <patrick@stwcx.xyz> | 2021-05-27 16:04:48 +0300 |
committer | Patrick Williams <patrick@stwcx.xyz> | 2021-05-27 16:12:32 +0300 |
commit | 67107382f0ac2ad2ff42819a3d3189dc838a7ed5 (patch) | |
tree | 65efc3f2b911d71da8e23e999b3f2b0bb976354f | |
parent | d7eca3aaccf58555fa5619465140d3b71204720c (diff) | |
subtree updates
meta-raspberrypi: b601818301..11209a4981:
sss22213 (1):
recipes-bsp: Add support for Raspberry Pi HD quality camera
poky: 05a8aad57c..fd33741e27:
Alexander Kanavin (1):
bitbake: fetch2/wget: when checking latest versions, consider all numerical directories
Bastian Krause (1):
ccache: add packageconfig docs option
Michael Halstead (1):
uninative: Upgrade to 3.2 (gcc11 support)
Richard Purdie (19):
bitbake: server/process: Handle error in heartbeat funciton in OOM case
glibc: Document and whitelist CVE-2019-1010022-25
qemu: Exclude CVE-2017-5957 from cve-check
qemu: Exclude CVE-2007-0998 from cve-check
qemu: Exclude CVE-2018-18438 from cve-check
jquery: Exclude CVE-2007-2379 from cve-check
logrotate: Exclude CVE-2011-1548,1549,1550 from cve-check
openssh: Exclude CVE-2007-2768 from cve-check
openssh: Exclude CVE-2008-3844 from cve-check
unzip: Exclude CVE-2008-0888 from cve-check
cpio: Exclude CVE-2010-4226 from cve-check
ghostscript: Exclude CVE-2013-6629 from cve-check
bluez: Exclude CVE-2020-12352 CVE-2020-24490 from cve-check
tiff: Exclude CVE-2015-7313 from cve-check
coreutils: Exclude CVE-2016-2781 from cve-check
librsvg: Exclude CVE-2018-1000041 from cve-check
avahi: Exclude CVE-2021-26720 from cve-check
glibc: Add 8GB VM usage cap for usermode test suite
sstate: Handle manifest 'corruption' issue
Robert P. J. Day (2):
image.bbclass: fix comment "pacackages" -> "packages"
meta/lib/oe/rootfs.py: Fix typo "Restoreing" -> "Restoring"
Ross Burton (3):
libnotify: whitelist CVE-2013-7381 (specific to the NodeJS bindings)
builder: whitelist CVE-2008-4178 (a different builder)
cups: whitelist CVE-2021-25317
Tony Tascioglu (3):
libxml2: fix CVE-2021-3517
libxml2: fix CVE-2021-3516
libxml2: fix CVE-2021-3537
meta-openembedded: bbe3855ec7..cf5bd6a830:
Andreas Müller (2):
zsh: reduce priority slightly to avoid conflict with bash
xfce4-settings: upgrade 4.16.0 -> 4.16.1
Khem Raj (3):
aom: Match the name for AOM-Patent-License-1.0
libdevmapper,lvm2: Do not inherit license
python3-jinja2_2.%.bbappend: Delete
Saul Wold (2):
tbb: Disable PPC as COMPATIBLE_MACHINE
packagegroup-meta-oe: conditional remove tbb for powerpc
Silcet (1):
ufw: fix python shebang
zangrc (3):
fetchmail: upgrade 6.4.18 -> 6.4.19
openvpn: upgrade 2.5.1 -> 2.5.2
wireshark: upgrade 3.4.4 -> 3.4.5
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I84a4b5733ff5d04c39580402b64c5c649ac991a9
44 files changed, 375 insertions, 35 deletions
diff --git a/meta-openembedded/meta-multimedia/recipes-multimedia/aom/aom_3.0.0.bb b/meta-openembedded/meta-multimedia/recipes-multimedia/aom/aom_3.0.0.bb index 7ea9b199bf..f5a42fb860 100644 --- a/meta-openembedded/meta-multimedia/recipes-multimedia/aom/aom_3.0.0.bb +++ b/meta-openembedded/meta-multimedia/recipes-multimedia/aom/aom_3.0.0.bb @@ -1,7 +1,7 @@ SUMMARY = "Alliance for Open Media - AV1 Codec Library" DESCRIPTION = "Alliance for Open Media AV1 codec library" -LICENSE = "BSD-2-Clause & AOM-Patent-1.0" +LICENSE = "BSD-2-Clause & AOM-Patent-License-1.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=6ea91368c1bbdf877159435572b931f5 \ file://PATENTS;md5=e69ad12202bd20da3c76a5d3648cfa83 \ " diff --git a/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/fix-dynamic-update-of-python-shebang.patch b/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/fix-dynamic-update-of-python-shebang.patch new file mode 100644 index 0000000000..0bb0315ccd --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/fix-dynamic-update-of-python-shebang.patch 
@@ -0,0 +1,57 @@ +From b961a7fceb5654c283c3f987bee593d52abaf1f5 Mon Sep 17 00:00:00 2001 +From: Silcet <camorga1@gmail.com> +Date: Mon, 26 Apr 2021 07:47:02 +0000 +Subject: [PATCH] ufw: Fix dynamic update of python shebang + +[meta-openembedded ticket #327] -- https://github.com/openembedded/meta-openembedded/issues/327 + +The python version in the shebang at the begining of the ufw script +should be the same one as the version the setup.py script was called +with. + +The fix in patch "setup-only-make-one-reference-to-env.patch" +depends on sys.executable returning "/usr/bin/env pythonX". However, +it returns "/usr/bin/pythonX". Using sys.version_info we can get the +major version of the python used to called the script and append +that to the shebang line so it works as intended. + +Upstream-status: Pending + +Signed-off-by: Silcet <camorga1@gmail.com> +--- + setup.py | 21 ++++++--------------- + 1 file changed, 6 insertions(+), 15 deletions(-) + +diff --git a/setup.py b/setup.py +index ca730b7..941bbf6 100644 +--- a/setup.py ++++ b/setup.py +@@ -112,22 +112,13 @@ class Install(_install, object): + for f in [ script, manpage, manpage_f ]: + self.mkpath(os.path.dirname(f)) + +- # if sys.executable == /usr/bin/env python* the result will be the top +- # of ufw getting: +- # +- # #! /usr/bin/env /usr/bin/env python +- # +- # which is not ideal +- # + # update the interpreter to that of the one the user specified for setup +- print("Updating staging/ufw to use (%s)" % (sys.executable)) +- +- if re.search("(/usr/bin/env)", sys.executable): +- print("found 'env' in sys.executable (%s)" % (sys.executable)) +- subprocess.call(["sed", +- "-i.jjm", +- "1s%^#.*python.*%#! " + sys.executable + "%g", +- 'staging/ufw']) ++ python_major = sys.version_info.major ++ print("Updating staging/ufw to use (python%s)" % (python_major)) ++ subprocess.call(["sed", ++ "-i.jjm", ++ "1s%^#.*python.*%#! 
" + sys.executable + "%g", ++ 'staging/ufw']) + + self.copy_file('staging/ufw', script) + self.copy_file('doc/ufw.8', manpage) diff --git a/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb b/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb index 42fc262589..ee366aa665 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb @@ -16,6 +16,7 @@ SRC_URI = " \ file://0003-fix-typeerror-on-error.patch \ file://0004-lp1039729.patch \ file://0005-lp1191197.patch \ + file://fix-dynamic-update-of-python-shebang.patch \ " UPSTREAM_CHECK_URI = "https://launchpad.net/ufw" diff --git a/meta-openembedded/meta-networking/recipes-support/fetchmail/fetchmail_6.4.18.bb b/meta-openembedded/meta-networking/recipes-support/fetchmail/fetchmail_6.4.19.bb index 7254a4713a..aead5e9f0f 100644 --- a/meta-openembedded/meta-networking/recipes-support/fetchmail/fetchmail_6.4.18.bb +++ b/meta-openembedded/meta-networking/recipes-support/fetchmail/fetchmail_6.4.19.bb @@ -6,13 +6,13 @@ connections). It supports every remote-mail protocol now in use on the Internet: RPOP, APOP, KPOP, all flavors of IMAP, ETRN, and ODMR. It can even support IPv6 and IPSEC." SECTION = "mail" LICENSE = "GPLv2 & MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=06a8d16599e1d0b131390bec01fb571c" +LIC_FILES_CHKSUM = "file://COPYING;md5=ad73c6bd421c137fbf18cf8b92474186" DEPENDS = "openssl" SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz \ " -SRC_URI[sha256sum] = "302dc9bcdc6927dedf375d2baaead2347557faa70d98b1da83f2409fa6fb259f" +SRC_URI[sha256sum] = "cd8d11a3d103e50caa2ec64bcda6307eb3d0783a4d4dfd88e668b81aaf9d6b5f" inherit autotools gettext python3-dir python3native diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.1.bb b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb index 6aa7b17be6..f82107dbee 100644 
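Review bot: In the new-side `subprocess.call(["sed", ...])` of the setup.py hunk the replacement string still interpolates `sys.executable`, so `python_major` is only used in the print and the message `Updating staging/ufw to use (python%s)` does not describe what is actually written to the shebang. The patch description says the major version is appended to the shebang line; if that is the intent the replacement should be `"1s%^#.*python.*%#! /usr/bin/env python" + str(python_major) + "%g"`, otherwise the print should report `sys.executable` so the build log is truthful. With the `re.search` guard gone, the `re` import is presumably unused in setup.py unless it is referenced elsewhere in the file. The enclosing method of `class Install` starts and ends outside the hunk.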
--- a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.1.bb +++ b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb @@ -14,8 +14,8 @@ SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" -SRC_URI[md5sum] = "b1c279e89d97849d5fcde31d76812f04" -SRC_URI[sha256sum] = "e9582b8e9457994bd8d50012be82c23b2f465da51460c9b2360a81da0f4e06e6" +SRC_URI[md5sum] = "7643f135b49aee49df7d83c1f434dc4e" +SRC_URI[sha256sum] = "b9d295988b34e39964ac475b619c3585d667b36c350cf1adec19e5e3c843ba11" SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service" SYSTEMD_AUTO_ENABLE = "disable" diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.4.bb b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.5.bb index b75f41835b..f440328027 100644 --- a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.4.bb +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.5.bb @@ -19,7 +19,7 @@ SRC_URI += " \ UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" -SRC_URI[sha256sum] = "729cd11e9715c600e5ad74ca472bacf8af32c20902192d5f2b271268511d4d29" +SRC_URI[sha256sum] = "de1aafd100a1e1207c850d180e97dd91ab8da0f5eb6beec545f725cdb145d333" PE = "1" diff --git a/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb b/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb index 59908e2c0f..eb095a2374 100644 --- a/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb +++ b/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb 
@@ -921,7 +921,7 @@ RDEPENDS_packagegroup-meta-oe-support_remove_arm ="numactl" RDEPENDS_packagegroup-meta-oe-support_remove_mipsarch = "gperftools" RDEPENDS_packagegroup-meta-oe-support_remove_riscv64 = "gperftools uim" RDEPENDS_packagegroup-meta-oe-support_remove_riscv32 = "gperftools uim" -RDEPENDS_packagegroup-meta-oe-support_remove_powerpc = "ssiapi" +RDEPENDS_packagegroup-meta-oe-support_remove_powerpc = "ssiapi tbb" RDEPENDS_packagegroup-meta-oe-support_remove_powerpc64le = "ssiapi" RDEPENDS_packagegroup-meta-oe-test ="\ diff --git a/meta-openembedded/meta-oe/recipes-shells/zsh/zsh_5.4.2.bb b/meta-openembedded/meta-oe/recipes-shells/zsh/zsh_5.4.2.bb index 3aab65bf5b..aa372b70a3 100644 --- a/meta-openembedded/meta-oe/recipes-shells/zsh/zsh_5.4.2.bb +++ b/meta-openembedded/meta-oe/recipes-shells/zsh/zsh_5.4.2.bb @@ -38,7 +38,7 @@ EXTRA_OEMAKE = "-e MAKEFLAGS=" ALTERNATIVE_${PN} = "sh" ALTERNATIVE_LINK_NAME[sh] = "${base_bindir}/sh" ALTERNATIVE_TARGET[sh] = "${base_bindir}/${BPN}" -ALTERNATIVE_PRIORITY = "100" +ALTERNATIVE_PRIORITY = "90" export AUTOHEADER = "true" diff --git a/meta-openembedded/meta-oe/recipes-support/lvm2/lvm2.inc b/meta-openembedded/meta-oe/recipes-support/lvm2/lvm2.inc index 6618e21f3b..ccb4f7ac14 100644 --- a/meta-openembedded/meta-oe/recipes-support/lvm2/lvm2.inc +++ b/meta-openembedded/meta-oe/recipes-support/lvm2/lvm2.inc @@ -21,12 +21,11 @@ SRC_URI = "git://sourceware.org/git/lvm2.git;branch=main \ SRCREV = "3e8bd8d1bd70691f09a170785836aeb4f83154e6" S = "${WORKDIR}/git" -inherit autotools-brokensep pkgconfig systemd license +inherit autotools-brokensep pkgconfig systemd LVM2_PACKAGECONFIG = "dmeventd" LVM2_PACKAGECONFIG_append_class-target = " \ ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \ - ${@incompatible_license_contains('GPLv3', '', 'thin-provisioning-tools', d)} \ " # odirect is always enabled because there currently is a bug in 
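Review bot: Dropping the `incompatible_license_contains` line from `LVM2_PACKAGECONFIG_append_class-target` in the lvm2.inc hunk changes a default, not only an `inherit`: thin-provisioning-tools was previously enabled for target builds whenever GPLv3 was not in INCOMPATIBLE_LICENSE and is now off unless a distro adds it, so existing builds with a GPLv3-tolerant policy presumably lose thin support without any warning. A comment beside the append, e.g. `# thin-provisioning-tools (GPL-3.0) is no longer enabled automatically; add it via PACKAGECONFIG_append_pn-lvm2 if your policy allows it`, would make the change visible to anyone diffing their image contents.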
@@ -39,6 +38,7 @@ PACKAGECONFIG[dmeventd] = "--enable-dmeventd,--disable-dmeventd" PACKAGECONFIG[odirect] = "--enable-o_direct,--disable-o_direct" PACKAGECONFIG[readline] = "--enable-readline,--disable-readline,readline" PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux" +# NOTE: Add thin-provisioning-tools only if your distro policy allows GPL-3.0 license PACKAGECONFIG[thin-provisioning-tools] = "--with-thin=internal,--with-thin=none,,thin-provisioning-tools" # Unset user/group to unbreak install. @@ -55,4 +55,3 @@ EXTRA_OECONF = "--with-user= \ --with-thin-repair=${sbindir}/thin_repair \ --with-thin-restore=${sbindir}/thin_restore \ " - diff --git a/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb b/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb index 7e57ebf555..771ddd49b8 100644 --- a/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb +++ b/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb @@ -45,3 +45,6 @@ LDFLAGS_append_mips = " -latomic" LDFLAGS_append_mipsel = " -latomic" LDFLAGS_append_libc-musl = " -lucontext" + +# The latest version of oneTBB does not support PPC +COMPATIBLE_MACHINE_powerpc = "(!.*ppc).*" diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-jinja2_2.%.bbappend b/meta-openembedded/meta-python/recipes-devtools/python/python3-jinja2_2.%.bbappend deleted file mode 100644 index 9fe358427a..0000000000 --- a/meta-openembedded/meta-python/recipes-devtools/python/python3-jinja2_2.%.bbappend +++ /dev/null @@ -1,13 +0,0 @@ -# Main recipe was moved to oe-core, but with ptest disabled -inherit ${@bb.utils.filter('DISTRO_FEATURES', 'ptest', d)} - -do_install_ptest() { - install -d ${D}${PTEST_PATH}/tests - cp -rf ${S}/tests/* ${D}${PTEST_PATH}/tests/ -} - -RDEPENDS_${PN}-ptest += " \ - ${PYTHON_PN}-pytest \ - ${PYTHON_PN}-toml \ - ${PYTHON_PN}-unixadmin \ -" 
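Review bot: `COMPATIBLE_MACHINE_powerpc = "(!.*ppc).*"` in the tbb hunk works only because the pattern can never match (no machine override begins with `!`), not through any negation — Python regexes have no `!` operator — so it reads like a negative lookahead that it is not. A comment such as `# deliberately unmatchable pattern: disables the recipe on every powerpc machine` next to the line would stop a later reader from "fixing" the regex into something that matches.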
diff --git a/meta-openembedded/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.0.bb b/meta-openembedded/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.1.bb index 47de8c571e..ccd55723ab 100644 --- a/meta-openembedded/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.0.bb +++ b/meta-openembedded/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.1.bb @@ -9,7 +9,7 @@ inherit xfce features_check mime-xdg REQUIRED_DISTRO_FEATURES = "x11" SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch" -SRC_URI[sha256sum] = "67a1404fc754c675c6431e22a8fe0e5d79644fdfadbfe25a4523d68e1442ddc2" +SRC_URI[sha256sum] = "bb28e1be7aa34d0edb1cfbaacc509a4267db56828b36cd6be312a202973635c6" EXTRA_OECONF += "--enable-maintainer-mode --disable-debug" diff --git a/meta-raspberrypi/conf/machine/include/rpi-base.inc b/meta-raspberrypi/conf/machine/include/rpi-base.inc index 77cada7436..a800078473 100644 --- a/meta-raspberrypi/conf/machine/include/rpi-base.inc +++ b/meta-raspberrypi/conf/machine/include/rpi-base.inc @@ -31,6 +31,7 @@ RPI_KERNEL_DEVICETREE_OVERLAYS ?= " \ overlays/justboom-digi.dtbo \ overlays/i2c-rtc.dtbo \ overlays/imx219.dtbo \ + overlays/imx477.dtbo \ overlays/iqaudio-dac.dtbo \ overlays/iqaudio-dacplus.dtbo \ overlays/mcp2515-can0.dtbo \ diff --git a/meta-raspberrypi/recipes-bsp/bootfiles/rpi-cmdline.bb b/meta-raspberrypi/recipes-bsp/bootfiles/rpi-cmdline.bb index 40a9949a14..3ebd1e61c2 100644 --- a/meta-raspberrypi/recipes-bsp/bootfiles/rpi-cmdline.bb +++ b/meta-raspberrypi/recipes-bsp/bootfiles/rpi-cmdline.bb 
@@ -13,6 +13,8 @@ CMDLINE_SERIAL ?= "${@oe.utils.conditional("ENABLE_UART", "1", "console=serial0, CMDLINE_CMA ?= "${@oe.utils.conditional("RASPBERRYPI_CAMERA_V2", "1", "cma=64M", "", d)}" +CMDLINE_CMA ?= "${@oe.utils.conditional("RASPBERRYPI_HD_CAMERA", "1", "cma=64M", "", d)}" + CMDLINE_PITFT ?= "${@bb.utils.contains("MACHINE_FEATURES", "pitft", "fbcon=map:10 fbcon=font:VGA8x8", "", d)}" # Add the kernel debugger over console kernel command line option if enabled diff --git a/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb b/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb index c4b441182b..052206acfa 100644 --- a/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb +++ b/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb @@ -189,10 +189,16 @@ do_deploy() { # Choose Camera Sensor to be used, default imx219 sensor if [ "${RASPBERRYPI_CAMERA_V2}" = "1" ]; then - echo "# Enable Sony RaspberryPi Camera" >> $CONFIG + echo "# Enable Sony RaspberryPi Camera(imx219)" >> $CONFIG echo "dtoverlay=imx219" >> $CONFIG fi + # Choose Camera Sensor to be used, default imx477 sensor + #if [ "${RASPBERRYPI_HD_CAMERA}" = "1" ]; then + # echo "# Enable Sony RaspberryPi Camera(imx477)" >> $CONFIG + # echo "dtoverlay=imx477" >> $CONFIG + #fi + # Waveshare "C" 1024x600 7" Rev2.1 IPS capacitive touch (http://www.waveshare.com/7inch-HDMI-LCD-C.htm) if [ "${WAVESHARE_1024X600_C_2_1}" = "1" ]; then echo "# Waveshare \"C\" 1024x600 7\" Rev2.1 IPS capacitive touch screen" >> $CONFIG diff --git a/poky/bitbake/lib/bb/fetch2/wget.py b/poky/bitbake/lib/bb/fetch2/wget.py index 6d82f3af07..784df70c9f 100644 --- a/poky/bitbake/lib/bb/fetch2/wget.py +++ b/poky/bitbake/lib/bb/fetch2/wget.py 
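Review bot: The second `CMDLINE_CMA ?=` added in the rpi-cmdline.bb hunk never takes effect: `?=` assigns at parse time only while the variable is still unset, and the preceding `CMDLINE_CMA ?=` line has already set it, so enabling only RASPBERRYPI_HD_CAMERA leaves `cma=64M` out of the kernel command line. Fold both conditions into the one assignment, e.g. `CMDLINE_CMA ?= "${@'cma=64M' if d.getVar('RASPBERRYPI_CAMERA_V2') == '1' or d.getVar('RASPBERRYPI_HD_CAMERA') == '1' else ''}"`.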
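Review bot: The RASPBERRYPI_HD_CAMERA block added to `do_deploy` in the rpi-config_git.bb hunk is entirely commented out, so setting that variable never writes `dtoverlay=imx477` to config.txt even though the rpi-base.inc hunk ships the overlay and the commit subject says support is added. Either uncomment the `if [ "${RASPBERRYPI_HD_CAMERA}" = "1" ]; then` block, or drop it and replace the misleading `# Choose Camera Sensor to be used, default imx477 sensor` comment with one that says the overlay is only deployed and must be enabled by hand. `do_deploy` starts and ends outside the hunk.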
@@ -472,7 +472,7 @@ class Wget(FetchMethod): version_dir = ['', '', ''] version = ['', '', ''] - dirver_regex = re.compile(r"(?P<pfx>\D*)(?P<ver>(\d+[\.\-_])+(\d+))") + dirver_regex = re.compile(r"(?P<pfx>\D*)(?P<ver>(\d+[\.\-_])*(\d+))") s = dirver_regex.search(dirver) if s: version_dir[1] = s.group('ver') diff --git a/poky/bitbake/lib/bb/server/process.py b/poky/bitbake/lib/bb/server/process.py index 3e99bcef8f..155e8d131f 100644 --- a/poky/bitbake/lib/bb/server/process.py +++ b/poky/bitbake/lib/bb/server/process.py @@ -367,7 +367,12 @@ class ProcessServer(): self.next_heartbeat = now + self.heartbeat_seconds if hasattr(self.cooker, "data"): heartbeat = bb.event.HeartbeatEvent(now) - bb.event.fire(heartbeat, self.cooker.data) + try: + bb.event.fire(heartbeat, self.cooker.data) + except Exception as exc: + if not isinstance(exc, bb.BBHandledException): + logger.exception('Running heartbeat function') + self.quit = True if nextsleep and now + nextsleep > self.next_heartbeat: # Shorten timeout so that we we wake up in time for # the heartbeat. diff --git a/poky/meta/classes/image.bbclass b/poky/meta/classes/image.bbclass index 353cc67175..67603d958d 100644 --- a/poky/meta/classes/image.bbclass +++ b/poky/meta/classes/image.bbclass @@ -38,7 +38,7 @@ IMAGE_FEATURES[validitems] += "debug-tweaks read-only-rootfs read-only-rootfs-de # Generate companion debugfs? IMAGE_GEN_DEBUGFS ?= "0" -# These pacackages will be installed as additional into debug rootfs +# These packages will be installed as additional into debug rootfs IMAGE_INSTALL_DEBUGFS ?= "" # These packages will be removed from a read-only rootfs after all other diff --git a/poky/meta/classes/sstate.bbclass b/poky/meta/classes/sstate.bbclass index 8e8efd18d5..79588df2cd 100644 --- a/poky/meta/classes/sstate.bbclass +++ b/poky/meta/classes/sstate.bbclass 
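Review bot: The new handler in the process.py hunk catches `Exception` and then tests `isinstance(exc, bb.BBHandledException)`; two except clauses express the same policy without the runtime type check and make the intent (already-reported errors just stop the server, anything else is logged first) visible in the control flow. `MemoryError` is an `Exception` subclass, so the OOM case from the subject is covered either way, while `KeyboardInterrupt` and `SystemExit` still propagate as before. The enclosing method of `ProcessServer` starts and ends outside the hunk.
```python
                try:
                    bb.event.fire(heartbeat, self.cooker.data)
                except bb.BBHandledException:
                    self.quit = True
                except Exception:
                    logger.exception('Running heartbeat function')
                    self.quit = True
```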
@@ -319,6 +319,8 @@ def sstate_install(ss, d): if os.path.exists(i): with open(i, "r") as f: manifests = f.readlines() + # We append new entries, we don't remove older entries which may have the same + # manifest name but different versions from stamp/workdir. See below. if filedata not in manifests: with open(i, "a+") as f: f.write(filedata) @@ -1183,11 +1185,21 @@ python sstate_eventhandler_reachablestamps() { i = d.expand("${SSTATE_MANIFESTS}/index-" + a) if not os.path.exists(i): continue + manseen = set() + ignore = [] with open(i, "r") as f: lines = f.readlines() - for l in lines: + for l in reversed(lines): try: (stamp, manifest, workdir) = l.split() + # The index may have multiple entries for the same manifest as the code above only appends + # new entries and there may be an entry with matching manifest but differing version in stamp/workdir. + # The last entry in the list is the valid one, any earlier entries with matching manifests + # should be ignored. + if manifest in manseen: + ignore.append(l) + continue + manseen.add(manifest) if stamp not in stamps and stamp not in preservestamps and stamp in machineindex: toremove.append(l) if stamp not in seen: @@ -1218,6 +1230,8 @@ python sstate_eventhandler_reachablestamps() { with open(i, "w") as f: for l in lines: + if l in ignore: + continue f.write(l) machineindex |= set(stamps) with open(mi, "w") as f: diff --git a/poky/meta/conf/distro/include/yocto-uninative.inc b/poky/meta/conf/distro/include/yocto-uninative.inc index 05b79d14c3..740cca0ecf 100644 --- a/poky/meta/conf/distro/include/yocto-uninative.inc +++ b/poky/meta/conf/distro/include/yocto-uninative.inc 
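Review bot: `ignore` in the `@@ -1183` hunk of sstate.bbclass is a list that is only ever probed with `if l in ignore` in the `@@ -1218` hunk, so the rewrite loop costs O(lines × ignored entries) on large indexes; `ignore = set()` and `ignore.add(l)` keep the same semantics at O(1) per test. Membership is by line text, so if the index ever held two byte-identical lines both would be dropped by `l in ignore` — the `if filedata not in manifests` guard in the `@@ -319` hunk is presumably what prevents exact duplicates, but recording the indices of ignored lines instead of their text would make the write loop correct regardless. `sstate_eventhandler_reachablestamps` starts and ends outside the hunk.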
@@ -8,7 +8,7 @@ UNINATIVE_MAXGLIBCVERSION = "2.33" -UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.1/" -UNINATIVE_CHECKSUM[aarch64] ?= "7fa12b9fe7a95934cc09beb0e8a25ff97179ef3105116015d32548eadd27b024" -UNINATIVE_CHECKSUM[i686] ?= "bbfcdd48336800b5af97e294918c6586a0a8fa903f127f813b0bd5110de8c55c" -UNINATIVE_CHECKSUM[x86_64] ?= "5d0611df544edff6428cef7d871257a91aa6ba1bd92f5365a2df8deb54b6b31e" +UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.2/" +UNINATIVE_CHECKSUM[aarch64] ?= "4f0872cdca2775b637a8a99815ca5c8dd42146abe903a24a50ee0448358c764b" +UNINATIVE_CHECKSUM[i686] ?= "e2eeab92e67263db37d9bb6d4c58579abd1f47ff4cded3171bde572fece124b2" +UNINATIVE_CHECKSUM[x86_64] ?= "3ee8c7d55e2d4c7ae3887cddb97219f97b94efddfeee2e24923c0cb0e8ce84c6" diff --git a/poky/meta/lib/oe/rootfs.py b/poky/meta/lib/oe/rootfs.py index d634adda4e..16493577e3 100644 --- a/poky/meta/lib/oe/rootfs.py +++ b/poky/meta/lib/oe/rootfs.py @@ -167,7 +167,7 @@ class Rootfs(object, metaclass=ABCMeta): pass os.rename(self.image_rootfs, self.image_rootfs + '-dbg') - bb.note(" Restoreing original rootfs...") + bb.note(" Restoring original rootfs...") os.rename(self.image_rootfs + '-orig', self.image_rootfs) def _exec_shell_cmd(self, cmd): diff --git a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb index c8a3f876aa..23c0e8d823 100644 --- a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -30,6 +30,9 @@ UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/" SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7" SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda" +# Issue only affects Debian/SUSE, not us +CVE_CHECK_WHITELIST += "CVE-2021-26720" + DEPENDS = "expat libcap libdaemon glib-2.0 intltool-native" # For gtk related PACKAGECONFIGs: gtk, gtk3 
diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5_5.56.bb b/poky/meta/recipes-connectivity/bluez5/bluez5_5.56.bb index 676cb2dbb2..ae0f72b678 100644 --- a/poky/meta/recipes-connectivity/bluez5/bluez5_5.56.bb +++ b/poky/meta/recipes-connectivity/bluez5/bluez5_5.56.bb @@ -3,6 +3,9 @@ require bluez5.inc SRC_URI[md5sum] = "e6c51b2aefa7c56ff072819a78611fa5" SRC_URI[sha256sum] = "59c4dba9fc8aae2a6a5f8f12f19bc1b0c2dc27355c7ca3123eed3fe6bd7d0b9d" +# These issues have kernel fixes rather than bluez fixes so exclude here +CVE_CHECK_WHITELIST += "CVE-2020-12352 CVE-2020-24490" + # noinst programs in Makefile.tools that are conditional on READLINE # support NOINST_TOOLS_READLINE ?= " \ diff --git a/poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb b/poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb index 6a49cf71cc..c6de519884 100644 --- a/poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb +++ b/poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb @@ -27,10 +27,16 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar " SRC_URI[sha256sum] = "f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25" +# This CVE is specific to OpenSSH with the pam opie which we don't build/use here +CVE_CHECK_WHITELIST += "CVE-2007-2768" + # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded CVE_CHECK_WHITELIST += "CVE-2014-9278" +# CVE only applies to some distributed RHEL binaries +CVE_CHECK_WHITELIST += "CVE-2008-3844" + PAM_SRC_URI = "file://sshd" inherit manpages useradd update-rc.d update-alternatives systemd diff --git a/poky/meta/recipes-core/coreutils/coreutils_8.32.bb b/poky/meta/recipes-core/coreutils/coreutils_8.32.bb index c1962ccb90..f3fe31fd3b 100644 --- a/poky/meta/recipes-core/coreutils/coreutils_8.32.bb +++ b/poky/meta/recipes-core/coreutils/coreutils_8.32.bb 
@@ -26,6 +26,10 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \ SRC_URI[md5sum] = "022042695b7d5bcf1a93559a9735e668" SRC_URI[sha256sum] = "4458d8de7849df44ccab15e16b1548b285224dbba5f08fac070c1c0e0bcc4cfa" +# http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842 +# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue. +CVE_CHECK_WHITELIST += "CVE-2016-2781" + EXTRA_OECONF_class-native = "--without-gmp" EXTRA_OECONF_class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}" EXTRA_OECONF_class-nativesdk = "--enable-install-program=arch,hostname" diff --git a/poky/meta/recipes-core/glibc/glibc/check-test-wrapper b/poky/meta/recipes-core/glibc/glibc/check-test-wrapper index f8e04e02d2..6ec9b9b29e 100644 --- a/poky/meta/recipes-core/glibc/glibc/check-test-wrapper +++ b/poky/meta/recipes-core/glibc/glibc/check-test-wrapper @@ -2,6 +2,7 @@ import sys import os import subprocess +import resource env = os.environ.copy() args = sys.argv[1:] @@ -44,6 +45,14 @@ if targettype == "user": qemuargs += ["-L", sysroot] qemuargs += ["-E", "LD_LIBRARY_PATH={}".format(":".join(libpaths))] command = qemuargs + args + + # We've seen qemu-arm using up all system memory for some glibc + # tests e.g. nptl/tst-pthread-timedlock-lockloop + # Cap at 8GB since no test should need more than that + # (5GB adds 7 failures for qemuarm glibc test run) + limit = 8*1024*1024*1024 + resource.setrlimit(resource.RLIMIT_AS, (limit, limit)) + elif targettype == "ssh": host = os.environ.get("SSH_HOST", None) user = os.environ.get("SSH_HOST_USER", None) diff --git a/poky/meta/recipes-core/glibc/glibc_2.33.bb b/poky/meta/recipes-core/glibc/glibc_2.33.bb index 5e0baa53e8..75a1f36d6b 100644 --- a/poky/meta/recipes-core/glibc/glibc_2.33.bb +++ b/poky/meta/recipes-core/glibc/glibc_2.33.bb 
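Review bot: `resource.setrlimit(resource.RLIMIT_AS, (limit, limit))` in the check-test-wrapper hunk raises `ValueError` when the wrapper already runs under a hard RLIMIT_AS below 8 GB (an unprivileged process cannot raise its hard limit), which would turn the whole user-mode test run into a wrapper crash instead of a capped qemu. Clamp to the inherited hard limit first: `_, hard = resource.getrlimit(resource.RLIMIT_AS)` / `limit = limit if hard == resource.RLIM_INFINITY else min(limit, hard)` / `resource.setrlimit(resource.RLIMIT_AS, (limit, limit))`. The limit is applied to the wrapper process itself and presumably reaches qemu because rlimits are inherited by the child it later spawns; a comment saying so would help since the spawn is not in the hunk. The `if targettype == "user":` branch continues outside the hunk.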
@@ -3,6 +3,19 @@ require glibc-version.inc CVE_CHECK_WHITELIST += "CVE-2020-10029" +# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022 +# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023 +# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024 +# Upstream glibc maintainers dispute there is any issue and have no plans to address it further. +# "this is being treated as a non-security bug and no real threat." +CVE_CHECK_WHITELIST += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024" + +# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025 +# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow +# easier access for another. "ASLR bypass itself is not a vulnerability." +# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853 +CVE_CHECK_WHITELIST += "CVE-2019-1010025" + DEPENDS += "gperf-native bison-native make-native" NATIVESDKFIXES ?= "" diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch new file mode 100644 index 0000000000..287a171924 --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch 
@@ -0,0 +1,36 @@ +From b76718876953e11bbd73dc6c9457323fd5aeda2e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Wed, 21 Apr 2021 13:23:27 +0200 +Subject: [PATCH 2/3] Fix use-after-free with `xmllint --html --push` + +Call htmlCtxtUseOptions to make sure that names aren't stored in +dictionaries. + +Note that this issue only affects xmllint using the HTML push parser. + +Fixes #230. + +CVE: CVE-2021-3516 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539] + +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> +--- + xmllint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmllint.c b/xmllint.c +index c0712674..ba66676b 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -2204,7 +2204,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) { + if (res > 0) { + ctxt = htmlCreatePushParserCtxt(NULL, NULL, + chars, res, filename, XML_CHAR_ENCODING_NONE); +- xmlCtxtUseOptions(ctxt, options); ++ htmlCtxtUseOptions(ctxt, options); + while ((res = fread(chars, 1, pushsize, f)) > 0) { + htmlParseChunk(ctxt, chars, res, 0); + } +-- +2.25.1 + diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch new file mode 100644 index 0000000000..b6204f655a --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch 
@@ -0,0 +1,54 @@ +From df3de1376585f7a273d70023f92a530395957324 Mon Sep 17 00:00:00 2001 +From: Joel Hockey <joel.hockey@gmail.com> +Date: Sun, 16 Aug 2020 17:19:35 -0700 +Subject: [PATCH 1/3] Validate UTF8 in xmlEncodeEntities + +Code is currently assuming UTF-8 without validating. Truncated UTF-8 +input can cause out-of-bounds array access. + +Adds further checks to partial fix in 50f06b3e. + +Fixes #178 + +CVE: CVE-2021-3517 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2] + +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> +--- + entities.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/entities.c b/entities.c +index d575e9d1..7cdbc4de 100644 +--- a/entities.c ++++ b/entities.c +@@ -666,11 +666,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) { + } else { + /* + * We assume we have UTF-8 input. ++ * It must match either: ++ * 110xxxxx 10xxxxxx ++ * 1110xxxx 10xxxxxx 10xxxxxx ++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx ++ * That is: ++ * cur[0] is 11xxxxxx ++ * cur[1] is 10xxxxxx ++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx ++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx ++ * cur[0] is not 11111xxx + */ + char buf[11], *ptr; + int val = 0, l = 1; + +- if (*cur < 0xC0) { ++ if (((cur[0] & 0xC0) != 0xC0) || ++ ((cur[1] & 0xC0) != 0x80) || ++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) || ++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) || ++ (((cur[0] & 0xF8) == 0xF8))) { + xmlEntitiesErr(XML_CHECK_NOT_UTF8, + "xmlEncodeEntities: input not UTF-8"); + if (doc != NULL) +-- +2.25.1 + diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch new file mode 100644 index 0000000000..defbe7867b --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch 
@@ -0,0 +1,49 @@ +From 5ae9c39401f679648301efa6d2d35e09cc376462 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sat, 1 May 2021 16:53:33 +0200 +Subject: [PATCH 3/3] Propagate error in xmlParseElementChildrenContentDeclPriv + +Check return value of recursive calls to +xmlParseElementChildrenContentDeclPriv and return immediately in case +of errors. Otherwise, struct xmlElementContent could contain unexpected +null pointers, leading to a null deref when post-validating documents +which aren't well-formed and parsed in recovery mode. + +Fixes #243. + +CVE: CVE-2021-3537 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61] + +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> +--- + parser.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/parser.c b/parser.c +index a34bb6cd..bbcff39f 100644 +--- a/parser.c ++++ b/parser.c +@@ -6195,6 +6195,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, + SKIP_BLANKS; + cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, + depth + 1); ++ if (cur == NULL) ++ return(NULL); + SKIP_BLANKS; + GROW; + } else { +@@ -6328,6 +6330,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, + SKIP_BLANKS; + last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, + depth + 1); ++ if (last == NULL) { ++ if (ret != NULL) ++ xmlFreeDocElementContent(ctxt->myDoc, ret); ++ return(NULL); ++ } + SKIP_BLANKS; + } else { + elem = xmlParseName(ctxt); +-- +2.25.1 + diff --git a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb index 07ae68610c..b850164285 100644 --- a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb 
@@ -24,6 +24,9 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
 file://CVE-2019-20388.patch \
 file://CVE-2020-24977.patch \
 file://fix-python39.patch \
+ file://CVE-2021-3517.patch \
+ file://CVE-2021-3516.patch \
+ file://CVE-2021-3537.patch \
 "
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
diff --git a/poky/meta/recipes-devtools/ccache/ccache/0001-CMake-make-build-of-documentation-optional-842.patch b/poky/meta/recipes-devtools/ccache/ccache/0001-CMake-make-build-of-documentation-optional-842.patch
new file mode 100644
index 0000000000..9f6bb1780b
--- /dev/null
+++ b/poky/meta/recipes-devtools/ccache/ccache/0001-CMake-make-build-of-documentation-optional-842.patch
@@ -0,0 +1,36 @@
+From 857d74f2c5fff79589e9b35cd405bf8ffffafb54 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Mon, 3 May 2021 18:44:53 +0200
+Subject: [PATCH] CMake: make build of documentation optional (#842)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+So we don't need to support corner cases as for example one fixed in
+commit f6202db308e3 ("doc/MANUAL.adoc: Don't use non-ASCII quotes
+(#761)") when the documentation is actually not needed at all as ccache
+is used as a build tool only.
+
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+Upstream-Status: Backport [b96ca763c453a602b5516b4b9ca5e2829528e318]
+Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
+---
+ CMakeLists.txt | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 40e21a57..151cc5f7 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -131,7 +131,10 @@ target_link_libraries(ccache PRIVATE standard_settings standard_warnings ccache_
+ #
+ # Documentation
+ #
+-add_subdirectory(doc)
++option(ENABLE_DOCUMENTATION "Enable documentation" ON)
++if(ENABLE_DOCUMENTATION)
++ add_subdirectory(doc)
++endif()
+
+ #
+ # Installation
diff --git a/poky/meta/recipes-devtools/ccache/ccache_4.2.bb b/poky/meta/recipes-devtools/ccache/ccache_4.2.bb
index 9957bc7e65..b76bf043f0 100644
--- a/poky/meta/recipes-devtools/ccache/ccache_4.2.bb
+++ b/poky/meta/recipes-devtools/ccache/ccache_4.2.bb
@@ -12,10 +12,14 @@ LIC_FILES_CHKSUM = "file://LICENSE.adoc;md5=28afb89f649f309e7ac1aab554564637"
 DEPENDS = "zstd"
 SRC_URI = "https://github.com/ccache/ccache/releases/download/v${PV}/${BP}.tar.gz"
+SRC_URI += "file://0001-CMake-make-build-of-documentation-optional-842.patch"
+
 SRC_URI[sha256sum] = "dbf139ff32031b54cb47f2d7983269f328df14b5a427882f89f7721e5c411b7e"
 UPSTREAM_CHECK_URI = "https://github.com/ccache/ccache/releases/"
+PACKAGECONFIG[docs] = "-DENABLE_DOCUMENTATION=ON,-DENABLE_DOCUMENTATION=OFF,asciidoc"
+
 inherit cmake
 PATCHTOOL = "patch"
diff --git a/poky/meta/recipes-devtools/jquery/jquery_3.6.0.bb b/poky/meta/recipes-devtools/jquery/jquery_3.6.0.bb
index 65905966c1..03792730fd 100644
--- a/poky/meta/recipes-devtools/jquery/jquery_3.6.0.bb
+++ b/poky/meta/recipes-devtools/jquery/jquery_3.6.0.bb
@@ -19,6 +19,11 @@ SRC_URI[map.sha256sum] = "399548fb0e7b146c12f5ba18099a47d594a970fee96212eee0ab48
 UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
+# https://github.com/jquery/jquery/issues/3927
+# There are ways jquery can expose security issues but any issues are in the apps exposing them
+# and there is little we can directly do
+CVE_CHECK_WHITELIST += "CVE-2007-2379"
+
 inherit allarch
 do_install() {
diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc
index 8b8cecd7a0..fbda0c9174 100644
--- a/poky/meta/recipes-devtools/qemu/qemu.inc
+++ b/poky/meta/recipes-devtools/qemu/qemu.inc
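Review bot: `PACKAGECONFIG[docs]` is added without a visible default, so unless PACKAGECONFIG is set elsewhere in the recipe the disable branch (`-DENABLE_DOCUMENTATION=OFF`) now applies and the documentation the `doc` subdirectory used to build is silently dropped from the package; any PACKAGECONFIG default for this recipe is outside the hunk. A comment above the option would make the trade-off explicit, e.g. `# Documentation is not built unless "docs" is in PACKAGECONFIG (pulls asciidoc into DEPENDS)`.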
@@ -65,6 +65,17 @@ SRC_URI[sha256sum] = "cb18d889b628fbe637672b0326789d9b0e3b8027e0445b936537c78549
 SRC_URI_append_class-target = " file://cross.patch"
 SRC_URI_append_class-nativesdk = " file://cross.patch"
+# Applies against virglrender < 0.6.0 and not qemu itself
+CVE_CHECK_WHITELIST += "CVE-2017-5957"
+
+# The VNC server can expose host files uder some circumstances. We don't
+# enable it by default.
+CVE_CHECK_WHITELIST += "CVE-2007-0998"
+
+# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
+# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
+CVE_CHECK_WHITELIST += "CVE-2018-18438"
+
 COMPATIBLE_HOST_mipsarchn32 = "null"
 COMPATIBLE_HOST_mipsarchn64 = "null"
diff --git a/poky/meta/recipes-extended/cpio/cpio_2.13.bb b/poky/meta/recipes-extended/cpio/cpio_2.13.bb
index 94d86100c7..f4df826ed9 100644
--- a/poky/meta/recipes-extended/cpio/cpio_2.13.bb
+++ b/poky/meta/recipes-extended/cpio/cpio_2.13.bb
@@ -16,6 +16,9 @@ SRC_URI[sha256sum] = "e87470d9c984317f658567c03bfefb6b0c829ff17dbf6b0de48d71a4c8
 inherit autotools gettext texinfo
+# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
+CVE_CHECK_WHITELIST += "CVE-2010-4226"
+
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
 do_install () {
diff --git a/poky/meta/recipes-extended/cups/cups.inc b/poky/meta/recipes-extended/cups/cups.inc
index 244c87001f..beee614828 100644
--- a/poky/meta/recipes-extended/cups/cups.inc
+++ b/poky/meta/recipes-extended/cups/cups.inc
@@ -127,3 +127,7 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
 cups_sysroot_preprocess () {
 sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
 }
+
+# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is
+# root:root, so this doesn't apply.
+CVE_CHECK_WHITELIST += "CVE-2021-25317"
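Review bot: The CVE-2007-0998 whitelist entry in qemu.inc is unconditional although its stated justification is only that the VNC server is not enabled by default, so a downstream that does turn VNC on would have the CVE silenced for a configuration the reasoning does not cover. If a PACKAGECONFIG flag governs VNC, gating the entry on it keeps cve-check honest, e.g. `CVE_CHECK_WHITELIST += "${@bb.utils.contains('PACKAGECONFIG', '<vnc-flag>', '', 'CVE-2007-0998', d)}"` with the real flag name substituted; which flag that is, if any, is not visible in this hunk. The same comment also has a typo, `uder` should read `under`.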
\ No newline at end of file
diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb b/poky/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
index cbf60c8c85..35826c2549 100644
--- a/poky/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
+++ b/poky/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
@@ -19,6 +19,10 @@ DEPENDS_class-native = "libpng-native"
 UPSTREAM_CHECK_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
+# As of ghostscript 9.54.0 the jpeg issue in the CVE is present in the gs jpeg sources
+# however we use an external jpeg which doesn't have the issue.
+CVE_CHECK_WHITELIST += "CVE-2013-6629"
+
 def gs_verdir(v):
 return "".join(v.split("."))
diff --git a/poky/meta/recipes-extended/logrotate/logrotate_3.18.0.bb b/poky/meta/recipes-extended/logrotate/logrotate_3.18.0.bb
index 55684ac9fb..c2115e7142 100644
--- a/poky/meta/recipes-extended/logrotate/logrotate_3.18.0.bb
+++ b/poky/meta/recipes-extended/logrotate/logrotate_3.18.0.bb
@@ -21,6 +21,9 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz
 SRC_URI[sha256sum] = "841f81bf09d0014e4a2e11af166bb33fcd8429cc0c2d4a7d3d9ceb3858cfccc5"
+# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
+CVE_CHECK_WHITELIST += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 PACKAGECONFIG[acl] = ",,acl"
diff --git a/poky/meta/recipes-extended/unzip/unzip_6.0.bb b/poky/meta/recipes-extended/unzip/unzip_6.0.bb
index 0c56a39d92..af5530ab38 100644
--- a/poky/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/poky/meta/recipes-extended/unzip/unzip_6.0.bb
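Review bot: The new `CVE_CHECK_WHITELIST += "CVE-2021-25317"` line in cups.inc ends the file without a trailing newline (`\ No newline at end of file`), which every other recipe touched in this commit avoids; the next append to cups.inc will show this line as modified and some tools treat an unterminated last line specially. Terminate the line with a newline. The justification also rests on the `/var/log/cups` ownership set elsewhere in the recipe, outside this hunk, so naming the task or line that sets `root:root` in the comment would let a future reader re-check the whitelist when that changes.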
@@ -32,6 +32,9 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
+# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
+CVE_CHECK_WHITELIST += "CVE-2008-0888"
+
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
diff --git a/poky/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb b/poky/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb
index 1ff4b2e15f..bbbd72193e 100644
--- a/poky/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb
+++ b/poky/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb
@@ -30,3 +30,6 @@ PROVIDES += "libnotify3"
 RPROVIDES_${PN} += "libnotify3"
 RCONFLICTS_${PN} += "libnotify3"
 RREPLACES_${PN} += "libnotify3"
+
+# -7381 is specific to the NodeJS bindings
+CVE_CHECK_WHITELIST += "CVE-2013-7381"
diff --git a/poky/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb b/poky/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb
index acdbc1f1b3..59de80a691 100644
--- a/poky/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb
+++ b/poky/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb
@@ -25,6 +25,9 @@ SRC_URI += "file://gtk-option.patch \
 SRC_URI[archive.sha256sum] = "f7628905f1cada84e87e2b14883ed57d8094dca3281d5bcb24ece4279e9a92ba"
+# Issue only on windows
+CVE_CHECK_WHITELIST += "CVE-2018-1000041"
+
 CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
 PACKAGECONFIG ??= "gdkpixbuf"
diff --git a/poky/meta/recipes-graphics/builder/builder_0.1.bb b/poky/meta/recipes-graphics/builder/builder_0.1.bb
index 0a64c31ab3..9d5cd8cde6 100644
--- a/poky/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/poky/meta/recipes-graphics/builder/builder_0.1.bb
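Review bot: The unzip whitelist comment states that the Red Hat bugzilla patch is applied to the 6.0 source, but this hunk adds nothing to SRC_URI, so the claim cannot be checked from the change itself; the recipe's SRC_URI patch list is outside the hunk. If the fix is already carried as a patch file there, name it in the comment, e.g. `# Fixed by <patch-file-name> (patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff)`, so the whitelist can be audited against the patch list rather than taken on trust; the `CVE:` tag in that patch header would also let cve-check record it as patched instead of whitelisted.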
@@ -29,3 +29,5 @@ do_install () {
 chown builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
 }
+# -4178 is an unrelated 'builder'
+CVE_CHECK_WHITELIST = "CVE-2008-4178"
diff --git a/poky/meta/recipes-multimedia/libtiff/tiff_4.2.0.bb b/poky/meta/recipes-multimedia/libtiff/tiff_4.2.0.bb
index ea8580a25e..6ca01af2fa 100644
--- a/poky/meta/recipes-multimedia/libtiff/tiff_4.2.0.bb
+++ b/poky/meta/recipes-multimedia/libtiff/tiff_4.2.0.bb
@@ -15,6 +15,10 @@ SRC_URI[sha256sum] = "eb0484e568ead8fa23b513e9b0041df7e327f4ee2d22db5a533929dfc1
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
+# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
+# and 4.3.0 doesn't have the issue
+CVE_CHECK_WHITELIST += "CVE-2015-7313"
+
 inherit autotools multilib_header
 CACHED_CONFIGUREVARS = "ax_cv_check_gl_libgl=no" |
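Review bot: `CVE_CHECK_WHITELIST = "CVE-2008-4178"` in builder_0.1.bb uses plain assignment where every other recipe in this commit uses `+=`, so any whitelist entries set globally (distro configuration or a bbappend parsed earlier) are discarded for this recipe instead of extended. Change it to `CVE_CHECK_WHITELIST += "CVE-2008-4178"` to match the other hunks.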
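Review bot: The tiff whitelist comment justifies CVE-2015-7313 by saying 4.3.0 does not have the issue, but this recipe is tiff_4.2.0.bb, so the comment does not actually state that the version being built is unaffected. Either record the result of the Debian tracker check against the 4.2.0 source, or say that the test was run on 4.3.0 and why it carries over to 4.2.0, e.g. `# and neither 4.2.0 (this recipe) nor 4.3.0 has the issue`; as written, a later version bump would carry the whitelist forward with no way to tell whether it was ever checked against 4.2.0.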