author: Patrick Williams <patrick@stwcx.xyz> 2021-07-13 20:29:41 +0300
committer: Patrick Williams <patrick@stwcx.xyz> 2021-07-13 20:36:25 +0300
commit: bcc346ef66ded507480d46242dc88c4e73ca2aa7 (patch)
tree: 6a0019a842ca6fa02e0fab5fb928b9504276e58a
parent: e849b5038b885b344296b7c8ba379e340f309935 (diff)
download: openbmc-bcc346ef66ded507480d46242dc88c4e73ca2aa7.tar.xz
subtree updates

meta-security: c6b1eec0e5..5050d1267a:
  Armin Kuster (1):
      tpm-tools: fix build issue

poky: fd33741e27..da0ce760c5:
  Alejandro Hernandez Samaniego (1):
      baremetal-image: Fix post process command rootfs_update_timestamp

  Alexander Kanavin (3):
      bind: upgrade 9.16.12 -> 9.16.13
      devtool upgrade: rebase override-only patches as well
      libgcrypt: upgrade 1.9.2 -> 1.9.3

  Andrea Adami (1):
      kernel.bbclass: fix do_sizecheck() comparison

  Anuj Mittal (1):
      curl: fix build when proxy is not enabled in PACKAGECONFIG

  Bruce Ashfield (25):
      linux-yocto/5.10: update to v5.10.35
      linux-yocto/5.4: update to v5.4.117
      linux-yocto/5.10: ktypes/standard: disable obsolete crypto options by default
      linux-yocto/5.10: update to v5.10.36
      linux-yocto/5.4: update to v5.4.118
      linux-yocto/5.10: update to v5.10.37
      linux-yocto/5.4: update to v5.4.119
      linux-yocto/5.10: update to v5.10.38
      linux-yocto/5.4: update to v5.4.120
      linux-yocto/5.10: update to v5.10.41
      linux-yocto/5.4: update to v5.4.123
      linux-yocto/5.4: update to v5.4.124
      linux-yocto/5.4: update to v5.4.125
      linux-yocto/5.10: update to v5.10.42
      linux-yocto/5.10: update to v5.10.43
      linux-yocto/5.10: cgroup1: fix leaked context root causing sporadic NULL deref in LTP
      linux-yocto/5.10: update to v5.10.46
      linux-yocto/5.10: features/nft_tables: refresh config options
      linux-yocto/5.4: update to v5.4.128
      linux-yocto/5.10: rcu: Fix stall-warning deadlock due to non-release of rcu_node ->lock
      kern-tools: add dropped options to audit output
      kern-tools: Kconfiglib: add support for bare 'modules' keyword
      kernel-devsrc: adjust NM and OBJTOOL variables for target
      lttng-modules: update to v2.12.6
      bsps/5.10: update to v5.10.43

  Changqing Li (1):
      pkgconfig: update SRC_URI

  Daniel McGregor (2):
      sstate: Ignore sstate signing key
      lib/oe/gpg_sign.py: Fix gpg verification

  Guillaume Champagne (1):
      image-live.bbclass: order do_bootimg after do_rootfs

  Harald Brinkmann (1):
      bitbake: fetch/svn: Fix parsing revision of SVN repos with redirects

  Joshua Watt (1):
      classes/reproducible_build: Use atomic rename for SDE file

  Kai Kang (2):
      valgrind: fix a typo
      libx11: fix CVE-2021-31535

  Khem Raj (1):
      linuxloader: Be aware of riscv32 ldso

  Michael Ho (1):
      sstate.bbclass: fix errors about read-only sstate mirrors

  Ming Liu (1):
      uboot-sign.bbclass: fix some install commands

  Nikolay Papenkov (1):
      flex: correct license information

  Peter Kjellerstedt (2):
      util-linux.inc: Do not modify BPN
      native.bbclass: Do not remove "-native" in the middle of recipe names

  Richard Purdie (14):
      ltp: Disable problematic tests causing autobuilder hangs
      grub2: Add CVE whitelist entries for issues fixed in 2.06
      grub: Exclude CVE-2019-14865 from cve-check
      cve-extra-exclusions.inc: add exclusion list for intractable CVE's
      xinetd: Exclude CVE-2013-4342 from cve-check
      bind: upgrade 9.16.13 -> 9.16.15
      oeqa/runtime/rpm: Drop log message counting test component
      linux-firmware: upgrade 20210315 -> 20210511
      lttng-tools: upgrade 2.12.3 -> 2.12.4
      perf: Use python3targetconfig to ensure we use target libraries
      package_pkgdata: Avoid task hash mismatches for generic task changes
      selftest/fetch: Avoid occasional selftest failure from poor temp file name choice
      kernel: Fix interaction when packaging disabled
      kernel-devicetree: Fix interaction when packaging disabled

  Ross Burton (2):
      package_rpm: pass XZ_THREADS to rpm
      avahi: apply fix for CVE-2021-3468

  Sakib Sajal (1):
      qemu: Exclude CVE-2020-3550[4/5/6] from cve-check

  Scott Weaver (1):
      bitbake: fetch2: add check for empty SRC_URI hash string

  Stefan Ghinea (1):
      boost: fix do_fetch failure

  Steve Sakoman (1):
      expat: set CVE_PRODUCT

  Tony Tascioglu (5):
      libxml2: Fix CVE-2021-3518
      libxml2: Fix CVE-2021-3541
      valgrind: Improve non-deterministic ptest reliability
      valgrind: remove buggy ptest from arm64
      valgrind: Actually install list of non-deterministic ptests

  Trevor Gamblin (5):
      bind: upgrade 9.16.15 -> 9.16.16
      curl: fix CVE-2021-22890
      curl: fix CVE-2021-22876
      python3: upgrade 3.9.4 -> 3.9.5
      curl: cleanup CVE patches for hardknott

  Zqiang (1):
      ifupdown: Skip wrong test item

  jbouchard (1):
      Use the label provided when formating a dos partition

meta-openembedded: cf5bd6a830..c51e79dd85:
  Alexander Vickberg (1):
      hostapd: fix building with CONFIG_TLS=internal

  Andrea Adami (3):
      initramfs-kexecboot-image: support cases where machines override IMAGE_FSTYPES
      initramfs-debug-image: support cases where machines override IMAGE_FSTYPES
      rapidjson: remove stale LIB_INSTALL_DIR

  Andreas Müller (1):
      libgtop: tidy up recipe

  Andrej Kozemcak (1):
      squid: upgrade 4.14 -> 4.15

  Changqing Li (1):
      libgtop: fix do_compile error

  Chen Qi (1):
      minifi-cpp: set CLEANBROKEN to 1

  Geoff Parker (1):
      cifs-utils: set ROOTSBINDIR to /usr/sbin if DISTRO_FEATURES has usrmerge

  Khem Raj (3):
      opencv: Disable tbb on riscv/musl
      mongodb: Update to 4.4.6-rc0
      mongodb: Change PV to 4.4.6

  Leon Anavi (5):
      python3-cerberus: Upgrade 1.3.3 -> 1.3.4
      python3-robotframework: Upgrade 4.0.1 -> 4.0.2
      python3-rfc3339-validator: Upgrade 0.1.3 -> 0.1.4
      python3-pymongo: Upgrade 3.11.3 -> 3.11.4
      python3-django: Upgrade 3.2.3 -> 3.2.4

  Marek Vasut (1):
      nss: Fix build on Centos 7

  Olivier Georget (1):
      libpfm4 4.10.1 : enable arm64 host platform

  Ovidiu Panait (1):
      libeigen: update LICENSE information

  Peter Kjellerstedt (2):
      net-snmp: A little clean up
      net-snmp: Support building for native

  Saul Wold (2):
      opencv: remove tbb packageconfig for powerpc
      sysdig: disable building for ppc

  Sekine Shigeki (2):
      add CVE-2011-2411 to allowlist
      ntp: add CVE-2016-9312 to allowlist

  Stefan Ghinea (1):
      thunar: fix CVE-2021-32563

  Trevor Gamblin (5):
      python3-django: upgrade 2.2.20 -> 2.2.22
      python3-django: upgrade 3.2 -> 3.2.2
      python3-django: upgrade 2.2.22 -> 2.2.23
      python3-django: upgrade 3.2.2 -> 3.2.3
      python3-django: upgrade 2.2.23 -> 2.2.24

  Yi Zhao (1):
      minifi-cpp: set correct python processor directory in configure file

  ito-yuichi@fujitsu.com (2):
      cyrus-sasl: add CVE-2020-8032 to allowlist
      dovecot: add CVE-2016-4983 to allowlist

  wangmy (10):
      uftrace: Fix a plthook crash on aarch64 with binutils2.35.1 and later versions on aarch64
      exiv2: Fix CVE-2021-29457
      exiv2: Fix CVE-2021-29458
      exiv2: Fix CVE-2021-29463
      exiv2: Fix CVE-2021-3482
      exiv2: Fix CVE-2021-29464
      exiv2: Fix CVE-2021-29470
      exiv2: Fix CVE-2021-29473
      libsdl: Fix CVE-2019-13616
      trace-cmd: Conflict resolution

  zangrc (2):
      postgresql: upgrade 13.2 -> 13.3
      wireshark: upgrade 3.4.5 -> 3.4.6

  zhengruoqin (1):
      net-snmp: upgrade 5.9 -> 5.9.1

meta-raspberrypi: 11209a4981..064f5404ea:
  Andrei Gherzan (1):
      layer.conf: Define LAYERDEPENDS

  Martin Jansa (3):
      linux-raspberrypi: allow to change the yocto-kernel-cache branch with LINUX_RPI_KMETA_BRANCH
      linux-raspberrypi-dev: drop protocol=git and add LINUX_RPI_KMETA_BRANCH
      linux-raspberrypi-dev: use static SRCREV when not selected with PREFERRED_PROVIDER_virtual/kernel

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I1323b4d2f742e7c82b51f25cb74d2196167da023

-rw-r--r--meta-openembedded/meta-gnome/recipes-gnome/libgtop/libgtop/0001-fix-compile-error-for-cross-compile.patch37
-rw-r--r--meta-openembedded/meta-gnome/recipes-gnome/libgtop/libgtop_2.40.0.bb7
-rw-r--r--meta-openembedded/meta-initramfs/recipes-core/images/initramfs-debug-image.bb7
-rw-r--r--meta-openembedded/meta-initramfs/recipes-core/images/initramfs-kexecboot-image.bb8
-rw-r--r--meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb4
-rw-r--r--meta-openembedded/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb3
-rw-r--r--meta-openembedded/meta-networking/recipes-daemons/squid/files/0001-Fix-build-on-Fedora-Rawhide-772.patch25
-rw-r--r--meta-openembedded/meta-networking/recipes-daemons/squid/squid_4.15.bb (renamed from meta-openembedded/meta-networking/recipes-daemons/squid/squid_4.14.bb)2
-rw-r--r--meta-openembedded/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch19
-rw-r--r--meta-openembedded/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.1.bb (renamed from meta-openembedded/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.bb)53
-rw-r--r--meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb17
-rw-r--r--meta-openembedded/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb3
-rw-r--r--meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb3
-rw-r--r--meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.6.bb (renamed from meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.5.bb)2
-rw-r--r--meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb/0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch714
-rw-r--r--meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb7
-rw-r--r--meta-openembedded/meta-oe/licenses/MINPACK51
-rw-r--r--meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch45
-rw-r--r--meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb1
-rw-r--r--meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch2
-rw-r--r--meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_13.3.bb (renamed from meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_13.2.bb)2
-rw-r--r--meta-openembedded/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb2
-rw-r--r--meta-openembedded/meta-oe/recipes-devtools/uftrace/uftrace/0001-Fix-error-on-aarch64-with-binutils2.35.1.patch27
-rw-r--r--meta-openembedded/meta-oe/recipes-devtools/uftrace/uftrace/0001-aarch64-Fix-a-plthook-crash-on-aarch64-with-binutils.patch47
-rw-r--r--meta-openembedded/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb2
-rw-r--r--meta-openembedded/meta-oe/recipes-extended/minifi-cpp/minifi-cpp_0.7.0.bb5
-rw-r--r--meta-openembedded/meta-oe/recipes-extended/sysdig/sysdig_git.bb2
-rw-r--r--meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch27
-rw-r--r--meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb1
-rw-r--r--meta-openembedded/meta-oe/recipes-kernel/libpfm/libpfm4_4.10.1.bb3
-rw-r--r--meta-openembedded/meta-oe/recipes-kernel/trace-cmd/trace-cmd_2.9.1.bb2
-rw-r--r--meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch26
-rw-r--r--meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch37
-rw-r--r--meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch120
-rw-r--r--meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch72
-rw-r--r--meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch32
-rw-r--r--meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch21
-rw-r--r--meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch54
-rw-r--r--meta-openembedded/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb9
-rw-r--r--meta-openembedded/meta-oe/recipes-support/libeigen/libeigen_3.3.7.bb9
-rw-r--r--meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb2
-rw-r--r--meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.5.2.bb6
-rw-r--r--meta-openembedded/meta-python/recipes-devtools/python/python3-cerberus_1.3.4.bb (renamed from meta-openembedded/meta-python/recipes-devtools/python/python3-cerberus_1.3.3.bb)4
-rw-r--r--meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.20.bb9
-rw-r--r--meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.24.bb9
-rw-r--r--meta-openembedded/meta-python/recipes-devtools/python/python3-django_3.2.4.bb (renamed from meta-openembedded/meta-python/recipes-devtools/python/python3-django_3.2.bb)4
-rw-r--r--meta-openembedded/meta-python/recipes-devtools/python/python3-pymongo_3.11.4.bb (renamed from meta-openembedded/meta-python/recipes-devtools/python/python3-pymongo_3.11.3.bb)2
-rw-r--r--meta-openembedded/meta-python/recipes-devtools/python/python3-rfc3339-validator_0.1.4.bb (renamed from meta-openembedded/meta-python/recipes-devtools/python/python3-rfc3339-validator_0.1.3.bb)2
-rw-r--r--meta-openembedded/meta-python/recipes-devtools/python/python3-robotframework_4.0.2.bb (renamed from meta-openembedded/meta-python/recipes-devtools/python/python3-robotframework_4.0.1.bb)2
-rw-r--r--meta-openembedded/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch97
-rw-r--r--meta-openembedded/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch208
-rw-r--r--meta-openembedded/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb4
-rw-r--r--meta-raspberrypi/conf/layer.conf1
-rw-r--r--meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-dev.bb14
-rw-r--r--meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_5.10.bb3
-rw-r--r--meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_5.4.bb3
-rw-r--r--meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb12
-rw-r--r--poky/bitbake/lib/bb/fetch2/__init__.py5
-rw-r--r--poky/bitbake/lib/bb/fetch2/svn.py2
-rw-r--r--poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend16
-rw-r--r--poky/meta/classes/baremetal-image.bbclass4
-rw-r--r--poky/meta/classes/image-live.bbclass2
-rw-r--r--poky/meta/classes/kernel-devicetree.bbclass11
-rw-r--r--poky/meta/classes/kernel.bbclass4
-rw-r--r--poky/meta/classes/linuxloader.bbclass2
-rw-r--r--poky/meta/classes/native.bbclass8
-rw-r--r--poky/meta/classes/package_pkgdata.bbclass2
-rw-r--r--poky/meta/classes/package_rpm.bbclass4
-rw-r--r--poky/meta/classes/reproducible_build.bbclass13
-rw-r--r--poky/meta/classes/sstate.bbclass10
-rw-r--r--poky/meta/classes/uboot-sign.bbclass8
-rw-r--r--poky/meta/conf/distro/include/cve-extra-exclusions.inc45
-rw-r--r--poky/meta/lib/oe/gpg_sign.py2
-rw-r--r--poky/meta/lib/oeqa/runtime/cases/rpm.py9
-rw-r--r--poky/meta/lib/oeqa/selftest/cases/fetch.py27
-rw-r--r--poky/meta/recipes-bsp/grub/grub2.inc10
-rw-r--r--poky/meta/recipes-connectivity/avahi/avahi_0.8.bb1
-rw-r--r--poky/meta/recipes-connectivity/avahi/files/handle-hup.patch41
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/0001-avoid-start-failure-with-bind-user.patch (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-avoid-start-failure-with-bind-user.patch)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/0001-named-lwresd-V-and-start-log-hide-build-options.patch (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-named-lwresd-V-and-start-log-hide-build-options.patch)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/bind-ensure-searching-for-json-headers-searches-sysr.patch (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/bind-ensure-searching-for-json-headers-searches-sysr.patch)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/bind9 (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/bind9)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/conf.patch (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/conf.patch)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/generate-rndc-key.sh (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/generate-rndc-key.sh)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/init.d-add-support-for-read-only-rootfs.patch (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/init.d-add-support-for-read-only-rootfs.patch)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/make-etc-initd-bind-stop-work.patch (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/make-etc-initd-bind-stop-work.patch)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind-9.16.16/named.service (renamed from poky/meta/recipes-connectivity/bind/bind-9.16.12/named.service)0
-rw-r--r--poky/meta/recipes-connectivity/bind/bind_9.16.16.bb (renamed from poky/meta/recipes-connectivity/bind/bind_9.16.12.bb)2
-rw-r--r--poky/meta/recipes-core/expat/expat_2.2.10.bb2
-rw-r--r--poky/meta/recipes-core/ifupdown/files/0001-ifupdown-skip-wrong-test-case.patch32
-rw-r--r--poky/meta/recipes-core/ifupdown/files/tweak-ptest-script.patch15
-rw-r--r--poky/meta/recipes-core/ifupdown/ifupdown_0.8.36.bb1
-rw-r--r--poky/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch216
-rw-r--r--poky/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch45
-rw-r--r--poky/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch73
-rw-r--r--poky/meta/recipes-core/libxml/libxml2_2.9.10.bb3
-rw-r--r--poky/meta/recipes-core/util-linux/util-linux.inc3
-rw-r--r--poky/meta/recipes-devtools/flex/flex_2.6.4.bb6
-rw-r--r--poky/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb2
-rw-r--r--poky/meta/recipes-devtools/python/python3_3.9.5.bb (renamed from poky/meta/recipes-devtools/python/python3_3.9.4.bb)2
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu.inc9
-rw-r--r--poky/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch641
-rwxr-xr-xpoky/meta/recipes-devtools/valgrind/valgrind/run-ptest14
-rw-r--r--poky/meta/recipes-devtools/valgrind/valgrind/taskset_nondeterministic_tests2
-rw-r--r--poky/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb4
-rw-r--r--poky/meta/recipes-extended/ltp/ltp/disable_hanging_tests.patch45
-rw-r--r--poky/meta/recipes-extended/ltp/ltp_20210121.bb1
-rw-r--r--poky/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb3
-rw-r--r--poky/meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch320
-rw-r--r--poky/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb5
-rw-r--r--poky/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb2
-rw-r--r--poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb (renamed from poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210315.bb)4
-rw-r--r--poky/meta/recipes-kernel/linux/kernel-devsrc.bb2
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb6
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb6
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb8
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb8
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb24
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb22
-rw-r--r--poky/meta/recipes-kernel/lttng/lttng-modules/0001-Fix-memory-leaks-on-event-destroy.patch58
-rw-r--r--poky/meta/recipes-kernel/lttng/lttng-modules/0002-Fix-filter-interpreter-early-exits-on-uninitialized-.patch159
-rw-r--r--poky/meta/recipes-kernel/lttng/lttng-modules/0003-fix-mm-tracing-record-slab-name-for-kmem_cache_free-.patch91
-rw-r--r--poky/meta/recipes-kernel/lttng/lttng-modules/0004-Fix-kretprobe-null-ptr-deref-on-session-destroy.patch41
-rw-r--r--poky/meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch305
-rw-r--r--poky/meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch48
-rw-r--r--poky/meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch71
-rw-r--r--poky/meta/recipes-kernel/lttng/lttng-modules_2.12.6.bb (renamed from poky/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb)9
-rw-r--r--poky/meta/recipes-kernel/lttng/lttng-tools_2.12.4.bb (renamed from poky/meta/recipes-kernel/lttng/lttng-tools_2.12.3.bb)9
-rw-r--r--poky/meta/recipes-kernel/perf/perf.bb2
-rw-r--r--poky/meta/recipes-support/boost/boost-1.75.0.inc2
-rw-r--r--poky/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch517
-rw-r--r--poky/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch155
-rw-r--r--poky/meta/recipes-support/curl/curl/vtls-fix-addsessionid.patch31
-rw-r--r--poky/meta/recipes-support/curl/curl/vtls-fix-warning.patch40
-rw-r--r--poky/meta/recipes-support/curl/curl_7.75.0.bb4
-rw-r--r--poky/meta/recipes-support/libgcrypt/libgcrypt_1.9.3.bb (renamed from poky/meta/recipes-support/libgcrypt/libgcrypt_1.9.2.bb)4
-rw-r--r--poky/scripts/lib/devtool/upgrade.py29
-rw-r--r--poky/scripts/lib/wic/plugins/source/bootimg-pcbios.py6
138 files changed, 2822 insertions, 1765 deletions
diff --git a/meta-openembedded/meta-gnome/recipes-gnome/libgtop/libgtop/0001-fix-compile-error-for-cross-compile.patch b/meta-openembedded/meta-gnome/recipes-gnome/libgtop/libgtop/0001-fix-compile-error-for-cross-compile.patch
new file mode 100644
index 0000000000..1bd6e101b5
--- /dev/null
+++ b/meta-openembedded/meta-gnome/recipes-gnome/libgtop/libgtop/0001-fix-compile-error-for-cross-compile.patch
@@ -0,0 +1,37 @@
+From e865a93000913b4597607289356114cd159f4e28 Mon Sep 17 00:00:00 2001
+From: Your Name <you@example.com>
+Date: Fri, 21 May 2021 03:02:29 +0000
+Subject: [PATCH] fix compile error for cross compile
+
+On some distros, such as fedora32, cross compile failed with following
+error since host library is used. undefined reference to
+`stat64@GLIBC_2.33'
+
+According doc of ld, set searchdir begins with "=", but not hardcoded
+locations.
+
+Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/libgtop/-/merge_requests/26]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 472f44b..ed6a4d7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -270,8 +270,8 @@ AC_ARG_ENABLE(fatal-warnings,
+ [Define to enable fatal warnings]))
+
+ dnl These definitions are expanded in make.
+-LIBGTOP_LIBS='-L$(libdir)'
+-LIBGTOP_INCS='-I$(includedir)/libgtop-2.0'
++LIBGTOP_LIBS='-L=$(libdir)'
++LIBGTOP_INCS='-I=$(includedir)/libgtop-2.0'
+
+ if test x$libgtop_have_sysinfo = xyes ; then
+ LIBGTOP_INCS="$LIBGTOP_INCS -DHAVE_LIBGTOP_SYSINFO"
+--
+2.26.2
+
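Review bot: The `From:` header of the added patch file reads `Your Name <you@example.com>`, a placeholder identity, while the Signed-off-by names Changqing Li. For a patch carried in a recipe that header is the provenance record, so it should name the real author before this is merged. The description also cites only the ld documentation for the `=` prefix, but the same prefix is applied to the `-I` include path in `LIBGTOP_INCS`, which is handled by the compiler rather than ld; say in the description that both rely on the sysroot-relative form.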
diff --git a/meta-openembedded/meta-gnome/recipes-gnome/libgtop/libgtop_2.40.0.bb b/meta-openembedded/meta-gnome/recipes-gnome/libgtop/libgtop_2.40.0.bb
index f0c9cdb0e2..6d9398f4e4 100644
--- a/meta-openembedded/meta-gnome/recipes-gnome/libgtop/libgtop_2.40.0.bb
+++ b/meta-openembedded/meta-gnome/recipes-gnome/libgtop/libgtop_2.40.0.bb
@@ -1,4 +1,4 @@
-SUMMARY = "LibGTop2"
+SUMMARY = "A library for collecting system monitoring data"
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552"
@@ -8,9 +8,8 @@ inherit gnomebase lib_package gtk-doc gobject-introspection gettext upstream-ver
inherit features_check
REQUIRED_DISTRO_FEATURES = "x11"
-SRC_URI[archive.md5sum] = "c6d67325cd97b2208b41e07e6cc7b947"
+SRC_URI += "file://0001-fix-compile-error-for-cross-compile.patch"
+
SRC_URI[archive.sha256sum] = "78f3274c0c79c434c03655c1b35edf7b95ec0421430897fb1345a98a265ed2d4"
DEPENDS = "glib-2.0 libxau"
-
-EXTRA_OEMAKE += "LIBGTOP_LIBS="
diff --git a/meta-openembedded/meta-initramfs/recipes-core/images/initramfs-debug-image.bb b/meta-openembedded/meta-initramfs/recipes-core/images/initramfs-debug-image.bb
index c3dcd2b821..601056b7e5 100644
--- a/meta-openembedded/meta-initramfs/recipes-core/images/initramfs-debug-image.bb
+++ b/meta-openembedded/meta-initramfs/recipes-core/images/initramfs-debug-image.bb
@@ -11,7 +11,12 @@ IMAGE_FEATURES = ""
export IMAGE_BASENAME = "initramfs-debug-image"
IMAGE_LINGUAS = ""
-IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
+# Some BSPs use IMAGE_FSTYPES_<machine override> which would override
+# an assignment to IMAGE_FSTYPES so we need anon python
+python () {
+ d.setVar("IMAGE_FSTYPES", d.getVar("INITRAMFS_FSTYPES"))
+}
+
inherit core-image
IMAGE_ROOTFS_SIZE = "8192"
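Review bot: In the added anonymous python block, `d.setVar("IMAGE_FSTYPES", d.getVar("INITRAMFS_FSTYPES"))` stores whatever `getVar` returns, and `getVar` returns None for an unset variable, so a configuration that leaves INITRAMFS_FSTYPES undefined would silently clear IMAGE_FSTYPES instead of failing with a clear message. Guard the call or raise a parse-time error when the value is empty. The comment should also state that this deliberately wins over every IMAGE_FSTYPES override, including one a user set on purpose.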
diff --git a/meta-openembedded/meta-initramfs/recipes-core/images/initramfs-kexecboot-image.bb b/meta-openembedded/meta-initramfs/recipes-core/images/initramfs-kexecboot-image.bb
index 9a686f366f..dd082ba529 100644
--- a/meta-openembedded/meta-initramfs/recipes-core/images/initramfs-kexecboot-image.bb
+++ b/meta-openembedded/meta-initramfs/recipes-core/images/initramfs-kexecboot-image.bb
@@ -1,9 +1,13 @@
SUMMARY = "Initramfs image for kexecboot kernel"
DESCRIPTION = "This image provides kexecboot (linux as bootloader) and helpers."
-inherit image
+# Some BSPs use IMAGE_FSTYPES_<machine override> which would override
+# an assignment to IMAGE_FSTYPES so we need anon python
+python () {
+ d.setVar("IMAGE_FSTYPES", d.getVar("INITRAMFS_FSTYPES"))
+}
-IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
+inherit image
# avoid circular dependencies
EXTRA_IMAGEDEPENDS = ""
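Review bot: `inherit image` is moved below the new anonymous python block here, while the identical block in initramfs-debug-image.bb sits above an untouched `inherit core-image`; the reorder is not explained and the comment does not say whether it is needed. If the ordering matters, say so in the comment; if not, leave the `inherit` line where it was to keep the diff minimal. Both recipes now carry the same five added lines, which would be easier to keep in sync in a shared include.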
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb b/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
index 166bf57279..018c748390 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
@@ -44,6 +44,10 @@ SRC_URI[sha256sum] = "7dcfc2aaaac565b959068788e6a43fc79ce2a03e7d523f5843f7a9fddf
UPSTREAM_CHECK_REGEX = "samba\-(?P<pver>4\.10(\.\d+)+).tar.gz"
inherit systemd waf-samba cpan-base perlnative update-rc.d
+
+# CVE-2011-2411 is valnerble only on HP NonStop Servers.
+CVE_CHECK_WHITELIST += "CVE-2011-2411"
+
# remove default added RDEPENDS on perl
RDEPENDS_${PN}_remove = "perl"
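Review bot: The justification comment above the new `CVE_CHECK_WHITELIST` entry has a typo ("valnerble" should be "vulnerable"), and that comment is the only record of why cve-check stops reporting CVE-2011-2411 for this recipe. Fix the spelling and add a pointer to the advisory or CVE entry that limits the issue to HP NonStop Servers, so the exclusion can be re-verified when the recipe is next upgraded.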
diff --git a/meta-openembedded/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-openembedded/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
index 33de8ca7e2..c4b41ace8c 100644
--- a/meta-openembedded/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
+++ b/meta-openembedded/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
@@ -96,3 +96,6 @@ FILES_${PN}-dbg += "${libdir}/sasl2/.debug"
FILES_${PN}-staticdev += "${libdir}/sasl2/*.a"
INSANE_SKIP_${PN} += "dev-so"
+
+# CVE-2020-8032 affects only openSUSE
+CVE_CHECK_WHITELIST += "CVE-2020-8032"
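Review bot: The comment on the new whitelist entry says CVE-2020-8032 "affects only openSUSE" without saying what is openSUSE-specific about it, so a reader cannot confirm from the recipe that this build is unaffected. Add one line stating the reason and a reference, since an entry appended at the end of the recipe like this will carry forward across version bumps unless someone re-checks it.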
diff --git a/meta-openembedded/meta-networking/recipes-daemons/squid/files/0001-Fix-build-on-Fedora-Rawhide-772.patch b/meta-openembedded/meta-networking/recipes-daemons/squid/files/0001-Fix-build-on-Fedora-Rawhide-772.patch
index 28a410c26f..ff51f53448 100644
--- a/meta-openembedded/meta-networking/recipes-daemons/squid/files/0001-Fix-build-on-Fedora-Rawhide-772.patch
+++ b/meta-openembedded/meta-networking/recipes-daemons/squid/files/0001-Fix-build-on-Fedora-Rawhide-772.patch
@@ -11,10 +11,8 @@ Upstream-Status: Backport [https://github.com/kraj/squid/commit/1f8b5f0e1cc27634
src/Makefile.am | 4 ++++
src/ip/QosConfig.cc | 1 +
src/ipc/mem/PageStack.cc | 1 +
- src/proxyp/Parser.cc | 1 +
- src/security/ServerOptions.cc | 2 ++
src/ssl/helper.cc | 2 ++
- 6 files changed, 11 insertions(+)
+ 4 files changed, 8 insertions(+)
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -70,17 +68,6 @@ Upstream-Status: Backport [https://github.com/kraj/squid/commit/1f8b5f0e1cc27634
/// used to mark a stack slot available for storing free page offsets
const Ipc::Mem::PageStack::Value Writable = 0;
---- a/src/security/ServerOptions.cc
-+++ b/src/security/ServerOptions.cc
-@@ -24,6 +24,8 @@
- #endif
- #endif
-
-+#include <limits>
-+
- Security::ServerOptions &
- Security::ServerOptions::operator =(const Security::ServerOptions &old) {
- if (this != &old) {
--- a/src/ssl/helper.cc
+++ b/src/ssl/helper.cc
@@ -19,6 +19,8 @@
@@ -92,14 +79,4 @@ Upstream-Status: Backport [https://github.com/kraj/squid/commit/1f8b5f0e1cc27634
Ssl::CertValidationHelper::LruCache *Ssl::CertValidationHelper::HelperCache = nullptr;
#if USE_SSL_CRTD
---- a/src/acl/ConnMark.cc
-+++ b/src/acl/ConnMark.cc
-@@ -16,6 +16,8 @@
- #include "http/Stream.h"
- #include "sbuf/Stream.h"
-+#include <limits>
-+
- bool
- Acl::ConnMark::empty() const
- {
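Review bot: The refreshed patch drops the `#include <limits>` hunks for src/security/ServerOptions.cc and src/acl/ConnMark.cc and removes src/proxyp/Parser.cc from its diffstat, yet the `Upstream-Status: Backport` line shown in the hunk headers still points at the same upstream commit. Add a line to the patch header saying which parts were dropped and why (presumably because squid 4.15 already contains them), so the carried patch is not mistaken for the full backport.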
diff --git a/meta-openembedded/meta-networking/recipes-daemons/squid/squid_4.14.bb b/meta-openembedded/meta-networking/recipes-daemons/squid/squid_4.15.bb
index 6d154c87e0..8ba10674c9 100644
--- a/meta-openembedded/meta-networking/recipes-daemons/squid/squid_4.14.bb
+++ b/meta-openembedded/meta-networking/recipes-daemons/squid/squid_4.15.bb
@@ -29,7 +29,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2
SRC_URI_remove_toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch"
-SRC_URI[sha256sum] = "4ad08884f065f8e1dac166aa13db6a872cde419a1717dff4c82c2c5337ee5756"
+SRC_URI[sha256sum] = "71635811e766ce8b155225a9e3c7757cfc7ff93df26b28d82e5e6fc021b9a605"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
file://errors/COPYRIGHT;md5=0e03cd976052c45697ad5d96e7dff8dc \
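Review bot: The hunk header shows the tarball is fetched from `http://www.squid-cache.org/...` over plain HTTP, so the `SRC_URI[sha256sum]` value changed here is the only integrity check on the 4.15 download. Confirm the new hash against the value upstream publishes for the release rather than against a locally fetched file, and consider switching the URI to https in the same change.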
diff --git a/meta-openembedded/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch b/meta-openembedded/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch
index da6d80ef4a..022eb958f3 100644
--- a/meta-openembedded/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch
+++ b/meta-openembedded/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch
@@ -1,6 +1,6 @@
-From b6a3d6c8af35f1ef27b80b0516742fce89f4eb29 Mon Sep 17 00:00:00 2001
-From: Marian Florea <marian.florea@windriver.com>
-Date: Thu, 20 Jul 2017 16:55:24 +0800
+From 1e3178835217ba89aa355e2b6b88e490f17be16d Mon Sep 17 00:00:00 2001
+From: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
+Date: Wed, 9 Jun 2021 15:47:30 +0900
Subject: [PATCH] net snmp: fix engineBoots value on SIGHUP
Upstream-Status: Pending
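Review bot: The `From:` and `Date:` headers of the carried patch are rewritten from Marian Florea (2017) to Zheng Ruoqin (2021), which replaces the original author with the person who refreshed it. Keep the original `From:` and `Date:` lines and record the refresh with an additional Signed-off-by instead. `Upstream-Status: Pending` is left unchanged on a patch first dated 2017; the refresh is a good moment to submit it upstream or note why it cannot be.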
@@ -14,17 +14,17 @@ Signed-off-by: Li Zhou <li.zhou@windriver.com>
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/agent/snmpd.c b/agent/snmpd.c
-index ae73eda..66b4560 100644
+index 1af439f..355b510 100644
--- a/agent/snmpd.c
+++ b/agent/snmpd.c
-@@ -1207,6 +1207,7 @@ receive(void)
+@@ -1208,6 +1208,7 @@ receive(void)
snmp_log(LOG_INFO, "NET-SNMP version %s restarted\n",
netsnmp_get_version());
update_config();
-+ snmp_store(app_name);
++ snmp_store(app_name);
send_easy_trap(SNMP_TRAP_ENTERPRISESPECIFIC, 3);
- #if HAVE_SIGHOLD
- sigrelse(SIGHUP);
+ #if HAVE_SIGPROCMASK
+ ret = sigprocmask(SIG_UNBLOCK, &set, NULL);
diff --git a/snmplib/snmpv3.c b/snmplib/snmpv3.c
index 29c2a0f..ada961c 100644
--- a/snmplib/snmpv3.c
@@ -41,3 +41,6 @@ index 29c2a0f..ada961c 100644
engineBoots = 1;
}
+--
+2.25.1
+
diff --git a/meta-openembedded/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.bb b/meta-openembedded/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.1.bb
index d9040c1647..7c3d5babd8 100644
--- a/meta-openembedded/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.bb
+++ b/meta-openembedded/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.1.bb
@@ -5,7 +5,8 @@ LICENSE = "BSD & MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=9d100a395a38584f2ec18a8275261687"
-DEPENDS = "openssl libnl pciutils"
+DEPENDS = "openssl"
+DEPENDS_append_class-target = " pciutils"
SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
file://init \
@@ -27,7 +28,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
file://reproducibility-have-printcap.patch \
file://0001-ac_add_search_path.m4-keep-consistent-between-32bit.patch \
"
-SRC_URI[sha256sum] = "04303a66f85d6d8b16d3cc53bde50428877c82ab524e17591dfceaeb94df6071"
+SRC_URI[sha256sum] = "eb7fd4a44de6cddbffd9a92a85ad1309e5c1054fb9d5a7dd93079c8953f48c3f"
UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/net-snmp/files/net-snmp/"
UPSTREAM_CHECK_REGEX = "/net-snmp/(?P<pver>\d+(\.\d+)+)/"
@@ -41,24 +42,23 @@ CCACHE = ""
TARGET_CC_ARCH += "${LDFLAGS}"
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} des smux"
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 systemd', d)} des smux"
+PACKAGECONFIG[des] = "--enable-des, --disable-des"
PACKAGECONFIG[elfutils] = "--with-elf, --without-elf, elfutils"
+PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6"
PACKAGECONFIG[libnl] = "--with-nl, --without-nl, libnl"
-
-PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,,"
-
-PACKAGECONFIG[perl] = "--enable-embedded-perl --with-perl-modules=yes, --disable-embedded-perl --with-perl-modules=no,\
- perl,"
-PACKAGECONFIG[des] = "--enable-des,--disable-des"
+PACKAGECONFIG[perl] = "--enable-embedded-perl --with-perl-modules=yes, --disable-embedded-perl --with-perl-modules=no, perl"
PACKAGECONFIG[smux] = ""
-
-EXTRA_OECONF = "--enable-shared \
- --disable-manuals \
- --with-defaults \
- --with-install-prefix=${D} \
- --with-persistent-directory=${localstatedir}/lib/net-snmp \
- ${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', '--with-endianness=little', '--with-endianness=big', d)} \
- --with-mib-modules='${MIB_MODULES}' \
+PACKAGECONFIG[systemd] = "--with-systemd, --without-systemd"
+
+EXTRA_OECONF = " \
+ --enable-shared \
+ --disable-manuals \
+ --with-defaults \
+ --with-install-prefix=${D} \
+ --with-persistent-directory=${localstatedir}/lib/net-snmp \
+ --with-endianness=${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', 'little', 'big', d)} \
+ --with-mib-modules='${MIB_MODULES}' \
"
MIB_MODULES = ""
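Review bot: the default PACKAGECONFIG still lists des, and with the new PACKAGECONFIG[des] entry that passes --enable-des to configure, so DES stays compiled in by default. Since this hunk already reworks the option list, consider dropping des from the default and letting distros opt in, or add a comment saying why it has to stay. Separately, PACKAGECONFIG[smux] = "" carries no configure arguments, so nothing visible here shows what listing smux in the default changes; a one-line comment on what it controls would help.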
@@ -73,8 +73,10 @@ CACHED_CONFIGUREVARS = " \
ac_cv_file__etc_printcap=no \
NETSNMP_CONFIGURE_OPTIONS= \
"
-export PERLPROG="${bindir}/env perl"
+PERLPROG = "${bindir}/env perl"
+PERLPROG_class-native = "${bindir_native}/env perl"
PERLPROG_append = "${@bb.utils.contains('PACKAGECONFIG', 'perl', ' -I${WORKDIR}', '', d)}"
+export PERLPROG
HAS_PERL = "${@bb.utils.contains('PACKAGECONFIG', 'perl', '1', '0', d)}"
@@ -117,7 +119,7 @@ do_install_append() {
install -d ${D}${systemd_unitdir}/system
install -m 0644 ${WORKDIR}/snmpd.service ${D}${systemd_unitdir}/system
install -m 0644 ${WORKDIR}/snmptrapd.service ${D}${systemd_unitdir}/system
- sed -e "s@^NSC_SRCDIR=.*@NSC_SRCDIR=.@g" \
+ sed -e "s@^NSC_SRCDIR=.*@NSC_SRCDIR=.@g" \
-i ${D}${bindir}/net-snmp-create-v3-user
sed -e 's@^NSC_SRCDIR=.*@NSC_SRCDIR=.@g' \
-e 's@[^ ]*-fdebug-prefix-map=[^ "]*@@g' \
@@ -127,11 +129,14 @@ do_install_append() {
-e 's@[^ ]*--with-install-prefix=[^ "]*@@g' \
-e 's@[^ ]*PKG_CONFIG_PATH=[^ "]*@@g' \
-e 's@[^ ]*PKG_CONFIG_LIBDIR=[^ "]*@@g' \
- -e 's@${STAGING_DIR_HOST}@@g' \
-i ${D}${bindir}/net-snmp-config
- sed -e 's@${STAGING_DIR_HOST}@@g' \
- -i ${D}${libdir}/pkgconfig/netsnmp*.pc
+ # ${STAGING_DIR_HOST} is empty for native builds, and the sed command below
+ # will result in errors if run for native.
+ if [ "${STAGING_DIR_HOST}" ]; then
+ sed -e 's@${STAGING_DIR_HOST}@@g' \
+ -i ${D}${bindir}/net-snmp-config ${D}${libdir}/pkgconfig/netsnmp*.pc
+ fi
sed -e "s@^NSC_INCLUDEDIR=.*@NSC_INCLUDEDIR=\$\{includedir\}@g" \
-e "s@^NSC_LIBDIR=-L.*@NSC_LIBDIR=-L\$\{libdir\}@g" \
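Review bot: the new guard, if [ "${STAGING_DIR_HOST}" ]; then, relies on the one-argument form of test; [ -n "${STAGING_DIR_HOST}" ] states the intent directly and reads the same way as the comment above it. Folding the two sed calls into one is fine.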
@@ -232,8 +237,6 @@ INITSCRIPT_PACKAGES = "${PN}-server-snmpd"
INITSCRIPT_NAME_${PN}-server-snmpd = "snmpd"
INITSCRIPT_PARAMS_${PN}-server-snmpd = "start 90 2 3 4 5 . stop 60 0 1 6 ."
-EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)}"
-
SYSTEMD_PACKAGES = "${PN}-server-snmpd \
${PN}-server-snmptrapd"
@@ -273,3 +276,5 @@ RCONFLICTS_${PN}-server-snmptrapd += "${PN}-server-snmptrapd-systemd"
LEAD_SONAME = "libnetsnmp.so"
MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/net-snmp-config"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb b/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb
index 41a9b8e76a..bf8b18043a 100644
--- a/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb
+++ b/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb
@@ -22,10 +22,21 @@ PACKAGECONFIG[pam] = "--enable-pam --with-pamdir=${base_libdir}/security,--disab
inherit autotools pkgconfig
+do_configure_prepend() {
+ # want installed to /usr/sbin rather than /sbin to be DISTRO_FEATURES usrmerge compliant
+ # must override ROOTSBINDIR (default '/sbin'),
+ # setting --exec-prefix or --prefix in EXTRA_OECONF does not work
+ if ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','fakse',d)}; then
+ export ROOTSBINDIR=${sbindir}
+ fi
+}
+
do_install_append() {
- # Remove empty /usr/bin and /usr/sbin directories since the mount helper
- # is installed to /sbin
- rmdir --ignore-fail-on-non-empty ${D}${bindir} ${D}${sbindir}
+ if ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','false','true',d)}; then
+ # Remove empty /usr/bin and /usr/sbin directories since the mount helper
+ # is installed to /sbin
+ rmdir --ignore-fail-on-non-empty ${D}${bindir} ${D}${sbindir}
+ fi
}
FILES_${PN} += "${base_libdir}/security"
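Review bot: in do_configure_prepend the false branch of bb.utils.contains is spelled 'fakse', so without usrmerge in DISTRO_FEATURES the shell tries to run a command named fakse. The if falls through only because that command lookup fails, and it leaves a "command not found" error in the configure log. Change it to 'false'. The do_install_append condition gets the inverse by swapping the arguments to 'false','true'; keeping the same argument order in both places and negating the second test with ! would be easier to read.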
diff --git a/meta-openembedded/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb b/meta-openembedded/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb
index c0f2863dbf..f767eb8430 100644
--- a/meta-openembedded/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb
+++ b/meta-openembedded/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb
@@ -71,3 +71,6 @@ FILES_${PN} += "${libdir}/dovecot/*plugin.so \
FILES_${PN}-staticdev += "${libdir}/dovecot/*/*.a"
FILES_${PN}-dev += "${libdir}/dovecot/libdovecot*.so"
FILES_${PN}-dbg += "${libdir}/dovecot/*/.debug"
+
+# CVE-2016-4983 affects only postinstall script on specific distribution
+CVE_CHECK_WHITELIST += "CVE-2016-4983"
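Review bot: the comment justifying this CVE_CHECK_WHITELIST entry says CVE-2016-4983 affects only a postinstall script on "specific distribution" without naming the distribution or the script. Name both and state that this recipe does not ship that script, so someone auditing the cve-check output can verify the exemption rather than take it on trust.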
diff --git a/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
index 7e168825e0..e668113c50 100644
--- a/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
+++ b/meta-openembedded/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
@@ -26,6 +26,9 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19"
+# CVE-2016-9312 is only for windows.
+CVE_CHECK_WHITELIST += "CVE-2016-9312"
+
inherit autotools update-rc.d useradd systemd pkgconfig
# The ac_cv_header_readline_history is to stop ntpdc depending on either
diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.5.bb b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.6.bb
index f440328027..6acd849f89 100644
--- a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.5.bb
+++ b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.6.bb
@@ -19,7 +19,7 @@ SRC_URI += " \
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
-SRC_URI[sha256sum] = "de1aafd100a1e1207c850d180e97dd91ab8da0f5eb6beec545f725cdb145d333"
+SRC_URI[sha256sum] = "12a678208f8cb009e6b9d96026e41a6ef03c7ad086b9e1029f42053b249b4628"
PE = "1"
diff --git a/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb/0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch b/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb/0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch
deleted file mode 100644
index df4cee2b42..0000000000
--- a/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb/0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch
+++ /dev/null
@@ -1,714 +0,0 @@
-From 44272ce47e768e090263df5cb9cb7ce17e544ad3 Mon Sep 17 00:00:00 2001
-From: Vincent Prince <vincent.prince.external@saftbatteries.com>
-Date: Tue, 15 Sep 2020 11:40:15 +0200
-Subject: [PATCH] kms-message: bump libmongocrypto to v1.0.4
-
-This fixes compilation with alpinelinux
-see https://github.com/mongodb/libmongocrypt/pull/89
-
-Upstream-Status: Pending
-
-Signed-off-by: Vincent Prince <vincent.prince.fr@gmail.com>
----
- .../kms-message/THIRD_PARTY_NOTICES | 2 +-
- src/third_party/kms-message/src/hexlify.c | 21 +----
- src/third_party/kms-message/src/hexlify.h | 2 -
- .../kms-message/src/kms_crypto_apple.c | 5 +
- .../kms-message/src/kms_crypto_libcrypto.c | 94 +++++++++++++++++++
- .../kms-message/src/kms_crypto_none.c | 4 +
- .../kms-message/src/kms_crypto_windows.c | 4 +
- .../kms-message/src/kms_decrypt_request.c | 2 +-
- .../kms-message/src/kms_encrypt_request.c | 2 +-
- src/third_party/kms-message/src/kms_kv_list.c | 11 ++-
- .../kms-message/src/kms_message/kms_message.h | 2 +
- .../src/kms_message/kms_message_defines.h | 10 ++
- src/third_party/kms-message/src/kms_port.c | 33 +++++++
- src/third_party/kms-message/src/kms_port.h | 27 +++---
- src/third_party/kms-message/src/kms_request.c | 41 +++++---
- .../kms-message/src/kms_request_str.c | 13 ++-
- .../kms-message/src/kms_request_str.h | 5 -
- .../kms-message/src/kms_response_parser.c | 26 ++++-
- .../scripts/kms_message_get_sources.sh | 2 +-
- 19 files changed, 244 insertions(+), 62 deletions(-)
- create mode 100644 src/third_party/kms-message/src/kms_crypto_libcrypto.c
- create mode 100644 src/third_party/kms-message/src/kms_port.c
-
-diff --git a/src/third_party/kms-message/THIRD_PARTY_NOTICES b/src/third_party/kms-message/THIRD_PARTY_NOTICES
-index 3fc095170c..4110c1b91e 100644
---- a/src/third_party/kms-message/THIRD_PARTY_NOTICES
-+++ b/src/third_party/kms-message/THIRD_PARTY_NOTICES
-@@ -1,4 +1,4 @@
--License notice for common-b64.c
-+License notice for kms_b64.c
- -------------------------------------------------------------------------------
-
- ISC License
-diff --git a/src/third_party/kms-message/src/hexlify.c b/src/third_party/kms-message/src/hexlify.c
-index be9ee030b9..941fc93d1b 100644
---- a/src/third_party/kms-message/src/hexlify.c
-+++ b/src/third_party/kms-message/src/hexlify.c
-@@ -24,6 +24,8 @@ char *
- hexlify (const uint8_t *buf, size_t len)
- {
- char *hex_chars = malloc (len * 2 + 1);
-+ KMS_ASSERT (hex_chars);
-+
- char *p = hex_chars;
- size_t i;
-
-@@ -35,22 +37,3 @@ hexlify (const uint8_t *buf, size_t len)
-
- return hex_chars;
- }
--
--uint8_t *
--unhexlify (const char *hex_chars, size_t *len)
--{
-- uint8_t *buf;
-- uint8_t *pos;
--
-- *len = strlen (hex_chars) / 2;
-- buf = malloc (*len);
-- pos = buf;
--
-- while (*hex_chars) {
-- KMS_ASSERT (1 == sscanf (hex_chars, "%2hhx", pos));
-- pos++;
-- hex_chars += 2;
-- }
--
-- return buf;
--}
-diff --git a/src/third_party/kms-message/src/hexlify.h b/src/third_party/kms-message/src/hexlify.h
-index e0096eb6ca..a6a504ebe8 100644
---- a/src/third_party/kms-message/src/hexlify.h
-+++ b/src/third_party/kms-message/src/hexlify.h
-@@ -19,5 +19,3 @@
-
- char *
- hexlify (const uint8_t *buf, size_t len);
--uint8_t *
--unhexlify (const char *hex_chars, size_t *len);
-diff --git a/src/third_party/kms-message/src/kms_crypto_apple.c b/src/third_party/kms-message/src/kms_crypto_apple.c
-index 61da0a6288..a26e0d65e8 100644
---- a/src/third_party/kms-message/src/kms_crypto_apple.c
-+++ b/src/third_party/kms-message/src/kms_crypto_apple.c
-@@ -16,9 +16,12 @@
-
- #include "kms_crypto.h"
-
-+#ifdef KMS_MESSAGE_ENABLE_CRYPTO_COMMON_CRYPTO
-+
- #include <CommonCrypto/CommonDigest.h>
- #include <CommonCrypto/CommonHMAC.h>
-
-+
- int
- kms_crypto_init ()
- {
-@@ -54,3 +57,5 @@ kms_sha256_hmac (void *unused_ctx,
- CCHmac (kCCHmacAlgSHA256, key_input, key_len, input, len, hash_out);
- return true;
- }
-+
-+#endif /* KMS_MESSAGE_ENABLE_CRYPTO_COMMON_CRYPTO */
-diff --git a/src/third_party/kms-message/src/kms_crypto_libcrypto.c b/src/third_party/kms-message/src/kms_crypto_libcrypto.c
-new file mode 100644
-index 0000000000..6f25657fdd
---- /dev/null
-+++ b/src/third_party/kms-message/src/kms_crypto_libcrypto.c
-@@ -0,0 +1,94 @@
-+/*
-+ * Copyright 2018-present MongoDB, Inc.
-+ *
-+ * Licensed under the Apache License, Version 2.0 (the "License");
-+ * you may not use this file except in compliance with the License.
-+ * You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+#include "kms_crypto.h"
-+
-+#ifdef KMS_MESSAGE_ENABLE_CRYPTO_LIBCRYPTO
-+
-+#include <openssl/sha.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
-+static EVP_MD_CTX *
-+EVP_MD_CTX_new (void)
-+{
-+ return calloc (sizeof (EVP_MD_CTX), 1);
-+}
-+
-+static void
-+EVP_MD_CTX_free (EVP_MD_CTX *ctx)
-+{
-+ EVP_MD_CTX_cleanup (ctx);
-+ free (ctx);
-+}
-+#endif
-+
-+int
-+kms_crypto_init ()
-+{
-+ return 0;
-+}
-+
-+void
-+kms_crypto_cleanup ()
-+{
-+}
-+
-+bool
-+kms_sha256 (void *unused_ctx,
-+ const char *input,
-+ size_t len,
-+ unsigned char *hash_out)
-+{
-+ EVP_MD_CTX *digest_ctxp = EVP_MD_CTX_new ();
-+ bool rval = false;
-+
-+ if (1 != EVP_DigestInit_ex (digest_ctxp, EVP_sha256 (), NULL)) {
-+ goto cleanup;
-+ }
-+
-+ if (1 != EVP_DigestUpdate (digest_ctxp, input, len)) {
-+ goto cleanup;
-+ }
-+
-+ rval = (1 == EVP_DigestFinal_ex (digest_ctxp, hash_out, NULL));
-+
-+cleanup:
-+ EVP_MD_CTX_free (digest_ctxp);
-+
-+ return rval;
-+}
-+
-+bool
-+kms_sha256_hmac (void *unused_ctx,
-+ const char *key_input,
-+ size_t key_len,
-+ const char *input,
-+ size_t len,
-+ unsigned char *hash_out)
-+{
-+ return HMAC (EVP_sha256 (),
-+ key_input,
-+ key_len,
-+ (unsigned char *) input,
-+ len,
-+ hash_out,
-+ NULL) != NULL;
-+}
-+
-+#endif /* KMS_MESSAGE_ENABLE_CRYPTO_LIBCRYPTO */
-diff --git a/src/third_party/kms-message/src/kms_crypto_none.c b/src/third_party/kms-message/src/kms_crypto_none.c
-index 9ef2147687..94da5abd88 100644
---- a/src/third_party/kms-message/src/kms_crypto_none.c
-+++ b/src/third_party/kms-message/src/kms_crypto_none.c
-@@ -16,6 +16,8 @@
-
- #include "kms_crypto.h"
-
-+#ifndef KMS_MESSAGE_ENABLE_CRYPTO
-+
- int
- kms_crypto_init ()
- {
-@@ -48,3 +50,5 @@ kms_sha256_hmac (void *unused_ctx,
- /* only gets called if hooks were mistakenly not set */
- return false;
- }
-+
-+#endif /* KMS_MESSAGE_ENABLE_CRYPTO */
-diff --git a/src/third_party/kms-message/src/kms_crypto_windows.c b/src/third_party/kms-message/src/kms_crypto_windows.c
-index ccdc7e095d..8177b0ddc0 100644
---- a/src/third_party/kms-message/src/kms_crypto_windows.c
-+++ b/src/third_party/kms-message/src/kms_crypto_windows.c
-@@ -16,6 +16,8 @@
-
- #include "kms_crypto.h"
-
-+#ifdef KMS_MESSAGE_ENABLE_CRYPTO_CNG
-+
- // tell windows.h not to include a bunch of headers we don't need:
- #define WIN32_LEAN_AND_MEAN
-
-@@ -130,3 +132,5 @@ cleanup:
-
- return status == STATUS_SUCCESS ? 1 : 0;
- }
-+
-+#endif /* KMS_MESSAGE_ENABLE_CRYPTO_CNG */
-diff --git a/src/third_party/kms-message/src/kms_decrypt_request.c b/src/third_party/kms-message/src/kms_decrypt_request.c
-index 06faa43119..f1ca282768 100644
---- a/src/third_party/kms-message/src/kms_decrypt_request.c
-+++ b/src/third_party/kms-message/src/kms_decrypt_request.c
-@@ -48,7 +48,7 @@ kms_decrypt_request_new (const uint8_t *ciphertext_blob,
- if (!(b64 = malloc (b64_len))) {
- KMS_ERROR (request,
- "Could not allocate %d bytes for base64-encoding payload",
-- b64_len);
-+ (int) b64_len);
- goto done;
- }
-
-diff --git a/src/third_party/kms-message/src/kms_encrypt_request.c b/src/third_party/kms-message/src/kms_encrypt_request.c
-index b5f4d6436e..24b064d95f 100644
---- a/src/third_party/kms-message/src/kms_encrypt_request.c
-+++ b/src/third_party/kms-message/src/kms_encrypt_request.c
-@@ -47,7 +47,7 @@ kms_encrypt_request_new (const uint8_t *plaintext,
- if (!(b64 = malloc (b64_len))) {
- KMS_ERROR (request,
- "Could not allocate %d bytes for base64-encoding payload",
-- b64_len);
-+ (int) b64_len);
- goto done;
- }
-
-diff --git a/src/third_party/kms-message/src/kms_kv_list.c b/src/third_party/kms-message/src/kms_kv_list.c
-index 2d6845a1aa..0cff3dc2c6 100644
---- a/src/third_party/kms-message/src/kms_kv_list.c
-+++ b/src/third_party/kms-message/src/kms_kv_list.c
-@@ -17,6 +17,7 @@
-
- #include "kms_kv_list.h"
- #include "kms_message/kms_message.h"
-+#include "kms_message_private.h"
- #include "kms_request_str.h"
- #include "kms_port.h"
- #include "sort.h"
-@@ -39,9 +40,12 @@ kms_kv_list_t *
- kms_kv_list_new (void)
- {
- kms_kv_list_t *lst = malloc (sizeof (kms_kv_list_t));
-+ KMS_ASSERT (lst);
-
- lst->size = 16;
- lst->kvs = malloc (lst->size * sizeof (kms_kv_t));
-+ KMS_ASSERT (lst->kvs);
-+
- lst->len = 0;
-
- return lst;
-@@ -72,6 +76,7 @@ kms_kv_list_add (kms_kv_list_t *lst,
- if (lst->len == lst->size) {
- lst->size *= 2;
- lst->kvs = realloc (lst->kvs, lst->size * sizeof (kms_kv_t));
-+ KMS_ASSERT (lst->kvs);
- }
-
- kv_init (&lst->kvs[lst->len], key, value);
-@@ -84,7 +89,7 @@ kms_kv_list_find (const kms_kv_list_t *lst, const char *key)
- size_t i;
-
- for (i = 0; i < lst->len; i++) {
-- if (0 == strcasecmp (lst->kvs[i].key->str, key)) {
-+ if (0 == kms_strcasecmp (lst->kvs[i].key->str, key)) {
- return &lst->kvs[i];
- }
- }
-@@ -119,8 +124,12 @@ kms_kv_list_dup (const kms_kv_list_t *lst)
- }
-
- dup = malloc (sizeof (kms_kv_list_t));
-+ KMS_ASSERT (dup);
-+
- dup->size = dup->len = lst->len;
- dup->kvs = malloc (lst->len * sizeof (kms_kv_t));
-+ KMS_ASSERT (dup->kvs);
-+
-
- for (i = 0; i < lst->len; i++) {
- kv_init (&dup->kvs[i], lst->kvs[i].key, lst->kvs[i].value);
-diff --git a/src/third_party/kms-message/src/kms_message/kms_message.h b/src/third_party/kms-message/src/kms_message/kms_message.h
-index 6ea95dd04c..8048528f2e 100644
---- a/src/third_party/kms-message/src/kms_message/kms_message.h
-+++ b/src/third_party/kms-message/src/kms_message/kms_message.h
-@@ -17,6 +17,8 @@
- #ifndef KMS_MESSAGE_H
- #define KMS_MESSAGE_H
-
-+#include <sys/types.h>
-+
- #include "kms_message_defines.h"
- #include "kms_request_opt.h"
- #include "kms_request.h"
-diff --git a/src/third_party/kms-message/src/kms_message/kms_message_defines.h b/src/third_party/kms-message/src/kms_message/kms_message_defines.h
-index a4d019bd77..a539d531ef 100644
---- a/src/third_party/kms-message/src/kms_message/kms_message_defines.h
-+++ b/src/third_party/kms-message/src/kms_message/kms_message_defines.h
-@@ -53,4 +53,14 @@ kms_message_cleanup (void);
- } /* extern "C" */
- #endif
-
-+#ifdef _MSC_VER
-+#include <basetsd.h>
-+#pragma warning(disable : 4142)
-+#ifndef _SSIZE_T_DEFINED
-+#define _SSIZE_T_DEFINED
-+typedef SSIZE_T ssize_t;
-+#endif
-+#pragma warning(default : 4142)
-+#endif
-+
- #endif /* KMS_MESSAGE_DEFINES_H */
-diff --git a/src/third_party/kms-message/src/kms_port.c b/src/third_party/kms-message/src/kms_port.c
-new file mode 100644
-index 0000000000..ee9e6ed9c9
---- /dev/null
-+++ b/src/third_party/kms-message/src/kms_port.c
-@@ -0,0 +1,33 @@
-+/*
-+ * Copyright 2020-present MongoDB, Inc.
-+ *
-+ * Licensed under the Apache License, Version 2.0 (the "License");
-+ * you may not use this file except in compliance with the License.
-+ * You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+#include "kms_port.h"
-+#if defined(_WIN32)
-+#include <stdlib.h>
-+#include <string.h>
-+char * kms_strndup (const char *src, size_t len)
-+{
-+ char *dst = (char *) malloc (len + 1);
-+ if (!dst) {
-+ return 0;
-+ }
-+
-+ memcpy (dst, src, len);
-+ dst[len] = '\0';
-+
-+ return dst;
-+}
-+#endif
-\ No newline at end of file
-diff --git a/src/third_party/kms-message/src/kms_port.h b/src/third_party/kms-message/src/kms_port.h
-index c3cbbac369..2123a99dc9 100644
---- a/src/third_party/kms-message/src/kms_port.h
-+++ b/src/third_party/kms-message/src/kms_port.h
-@@ -15,21 +15,18 @@
- * limitations under the License.
- */
-
--#if defined(_WIN32)
--#define strcasecmp _stricmp
--
--inline char *
--strndup (const char *src, size_t len)
--{
-- char *dst = (char *) malloc (len + 1);
-- if (!dst) {
-- return 0;
-- }
--
-- memcpy (dst, src, len);
-- dst[len] = '\0';
-+#ifndef KMS_PORT_H
-+#define KMS_PORT_H
-
-- return dst;
--}
-+#include <stddef.h>
-
-+#if defined(_WIN32)
-+#define kms_strcasecmp _stricmp
-+char *
-+kms_strndup (const char *src, size_t len);
-+#else
-+#define kms_strndup strndup
-+#define kms_strcasecmp strcasecmp
- #endif
-+
-+#endif /* KMS_PORT_H */
-\ No newline at end of file
-diff --git a/src/third_party/kms-message/src/kms_request.c b/src/third_party/kms-message/src/kms_request.c
-index fa2d487123..ac2b07ea6b 100644
---- a/src/third_party/kms-message/src/kms_request.c
-+++ b/src/third_party/kms-message/src/kms_request.c
-@@ -61,6 +61,7 @@ kms_request_new (const char *method,
- kms_request_t *request = calloc (1, sizeof (kms_request_t));
- const char *question_mark;
-
-+ KMS_ASSERT (request);
- /* parsing may set failed to true */
- request->failed = false;
-
-@@ -92,10 +93,14 @@ kms_request_new (const char *method,
- request->header_fields = kms_kv_list_new ();
- request->auto_content_length = true;
-
-- kms_request_set_date (request, NULL);
-+ if (!kms_request_set_date (request, NULL)) {
-+ return request;
-+ }
-
- if (opt && opt->connection_close) {
-- kms_request_add_header_field (request, "Connection", "close");
-+ if (!kms_request_add_header_field (request, "Connection", "close")) {
-+ return request;
-+ }
- }
-
- if (opt && opt->crypto.sha256) {
-@@ -164,7 +169,9 @@ kms_request_set_date (kms_request_t *request, const struct tm *tm)
- kms_request_str_set_chars (request->date, buf, sizeof "YYYYmmDD" - 1);
- kms_request_str_set_chars (request->datetime, buf, sizeof AMZ_DT_FORMAT - 1);
- kms_kv_list_del (request->header_fields, "X-Amz-Date");
-- kms_request_add_header_field (request, "X-Amz-Date", buf);
-+ if (!kms_request_add_header_field (request, "X-Amz-Date", buf)) {
-+ return false;
-+ }
-
- return true;
- }
-@@ -309,7 +316,8 @@ append_canonical_headers (kms_kv_list_t *lst, kms_request_str_t *str)
- * values in headers that have multiple values." */
- for (i = 0; i < lst->len; i++) {
- kv = &lst->kvs[i];
-- if (previous_key && 0 == strcasecmp (previous_key->str, kv->key->str)) {
-+ if (previous_key &&
-+ 0 == kms_strcasecmp (previous_key->str, kv->key->str)) {
- /* duplicate header */
- kms_request_str_append_char (str, ',');
- kms_request_str_append_stripped (str, kv->value);
-@@ -339,12 +347,13 @@ append_signed_headers (kms_kv_list_t *lst, kms_request_str_t *str)
-
- for (i = 0; i < lst->len; i++) {
- kv = &lst->kvs[i];
-- if (previous_key && 0 == strcasecmp (previous_key->str, kv->key->str)) {
-+ if (previous_key &&
-+ 0 == kms_strcasecmp (previous_key->str, kv->key->str)) {
- /* duplicate header */
- continue;
- }
-
-- if (0 == strcasecmp (kv->key->str, "connection")) {
-+ if (0 == kms_strcasecmp (kv->key->str, "connection")) {
- continue;
- }
-
-@@ -412,7 +421,8 @@ finalize (kms_request_t *request)
- static int
- cmp_header_field_names (const void *a, const void *b)
- {
-- return strcasecmp (((kms_kv_t *) a)->key->str, ((kms_kv_t *) b)->key->str);
-+ return kms_strcasecmp (((kms_kv_t *) a)->key->str,
-+ ((kms_kv_t *) b)->key->str);
- }
-
- static kms_kv_list_t *
-@@ -447,6 +457,7 @@ kms_request_get_canonical (kms_request_t *request)
- kms_request_str_append_newline (canonical);
- normalized = kms_request_str_path_normalized (request->path);
- kms_request_str_append_escaped (canonical, normalized, false);
-+ kms_request_str_destroy (normalized);
- kms_request_str_append_newline (canonical);
- append_canonical_query (request, canonical);
- kms_request_str_append_newline (canonical);
-@@ -454,12 +465,14 @@ kms_request_get_canonical (kms_request_t *request)
- append_canonical_headers (lst, canonical);
- kms_request_str_append_newline (canonical);
- append_signed_headers (lst, canonical);
-- kms_request_str_append_newline (canonical);
-- kms_request_str_append_hashed (
-- &request->crypto, canonical, request->payload);
--
-- kms_request_str_destroy (normalized);
- kms_kv_list_destroy (lst);
-+ kms_request_str_append_newline (canonical);
-+ if (!kms_request_str_append_hashed (
-+ &request->crypto, canonical, request->payload)) {
-+ KMS_ERROR (request, "could not generate hash");
-+ kms_request_str_destroy (canonical);
-+ return NULL;
-+ }
-
- return kms_request_str_detach (canonical);
- }
-@@ -514,6 +527,10 @@ kms_request_get_string_to_sign (kms_request_t *request)
- kms_request_str_append_chars (sts, "/aws4_request\n", -1);
-
- creq = kms_request_str_wrap (kms_request_get_canonical (request), -1);
-+ if (!creq) {
-+ goto done;
-+ }
-+
- if (!kms_request_str_append_hashed (&request->crypto, sts, creq)) {
- goto done;
- }
-diff --git a/src/third_party/kms-message/src/kms_request_str.c b/src/third_party/kms-message/src/kms_request_str.c
-index 0f7c19c972..65207d2f4f 100644
---- a/src/third_party/kms-message/src/kms_request_str.c
-+++ b/src/third_party/kms-message/src/kms_request_str.c
-@@ -51,10 +51,13 @@ kms_request_str_t *
- kms_request_str_new (void)
- {
- kms_request_str_t *s = malloc (sizeof (kms_request_str_t));
-+ KMS_ASSERT (s);
-
- s->len = 0;
- s->size = 16;
- s->str = malloc (s->size);
-+ KMS_ASSERT (s->str);
-+
- s->str[0] = '\0';
-
- return s;
-@@ -64,11 +67,15 @@ kms_request_str_t *
- kms_request_str_new_from_chars (const char *chars, ssize_t len)
- {
- kms_request_str_t *s = malloc (sizeof (kms_request_str_t));
-+ KMS_ASSERT (s);
-+
- size_t actual_len;
-
- actual_len = len < 0 ? strlen (chars) : (size_t) len;
- s->size = actual_len + 1;
- s->str = malloc (s->size);
-+ KMS_ASSERT (s->str);
-+
- memcpy (s->str, chars, actual_len);
- s->str[actual_len] = '\0';
- s->len = actual_len;
-@@ -86,6 +93,8 @@ kms_request_str_wrap (char *chars, ssize_t len)
- }
-
- s = malloc (sizeof (kms_request_str_t));
-+ KMS_ASSERT (s);
-+
-
- s->str = chars;
- s->len = len < 0 ? strlen (chars) : (size_t) len;
-@@ -148,8 +157,10 @@ kms_request_str_t *
- kms_request_str_dup (kms_request_str_t *str)
- {
- kms_request_str_t *dup = malloc (sizeof (kms_request_str_t));
-+ KMS_ASSERT (dup);
-+
-
-- dup->str = strndup (str->str, str->len);
-+ dup->str = kms_strndup (str->str, str->len);
- dup->len = str->len;
- dup->size = str->len + 1;
-
-diff --git a/src/third_party/kms-message/src/kms_request_str.h b/src/third_party/kms-message/src/kms_request_str.h
-index f053a595aa..0898f59067 100644
---- a/src/third_party/kms-message/src/kms_request_str.h
-+++ b/src/third_party/kms-message/src/kms_request_str.h
-@@ -25,11 +25,6 @@
- #include <stdint.h>
- #include <string.h>
-
--#if defined(_WIN32)
--#include <basetsd.h>
--typedef SSIZE_T ssize_t;
--#endif // _WIN32
--
- typedef struct {
- char *str;
- size_t len;
-diff --git a/src/third_party/kms-message/src/kms_response_parser.c b/src/third_party/kms-message/src/kms_response_parser.c
-index 31e4868a68..6f86fac854 100644
---- a/src/third_party/kms-message/src/kms_response_parser.c
-+++ b/src/third_party/kms-message/src/kms_response_parser.c
-@@ -1,7 +1,7 @@
- #include "kms_message/kms_response_parser.h"
- #include "kms_message_private.h"
-
--#include "kms_message_private.h"
-+#include <errno.h>
- #include <limits.h>
- #include <stdio.h>
- #include <stdlib.h>
-@@ -24,6 +24,7 @@ _parser_init (kms_response_parser_t *parser)
- parser->raw_response = kms_request_str_new ();
- parser->content_length = -1;
- parser->response = calloc (1, sizeof (kms_response_t));
-+ KMS_ASSERT (parser->response);
- parser->response->headers = kms_kv_list_new ();
- parser->state = PARSING_STATUS_LINE;
- parser->start = 0;
-@@ -34,6 +35,8 @@ kms_response_parser_t *
- kms_response_parser_new (void)
- {
- kms_response_parser_t *parser = malloc (sizeof (kms_response_parser_t));
-+ KMS_ASSERT (parser);
-+
- _parser_init (parser);
- return parser;
- }
-@@ -59,11 +62,26 @@ static bool
- _parse_int (const char *str, int *result)
- {
- char *endptr = NULL;
-+ int64_t long_result;
-
-- *result = (int) strtol (str, &endptr, 10);
-- if (*endptr) {
-+ errno = 0;
-+ long_result = strtol (str, &endptr, 10);
-+ if (endptr == str) {
-+ /* No digits were parsed. Consider this an error */
-+ return false;
-+ }
-+ if (endptr != NULL && *endptr != '\0') {
-+ /* endptr points to the first invalid character. */
-+ return false;
-+ }
-+ if (errno == EINVAL || errno == ERANGE) {
-+ return false;
-+ }
-+ if (long_result > INT32_MAX || long_result < INT32_MIN) {
- return false;
- }
-+ *result = (int) long_result;
-+
- return true;
- }
-
-@@ -72,6 +90,8 @@ static bool
- _parse_int_from_view (const char *str, int start, int end, int *result)
- {
- char *num_str = malloc (end - start + 1);
-+ KMS_ASSERT (num_str);
-+
- bool ret;
-
- strncpy (num_str, str + start, end - start);
-diff --git a/src/third_party/scripts/kms_message_get_sources.sh b/src/third_party/scripts/kms_message_get_sources.sh
-index 6ad2fbb0e6..52ce21b9dd 100755
---- a/src/third_party/scripts/kms_message_get_sources.sh
-+++ b/src/third_party/scripts/kms_message_get_sources.sh
-@@ -18,7 +18,7 @@ if grep -q Microsoft /proc/version; then
- fi
-
- NAME=libmongocrypt
--REVISION=59c8c17bbdfa1cf0fdec60cfdde73a437a868221
-+REVISION=052f7fc610f0cea83a2adf3dd263a5ff04833371
-
- if grep -q Microsoft /proc/version; then
- SRC_ROOT=$(wslpath -u $(powershell.exe -Command "Get-ChildItem Env:TEMP | Get-Content | Write-Host"))
---
-2.24.0
-
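Review bot: the patch deleted here was marked Upstream-Status: Pending and carried more than the Alpine build fix its message describes: KMS_ASSERT checks after malloc/calloc/realloc, error propagation in kms_request_new and kms_request_get_canonical, and the errno and range checks added to _parse_int. The commit message should state that the new mongodb SRCREV already contains the libmongocrypt revision this patch pulled in (REVISION=052f7fc610f0cea83a2adf3dd263a5ff04833371 in kms_message_get_sources.sh), so it is clear those checks are not lost by the removal.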
diff --git a/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
index b78255a049..fcabf81327 100644
--- a/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
+++ b/meta-openembedded/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
@@ -11,11 +11,10 @@ DEPENDS = "openssl libpcap zlib boost curl python3 \
inherit scons dos2unix siteinfo python3native systemd useradd
-PV = "4.4.4"
-#v4.4.4
-SRCREV = "8db30a63db1a9d84bdcad0c83369623f708e0397"
+PV = "4.4.6"
+#v4.4.6
+SRCREV = "72e66213c2c3eab37d9358d5e78ad7f5c1d0d0d7"
SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.4 \
- file://0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch \
file://0001-Tell-scons-to-use-build-settings-from-environment-va.patch \
file://0001-Use-long-long-instead-of-int64_t.patch \
file://0001-Use-__GLIBC__-to-control-use-of-gnu_get_libc_version.patch \
diff --git a/meta-openembedded/meta-oe/licenses/MINPACK b/meta-openembedded/meta-oe/licenses/MINPACK
new file mode 100644
index 0000000000..132cc3f33f
--- /dev/null
+++ b/meta-openembedded/meta-oe/licenses/MINPACK
@@ -0,0 +1,51 @@
+Minpack Copyright Notice (1999) University of Chicago. All rights reserved
+
+Redistribution and use in source and binary forms, with or
+without modification, are permitted provided that the
+following conditions are met:
+
+1. Redistributions of source code must retain the above
+copyright notice, this list of conditions and the following
+disclaimer.
+
+2. Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following
+disclaimer in the documentation and/or other materials
+provided with the distribution.
+
+3. The end-user documentation included with the
+redistribution, if any, must include the following
+acknowledgment:
+
+ "This product includes software developed by the
+ University of Chicago, as Operator of Argonne National
+ Laboratory.
+
+Alternately, this acknowledgment may appear in the software
+itself, if and wherever such third-party acknowledgments
+normally appear.
+
+4. WARRANTY DISCLAIMER. THE SOFTWARE IS SUPPLIED "AS IS"
+WITHOUT WARRANTY OF ANY KIND. THE COPYRIGHT HOLDER, THE
+UNITED STATES, THE UNITED STATES DEPARTMENT OF ENERGY, AND
+THEIR EMPLOYEES: (1) DISCLAIM ANY WARRANTIES, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE
+OR NON-INFRINGEMENT, (2) DO NOT ASSUME ANY LEGAL LIABILITY
+OR RESPONSIBILITY FOR THE ACCURACY, COMPLETENESS, OR
+USEFULNESS OF THE SOFTWARE, (3) DO NOT REPRESENT THAT USE OF
+THE SOFTWARE WOULD NOT INFRINGE PRIVATELY OWNED RIGHTS, (4)
+DO NOT WARRANT THAT THE SOFTWARE WILL FUNCTION
+UNINTERRUPTED, THAT IT IS ERROR-FREE OR THAT ANY ERRORS WILL
+BE CORRECTED.
+
+5. LIMITATION OF LIABILITY. IN NO EVENT WILL THE COPYRIGHT
+HOLDER, THE UNITED STATES, THE UNITED STATES DEPARTMENT OF
+ENERGY, OR THEIR EMPLOYEES: BE LIABLE FOR ANY INDIRECT,
+INCIDENTAL, CONSEQUENTIAL, SPECIAL OR PUNITIVE DAMAGES OF
+ANY KIND OR NATURE, INCLUDING BUT NOT LIMITED TO LOSS OF
+PROFITS OR LOSS OF DATA, FOR ANY REASON WHATSOEVER, WHETHER
+SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT
+(INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE,
+EVEN IF ANY OF SAID PARTIES HAS BEEN WARNED OF THE
+POSSIBILITY OF SUCH LOSS OR DAMAGES.
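Review bot: The acknowledgment in clause 3 opens a quotation mark at "This product includes software developed by the" and never closes it after "Laboratory." a few lines later. If the upstream MINPACK notice has the closing quote, add it so the license text stored under meta-oe/licenses matches the original verbatim.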
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch
new file mode 100644
index 0000000000..1bedb4f753
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch
@@ -0,0 +1,45 @@
+From 14fab0772db19297c82dd1b8612c9335369dce41 Mon Sep 17 00:00:00 2001
+From: Alexander Vickberg <wickbergster@gmail.com>
+Date: Mon, 17 May 2021 17:54:13 +0200
+Subject: [PATCH] Prepare for CVE-2021-30004.patch
+
+Without this building fails for CONFIG_TLS=internal
+
+Signed-off-by: Alexander Vickberg <wickbergster@gmail.com>
+---
+ src/tls/asn1.h | 6 ++++++
+ src/utils/includes.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/src/tls/asn1.h b/src/tls/asn1.h
+index 6bd7df5..77b94ef 100644
+--- a/src/tls/asn1.h
++++ b/src/tls/asn1.h
+@@ -66,6 +66,12 @@ void asn1_oid_to_str(const struct asn1_oid *oid, char *buf, size_t len);
+ unsigned long asn1_bit_string_to_long(const u8 *buf, size_t len);
+ int asn1_oid_equal(const struct asn1_oid *a, const struct asn1_oid *b);
+
++static inline bool asn1_is_null(const struct asn1_hdr *hdr)
++{
++ return hdr->class == ASN1_CLASS_UNIVERSAL &&
++ hdr->tag == ASN1_TAG_NULL;
++}
++
+ extern struct asn1_oid asn1_sha1_oid;
+ extern struct asn1_oid asn1_sha256_oid;
+
+diff --git a/src/utils/includes.h b/src/utils/includes.h
+index 75513fc..741fc9c 100644
+--- a/src/utils/includes.h
++++ b/src/utils/includes.h
+@@ -18,6 +18,7 @@
+
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <stdbool.h>
+ #include <stdio.h>
+ #include <stdarg.h>
+ #include <string.h>
+--
+2.25.1
+
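Review bot: The patch header has no Upstream-Status line, and the file name carries a doubled suffix (0001-Prepare-for-CVE-2021-30004.patch.patch). Add an Upstream-Status tag saying whether asn1_is_null() and the stdbool.h include are backported from upstream or local, and rename the file to a single .patch. The message says the build fails for CONFIG_TLS=internal without this; naming the patch that actually calls asn1_is_null() would make the dependency clear to whoever later drops one of the two.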
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
index e586018685..a9780bc6db 100644
--- a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
+++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -11,6 +11,7 @@ SRC_URI = " \
file://defconfig \
file://init \
file://hostapd.service \
+ file://0001-Prepare-for-CVE-2021-30004.patch.patch \
file://CVE-2019-16275.patch \
file://CVE-2019-5061.patch \
file://CVE-2021-0326.patch \
diff --git a/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch b/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch
index 970d750b13..45f283a02b 100644
--- a/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch
+++ b/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch
@@ -16,7 +16,7 @@ Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+++ b/configure.in
@@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch un
- AC_INIT([PostgreSQL], [13.2], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
+ AC_INIT([PostgreSQL], [13.3], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
-m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required.
-Untested combinations of 'autoconf' and PostgreSQL versions are not
diff --git a/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_13.2.bb b/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_13.3.bb
index ca8a6c7cee..862dd61bd6 100644
--- a/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_13.2.bb
+++ b/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_13.3.bb
@@ -9,4 +9,4 @@ SRC_URI += "\
file://0001-configure.in-bypass-autoconf-2.69-version-check.patch \
"
-SRC_URI[sha256sum] = "5fd7fcd08db86f5b2aed28fcfaf9ae0aca8e9428561ac547764c2a2b0f41adfc"
+SRC_URI[sha256sum] = "3cd9454fa8c7a6255b6743b767700925ead1b9ab0d7a0f9dcb1151010f8eb4a1"
diff --git a/meta-openembedded/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb b/meta-openembedded/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb
index 5b5c8b2570..ac803294e0 100644
--- a/meta-openembedded/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb
+++ b/meta-openembedded/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb
@@ -14,7 +14,7 @@ S = "${WORKDIR}/git"
inherit cmake
-EXTRA_OECMAKE += "-DRAPIDJSON_BUILD_DOC=OFF -DRAPIDJSON_BUILD_TESTS=OFF -DRAPIDJSON_BUILD_EXAMPLES=OFF -DLIB_INSTALL_DIR:STRING=${libdir}"
+EXTRA_OECMAKE += "-DRAPIDJSON_BUILD_DOC=OFF -DRAPIDJSON_BUILD_TESTS=OFF -DRAPIDJSON_BUILD_EXAMPLES=OFF"
# RapidJSON is a header-only C++ library, so the main package will be empty.
diff --git a/meta-openembedded/meta-oe/recipes-devtools/uftrace/uftrace/0001-Fix-error-on-aarch64-with-binutils2.35.1.patch b/meta-openembedded/meta-oe/recipes-devtools/uftrace/uftrace/0001-Fix-error-on-aarch64-with-binutils2.35.1.patch
deleted file mode 100644
index ac17cf433f..0000000000
--- a/meta-openembedded/meta-oe/recipes-devtools/uftrace/uftrace/0001-Fix-error-on-aarch64-with-binutils2.35.1.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 0bc502989822506af308a559ac1cd52af82cac03 Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Wed, 14 Apr 2021 09:35:35 +0900
-Subject: [PATCH] Fix error on aarch64 with binutils2.35.1.
-
-WARN: child terminated by signal: 11: Segmentation fault
-
-Upstream-status: Pending
-
-Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
----
- arch/aarch64/mcount-arch.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/aarch64/mcount-arch.h b/arch/aarch64/mcount-arch.h
-index 69efe521..60c2c1ba 100644
---- a/arch/aarch64/mcount-arch.h
-+++ b/arch/aarch64/mcount-arch.h
-@@ -31,7 +31,7 @@ struct mcount_arch_context {
- double d[ARCH_MAX_FLOAT_REGS];
- };
-
--#define ARCH_PLT0_SIZE 32
-+#define ARCH_PLT0_SIZE 16
- #define ARCH_PLTHOOK_ADDR_OFFSET 0
-
- struct mcount_disasm_engine;
diff --git a/meta-openembedded/meta-oe/recipes-devtools/uftrace/uftrace/0001-aarch64-Fix-a-plthook-crash-on-aarch64-with-binutils.patch b/meta-openembedded/meta-oe/recipes-devtools/uftrace/uftrace/0001-aarch64-Fix-a-plthook-crash-on-aarch64-with-binutils.patch
new file mode 100644
index 0000000000..bf997d6e4b
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/uftrace/uftrace/0001-aarch64-Fix-a-plthook-crash-on-aarch64-with-binutils.patch
@@ -0,0 +1,47 @@
+From 0851278471472c6be69a936cc3698aa50a646ffd Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@cn.fujitsu.com>
+Date: Wed, 12 May 2021 17:06:31 +0900
+Subject: [PATCH] aarch64: Fix a plthook crash on aarch64 with binutils2.35.1
+ and later versions
+
+plthook is always crashed in Ubuntu 20.10 aarch64, which uses binutils 2.35.1.
+Since the `plt_entsize` is not automatically set in this version, we have to
+explicitly set the value.
+
+This patch fixes the following problem.
+
+ $ uname -m
+ aarch64
+
+ $ cat /etc/os-release | grep PRETTY_NAME
+ PRETTY_NAME="Ubuntu 20.10"
+
+ $ gcc -pg tests/s-abc.c
+
+ $ uftrace record a.out
+ WARN: child terminated by signal: 7: Bus error
+
+Fixed: #1254
+
+Upstream-status: submitted [Sent to https://github.com/namhyung/uftrace/pull/1248]
+
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
+---
+ utils/symbol.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/utils/symbol.c b/utils/symbol.c
+index 29a1d295..01e52dab 100644
+--- a/utils/symbol.c
++++ b/utils/symbol.c
+@@ -560,6 +560,7 @@ int load_elf_dynsymtab(struct symtab *dsymtab, struct uftrace_elf_data *elf,
+ }
+ else if (elf->ehdr.e_machine == EM_AARCH64) {
+ plt_addr += 16; /* AARCH64 PLT0 size is 32 */
++ plt_entsize = 16;
+ }
+ else if (elf->ehdr.e_machine == EM_386) {
+ plt_entsize += 12;
+--
+2.25.1
+
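Review bot: The tag in the header is written "Upstream-status: submitted [...]"; the OE convention is "Upstream-Status: Submitted [...]". The header also says "Fixed: #1254" while the status line points at pull/1248, and the From address (leimaohui@cn.fujitsu.com) differs from the Signed-off-by address (leimaohui@fujitsu.com); please make these consistent. In the code, the new plt_entsize = 16; sits directly under the existing comment "AARCH64 PLT0 size is 32" on plt_addr += 16, so a short comment on the added line saying that 16 is the per-entry size would avoid confusion between the two constants.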
diff --git a/meta-openembedded/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb b/meta-openembedded/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb
index 4b4fc831c3..a04fccca75 100644
--- a/meta-openembedded/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb
+++ b/meta-openembedded/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb
@@ -13,7 +13,7 @@ inherit autotools
PV .= "+git${SRCPV}"
SRCREV = "d648bbffedef529220896283fb59e35531c13804"
SRC_URI = "git://github.com/namhyung/${BPN} \
- file://0001-Fix-error-on-aarch64-with-binutils2.35.1.patch \
+ file://0001-aarch64-Fix-a-plthook-crash-on-aarch64-with-binutils.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta-openembedded/meta-oe/recipes-extended/minifi-cpp/minifi-cpp_0.7.0.bb b/meta-openembedded/meta-oe/recipes-extended/minifi-cpp/minifi-cpp_0.7.0.bb
index 322b58477d..68d83eb008 100644
--- a/meta-openembedded/meta-oe/recipes-extended/minifi-cpp/minifi-cpp_0.7.0.bb
+++ b/meta-openembedded/meta-oe/recipes-extended/minifi-cpp/minifi-cpp_0.7.0.bb
@@ -88,6 +88,7 @@ do_install() {
install -d ${D}${MINIFI_BIN}
install -d ${D}${MINIFI_HOME}/conf
install -m 755 -d ${D}${localstatedir}/lib/minifi
+ install -m 755 -d ${D}${libexecdir}/minifi-python
cp -a ${WORKDIR}/minifi-install/usr/bin/* ${D}${MINIFI_BIN}/
cp -a ${WORKDIR}/minifi-install/usr/conf/* ${D}${MINIFI_HOME}/conf/
@@ -101,6 +102,8 @@ do_install() {
${D}${MINIFI_HOME}/conf/minifi.properties
sed -i 's|nifi.flow.configuration.file=.*|nifi.flow.configuration.file='${MINIFI_HOME}'/conf/config.yml|g' \
${D}${MINIFI_HOME}/conf/minifi.properties
+ sed -i 's|nifi.python.processor.dir=.*|nifi.python.processor.dir=${libexecdir}/minifi-python|g' \
+ ${D}${MINIFI_HOME}/conf/minifi.properties
sed -i 's|export MINIFI_HOME=.*|export MINIFI_HOME='${MINIFI_HOME}'|g' ${D}${MINIFI_BIN}/minifi.sh
sed -i 's|bin_dir=${MINIFI_HOME}/bin|bin_dir='${MINIFI_BIN}'|g' ${D}${MINIFI_BIN}/minifi.sh
@@ -135,3 +138,5 @@ pkg_postinst_${PN}() {
fi
fi
}
+
+CLEANBROKEN = "1"
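Review bot: CLEANBROKEN = "1" is added at the end of the recipe with no comment. Say in a comment or in the commit message which clean step fails for minifi-cpp, so the setting can be removed once that is fixed rather than staying indefinitely.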
diff --git a/meta-openembedded/meta-oe/recipes-extended/sysdig/sysdig_git.bb b/meta-openembedded/meta-oe/recipes-extended/sysdig/sysdig_git.bb
index d9da190578..f1b77070c1 100644
--- a/meta-openembedded/meta-oe/recipes-extended/sysdig/sysdig_git.bb
+++ b/meta-openembedded/meta-oe/recipes-extended/sysdig/sysdig_git.bb
@@ -14,6 +14,7 @@ JIT_mipsarchn32 = ""
JIT_mipsarchn64 = ""
JIT_riscv64 = ""
JIT_riscv32 = ""
+JIT_powerpc = ""
DEPENDS += "libb64 lua${JIT} zlib c-ares grpc-native grpc curl ncurses jsoncpp tbb jq openssl elfutils protobuf protobuf-native jq-native"
RDEPENDS_${PN} = "bash"
@@ -49,3 +50,4 @@ COMPATIBLE_HOST_libc-musl = "null"
COMPATIBLE_HOST_mips = "null"
COMPATIBLE_HOST_riscv64 = "null"
COMPATIBLE_HOST_riscv32 = "null"
+COMPATIBLE_HOST_powerpc = "null"
diff --git a/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch b/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch
new file mode 100644
index 0000000000..2db67966cf
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch
@@ -0,0 +1,27 @@
+From 97fefd050976bbbfca9608499f6a7d9fb86e70db Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Tue, 30 Jul 2019 11:00:00 -0700
+Subject: [PATCH] Fixed bug 4538 - validate image size when loading BMP files
+---
+ src/video/SDL_bmp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
+index 8eadc5f..5b5e12c 100644
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -143,6 +143,11 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
+ (void) biYPelsPerMeter;
+ (void) biClrImportant;
+
++ if (biWidth <= 0 || biHeight == 0) {
++ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ if (biHeight < 0) {
+ topDown = SDL_TRUE;
+ biHeight = -biHeight;
+--
+2.25.1
+
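Review bot: The new check rejects biWidth <= 0 and biHeight == 0 but lets every negative biHeight through to the existing biHeight = -biHeight. If biHeight is a signed 32-bit value (the %d in the error message suggests it is), the most negative value cannot be negated, so it should be rejected by this check as well. The header also lacks Upstream-Status and CVE tags and a Signed-off-by from whoever imported the patch.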
diff --git a/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb b/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb
index 7a01908322..d91a1856b4 100644
--- a/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb
+++ b/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb
@@ -27,6 +27,7 @@ SRC_URI = "http://www.libsdl.org/release/SDL-${PV}.tar.gz \
file://CVE-2019-7637.patch \
file://CVE-2019-7638.patch \
file://CVE-2019-7576.patch \
+ file://CVE-2019-13616.patch \
"
UPSTREAM_CHECK_REGEX = "SDL-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta-openembedded/meta-oe/recipes-kernel/libpfm/libpfm4_4.10.1.bb b/meta-openembedded/meta-oe/recipes-kernel/libpfm/libpfm4_4.10.1.bb
index ff56d48043..6da0f5d9a0 100644
--- a/meta-openembedded/meta-oe/recipes-kernel/libpfm/libpfm4_4.10.1.bb
+++ b/meta-openembedded/meta-oe/recipes-kernel/libpfm/libpfm4_4.10.1.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0de488f3bd4424e308e2e399cb99c788"
SECTION = "devel"
-COMPATIBLE_HOST = "powerpc64"
+COMPATIBLE_HOST = "powerpc64|aarch64"
SRC_URI = "${SOURCEFORGE_MIRROR}/perfmon2/${BPN}/libpfm-${PV}.tar.gz \
file://0001-Include-poll.h-instead-of-sys-poll.h.patch \
@@ -24,6 +24,7 @@ EXTRA_OEMAKE = "DESTDIR=\"${D}\" PREFIX=\"${prefix}\" LIBDIR=\"${libdir}\" LDCON
EXTRA_OEMAKE_append_powerpc = " ARCH=\"powerpc\""
EXTRA_OEMAKE_append_powerpc64 = " ARCH=\"powerpc\" BITMODE=\"64\""
EXTRA_OEMAKE_append_powerpc64le = " ARCH=\"powerpc\" BITMODE=\"64\""
+EXTRA_OEMAKE_append_aarch64 = " ARCH=\"arm64\""
S = "${WORKDIR}/libpfm-${PV}"
diff --git a/meta-openembedded/meta-oe/recipes-kernel/trace-cmd/trace-cmd_2.9.1.bb b/meta-openembedded/meta-oe/recipes-kernel/trace-cmd/trace-cmd_2.9.1.bb
index d39afff8e4..906ca2c1f3 100644
--- a/meta-openembedded/meta-oe/recipes-kernel/trace-cmd/trace-cmd_2.9.1.bb
+++ b/meta-openembedded/meta-oe/recipes-kernel/trace-cmd/trace-cmd_2.9.1.bb
@@ -12,6 +12,8 @@ S = "${WORKDIR}/git"
do_install() {
oe_runmake etcdir=${sysconfdir} DESTDIR=${D} install
+ mkdir -p ${D}${libdir}/traceevent/plugins/${BPN}
+ mv ${D}/${libdir}/traceevent/plugins/*.so ${D}${libdir}/traceevent/plugins/${BPN}/
}
FILES_${PN} += "${libdir}/traceevent/plugins"
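Review bot: The mv line spells its source as ${D}/${libdir}/traceevent/plugins/*.so, while the mkdir above it and the mv destination use ${D}${libdir}; drop the extra slash so the three paths are written the same way. The mv will also fail do_install if no .so is produced in that directory. If that is intended as a guard, a one-line comment on why the plugins move under ${BPN} would help.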
diff --git a/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch
new file mode 100644
index 0000000000..e5d069487c
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch
@@ -0,0 +1,26 @@
+From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
+From: Pydera <pydera@mailbox.org>
+Date: Thu, 8 Apr 2021 17:36:16 +0200
+Subject: [PATCH] Fix out of buffer access in #1529
+
+---
+ src/jp2image.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 88ab9b2d6..12025f966 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m)
+ #endif
+ box.length = (uint32_t) (io_->size() - io_->tell() + 8);
+ }
+- if (box.length == 1)
++ if (box.length < 8)
+ {
+- // FIXME. Special case. the real box size is given in another place.
++ // box is broken, so there is nothing we can do here
++ throw Error(kerCorruptedMetadata);
+ }
+
+ // Read whole box : Box header + Box data (not fixed size - can be null).
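Review bot: Changing box.length == 1 to box.length < 8 and throwing Error(kerCorruptedMetadata) turns what the removed comment called a special case ("the real box size is given in another place") into a hard error, so files that use the length-1 form are now rejected. That behaviour change deserves a sentence in the patch description, which currently has no body. The header also has no Upstream-Status, CVE or Signed-off-by lines.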
diff --git a/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch
new file mode 100644
index 0000000000..285f6fe4ce
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch
@@ -0,0 +1,37 @@
+From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Fri, 9 Apr 2021 13:37:48 +0100
+Subject: [PATCH] Fix integer overflow.
+---
+ src/crwimage_int.cpp | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
+index aefaf22..2e3e507 100644
+--- a/src/crwimage_int.cpp
++++ b/src/crwimage_int.cpp
+@@ -559,7 +559,7 @@ namespace Exiv2 {
+ void CiffComponent::setValue(DataBuf buf)
+ {
+ if (isAllocated_) {
+- delete pData_;
++ delete[] pData_;
+ pData_ = 0;
+ size_ = 0;
+ }
+@@ -1167,7 +1167,11 @@ namespace Exiv2 {
+ pCrwMapping->crwDir_);
+ if (edX != edEnd || edY != edEnd || edO != edEnd) {
+ uint32_t size = 28;
+- if (cc && cc->size() > size) size = cc->size();
++ if (cc) {
++ if (cc->size() < size)
++ throw Error(kerCorruptedMetadata);
++ size = cc->size();
++ }
+ DataBuf buf(size);
+ std::memset(buf.pData_, 0x0, buf.size_);
+ if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
+--
+2.25.1
+
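Review bot: In the second hunk the new guard throws for any cc->size() below 28, although the memcpy that follows only needs cc->size() >= 8 to keep cc->size() - 8 from wrapping. If rejecting sizes 8 to 27 is intended, say so in the description, which reads only "Fix integer overflow." The delete to delete[] change in setValue() is a separate fix and is not mentioned at all. Upstream-Status and CVE tags are missing from the header.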
diff --git a/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
new file mode 100644
index 0000000000..5ab64a7d3e
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
@@ -0,0 +1,120 @@
+From 783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Mon, 19 Apr 2021 18:06:00 +0100
+Subject: [PATCH] Improve bound checking in WebPImage::doWriteMetadata()
+
+---
+ src/webpimage.cpp | 41 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 11 deletions(-)
+
+diff --git a/src/webpimage.cpp b/src/webpimage.cpp
+index 4ddec544c..fee110bca 100644
+--- a/src/webpimage.cpp
++++ b/src/webpimage.cpp
+@@ -145,7 +145,7 @@ namespace Exiv2 {
+ DataBuf chunkId(WEBP_TAG_SIZE+1);
+ chunkId.pData_ [WEBP_TAG_SIZE] = '\0';
+
+- io_->read(data, WEBP_TAG_SIZE * 3);
++ readOrThrow(*io_, data, WEBP_TAG_SIZE * 3, Exiv2::kerCorruptedMetadata);
+ uint64_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian);
+
+ /* Set up header */
+@@ -185,13 +185,20 @@ namespace Exiv2 {
+ case we have any exif or xmp data, also check
+ for any chunks with alpha frame/layer set */
+ while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
+- io_->read(chunkId.pData_, WEBP_TAG_SIZE);
+- io_->read(size_buff, WEBP_TAG_SIZE);
+- long size = Exiv2::getULong(size_buff, littleEndian);
++ readOrThrow(*io_, chunkId.pData_, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
++ readOrThrow(*io_, size_buff, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
++ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
++
++ // Check that `size_u32` is safe to cast to `long`.
++ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
++ Exiv2::kerCorruptedMetadata);
++ const long size = static_cast<long>(size_u32);
+ DataBuf payload(size);
+- io_->read(payload.pData_, payload.size_);
+- byte c;
+- if ( payload.size_ % 2 ) io_->read(&c,1);
++ readOrThrow(*io_, payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
++ if ( payload.size_ % 2 ) {
++ byte c;
++ readOrThrow(*io_, &c, 1, Exiv2::kerCorruptedMetadata);
++ }
+
+ /* Chunk with information about features
+ used in the file. */
+@@ -199,6 +206,7 @@ namespace Exiv2 {
+ has_vp8x = true;
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X) && !has_size) {
++ enforce(size >= 10, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[WEBP_TAG_SIZE];
+
+@@ -227,6 +235,7 @@ namespace Exiv2 {
+ }
+ #endif
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8) && !has_size) {
++ enforce(size >= 10, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[2];
+
+@@ -244,11 +253,13 @@ namespace Exiv2 {
+
+ /* Chunk with with lossless image data. */
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_alpha) {
++ enforce(size >= 5, Exiv2::kerCorruptedMetadata);
+ if ((payload.pData_[4] & WEBP_VP8X_ALPHA_BIT) == WEBP_VP8X_ALPHA_BIT) {
+ has_alpha = true;
+ }
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_size) {
++ enforce(size >= 5, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf_w[2];
+ byte size_buf_h[3];
+@@ -276,11 +287,13 @@ namespace Exiv2 {
+
+ /* Chunk with animation frame. */
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_alpha) {
++ enforce(size >= 6, Exiv2::kerCorruptedMetadata);
+ if ((payload.pData_[5] & 0x2) == 0x2) {
+ has_alpha = true;
+ }
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_size) {
++ enforce(size >= 12, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[WEBP_TAG_SIZE];
+
+@@ -309,16 +322,22 @@ namespace Exiv2 {
+
+ io_->seek(12, BasicIo::beg);
+ while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
+- io_->read(chunkId.pData_, 4);
+- io_->read(size_buff, 4);
++ readOrThrow(*io_, chunkId.pData_, 4, Exiv2::kerCorruptedMetadata);
++ readOrThrow(*io_, size_buff, 4, Exiv2::kerCorruptedMetadata);
++
++ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
+
+- long size = Exiv2::getULong(size_buff, littleEndian);
++ // Check that `size_u32` is safe to cast to `long`.
++ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
++ Exiv2::kerCorruptedMetadata);
++ const long size = static_cast<long>(size_u32);
+
+ DataBuf payload(size);
+- io_->read(payload.pData_, size);
++ readOrThrow(*io_, payload.pData_, size, Exiv2::kerCorruptedMetadata);
+ if ( io_->tell() % 2 ) io_->seek(+1,BasicIo::cur); // skip pad
+
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X)) {
++ enforce(size >= 1, Exiv2::kerCorruptedMetadata);
+ if (has_icc){
+ payload.pData_[0] |= WEBP_VP8X_ICC_BIT;
+ } else {
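Review bot: The enforce that the comment describes as checking that size_u32 is "safe to cast to `long`" compares against std::numeric_limits<unsigned int>::max(), which a uint32_t cannot exceed where unsigned int is 32 bits, so on targets with a 32-bit long a value above the maximum of long still ends up as a negative size (this applies to both read loops). Comparing against std::numeric_limits<long>::max() would match the comment. The hunks also use readOrThrow, enforce and std::numeric_limits without adding any include, so please confirm webpimage.cpp in 0.27.3 already pulls in the headers that declare them.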
diff --git a/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
new file mode 100644
index 0000000000..f0c482450c
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
@@ -0,0 +1,72 @@
+From 61734d8842cb9cc59437463e3bac54d6231d9487 Mon Sep 17 00:00:00 2001
+From: Wang Mingyu <wangmy@fujitsu.com>
+Date: Tue, 18 May 2021 10:52:54 +0900
+Subject: [PATCH] modify
+
+Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
+---
+ src/jp2image.cpp | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 52723a4..0ac4f50 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -643,11 +643,11 @@ static void boxes_check(size_t b,size_t m)
+ void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)
+ {
+ DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+- int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+- int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
++ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+ Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
+- int32_t length = getLong((byte*)&pBox->length, bigEndian);
+- int32_t count = sizeof (Jp2BoxHeader);
++ uint32_t length = getLong((byte*)&pBox->length, bigEndian);
++ uint32_t count = sizeof (Jp2BoxHeader);
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+@@ -664,6 +664,7 @@ static void boxes_check(size_t b,size_t m)
+ #ifdef EXIV2_DEBUG_MESSAGES
+ std::cout << "Jp2Image::encodeJp2Header subbox: "<< toAscii(subBox.type) << " length = " << subBox.length << std::endl;
+ #endif
++ enforce(subBox.length <= length - count, Exiv2::kerCorruptedMetadata);
+ count += subBox.length;
+ newBox.type = subBox.type;
+ } else {
+@@ -672,12 +673,13 @@ static void boxes_check(size_t b,size_t m)
+ count = length;
+ }
+
+- int32_t newlen = subBox.length;
++ uint32_t newlen = subBox.length;
+ if ( newBox.type == kJp2BoxTypeColorHeader ) {
+ bWroteColor = true ;
+ if ( ! iccProfileDefined() ) {
+ const char* pad = "\x01\x00\x00\x00\x00\x00\x10\x00\x00\x05\x1cuuid";
+ uint32_t psize = 15;
++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
+ ul2Data((byte*)&newBox.length,psize ,bigEndian);
+ ul2Data((byte*)&newBox.type ,newBox.type,bigEndian);
+ ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox));
+@@ -686,6 +688,7 @@ static void boxes_check(size_t b,size_t m)
+ } else {
+ const char* pad = "\0x02\x00\x00";
+ uint32_t psize = 3;
++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
+ ul2Data((byte*)&newBox.length,psize+iccProfile_.size_,bigEndian);
+ ul2Data((byte*)&newBox.type,newBox.type,bigEndian);
+ ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox) );
+@@ -694,6 +697,7 @@ static void boxes_check(size_t b,size_t m)
+ newlen = psize + iccProfile_.size_;
+ }
+ } else {
++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
+ ::memcpy(output.pData_+outlen,boxBuf.pData_+inlen,subBox.length);
+ }
+
+--
+2.25.1
+
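Review bot: The subject line is "[PATCH] modify" and the body is empty, so nothing in the header says which upstream change this backports or how it was adapted. Add a descriptive subject, an Upstream-Status: Backport line naming the upstream commit, and a CVE tag. In the code, enforce(newlen <= output.size_ - outlen, ...) compares a uint32_t with an expression involving the long outlen; if output.size_ is also long, then on targets where long is 32 bits the right-hand side is converted to unsigned and a negative difference would pass the check. An explicit outlen <= output.size_ test before the subtraction would remove that dependence on the platform.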
diff --git a/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch
new file mode 100644
index 0000000000..eedf9d79aa
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch
@@ -0,0 +1,32 @@
+From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 21 Apr 2021 12:06:04 +0100
+Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header
+---
+ src/jp2image.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index b424225..349a9f0 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m)
+ DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
+ uint32_t length = getLong((byte*)&pBox->length, bigEndian);
++ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+ uint32_t count = sizeof (Jp2BoxHeader);
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+ while ( count < length || !bWroteColor ) {
++ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+ // copy data. pointer could be into a memory mapped file which we will decode!
+--
+2.25.1
+
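Review bot: The two enforce calls added before the loop compare against output.size_, but the header they precede is read from boxBuf (pBox points at boxBuf.pData_), and output is allocated as boxBuf.size_ + iccProfile_.size_ + 100, so neither check shows that boxBuf itself holds sizeof(Jp2BoxHeader) bytes or length bytes. Checking against boxBuf.size_ would bound the read directly. The context lines (long outlen, uint32_t length) also show that this patch applies only on top of CVE-2021-29464.patch; stating that in the header would help anyone reordering or dropping patches later.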
diff --git a/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch
new file mode 100644
index 0000000000..4afedf8e59
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch
@@ -0,0 +1,21 @@
+From e6a0982f7cd9282052b6e3485a458d60629ffa0b Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Fri, 23 Apr 2021 11:44:44 +0100
+Subject: [PATCH] Add bounds check in Jp2Image::doWriteMetadata().
+
+---
+ src/jp2image.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 1694fed27..ca8c9ddbb 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -908,6 +908,7 @@ static void boxes_check(size_t b,size_t m)
+
+ case kJp2BoxTypeUuid:
+ {
++ enforce(boxBuf.size_ >= 24, Exiv2::kerCorruptedMetadata);
+ if(memcmp(boxBuf.pData_ + 8, kJp2UuidExif, 16) == 0)
+ {
+ #ifdef EXIV2_DEBUG_MESSAGES
diff --git a/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
new file mode 100644
index 0000000000..e7c5e1b656
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
@@ -0,0 +1,54 @@
+From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
+From: Robin Mills <robin@clanmills.com>
+Date: Mon, 5 Apr 2021 20:33:25 +0100
+Subject: [PATCH] fix_1522_jp2image_exif_asan
+
+---
+ src/jp2image.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index eb31cea4a..88ab9b2d6 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -28,6 +28,7 @@
+ #include "image.hpp"
+ #include "image_int.hpp"
+ #include "basicio.hpp"
++#include "enforce.hpp"
+ #include "error.hpp"
+ #include "futils.hpp"
+ #include "types.hpp"
+@@ -353,7 +354,7 @@ static void boxes_check(size_t b,size_t m)
+ if (io_->error()) throw Error(kerFailedToReadImageData);
+ if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed);
+
+- if (rawData.size_ > 0)
++ if (rawData.size_ > 8) // "II*\0long"
+ {
+ // Find the position of Exif header in bytes array.
+ long pos = ( (rawData.pData_[0] == rawData.pData_[1])
+@@ -497,6 +498,7 @@ static void boxes_check(size_t b,size_t m)
+ position = io_->tell();
+ box.length = getLong((byte*)&box.length, bigEndian);
+ box.type = getLong((byte*)&box.type, bigEndian);
++ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
+
+ if (bPrint) {
+ out << Internal::stringFormat("%8ld | %8ld | ", (size_t)(position - sizeof(box)),
+@@ -581,12 +583,13 @@ static void boxes_check(size_t b,size_t m)
+ throw Error(kerInputDataReadFailed);
+
+ if (bPrint) {
+- out << Internal::binaryToString(makeSlice(rawData, 0, 40));
++ out << Internal::binaryToString(
++ makeSlice(rawData, 0, rawData.size_>40?40:rawData.size_));
+ out.flush();
+ }
+ lf(out, bLF);
+
+- if (bIsExif && bRecursive && rawData.size_ > 0) {
++ if (bIsExif && bRecursive && rawData.size_ > 8) { // "II*\0long"
+ if ((rawData.pData_[0] == rawData.pData_[1]) &&
+ (rawData.pData_[0] == 'I' || rawData.pData_[0] == 'M')) {
+ BasicIo::AutoPtr p = BasicIo::AutoPtr(new MemIo(rawData.pData_, rawData.size_));
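Review bot: The new enforce(box.length <= io_->size()-io_->tell(), ...) runs after the box header has been read (the print below it subtracts sizeof(box) from position), so if box.length counts that header, a box that ends exactly at end of file is sizeof(box) bytes longer than the remaining data and would be rejected. Please confirm whether the bound should allow for sizeof(box). The comparison also mixes box.length with the return types of size() and tell(); explicit casts would make its signedness clear. The header has no Upstream-Status or CVE tag.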
diff --git a/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index ed1e8de5c2..d5d9e62ff2 100644
--- a/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -9,7 +9,14 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994
# Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either
inherit dos2unix
-SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch"
+SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
+ file://CVE-2021-29457.patch \
+ file://CVE-2021-29458.patch \
+ file://CVE-2021-29463.patch \
+ file://CVE-2021-29464.patch \
+ file://CVE-2021-29470.patch \
+ file://CVE-2021-29473.patch \
+ file://CVE-2021-3482.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
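Review bot: CVE-2021-3482.patch is listed last in SRC_URI, but its index line (eb31cea4a..88ab9b2d6) shows it produces the jp2image.cpp that CVE-2021-29457.patch starts from (88ab9b2d6..12025f966), and it is the patch that adds #include "enforce.hpp", which the enforce() calls added to jp2image.cpp by CVE-2021-29464, CVE-2021-29470 and CVE-2021-29473 rely on. Listing it first would apply the patches in the order they were written and avoid relying on fuzz or on the final state alone being buildable.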
diff --git a/meta-openembedded/meta-oe/recipes-support/libeigen/libeigen_3.3.7.bb b/meta-openembedded/meta-oe/recipes-support/libeigen/libeigen_3.3.7.bb
index 6ce318d0b5..fe15f2eb2e 100644
--- a/meta-openembedded/meta-oe/recipes-support/libeigen/libeigen_3.3.7.bb
+++ b/meta-openembedded/meta-oe/recipes-support/libeigen/libeigen_3.3.7.bb
@@ -1,8 +1,13 @@
DESCRIPTION = "Eigen is a C++ template library for linear algebra: matrices, vectors, numerical solvers, and related algorithms."
AUTHOR = "Benoît Jacob and Gaël Guennebaud and others"
HOMEPAGE = "http://eigen.tuxfamily.org/"
-LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING.MPL2;md5=815ca599c9df247a0c7f619bab123dad"
+LICENSE = "MPL-2.0 & Apache-2.0 & BSD-3-Clause & GPLv3 & LGPLv2.1 & MINPACK"
+LIC_FILES_CHKSUM = "file://COPYING.MPL2;md5=815ca599c9df247a0c7f619bab123dad \
+ file://COPYING.BSD;md5=543367b8e11f07d353ef894f71b574a0 \
+ file://COPYING.GPL;md5=d32239bcb673463ab874e80d47fae504 \
+ file://COPYING.LGPL;md5=4fbd65380cdd255951079008b364516c \
+ file://COPYING.MINPACK;md5=5fe4603e80ef7390306f51ef74449bbd \
+"
SRC_URI = "git://gitlab.com/libeigen/eigen.git;protocol=http;nobranch=1"
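Review bot: `LICENSE` now lists `Apache-2.0`, but the new `LIC_FILES_CHKSUM` entries cover only the MPL2, BSD, GPL, LGPL and MINPACK files, so nothing pins the Apache text and a change to it would go unnoticed. Add the checksum of the file that carries the Apache license, or say in a comment where that license comes from. The unchanged `SRC_URI` line still fetches with `protocol=http`, which is worth revisiting while the recipe is being touched.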
diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb
index 1863db131b..9c4c03df99 100644
--- a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb
+++ b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb
@@ -49,6 +49,8 @@ TUNE_CCARGS_remove = "-mcpu=cortex-a55+crc -mcpu=cortex-a55 -mcpu=cortex-a55+crc
TARGET_CC_ARCH += "${LDFLAGS}"
+CFLAGS_append_class-native = " -D_XOPEN_SOURCE "
+
do_configure_prepend_libc-musl () {
sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk
}
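Review bot: `CFLAGS_append_class-native = " -D_XOPEN_SOURCE "` is added with no comment saying which native build failure it works around or which declaration it exposes. A one-line comment above it would let a later nss upgrade decide whether the define can be dropped.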
diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.5.2.bb b/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.5.2.bb
index 311355bd7a..226bad5778 100644
--- a/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.5.2.bb
+++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.5.2.bb
@@ -106,6 +106,12 @@ PACKAGECONFIG ??= "gapi python3 eigen jpeg png tiff v4l libv4l gstreamer samples
${@bb.utils.contains("DISTRO_FEATURES", "x11", "gtk", "", d)} \
${@bb.utils.contains("LICENSE_FLAGS_WHITELIST", "commercial", "libav", "", d)}"
+# TBB does not build for powerpc so disable that package config
+PACKAGECONFIG_remove_powerpc = "tbb"
+# tbb now needs getcontect/setcontext which is not there for all arches on musl
+PACKAGECONFIG_remove_libc-musl_riscv64 = "tbb"
+PACKAGECONFIG_remove_libc-musl_riscv32 = "tbb"
+
PACKAGECONFIG[gapi] = "-DWITH_ADE=ON -Dade_DIR=${STAGING_LIBDIR},-DWITH_ADE=OFF,ade"
PACKAGECONFIG[amdblas] = "-DWITH_OPENCLAMDBLAS=ON,-DWITH_OPENCLAMDBLAS=OFF,libclamdblas,"
PACKAGECONFIG[amdfft] = "-DWITH_OPENCLAMDFFT=ON,-DWITH_OPENCLAMDFFT=OFF,libclamdfft,"
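Review bot: the second added comment has a typo, "getcontect/setcontext" should read "getcontext/setcontext". The two musl lines differ only in the architecture override, so the comment should also say whether other musl targets are known to build with tbb or were simply not tested.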
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-cerberus_1.3.3.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-cerberus_1.3.4.bb
index fa0bbb0aad..95934c6e42 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-cerberus_1.3.3.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-cerberus_1.3.4.bb
@@ -4,8 +4,10 @@ SECTION = "devel/python"
LICENSE = "ISC"
LIC_FILES_CHKSUM = "file://LICENSE;md5=48f8e9432d0dac5e0e7a18211a0bacdb"
+RDEPENDS_${PN} += "python3-setuptools"
+
# The PyPI package uses a capital letter so we have to specify this explicitly
PYPI_PACKAGE = "Cerberus"
inherit pypi setuptools3
-SRC_URI[sha256sum] = "eec10585c33044fb7c69650bc5b68018dac0443753337e2b07684ee0f3c83329"
+SRC_URI[sha256sum] = "d1b21b3954b2498d9a79edf16b3170a3ac1021df88d197dc2ce5928ba519237c"
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.20.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.20.bb
deleted file mode 100644
index 905d022a4f..0000000000
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.20.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-require python-django.inc
-inherit setuptools3
-
-SRC_URI[md5sum] = "947060d96ccc0a05e8049d839e541b25"
-SRC_URI[sha256sum] = "2569f9dc5f8e458a5e988b03d6b7a02bda59b006d6782f4ea0fd590ed7336a64"
-
-RDEPENDS_${PN} += "\
- ${PYTHON_PN}-sqlparse \
-"
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.24.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.24.bb
new file mode 100644
index 0000000000..964ca6ba03
--- /dev/null
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.24.bb
@@ -0,0 +1,9 @@
+require python-django.inc
+inherit setuptools3
+
+SRC_URI[md5sum] = "ebf3bbb7716a7b11029e860475b9a122"
+SRC_URI[sha256sum] = "3339ff0e03dee13045aef6ae7b523edff75b6d726adf7a7a48f53d5a501f7db7"
+
+RDEPENDS_${PN} += "\
+ ${PYTHON_PN}-sqlparse \
+"
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_3.2.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_3.2.4.bb
index e147e2f9d1..52504885e5 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_3.2.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_3.2.4.bb
@@ -1,7 +1,7 @@
require python-django.inc
inherit setuptools3
-SRC_URI[sha256sum] = "21f0f9643722675976004eb683c55d33c05486f94506672df3d6a141546f389d"
+SRC_URI[sha256sum] = "66c9d8db8cc6fe938a28b7887c1596e42d522e27618562517cc8929eb7e7f296"
RDEPENDS_${PN} += "\
${PYTHON_PN}-sqlparse \
@@ -9,5 +9,5 @@ RDEPENDS_${PN} += "\
# Set DEFAULT_PREFERENCE so that the LTS version of django is built by
# default. To build the 3.x branch,
-# PREFERRED_VERSION_python3-django = "3.2" can be added to local.conf
+# PREFERRED_VERSION_python3-django = "3.2.2" can be added to local.conf
DEFAULT_PREFERENCE = "-1"
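Review bot: the updated comment tells users to set `PREFERRED_VERSION_python3-django = "3.2.2"`, but this recipe is renamed to `python3-django_3.2.4.bb`, so following the comment selects a version that does not exist in the layer. Change the value to "3.2.4", or use a "3.2%" wildcard so the comment does not go stale at the next point release.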
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-pymongo_3.11.3.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-pymongo_3.11.4.bb
index 3549adce7c..0c07344cb4 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-pymongo_3.11.3.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-pymongo_3.11.4.bb
@@ -8,7 +8,7 @@ HOMEPAGE = "http://github.com/mongodb/mongo-python-driver"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
-SRC_URI[sha256sum] = "db5098587f58fbf8582d9bda2462762b367207246d3e19623782fb449c3c5fcc"
+SRC_URI[sha256sum] = "539d4cb1b16b57026999c53e5aab857fe706e70ae5310cc8c232479923f932e6"
inherit pypi setuptools3
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-rfc3339-validator_0.1.3.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-rfc3339-validator_0.1.4.bb
index a07a094479..f1064f327d 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-rfc3339-validator_0.1.3.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-rfc3339-validator_0.1.4.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a21b13b5a996f08f7e0b088aa38ce9c6"
FILESEXTRAPATHS_prepend := "${THISDIR}/python-rfc3339-validator:"
-SRC_URI[sha256sum] = "7a578aa0740e9ee2b48356fe1f347139190c4c72e27f303b3617054efd15df32"
+SRC_URI[sha256sum] = "138a2abdf93304ad60530167e51d2dfb9549521a836871b88d7f4695d0022f6b"
PYPI_PACKAGE = "rfc3339_validator"
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-robotframework_4.0.1.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-robotframework_4.0.2.bb
index 3e5d67e0a4..67ebe3ee69 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-robotframework_4.0.1.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-robotframework_4.0.2.bb
@@ -13,7 +13,7 @@ inherit pypi setuptools3
PYPI_PACKAGE_EXT = "zip"
-SRC_URI[sha256sum] = "9fa609ceb78f67b1476edce8a7011b16bf3ab41c0fb8c211de6c99955eaf9fde"
+SRC_URI[sha256sum] = "efd39558219fddc86473d4d390aeaec60640d7a7567a15fd51c0576f20e46171"
RDEPENDS_${PN} += " \
${PYTHON_PN}-shell \
diff --git a/meta-openembedded/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch b/meta-openembedded/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
new file mode 100644
index 0000000000..f942f990bd
--- /dev/null
+++ b/meta-openembedded/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
@@ -0,0 +1,97 @@
+From 9165a61f95e43cc0b5abf9b98eee2818a0191e0b Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn <alexxcons@xfce.org>
+Date: Sat, 1 May 2021 00:40:44 +0200
+Subject: [PATCH 1/2] Dont execute files, passed via command line due to
+ security risks
+
+Instead open the containing folder and select the file.
+
+Fixes #121
+
+Upstream-Status: Backport
+CVE: CVE-2021-32563
+
+Reference to upstream patch:
+[https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ thunar/thunar-application.c | 25 +++++++++++++++++++++++--
+ thunar/thunar-window.c | 4 +---
+ thunar/thunar-window.h | 2 ++
+ 3 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index df862fd..1243940 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -1512,8 +1512,29 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- /* try to open the file or directory */
+- thunar_file_launch (target_file, screen, startup_id, &error);
++ if (thunar_file_is_directory (file))
++ {
++ thunar_application_open_window (application, file, screen, startup_id, FALSE);
++ }
++ else
++ {
++ /* Note that for security reasons we do not execute files passed via command line */
++ /* Lets rather open the containing directory and select the file */
++ ThunarFile *parent = thunar_file_get_parent (file, NULL);
++
++ if (G_LIKELY (parent != NULL))
++ {
++ GList* files = NULL;
++ GtkWidget *window;
++
++ window = thunar_application_open_window (application, parent, screen, startup_id, FALSE);
++ g_object_unref (parent);
++
++ files = g_list_append (files, thunar_file_get_file (file));
++ thunar_window_select_files (THUNAR_WINDOW (window), files);
++ g_list_free (files);
++ }
++ }
+
+ /* remove the file from the list */
+ application->files_to_launch = g_list_delete_link (application->files_to_launch,
+diff --git a/thunar/thunar-window.c b/thunar/thunar-window.c
+index b330a87..b234fd3 100644
+--- a/thunar/thunar-window.c
++++ b/thunar/thunar-window.c
+@@ -243,8 +243,6 @@ static void thunar_window_update_go_menu (ThunarWindow
+ GtkWidget *menu);
+ static void thunar_window_update_help_menu (ThunarWindow *window,
+ GtkWidget *menu);
+-static void thunar_window_select_files (ThunarWindow *window,
+- GList *path_list);
+ static void thunar_window_binding_create (ThunarWindow *window,
+ gpointer src_object,
+ const gchar *src_prop,
+@@ -891,7 +889,7 @@ thunar_window_screen_changed (GtkWidget *widget,
+ *
+ * Visually selects the files, given by the list
+ **/
+-static void
++void
+ thunar_window_select_files (ThunarWindow *window,
+ GList *files_to_selected)
+ {
+diff --git a/thunar/thunar-window.h b/thunar/thunar-window.h
+index 9cbcc85..3c1aad2 100644
+--- a/thunar/thunar-window.h
++++ b/thunar/thunar-window.h
+@@ -126,6 +126,8 @@ void thunar_window_redirect_menu_tooltips_to_statusbar (Thu
+ GtkMenu *menu);
+ const XfceGtkActionEntry* thunar_window_get_action_entry (ThunarWindow *window,
+ ThunarWindowAction action);
++ void thunar_window_select_files (ThunarWindow *window,
++ GList *path_list);
+ G_END_DECLS;
+
+ #endif /* !__THUNAR_WINDOW_H__ */
+--
+2.17.1
+
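Review bot: in the `thunar_application_process_files_finish` change, the return value of `thunar_application_open_window` is handed straight to `THUNAR_WINDOW (window)` and `thunar_window_select_files` with no NULL check, while the parent lookup just above it is guarded by `G_LIKELY (parent != NULL)`. Guard `window` the same way. When `parent` is NULL the file is dropped silently, since the branch neither sets `error` nor logs, so a user passing such a path on the command line gets no feedback.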
diff --git a/meta-openembedded/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch b/meta-openembedded/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
new file mode 100644
index 0000000000..a22cdc6d8d
--- /dev/null
+++ b/meta-openembedded/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
@@ -0,0 +1,208 @@
+From 3b54d9d7dbd7fd16235e2141c43a7f18718f5664 Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn <alexxcons@xfce.org>
+Date: Fri, 7 May 2021 15:21:27 +0200
+Subject: [PATCH 2/2] Regression: Activating Desktop Icon does not Use Default
+ Application (Issue #575)
+
+- Introduced by 9165a61f (Dont execute files, passed via command line
+due to security risks)
+- Now via DBus files are executed, and via CLI, files are just selected
+
+Fixes #575
+
+Upstream-Status: Backport
+CVE: CVE-2021-32563
+
+Reference to upstream patch:
+[https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ thunar/thunar-application.c | 68 +++++++++++++++++++++---------------
+ thunar/thunar-application.h | 9 ++++-
+ thunar/thunar-dbus-service.c | 2 +-
+ 3 files changed, 49 insertions(+), 30 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index 1243940..53d0b23 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -182,37 +182,38 @@ struct _ThunarApplicationClass
+
+ struct _ThunarApplication
+ {
+- GtkApplication __parent__;
++ GtkApplication __parent__;
+
+- ThunarSessionClient *session_client;
++ ThunarSessionClient *session_client;
+
+- ThunarPreferences *preferences;
+- GtkWidget *progress_dialog;
++ ThunarPreferences *preferences;
++ GtkWidget *progress_dialog;
+
+- ThunarThumbnailCache *thumbnail_cache;
+- ThunarThumbnailer *thumbnailer;
++ ThunarThumbnailCache *thumbnail_cache;
++ ThunarThumbnailer *thumbnailer;
+
+- ThunarDBusService *dbus_service;
++ ThunarDBusService *dbus_service;
+
+- gboolean daemon;
++ gboolean daemon;
+
+- guint accel_map_save_id;
+- GtkAccelMap *accel_map;
++ guint accel_map_save_id;
++ GtkAccelMap *accel_map;
+
+- guint show_dialogs_timer_id;
++ guint show_dialogs_timer_id;
+
+ #ifdef HAVE_GUDEV
+- GUdevClient *udev_client;
++ GUdevClient *udev_client;
+
+- GSList *volman_udis;
+- guint volman_idle_id;
+- guint volman_watch_id;
++ GSList *volman_udis;
++ guint volman_idle_id;
++ guint volman_watch_id;
+ #endif
+
+- GList *files_to_launch;
++ GList *files_to_launch;
++ ThunarApplicationProcessAction process_file_action;
+
+- guint dbus_owner_id_xfce;
+- guint dbus_owner_id_fdo;
++ guint dbus_owner_id_xfce;
++ guint dbus_owner_id_fdo;
+ };
+
+
+@@ -279,6 +280,7 @@ thunar_application_init (ThunarApplication *application)
+ * in the primary instance anyways */
+
+ application->files_to_launch = NULL;
++ application->process_file_action = THUNAR_APPLICATION_SELECT_FILES;
+ application->progress_dialog = NULL;
+ application->preferences = NULL;
+
+@@ -531,7 +533,7 @@ thunar_application_command_line (GApplication *gapp,
+ }
+ else if (filenames != NULL)
+ {
+- if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error))
++ if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error, THUNAR_APPLICATION_SELECT_FILES))
+ {
+ /* we failed to process the filenames or the bulk rename failed */
+ g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message);
+@@ -539,7 +541,7 @@ thunar_application_command_line (GApplication *gapp,
+ }
+ else if (!daemon)
+ {
+- if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error))
++ if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error, THUNAR_APPLICATION_SELECT_FILES))
+ {
+ /* we failed to process the filenames or the bulk rename failed */
+ g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message);
+@@ -1512,7 +1514,12 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- if (thunar_file_is_directory (file))
++ if (application->process_file_action == THUNAR_APPLICATION_LAUNCH_FILES)
++ {
++ /* try to launch the file / open the directory */
++ thunar_file_launch (target_file, screen, startup_id, &error);
++ }
++ else if (thunar_file_is_directory (file))
+ {
+ thunar_application_open_window (application, file, screen, startup_id, FALSE);
+ }
+@@ -1603,18 +1610,20 @@ thunar_application_process_files (ThunarApplication *application)
+ * @startup_id : startup id to finish startup notification and properly focus the
+ * window when focus stealing is enabled or %NULL.
+ * @error : return location for errors or %NULL.
++ * @action : action to invoke on the files
+ *
+ * Tells @application to process the given @filenames and launch them appropriately.
+ *
+ * Return value: %TRUE on success, %FALSE if @error is set.
+ **/
+ gboolean
+-thunar_application_process_filenames (ThunarApplication *application,
+- const gchar *working_directory,
+- gchar **filenames,
+- GdkScreen *screen,
+- const gchar *startup_id,
+- GError **error)
++thunar_application_process_filenames (ThunarApplication *application,
++ const gchar *working_directory,
++ gchar **filenames,
++ GdkScreen *screen,
++ const gchar *startup_id,
++ GError **error,
++ ThunarApplicationProcessAction action)
+ {
+ ThunarFile *file;
+ GError *derror = NULL;
+@@ -1686,7 +1695,10 @@ thunar_application_process_filenames (ThunarApplication *application,
+
+ /* start processing files if we have any to launch */
+ if (application->files_to_launch != NULL)
+- thunar_application_process_files (application);
++ {
++ application->process_file_action = action;
++ thunar_application_process_files (application);
++ }
+
+ /* free the file list */
+ g_list_free (file_list);
+diff --git a/thunar/thunar-application.h b/thunar/thunar-application.h
+index 547cb70..8c180e8 100644
+--- a/thunar/thunar-application.h
++++ b/thunar/thunar-application.h
+@@ -31,6 +31,12 @@ G_BEGIN_DECLS;
+ typedef struct _ThunarApplicationClass ThunarApplicationClass;
+ typedef struct _ThunarApplication ThunarApplication;
+
++typedef enum
++{
++ THUNAR_APPLICATION_LAUNCH_FILES,
++ THUNAR_APPLICATION_SELECT_FILES
++} ThunarApplicationProcessAction;
++
+ #define THUNAR_TYPE_APPLICATION (thunar_application_get_type ())
+ #define THUNAR_APPLICATION(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), THUNAR_TYPE_APPLICATION, ThunarApplication))
+ #define THUNAR_APPLICATION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), THUNAR_TYPE_APPLICATION, ThunarApplicationClass))
+@@ -74,7 +80,8 @@ gboolean thunar_application_process_filenames (ThunarAppli
+ gchar **filenames,
+ GdkScreen *screen,
+ const gchar *startup_id,
+- GError **error);
++ GError **error,
++ ThunarApplicationProcessAction action);
+
+ void thunar_application_rename_file (ThunarApplication *application,
+ ThunarFile *file,
+diff --git a/thunar/thunar-dbus-service.c b/thunar/thunar-dbus-service.c
+index 2d27642..4205a2b 100644
+--- a/thunar/thunar-dbus-service.c
++++ b/thunar/thunar-dbus-service.c
+@@ -991,7 +991,7 @@ thunar_dbus_service_launch_files (ThunarDBusFileManager *object,
+ {
+ /* let the application process the filenames */
+ application = thunar_application_get ();
+- thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error);
++ thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error, THUNAR_APPLICATION_LAUNCH_FILES);
+ g_object_unref (G_OBJECT (application));
+
+ /* release the screen */
+--
+2.17.1
+
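Review bot: `process_file_action` is a single field on `ThunarApplication`, written in `thunar_application_process_filenames` just before `thunar_application_process_files` and read later per file in `thunar_application_process_files_finish`. If a second call arrives while entries from an earlier call are still in `files_to_launch`, the later action overwrites the earlier one, so a file queued from the command line could be handled as `THUNAR_APPLICATION_LAUNCH_FILES`, which is the behaviour the first patch removed. Keeping the action with each queued entry would close that gap. The whitespace realignment of the struct members also hides the one functional line added there and would be better left out of a security backport.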
diff --git a/meta-openembedded/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb b/meta-openembedded/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
index 128043d19b..7bef08ed95 100644
--- a/meta-openembedded/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
+++ b/meta-openembedded/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
@@ -8,6 +8,10 @@ inherit xfce gobject-introspection features_check mime-xdg
REQUIRED_DISTRO_FEATURES = "x11"
+SRC_URI += "file://CVE-2021-32563-1.patch \
+ file://CVE-2021-32563-2.patch \
+ "
+
SRC_URI[sha256sum] = "cb531d3fe67196a43ca04979ef271ece7858bbc80c15b0ee4323c1252a1a02b7"
PACKAGECONFIG ??= ""
diff --git a/meta-raspberrypi/conf/layer.conf b/meta-raspberrypi/conf/layer.conf
index 0f081960be..2518379ae7 100644
--- a/meta-raspberrypi/conf/layer.conf
+++ b/meta-raspberrypi/conf/layer.conf
@@ -10,6 +10,7 @@ BBFILE_PATTERN_raspberrypi := "^${LAYERDIR}/"
BBFILE_PRIORITY_raspberrypi = "9"
LAYERSERIES_COMPAT_raspberrypi = "hardknott honister"
+LAYERDEPENDS_raspberrypi = "core"
# Additional license directories.
LICENSE_PATH += "${LAYERDIR}/files/custom-licenses"
diff --git a/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-dev.bb b/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-dev.bb
index ff8ce79935..0dfa4519f4 100644
--- a/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-dev.bb
+++ b/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-dev.bb
@@ -7,15 +7,21 @@ python __anonymous() {
LINUX_VERSION ?= "5.10.y"
LINUX_RPI_BRANCH ?= "rpi-5.10.y"
+LINUX_RPI_KMETA_BRANCH ?= "yocto-5.10"
-SRCREV_machine = "${AUTOREV}"
-SRCREV_meta = "${AUTOREV}"
+# Set default SRCREVs. Both the machine and meta SRCREVs are statically set
+# to the as in 5.10 recipe, and hence prevent network access during parsing. If
+# linux-yocto-dev is the preferred provider, they will be overridden to
+# AUTOREV in following anonymous python routine and resolved when the
+# variables are finalized.
+SRCREV_machine ?= '${@oe.utils.conditional("PREFERRED_PROVIDER_virtual/kernel", "linux-raspberrypi-dev", "${AUTOREV}", "89399e6e7e33d6260a954603ca03857df594ffd3", d)}'
+SRCREV_meta ?= '${@oe.utils.conditional("PREFERRED_PROVIDER_virtual/kernel", "linux-raspberrypi-dev", "${AUTOREV}", "a19886b00ea7d874fdd60d8e3435894bb16e6434", d)}'
KMETA = "kernel-meta"
SRC_URI = " \
- git://github.com/raspberrypi/linux.git;name=machine;protocol=git;branch=${LINUX_RPI_BRANCH} \
- git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=master;destsuffix=${KMETA} \
+ git://github.com/raspberrypi/linux.git;name=machine;branch=${LINUX_RPI_BRANCH} \
+ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=${LINUX_RPI_KMETA_BRANCH};destsuffix=${KMETA} \
file://powersave.cfg \
file://android-drivers.cfg \
"
diff --git a/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_5.10.bb b/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_5.10.bb
index 9fef701e23..7394817da0 100644
--- a/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_5.10.bb
+++ b/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_5.10.bb
@@ -1,5 +1,6 @@
LINUX_VERSION ?= "5.10.25"
LINUX_RPI_BRANCH ?= "rpi-5.10.y"
+LINUX_RPI_KMETA_BRANCH ?= "yocto-5.10"
SRCREV_machine = "d1fd8a5727908bb677c003d2ae977e9d935a6f94"
SRCREV_meta = "5833ca701711d487c9094bd1efc671e8ef7d001e"
@@ -8,7 +9,7 @@ KMETA = "kernel-meta"
SRC_URI = " \
git://github.com/raspberrypi/linux.git;name=machine;branch=${LINUX_RPI_BRANCH} \
- git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA} \
+ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=${LINUX_RPI_KMETA_BRANCH};destsuffix=${KMETA} \
file://powersave.cfg \
file://android-drivers.cfg \
"
diff --git a/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_5.4.bb b/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_5.4.bb
index ba97ed56e4..3432283724 100644
--- a/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_5.4.bb
+++ b/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_5.4.bb
@@ -1,5 +1,6 @@
LINUX_VERSION ?= "5.4.83"
LINUX_RPI_BRANCH ?= "rpi-5.4.y"
+LINUX_RPI_KMETA_BRANCH ?= "yocto-5.4"
SRCREV_machine = "08ae2dd9e7dc89c20bff823a3ef045de09bfd090"
SRCREV_meta = "d676bf5ff7b7071e14f44498d2482c0a596f14cd"
@@ -8,7 +9,7 @@ KMETA = "kernel-meta"
SRC_URI = " \
git://github.com/raspberrypi/linux.git;name=machine;branch=${LINUX_RPI_BRANCH} \
- git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA} \
+ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=${LINUX_RPI_KMETA_BRANCH};destsuffix=${KMETA} \
file://0001-Revert-selftests-bpf-Skip-perf-hw-events-test-if-the.patch \
file://0002-Revert-selftests-bpf-Fix-perf_buffer-test-on-systems.patch \
file://powersave.cfg \
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
index 8aeb8ac4b0..9e0a6862b1 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
@@ -9,16 +9,16 @@ SECTION = "tpm"
LICENSE = "CPL-1.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9"
-DEPENDS = "libtspi openssl"
+DEPENDS = "libtspi openssl perl"
DEPENDS_class-native = "trousers-native"
SRCREV = "bf43837575c5f7d31865562dce7778eae970052e"
SRC_URI = " \
- git://git.code.sf.net/p/trousers/tpm-tools \
- file://tpm-tools-extendpcr.patch \
- file://04-fix-FTBFS-clang.patch \
- file://openssl1.1_fix.patch \
- "
+ git://git.code.sf.net/p/trousers/tpm-tools \
+ file://tpm-tools-extendpcr.patch \
+ file://04-fix-FTBFS-clang.patch \
+ file://openssl1.1_fix.patch \
+ "
inherit autotools-brokensep gettext
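Review bot: the only functional change here is adding `perl` to `DEPENDS`, but it is mixed with a reindentation of `SRC_URI` that makes the hunk look larger than it is. Note also that the `DEPENDS_class-native = "trousers-native"` override on the next context line replaces `DEPENDS` for the native variant, so perl is not added there. If perl is needed as a build-time tool, say so in a comment and check whether `perl-native` is what is meant.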
diff --git a/poky/bitbake/lib/bb/fetch2/__init__.py b/poky/bitbake/lib/bb/fetch2/__init__.py
index cf0201c490..c8e91262a9 100644
--- a/poky/bitbake/lib/bb/fetch2/__init__.py
+++ b/poky/bitbake/lib/bb/fetch2/__init__.py
@@ -562,6 +562,9 @@ def verify_checksum(ud, d, precomputed={}):
checksum_expected = getattr(ud, "%s_expected" % checksum_id)
+ if checksum_expected == '':
+ checksum_expected = None
+
return {
"id": checksum_id,
"name": checksum_name,
@@ -612,7 +615,7 @@ def verify_checksum(ud, d, precomputed={}):
for ci in checksum_infos:
if ci["expected"] and ci["expected"] != ci["data"]:
- messages.append("File: '%s' has %s checksum %s when %s was " \
+ messages.append("File: '%s' has %s checksum '%s' when '%s' was " \
"expected" % (ud.localpath, ci["id"], ci["data"], ci["expected"]))
bad_checksum = ci["data"]
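Review bot: the guard on the first context line, `if ci["expected"] and ci["expected"] != ci["data"]`, skips the comparison whenever the expected value is falsy, and the hunk above now turns an empty string into `None` explicitly. A recipe that carries an empty checksum value is therefore treated the same as one that carries none for that algorithm. Add a comment at the normalization saying which caller needs `None` rather than `''`, and confirm that a source whose checksums are all empty still fails verification instead of passing unverified.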
diff --git a/poky/bitbake/lib/bb/fetch2/svn.py b/poky/bitbake/lib/bb/fetch2/svn.py
index 8856ef1c62..80102b44f2 100644
--- a/poky/bitbake/lib/bb/fetch2/svn.py
+++ b/poky/bitbake/lib/bb/fetch2/svn.py
@@ -86,7 +86,7 @@ class Svn(FetchMethod):
if command == "info":
svncmd = "%s info %s %s://%s/%s/" % (ud.basecmd, " ".join(options), proto, svnroot, ud.module)
elif command == "log1":
- svncmd = "%s log --limit 1 %s %s://%s/%s/" % (ud.basecmd, " ".join(options), proto, svnroot, ud.module)
+ svncmd = "%s log --limit 1 --quiet %s %s://%s/%s/" % (ud.basecmd, " ".join(options), proto, svnroot, ud.module)
else:
suffix = ""
diff --git a/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend b/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend
index bc2b3bf576..f8362b6635 100644
--- a/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend
+++ b/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend
@@ -7,17 +7,17 @@ KMACHINE_genericx86 ?= "common-pc"
KMACHINE_genericx86-64 ?= "common-pc-64"
KMACHINE_beaglebone-yocto ?= "beaglebone"
-SRCREV_machine_genericx86 ?= "8c516ced69f41563404ada0bea315a55bcf1df6f"
-SRCREV_machine_genericx86-64 ?= "8c516ced69f41563404ada0bea315a55bcf1df6f"
-SRCREV_machine_edgerouter ?= "965ab3ab746ae8a1158617b6302d9c218ffbbb66"
-SRCREV_machine_beaglebone-yocto ?= "8c516ced69f41563404ada0bea315a55bcf1df6f"
+SRCREV_machine_genericx86 ?= "ab49d2db98bdee2c8c6e17fb59ded9e5292b0f41"
+SRCREV_machine_genericx86-64 ?= "ab49d2db98bdee2c8c6e17fb59ded9e5292b0f41"
+SRCREV_machine_edgerouter ?= "274d63799465eebfd201b3e8251f16d29e93a978"
+SRCREV_machine_beaglebone-yocto ?= "ab49d2db98bdee2c8c6e17fb59ded9e5292b0f41"
COMPATIBLE_MACHINE_genericx86 = "genericx86"
COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
COMPATIBLE_MACHINE_edgerouter = "edgerouter"
COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"
-LINUX_VERSION_genericx86 = "5.10.21"
-LINUX_VERSION_genericx86-64 = "5.10.21"
-LINUX_VERSION_edgerouter = "5.10.21"
-LINUX_VERSION_beaglebone-yocto = "5.10.21"
+LINUX_VERSION_genericx86 = "5.10.43"
+LINUX_VERSION_genericx86-64 = "5.10.43"
+LINUX_VERSION_edgerouter = "5.10.43"
+LINUX_VERSION_beaglebone-yocto = "5.10.43"
diff --git a/poky/meta/classes/baremetal-image.bbclass b/poky/meta/classes/baremetal-image.bbclass
index b0f5e885b5..bc888f6223 100644
--- a/poky/meta/classes/baremetal-image.bbclass
+++ b/poky/meta/classes/baremetal-image.bbclass
@@ -50,6 +50,10 @@ python do_rootfs(){
if os.path.lexists(manifest_link):
os.remove(manifest_link)
os.symlink(os.path.basename(manifest_name), manifest_link)
+ # A lot of postprocess commands assume the existence of rootfs/etc
+ sysconfdir = d.getVar("IMAGE_ROOTFS") + d.getVar('sysconfdir')
+ bb.utils.mkdirhier(sysconfdir)
+
execute_pre_post_process(d, d.getVar('ROOTFS_POSTPROCESS_COMMAND'))
}
diff --git a/poky/meta/classes/image-live.bbclass b/poky/meta/classes/image-live.bbclass
index 8b08305cdb..fd876ed8e1 100644
--- a/poky/meta/classes/image-live.bbclass
+++ b/poky/meta/classes/image-live.bbclass
@@ -261,4 +261,4 @@ python do_bootimg() {
do_bootimg[subimages] = "hddimg iso"
do_bootimg[imgsuffix] = "."
-addtask bootimg before do_image_complete
+addtask bootimg before do_image_complete after do_rootfs
diff --git a/poky/meta/classes/kernel-devicetree.bbclass b/poky/meta/classes/kernel-devicetree.bbclass
index d4f8864200..27a4905ac6 100644
--- a/poky/meta/classes/kernel-devicetree.bbclass
+++ b/poky/meta/classes/kernel-devicetree.bbclass
@@ -1,8 +1,11 @@
# Support for device tree generation
-PACKAGES_append = " \
- ${KERNEL_PACKAGE_NAME}-devicetree \
- ${@[d.getVar('KERNEL_PACKAGE_NAME') + '-image-zimage-bundle', ''][d.getVar('KERNEL_DEVICETREE_BUNDLE') != '1']} \
-"
+python () {
+ if not bb.data.inherits_class('nopackages', d):
+ d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-devicetree")
+ if d.getVar('KERNEL_DEVICETREE_BUNDLE') == '1':
+ d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-image-zimage-bundle")
+}
+
FILES_${KERNEL_PACKAGE_NAME}-devicetree = "/${KERNEL_IMAGEDEST}/*.dtb /${KERNEL_IMAGEDEST}/*.dtbo"
FILES_${KERNEL_PACKAGE_NAME}-image-zimage-bundle = "/${KERNEL_IMAGEDEST}/zImage-*.dtb.bin"
diff --git a/poky/meta/classes/kernel.bbclass b/poky/meta/classes/kernel.bbclass
index 8693ab86be..846b19663b 100644
--- a/poky/meta/classes/kernel.bbclass
+++ b/poky/meta/classes/kernel.bbclass
@@ -92,6 +92,8 @@ python __anonymous () {
imagedest = d.getVar('KERNEL_IMAGEDEST')
for type in types.split():
+ if bb.data.inherits_class('nopackages', d):
+ continue
typelower = type.lower()
d.appendVar('PACKAGES', ' %s-image-%s' % (kname, typelower))
d.setVar('FILES_' + kname + '-image-' + typelower, '/' + imagedest + '/' + type + '-${KERNEL_VERSION_NAME}' + ' /' + imagedest + '/' + type)
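Review bot: `bb.data.inherits_class('nopackages', d)` is loop-invariant but is evaluated inside `for type in types.split():` and followed by `continue` on every iteration. Test it once before the loop and skip the loop entirely, which also makes it obvious that no `PACKAGES` or `FILES_` entries are produced for nopackages recipes.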
@@ -714,7 +716,7 @@ do_sizecheck() {
at_least_one_fits=
for imageType in ${KERNEL_IMAGETYPES} ; do
size=`du -ks ${B}/${KERNEL_OUTPUT_DIR}/$imageType | awk '{print $1}'`
- if [ $size -ge ${KERNEL_IMAGE_MAXSIZE} ]; then
+ if [ $size -gt ${KERNEL_IMAGE_MAXSIZE} ]; then
bbwarn "This kernel $imageType (size=$size(K) > ${KERNEL_IMAGE_MAXSIZE}(K)) is too big for your device."
else
at_least_one_fits=y
diff --git a/poky/meta/classes/linuxloader.bbclass b/poky/meta/classes/linuxloader.bbclass
index 30925ac87d..1b64be6405 100644
--- a/poky/meta/classes/linuxloader.bbclass
+++ b/poky/meta/classes/linuxloader.bbclass
@@ -52,6 +52,8 @@ def get_glibc_loader(d):
dynamic_loader = "${base_libdir}/ld-linux-aarch64${ARMPKGSFX_ENDIAN_64}.so.1"
elif targetarch.startswith("riscv64"):
dynamic_loader = "${base_libdir}/ld-linux-riscv64-lp64${@['d', ''][d.getVar('TARGET_FPU') == 'soft']}.so.1"
+ elif targetarch.startswith("riscv32"):
+ dynamic_loader = "${base_libdir}/ld-linux-riscv32-ilp32${@['d', ''][d.getVar('TARGET_FPU') == 'soft']}.so.1"
return dynamic_loader
def get_linuxloader(d):
diff --git a/poky/meta/classes/native.bbclass b/poky/meta/classes/native.bbclass
index a0838e41b9..561cc23f68 100644
--- a/poky/meta/classes/native.bbclass
+++ b/poky/meta/classes/native.bbclass
@@ -119,6 +119,7 @@ python native_virtclass_handler () {
pn = e.data.getVar("PN")
if not pn.endswith("-native"):
return
+ bpn = e.data.getVar("BPN")
# Set features here to prevent appends and distro features backfill
# from modifying native distro features
@@ -146,7 +147,10 @@ python native_virtclass_handler () {
elif "-cross-" in dep:
newdeps.append(dep.replace("-cross", "-native"))
elif not dep.endswith("-native"):
- newdeps.append(dep.replace("-native", "") + "-native")
+ # Replace ${PN} with ${BPN} in the dependency to make sure
+ # dependencies on, e.g., ${PN}-foo become ${BPN}-foo-native
+ # rather than ${BPN}-native-foo-native.
+ newdeps.append(dep.replace(pn, bpn) + "-native")
else:
newdeps.append(dep)
d.setVar(varname, " ".join(newdeps), parsing=True)
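Review bot: in the `elif not dep.endswith("-native")` branch, `dep.replace(pn, bpn)` rewrites every occurrence of the full ${PN} string and nothing else, whereas the removed line stripped any "-native" substring. A dependency that contains "-native" in the middle but does not contain ${PN} now keeps it and gets a second "-native" appended. If only the ${PN}-prefixed case is intended, test `dep.startswith(pn)` explicitly and extend the new comment to say what happens to the other case.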
@@ -166,7 +170,7 @@ python native_virtclass_handler () {
if prov.find(pn) != -1:
nprovides.append(prov)
elif not prov.endswith("-native"):
- nprovides.append(prov.replace(prov, prov + "-native"))
+ nprovides.append(prov + "-native")
else:
nprovides.append(prov)
e.data.setVar("PROVIDES", ' '.join(nprovides))
diff --git a/poky/meta/classes/package_pkgdata.bbclass b/poky/meta/classes/package_pkgdata.bbclass
index 18b7ed62e0..a1ea8fc041 100644
--- a/poky/meta/classes/package_pkgdata.bbclass
+++ b/poky/meta/classes/package_pkgdata.bbclass
@@ -162,6 +162,6 @@ python package_prepare_pkgdata() {
}
package_prepare_pkgdata[cleandirs] = "${WORKDIR_PKGDATA}"
-package_prepare_pkgdata[vardepsexclude] += "MACHINE_ARCH PACKAGE_EXTRA_ARCHS SDK_ARCH BUILD_ARCH SDK_OS BB_TASKDEPDATA"
+package_prepare_pkgdata[vardepsexclude] += "MACHINE_ARCH PACKAGE_EXTRA_ARCHS SDK_ARCH BUILD_ARCH SDK_OS BB_TASKDEPDATA SSTATETASKS"
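Review bot: missing documentation on the `vardepsexclude` line: SSTATETASKS is added to the exclusion list with no comment on why it must not feed the task hash of package_prepare_pkgdata. The list is already long; a one-line comment naming the reason would help the next person who audits which variables are kept out of signatures.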
diff --git a/poky/meta/classes/package_rpm.bbclass b/poky/meta/classes/package_rpm.bbclass
index 84a9a6dd12..86706da842 100644
--- a/poky/meta/classes/package_rpm.bbclass
+++ b/poky/meta/classes/package_rpm.bbclass
@@ -684,8 +684,8 @@ python do_package_rpm () {
cmd = cmd + " --define '_use_internal_dependency_generator 0'"
cmd = cmd + " --define '_binaries_in_noarch_packages_terminate_build 0'"
cmd = cmd + " --define '_build_id_links none'"
- cmd = cmd + " --define '_binary_payload w6T.xzdio'"
- cmd = cmd + " --define '_source_payload w6T.xzdio'"
+ cmd = cmd + " --define '_binary_payload w6T%d.xzdio'" % int(d.getVar("XZ_THREADS"))
+ cmd = cmd + " --define '_source_payload w6T%d.xzdio'" % int(d.getVar("XZ_THREADS"))
cmd = cmd + " --define 'clamp_mtime_to_source_date_epoch 1'"
cmd = cmd + " --define 'use_source_date_epoch_as_buildtime 1'"
cmd = cmd + " --define '_buildhost reproducible'"
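Review bot: on the `_binary_payload` and `_source_payload` lines, `int(d.getVar("XZ_THREADS"))` raises TypeError if XZ_THREADS is unset (getVar returns None) and ValueError if it is not a plain integer, which fails do_package_rpm with a traceback rather than a clear message. Read the value once into a local, validate it, and reuse it for both defines. Since these lines sit directly above the `clamp_mtime_to_source_date_epoch` and `_buildhost reproducible` defines, it is also worth stating whether the payload bytes are expected to be independent of the thread count.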
diff --git a/poky/meta/classes/reproducible_build.bbclass b/poky/meta/classes/reproducible_build.bbclass
index f06e00d70d..1277764fab 100644
--- a/poky/meta/classes/reproducible_build.bbclass
+++ b/poky/meta/classes/reproducible_build.bbclass
@@ -77,17 +77,16 @@ python create_source_date_epoch_stamp() {
import oe.reproducible
epochfile = d.getVar('SDE_FILE')
- # If it exists we need to regenerate as the sources may have changed
- if os.path.isfile(epochfile):
- bb.debug(1, "Deleting existing SOURCE_DATE_EPOCH from: %s" % epochfile)
- os.remove(epochfile)
+ tmp_file = "%s.new" % epochfile
source_date_epoch = oe.reproducible.get_source_date_epoch(d, d.getVar('S'))
bb.debug(1, "SOURCE_DATE_EPOCH: %d" % source_date_epoch)
bb.utils.mkdirhier(d.getVar('SDE_DIR'))
- with open(epochfile, 'w') as f:
+ with open(tmp_file, 'w') as f:
f.write(str(source_date_epoch))
+
+ os.rename(tmp_file, epochfile)
}
def get_source_date_epoch_value(d):
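Review bot: in create_source_date_epoch_stamp(), the temporary path is the fixed name `"%s.new" % epochfile`, so two tasks writing the stamp at the same time would open and truncate the same temporary file, and an exception between `open()` and `os.rename()` leaves the `.new` file behind. Writing to a uniquely named temporary file in SDE_DIR and renaming that keeps the replace-by-rename behaviour without sharing the intermediate path.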
@@ -97,7 +96,7 @@ def get_source_date_epoch_value(d):
epochfile = d.getVar('SDE_FILE')
source_date_epoch = int(d.getVar('SOURCE_DATE_EPOCH_FALLBACK'))
- if os.path.isfile(epochfile):
+ try:
with open(epochfile, 'r') as f:
s = f.read()
try:
@@ -110,7 +109,7 @@ def get_source_date_epoch_value(d):
bb.warn("SOURCE_DATE_EPOCH value '%s' is invalid. Reverting to SOURCE_DATE_EPOCH_FALLBACK" % s)
source_date_epoch = int(d.getVar('SOURCE_DATE_EPOCH_FALLBACK'))
bb.debug(1, "SOURCE_DATE_EPOCH: %d" % source_date_epoch)
- else:
+ except FileNotFoundError:
bb.debug(1, "Cannot find %s. SOURCE_DATE_EPOCH will default to %d" % (epochfile, source_date_epoch))
d.setVar('__CACHED_SOURCE_DATE_EPOCH', str(source_date_epoch))
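Review bot: in get_source_date_epoch_value(), the new `try:` covers the whole open/read/parse body, and the matching `except FileNotFoundError:` then reports "Cannot find %s" for any FileNotFoundError raised inside it. Other OSError subclasses such as PermissionError are not caught and will propagate. Keeping only the `open()` and `read()` inside the `try` and doing the integer parsing after it would make the handler match its message.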
diff --git a/poky/meta/classes/sstate.bbclass b/poky/meta/classes/sstate.bbclass
index 79588df2cd..3ab6328f91 100644
--- a/poky/meta/classes/sstate.bbclass
+++ b/poky/meta/classes/sstate.bbclass
@@ -703,9 +703,15 @@ def sstate_package(ss, d):
os.utime(siginfo, None)
except PermissionError:
pass
+ except OSError as e:
+ # Handle read-only file systems gracefully
+ if e.errno != errno.EROFS:
+ raise e
return
+sstate_package[vardepsexclude] += "SSTATE_SIG_KEY"
+
def pstaging_fetch(sstatefetch, d):
import bb.fetch2
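Review bot: the new handler in sstate_package() refers to `errno.EROFS`, but no `import errno` is visible in this hunk; confirm the module is in scope at this point, otherwise the handler itself raises NameError on the first OSError. Prefer a bare `raise` over `raise e` to re-raise. The `except PermissionError` clause has to stay first, as it is here, because PermissionError is a subclass of OSError.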
@@ -1143,6 +1149,10 @@ python sstate_eventhandler() {
os.utime(siginfo, None)
except PermissionError:
pass
+ except OSError as e:
+ # Handle read-only file systems gracefully
+ if e.errno != errno.EROFS:
+ raise e
}
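Review bot: this `except OSError` block in sstate_eventhandler() is a copy of the one added to sstate_package() in the previous hunk, comment included. A small helper that touches the siginfo file and tolerates PermissionError and EROFS would keep the two call sites from drifting apart.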
diff --git a/poky/meta/classes/uboot-sign.bbclass b/poky/meta/classes/uboot-sign.bbclass
index d11882f90f..ba48f24b10 100644
--- a/poky/meta/classes/uboot-sign.bbclass
+++ b/poky/meta/classes/uboot-sign.bbclass
@@ -196,10 +196,9 @@ concat_spl_dtb() {
# signing, and kernel will deploy UBOOT_DTB_BINARY after signs it.
install_helper() {
if [ -f "${UBOOT_DTB_BINARY}" ]; then
- install -d ${D}${datadir}
# UBOOT_DTB_BINARY is a symlink to UBOOT_DTB_IMAGE, so we
# need both of them.
- install ${UBOOT_DTB_BINARY} ${D}${datadir}/${UBOOT_DTB_IMAGE}
+ install -Dm 0644 ${UBOOT_DTB_BINARY} ${D}${datadir}/${UBOOT_DTB_IMAGE}
ln -sf ${UBOOT_DTB_IMAGE} ${D}${datadir}/${UBOOT_DTB_BINARY}
else
bbwarn "${UBOOT_DTB_BINARY} not found"
@@ -209,14 +208,13 @@ install_helper() {
# Install SPL dtb and u-boot nodtb to datadir,
install_spl_helper() {
if [ -f "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then
- install -d ${D}${datadir}
- install ${SPL_DIR}/${SPL_DTB_BINARY} ${D}${datadir}/${SPL_DTB_IMAGE}
+ install -Dm 0644 ${SPL_DIR}/${SPL_DTB_BINARY} ${D}${datadir}/${SPL_DTB_IMAGE}
ln -sf ${SPL_DTB_IMAGE} ${D}${datadir}/${SPL_DTB_BINARY}
else
bbwarn "${SPL_DTB_BINARY} not found"
fi
if [ -f "${UBOOT_NODTB_BINARY}" ] ; then
- install ${UBOOT_NODTB_BINARY} ${D}${datadir}/${UBOOT_NODTB_IMAGE}
+ install -Dm 0644 ${UBOOT_NODTB_BINARY} ${D}${datadir}/${UBOOT_NODTB_IMAGE}
ln -sf ${UBOOT_NODTB_IMAGE} ${D}${datadir}/${UBOOT_NODTB_BINARY}
else
bbwarn "${UBOOT_NODTB_BINARY} not found"
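Review bot: the `install -Dm 0644` lines in install_spl_helper() (and the matching line in install_helper() in the previous hunk) change the installed file mode as well as creating the directory: the removed `install` calls passed no `-m`, so the files were installed with install's default mode of 0755. If dropping the execute bit is intended, say so in the commit message; nothing in the hunk explains it.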
diff --git a/poky/meta/conf/distro/include/cve-extra-exclusions.inc b/poky/meta/conf/distro/include/cve-extra-exclusions.inc
new file mode 100644
index 0000000000..561386b706
--- /dev/null
+++ b/poky/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -0,0 +1,45 @@
+# This file contains a list of CVE's where resolution has proven to be impractical
+# or there is no reasonable action the Yocto Project can take to resolve the issue.
+# It contains all the information we are aware of about an issue and analysis about
+# why we believe it can't be fixed/handled. Additional information is welcome through
+# patches to the file.
+#
+# Include this file in your local.conf or distro.conf to exclude these CVE's
+# from the cve-check results or add to the bitbake command with:
+# -R conf/distro/include/cve-extra-exclusions.inc
+#
+# The file is not included by default since users should review this data to ensure
+# it matches their expectations and usage of the project.
+#
+# We may also include "in-flight" information about current/ongoing CVE work with
+# the aim of sharing that work and ensuring we don't duplicate it.
+#
+
+
+# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
+# CVE is more than 20 years old with no resolution evident
+# broken links in CVE database references make resolution impractical
+CVE_CHECK_WHITELIST += "CVE-2000-0006"
+
+# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
+# The issue here is spoofing of domain names using characters from other character sets.
+# There has been much discussion amongst the epiphany and webkit developers and
+# whilst there are improvements about how domains are handled and displayed to the user
+# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
+# problem. Whitelisted as there isn't any mitigation or fix or way to progress this further
+# we can seem to take.
+CVE_CHECK_WHITELIST += "CVE-2005-0238"
+
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
+# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
+# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
+# Upstream don't see it as a security issue, ftp servers shouldn't be passing
+# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
+CVE_CHECK_WHITELIST += "CVE-2010-4756"
+
+# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
+# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
+# The encoding/xml package in go can potentially be used for security exploits if not used correctly
+# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
+# exposing this interface in an exploitable way
+CVE_CHECK_WHITELIST += "CVE-2020-29509 CVE-2020-29511"
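Review bot: each entry is labelled with a recipe name in its comment (strace, epiphany, glibc, go), but `CVE_CHECK_WHITELIST +=` in a distro include is not scoped to a recipe, so the CVE id is ignored wherever it would be reported. The go entry in particular is justified by what this project ships ("We don't ship anything exposing this interface in an exploitable way"), which a downstream layer including this file may not share. The header already tells users to review the file; putting the date of the analysis next to each entry would make that review practical.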
diff --git a/poky/meta/lib/oe/gpg_sign.py b/poky/meta/lib/oe/gpg_sign.py
index 7634d7ef1d..492f096eaa 100644
--- a/poky/meta/lib/oe/gpg_sign.py
+++ b/poky/meta/lib/oe/gpg_sign.py
@@ -111,7 +111,7 @@ class LocalSigner(object):
def verify(self, sig_file):
"""Verify signature"""
- cmd = self.gpg_cmd + [" --verify", "--no-permission-warning"]
+ cmd = self.gpg_cmd + ["--verify", "--no-permission-warning"]
if self.gpg_path:
cmd += ["--homedir", self.gpg_path]
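Review bot: nothing in this hunk shows a test that calls LocalSigner.verify(), which is how a list element like `" --verify"` with a leading space went unnoticed. The corrected argument list is right; a selftest that verifies one good and one tampered signature would catch a regression of this kind, which matters because this is the signature check path.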
diff --git a/poky/meta/lib/oeqa/runtime/cases/rpm.py b/poky/meta/lib/oeqa/runtime/cases/rpm.py
index 8e18b426f8..7a9d62c003 100644
--- a/poky/meta/lib/oeqa/runtime/cases/rpm.py
+++ b/poky/meta/lib/oeqa/runtime/cases/rpm.py
@@ -141,13 +141,4 @@ class RpmInstallRemoveTest(OERuntimeTestCase):
self.tc.target.run('rm -f %s' % self.dst)
- # if using systemd this should ensure all entries are flushed to /var
- status, output = self.target.run("journalctl --sync")
- # Get the amount of entries in the log file
- status, output = self.target.run(check_log_cmd)
- msg = 'Failed to get the final size of the log file.'
- self.assertEqual(0, status, msg=msg)
- # Check that there's enough of them
- self.assertGreaterEqual(int(output), 80,
- 'Cound not find sufficient amount of rpm entries in /var/log/messages, found {} entries'.format(output))
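Review bot: the deleted block held the only use of `check_log_cmd` visible in this hunk, and with it the only assertion on the number of rpm log entries. If the variable and any earlier baseline count are still computed above, remove them too; and if the check was dropped because it was unreliable, record that in the commit message so it is clear the coverage was given up on purpose.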
diff --git a/poky/meta/lib/oeqa/selftest/cases/fetch.py b/poky/meta/lib/oeqa/selftest/cases/fetch.py
index 67e85d3e4c..cd15f65129 100644
--- a/poky/meta/lib/oeqa/selftest/cases/fetch.py
+++ b/poky/meta/lib/oeqa/selftest/cases/fetch.py
@@ -55,25 +55,26 @@ MIRRORS_forcevariable = "git://.*/.* http://downloads.yoctoproject.org/mirror/so
class Dependencies(OESelftestTestCase):
- def write_recipe(self, content):
- f = tempfile.NamedTemporaryFile(mode="wt", suffix=".bb")
- f.write(content)
- f.flush()
+ def write_recipe(self, content, tempdir):
+ f = os.path.join(tempdir, "test.bb")
+ with open(f, "w") as fd:
+ fd.write(content)
return f
def test_dependencies(self):
"""
Verify that the correct dependencies are generated for specific SRC_URI entries.
"""
- with bb.tinfoil.Tinfoil() as tinfoil:
+
+ with bb.tinfoil.Tinfoil() as tinfoil, tempfile.TemporaryDirectory(prefix="selftest-fetch") as tempdir:
tinfoil.prepare(config_only=False, quiet=2)
r = """
LICENSE="CLOSED"
SRC_URI="http://example.com/tarball.zip"
"""
- f = self.write_recipe(textwrap.dedent(r))
- d = tinfoil.parse_recipe_file(f.name)
+ f = self.write_recipe(textwrap.dedent(r), tempdir)
+ d = tinfoil.parse_recipe_file(f)
self.assertIn("wget-native", d.getVarFlag("do_fetch", "depends"))
self.assertIn("unzip-native", d.getVarFlag("do_unpack", "depends"))
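Review bot: write_recipe() now writes every recipe to the same path, `os.path.join(tempdir, "test.bb")`, so the four cases in test_dependencies() overwrite one file and parse it again under the same name. Giving each case its own file name in `tempdir` avoids any dependence on how parse_recipe_file() treats a path it has already seen. Also confirm that `os` is imported in this module, since no import of it is visible in this hunk.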
@@ -82,8 +83,8 @@ class Dependencies(OESelftestTestCase):
LICENSE="CLOSED"
SRC_URI="https://example.com/tarball;downloadfilename=something.zip"
"""
- f = self.write_recipe(textwrap.dedent(r))
- d = tinfoil.parse_recipe_file(f.name)
+ f = self.write_recipe(textwrap.dedent(r), tempdir)
+ d = tinfoil.parse_recipe_file(f)
self.assertIn("wget-native", d.getVarFlag("do_fetch", "depends"))
self.assertIn("unzip-native", d.getVarFlag("do_unpack", "depends") or "")
@@ -91,8 +92,8 @@ class Dependencies(OESelftestTestCase):
LICENSE="CLOSED"
SRC_URI="ftp://example.com/tarball.lz"
"""
- f = self.write_recipe(textwrap.dedent(r))
- d = tinfoil.parse_recipe_file(f.name)
+ f = self.write_recipe(textwrap.dedent(r), tempdir)
+ d = tinfoil.parse_recipe_file(f)
self.assertIn("wget-native", d.getVarFlag("do_fetch", "depends"))
self.assertIn("lzip-native", d.getVarFlag("do_unpack", "depends"))
@@ -100,6 +101,6 @@ class Dependencies(OESelftestTestCase):
LICENSE="CLOSED"
SRC_URI="git://example.com/repo"
"""
- f = self.write_recipe(textwrap.dedent(r))
- d = tinfoil.parse_recipe_file(f.name)
+ f = self.write_recipe(textwrap.dedent(r), tempdir)
+ d = tinfoil.parse_recipe_file(f)
self.assertIn("git-native", d.getVarFlag("do_fetch", "depends"))
diff --git a/poky/meta/recipes-bsp/grub/grub2.inc b/poky/meta/recipes-bsp/grub/grub2.inc
index 6de683ee1c..3c6b434c2d 100644
--- a/poky/meta/recipes-bsp/grub/grub2.inc
+++ b/poky/meta/recipes-bsp/grub/grub2.inc
@@ -27,6 +27,16 @@ SRC_URI[sha256sum] = "2c87f1f21e2ab50043e6cd9163c08f1b6c3a6171556bf23ff9ed65b074
REALPV = "2.06~rc1"
PV = "2.04+${REALPV}"
+# Fixed in 2.06~rc1, can be removed for 2.06 final
+CVE_CHECK_WHITELIST += "\
+ CVE-2020-14308 CVE-2020-14309 CVE-2020-14310 CVE-2020-14311 CVE-2020-10713 \
+ CVE-2020-14372 CVE-2020-15705 CVE-2020-15706 CVE-2020-15707 \
+ CVE-2020-25632 CVE-2020-25647 CVE-2020-27749 CVE-2020-27779 \
+ CVE-2021-3418 CVE-2021-20225 CVE-2021-20233"
+
+# Applies only to RHEL
+CVE_CHECK_WHITELIST += "CVE-2019-14865"
+
S = "${WORKDIR}/grub-${REALPV}"
UPSTREAM_CHECK_URI = "${GNU_MIRROR}/grub"
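Review bot: the first `CVE_CHECK_WHITELIST` block is tied to the version only by its comment ("Fixed in 2.06~rc1, can be removed for 2.06 final"), so the exclusions stay in force after REALPV is bumped unless someone remembers to delete them. The "Applies only to RHEL" entry for CVE-2019-14865 has no reference to back it up; add a link to the analysis, as the entries in cve-extra-exclusions.inc do.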
diff --git a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 23c0e8d823..a07cdbd03c 100644
--- a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
file://99avahi-autoipd \
file://initscript.patch \
file://0001-Fix-opening-etc-resolv.conf-error.patch \
+ file://handle-hup.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/poky/meta/recipes-connectivity/avahi/files/handle-hup.patch b/poky/meta/recipes-connectivity/avahi/files/handle-hup.patch
new file mode 100644
index 0000000000..26632e5443
--- /dev/null
+++ b/poky/meta/recipes-connectivity/avahi/files/handle-hup.patch
@@ -0,0 +1,41 @@
+CVE: CVE-2021-3468
+Upstream-Status: Submitted [https://github.com/lathiat/avahi/pull/330]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <sirmy15@gmail.com>
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb11..6c0274d6 100644
+--- a/avahi-daemon/simple-protocol.c
++++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+ }
+ }
+
++ if (events & AVAHI_WATCH_HUP) {
++ client_free(c);
++ return;
++ }
++
+ c->server->poll_api->watch_update(
+ watch,
+ (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
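Review bot: the header records `Upstream-Status: Submitted`, so this carries a change that upstream had not merged when it was imported; it should be revisited once the referenced pull request is resolved. In the hunk itself, the new `AVAHI_WATCH_HUP` check calls `client_free(c)` and returns before `watch_update()`, which is the right order since `c` must not be dereferenced after the free; it is worth confirming that none of the code above the check in client_work() can already have freed `c` on the same call.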
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-avoid-start-failure-with-bind-user.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.16/0001-avoid-start-failure-with-bind-user.patch
index 8db96ec049..8db96ec049 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-avoid-start-failure-with-bind-user.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/0001-avoid-start-failure-with-bind-user.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.16/0001-named-lwresd-V-and-start-log-hide-build-options.patch
index 5bcc16c9b2..5bcc16c9b2 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/0001-named-lwresd-V-and-start-log-hide-build-options.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/0001-named-lwresd-V-and-start-log-hide-build-options.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/bind-ensure-searching-for-json-headers-searches-sysr.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.16/bind-ensure-searching-for-json-headers-searches-sysr.patch
index f9cdc7ca4d..f9cdc7ca4d 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/bind-ensure-searching-for-json-headers-searches-sysr.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/bind-ensure-searching-for-json-headers-searches-sysr.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/bind9 b/poky/meta/recipes-connectivity/bind/bind-9.16.16/bind9
index 968679ff7f..968679ff7f 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/bind9
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/bind9
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/conf.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.16/conf.patch
index aad345f9fc..aad345f9fc 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/conf.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/conf.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/generate-rndc-key.sh b/poky/meta/recipes-connectivity/bind/bind-9.16.16/generate-rndc-key.sh
index 633e29c0e6..633e29c0e6 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/generate-rndc-key.sh
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/generate-rndc-key.sh
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/init.d-add-support-for-read-only-rootfs.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.16/init.d-add-support-for-read-only-rootfs.patch
index 11db95ede1..11db95ede1 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/init.d-add-support-for-read-only-rootfs.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/init.d-add-support-for-read-only-rootfs.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/make-etc-initd-bind-stop-work.patch b/poky/meta/recipes-connectivity/bind/bind-9.16.16/make-etc-initd-bind-stop-work.patch
index 146f3e35db..146f3e35db 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/make-etc-initd-bind-stop-work.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/make-etc-initd-bind-stop-work.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.16.12/named.service b/poky/meta/recipes-connectivity/bind/bind-9.16.16/named.service
index cda56ef015..cda56ef015 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.16.12/named.service
+++ b/poky/meta/recipes-connectivity/bind/bind-9.16.16/named.service
diff --git a/poky/meta/recipes-connectivity/bind/bind_9.16.12.bb b/poky/meta/recipes-connectivity/bind/bind_9.16.16.bb
index 09f77038fa..27aa6221ba 100644
--- a/poky/meta/recipes-connectivity/bind/bind_9.16.12.bb
+++ b/poky/meta/recipes-connectivity/bind/bind_9.16.16.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
file://0001-avoid-start-failure-with-bind-user.patch \
"
-SRC_URI[sha256sum] = "9914af9311fd349cab441097898d94fb28d0bfd9bf6ed04fe1f97f042644da7f"
+SRC_URI[sha256sum] = "6c913902adf878e7dc5e229cea94faefc9d40f44775a30213edd08860f761d7b"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
# stay at 9.16 follow the ESV versions divisible by 4
diff --git a/poky/meta/recipes-core/expat/expat_2.2.10.bb b/poky/meta/recipes-core/expat/expat_2.2.10.bb
index fa263775b3..a54d832e52 100644
--- a/poky/meta/recipes-core/expat/expat_2.2.10.bb
+++ b/poky/meta/recipes-core/expat/expat_2.2.10.bb
@@ -25,3 +25,5 @@ do_install_ptest_class-target() {
}
BBCLASSEXTEND += "native nativesdk"
+
+CVE_PRODUCT = "expat libexpat"
diff --git a/poky/meta/recipes-core/ifupdown/files/0001-ifupdown-skip-wrong-test-case.patch b/poky/meta/recipes-core/ifupdown/files/0001-ifupdown-skip-wrong-test-case.patch
new file mode 100644
index 0000000000..c751e4fab0
--- /dev/null
+++ b/poky/meta/recipes-core/ifupdown/files/0001-ifupdown-skip-wrong-test-case.patch
@@ -0,0 +1,32 @@
+From 98243deface88614e3f332c4a85d04a9abce55ff Mon Sep 17 00:00:00 2001
+From: Zqiang <qiang.zhang@windriver.com>
+Date: Mon, 19 Apr 2021 14:15:45 +0800
+Subject: [PATCH] ifupdown: skip wrong test case
+
+The test parameters of testcase(12-15) file is not right,
+it triggers a test failure, these test items are invalid
+and are skipped directly.
+
+Upstream-Status: Inappropriate [oe-core specific]
+
+Signed-off-by: Zqiang <qiang.zhang@windriver.com>
+---
+ tests/testbuild-linux | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/testbuild-linux b/tests/testbuild-linux
+index 1181ea0..5f148eb 100755
+--- a/tests/testbuild-linux
++++ b/tests/testbuild-linux
+@@ -3,7 +3,7 @@
+ dir=tests/linux
+
+ result=true
+-for test in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do
++for test in 1 2 3 4 5 6 7 8 9 10 11 16 17 18; do
+ if [ -e $dir/testcase.$test ]; then
+ args="$(cat $dir/testcase.$test | sed -n 's/^# RUN: //p')"
+ else
+--
+2.17.1
+
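Review bot: the commit message says the parameters of test cases 12 to 15 are "not right" without saying what is wrong with them, and the fix is to drop them from the hard-coded list in `tests/testbuild-linux`. Record the actual failure (which arguments, which output differs) in the patch header so that the skip can be re-evaluated when ifupdown is upgraded; as written there is no way to tell whether the cases or the environment are at fault.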
diff --git a/poky/meta/recipes-core/ifupdown/files/tweak-ptest-script.patch b/poky/meta/recipes-core/ifupdown/files/tweak-ptest-script.patch
index d7600cf243..ea88a9086a 100644
--- a/poky/meta/recipes-core/ifupdown/files/tweak-ptest-script.patch
+++ b/poky/meta/recipes-core/ifupdown/files/tweak-ptest-script.patch
@@ -3,9 +3,12 @@ Tweak tests of ifupdown to make it work with oe-core ptest framework.
Upstream-Status: Inappropriate [oe-core specific]
Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ tests/testbuild-linux | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/tests/testbuild-linux b/tests/testbuild-linux
-index 1181ea0..d5c1814 100755
+index 5f148eb..d9b1698 100755
--- a/tests/testbuild-linux
+++ b/tests/testbuild-linux
@@ -1,6 +1,7 @@
@@ -16,8 +19,8 @@ index 1181ea0..d5c1814 100755
+dir=$curdir/linux
result=true
- for test in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do
-@@ -12,7 +13,7 @@ for test in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do
+ for test in 1 2 3 4 5 6 7 8 9 10 11 16 17 18; do
+@@ -12,7 +13,7 @@ for test in 1 2 3 4 5 6 7 8 9 10 11 16 17 18; do
echo "Testcase $test: $args"
exitcode=0
@@ -26,7 +29,7 @@ index 1181ea0..d5c1814 100755
>$dir/up-res-out.$test 2>$dir/up-res-err.$test || exitcode=$?
(echo "exit code: $exitcode";
-@@ -20,7 +21,7 @@ for test in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do
+@@ -20,7 +21,7 @@ for test in 1 2 3 4 5 6 7 8 9 10 11 16 17 18; do
echo "====stderr===="; cat $dir/up-res-err.$test) > $dir/up-res.$test
exitcode=0
@@ -35,7 +38,7 @@ index 1181ea0..d5c1814 100755
>$dir/down-res-out.$test 2>$dir/down-res-err.$test || exitcode=$?
(echo "exit code: $exitcode";
-@@ -28,9 +29,9 @@ for test in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do
+@@ -28,9 +29,9 @@ for test in 1 2 3 4 5 6 7 8 9 10 11 16 17 18; do
echo "====stderr===="; cat $dir/down-res-err.$test) > $dir/down-res.$test
if diff -ub $dir/up.$test $dir/up-res.$test && diff -ub $dir/down.$test $dir/down-res.$test; then
@@ -47,3 +50,5 @@ index 1181ea0..d5c1814 100755
result=false
fi
echo "=========="
+--
+2.17.1
diff --git a/poky/meta/recipes-core/ifupdown/ifupdown_0.8.36.bb b/poky/meta/recipes-core/ifupdown/ifupdown_0.8.36.bb
index c0a90a3972..0daf50acab 100644
--- a/poky/meta/recipes-core/ifupdown/ifupdown_0.8.36.bb
+++ b/poky/meta/recipes-core/ifupdown/ifupdown_0.8.36.bb
@@ -13,6 +13,7 @@ SRC_URI = "git://salsa.debian.org/debian/ifupdown.git;protocol=https \
file://0001-Define-FNM_EXTMATCH-for-musl.patch \
file://0001-Makefile-do-not-use-dpkg-for-determining-OS-type.patch \
file://run-ptest \
+ file://0001-ifupdown-skip-wrong-test-case.patch \
${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'file://tweak-ptest-script.patch', '', d)} \
"
SRCREV = "c73226073e2b13970ca613b20a13b9c0253bf9da"
diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch
new file mode 100644
index 0000000000..3d4d3a0237
--- /dev/null
+++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch
@@ -0,0 +1,216 @@
+From 0f9817c75b50a77c6aeb8f36801966fdadad229a Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 10 Jun 2020 16:34:52 +0200
+Subject: [PATCH 1/2] Don't recurse into xi:include children in
+ xmlXIncludeDoProcess
+
+Otherwise, nested xi:include nodes might result in a use-after-free
+if XML_PARSE_NOXINCNODE is specified.
+
+Found with libFuzzer and ASan.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/0f9817c75b50a77c6aeb8f36801966fdadad229a]
+CVE: CVE-2021-3518
+
+This patch brings in the necessary files to allow the 2nd patch that fixes the CVE to be applied.
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ result/XInclude/fallback3.xml | 8 ++++++++
+ result/XInclude/fallback3.xml.err | 0
+ result/XInclude/fallback3.xml.rdr | 25 +++++++++++++++++++++++++
+ result/XInclude/fallback4.xml | 10 ++++++++++
+ result/XInclude/fallback4.xml.err | 0
+ result/XInclude/fallback4.xml.rdr | 29 +++++++++++++++++++++++++++++
+ test/XInclude/docs/fallback3.xml | 9 +++++++++
+ test/XInclude/docs/fallback4.xml | 7 +++++++
+ xinclude.c | 24 ++++++++++--------------
+ 9 files changed, 98 insertions(+), 14 deletions(-)
+ create mode 100644 result/XInclude/fallback3.xml
+ create mode 100644 result/XInclude/fallback3.xml.err
+ create mode 100644 result/XInclude/fallback3.xml.rdr
+ create mode 100644 result/XInclude/fallback4.xml
+ create mode 100644 result/XInclude/fallback4.xml.err
+ create mode 100644 result/XInclude/fallback4.xml.rdr
+ create mode 100644 test/XInclude/docs/fallback3.xml
+ create mode 100644 test/XInclude/docs/fallback4.xml
+
+diff --git a/result/XInclude/fallback3.xml b/result/XInclude/fallback3.xml
+new file mode 100644
+index 0000000..b423551
+--- /dev/null
++++ b/result/XInclude/fallback3.xml
+@@ -0,0 +1,8 @@
++<?xml version="1.0"?>
++<a>
++ <doc xml:base="../ents/something.xml">
++<p>something</p>
++<p>really</p>
++<p>simple</p>
++</doc>
++</a>
+diff --git a/result/XInclude/fallback3.xml.err b/result/XInclude/fallback3.xml.err
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/XInclude/fallback3.xml.rdr b/result/XInclude/fallback3.xml.rdr
+new file mode 100644
+index 0000000..aa2f137
+--- /dev/null
++++ b/result/XInclude/fallback3.xml.rdr
+@@ -0,0 +1,25 @@
++0 1 a 0 0
++1 14 #text 0 1
++
++1 1 doc 0 0
++2 14 #text 0 1
++
++2 1 p 0 0
++3 3 #text 0 1 something
++2 15 p 0 0
++2 14 #text 0 1
++
++2 1 p 0 0
++3 3 #text 0 1 really
++2 15 p 0 0
++2 14 #text 0 1
++
++2 1 p 0 0
++3 3 #text 0 1 simple
++2 15 p 0 0
++2 14 #text 0 1
++
++1 15 doc 0 0
++1 14 #text 0 1
++
++0 15 a 0 0
+diff --git a/result/XInclude/fallback4.xml b/result/XInclude/fallback4.xml
+new file mode 100644
+index 0000000..9883fd5
+--- /dev/null
++++ b/result/XInclude/fallback4.xml
+@@ -0,0 +1,10 @@
++<?xml version="1.0"?>
++<a>
++
++ <doc xml:base="../ents/something.xml">
++<p>something</p>
++<p>really</p>
++<p>simple</p>
++</doc>
++
++</a>
+diff --git a/result/XInclude/fallback4.xml.err b/result/XInclude/fallback4.xml.err
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/XInclude/fallback4.xml.rdr b/result/XInclude/fallback4.xml.rdr
+new file mode 100644
+index 0000000..628b951
+--- /dev/null
++++ b/result/XInclude/fallback4.xml.rdr
+@@ -0,0 +1,29 @@
++0 1 a 0 0
++1 14 #text 0 1
++
++1 14 #text 0 1
++
++1 1 doc 0 0
++2 14 #text 0 1
++
++2 1 p 0 0
++3 3 #text 0 1 something
++2 15 p 0 0
++2 14 #text 0 1
++
++2 1 p 0 0
++3 3 #text 0 1 really
++2 15 p 0 0
++2 14 #text 0 1
++
++2 1 p 0 0
++3 3 #text 0 1 simple
++2 15 p 0 0
++2 14 #text 0 1
++
++1 15 doc 0 0
++1 14 #text 0 1
++
++1 14 #text 0 1
++
++0 15 a 0 0
+diff --git a/test/XInclude/docs/fallback3.xml b/test/XInclude/docs/fallback3.xml
+new file mode 100644
+index 0000000..0c8b6c9
+--- /dev/null
++++ b/test/XInclude/docs/fallback3.xml
+@@ -0,0 +1,9 @@
++<a>
++ <xi:include href="../ents/something.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
++ <xi:fallback>
++ <xi:include href="c.xml">
++ <xi:fallback>There is no c.xml ... </xi:fallback>
++ </xi:include>
++ </xi:fallback>
++ </xi:include>
++</a>
+diff --git a/test/XInclude/docs/fallback4.xml b/test/XInclude/docs/fallback4.xml
+new file mode 100644
+index 0000000..b500a63
+--- /dev/null
++++ b/test/XInclude/docs/fallback4.xml
+@@ -0,0 +1,7 @@
++<a>
++ <xi:include href="c.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
++ <xi:fallback>
++ <xi:include href="../ents/something.xml"/>
++ </xi:fallback>
++ </xi:include>
++</a>
+diff --git a/xinclude.c b/xinclude.c
+index 001e992..6ec5d31 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2382,21 +2382,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ * First phase: lookup the elements in the document
+ */
+ cur = tree;
+- if (xmlXIncludeTestNode(ctxt, cur) == 1)
+- xmlXIncludePreProcessNode(ctxt, cur);
+ while ((cur != NULL) && (cur != tree->parent)) {
+ /* TODO: need to work on entities -> stack */
+- if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
+- cur = cur->children;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+- } else if (cur->next != NULL) {
++ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
++ xmlXIncludePreProcessNode(ctxt, cur);
++ } else if ((cur->children != NULL) &&
++ (cur->children->type != XML_ENTITY_DECL) &&
++ (cur->children->type != XML_XINCLUDE_START) &&
++ (cur->children->type != XML_XINCLUDE_END)) {
++ cur = cur->children;
++ continue;
++ }
++ if (cur->next != NULL) {
+ cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+ } else {
+ if (cur == tree)
+ break;
+@@ -2406,8 +2404,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ break; /* do */
+ if (cur->next != NULL) {
+ cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+ break; /* do */
+ }
+ } while (cur != NULL);
+--
+2.23.0
+
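Review bot: documentation point on the patch header: it carries `CVE: CVE-2021-3518` while its own note says it only prepares the tree for the second patch. The two must stay together and in order, because the context that CVE-2021-3518-0002.patch applies against (`if (xmlXIncludeTestNode(ctxt, cur) == 1) {` followed by the `else if`) exists only after this patch's xinclude.c hunk is applied. A sentence to that effect in the header would stop someone dropping 0001 as "tests only".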
diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch
new file mode 100644
index 0000000000..de5fc0e8cb
--- /dev/null
+++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch
@@ -0,0 +1,45 @@
+From 1098c30a040e72a4654968547f415be4e4c40fe7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7]
+CVE: CVE-2021-3518
+
+[OP: adjusted context]
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index 6ec5d31..b8eebcc 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2387,9 +2387,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+ xmlXIncludePreProcessNode(ctxt, cur);
+ } else if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+ cur = cur->children;
+ continue;
+ }
+--
+2.23.0
+
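Review bot: The rewritten condition in xmlXIncludeDoProcess tests `cur->type`, where the removed lines tested `cur->children->type`. An element whose first child is XML_XINCLUDE_START or XML_XINCLUDE_END is therefore now descended into, which the old block list refused. The commit message explains the allow list only in terms of node types that cannot contain elements; it should say whether descending in that case is intended. The diffstat touches only xinclude.c, so a regression case for `xmllint --xinclude --dropdtd` would also be worth carrying with the backport.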
diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
new file mode 100644
index 0000000000..3b86278ac4
--- /dev/null
+++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
@@ -0,0 +1,73 @@
+From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: [PATCH] Patch for security issue CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+
+CVE: CVE-2021-3541
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e]
+
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index f5e5e169..c9312fa4 100644
+--- a/parser.c
++++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ xmlEntityPtr ent, size_t replacement)
+ {
+ size_t consumed = 0;
++ int i;
+
+ if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+ return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ rep = NULL;
+ }
+ }
++
++ /*
++ * Prevent entity exponential check, not just replacement while
++ * parsing the DTD
++ * The check is potentially costly so do that only once in a thousand
++ */
++ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++ (ctxt->nbentities % 1024 == 0)) {
++ for (i = 0;i < ctxt->inputNr;i++) {
++ consumed += ctxt->inputTab[i]->consumed +
++ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++ }
++ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ ctxt->instate = XML_PARSER_EOF;
++ return (1);
++ }
++ consumed = 0;
++ }
++
++
++
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ xmlChar start[4];
+ xmlCharEncoding enc;
+
++ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++ return;
++
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+--
+2.25.1
+
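Review bot: The new block in xmlParserEntityCheck runs only when `ctxt->nbentities % 1024 == 0`, so it depends on the counter landing exactly on a multiple of 1024 at the moment of a call. If nbentities ever advances by more than one between calls, whole windows go unchecked. Comparing against a last-checked watermark (check once the counter has grown by at least 1024 since the previous check) would close that gap and is worth raising upstream. The comment says "once in a thousand" against a modulus of 1024 and opens with "Prevent entity exponential check", which reads as the opposite of what is meant. The three trailing blank `+` lines can go. The unchanged context at the top of the function returns 0 when XML_PARSE_HUGE is set, so callers using that option get no benefit from this check.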
diff --git a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb
index b850164285..ce4f9a3340 100644
--- a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -26,7 +26,10 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
file://fix-python39.patch \
file://CVE-2021-3517.patch \
file://CVE-2021-3516.patch \
+ file://CVE-2021-3518-0001.patch \
+ file://CVE-2021-3518-0002.patch \
file://CVE-2021-3537.patch \
+ file://CVE-2021-3541.patch \
"
SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
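Review bot: The order of the two CVE-2021-3518 entries is load-bearing, because the context lines of 0002 (`if (xmlXIncludeTestNode(ctxt, cur) == 1) {`) are the ones 0001 introduces, so 0002 only applies on top of 0001. A short note in the 0002 patch header saying it depends on 0001 would keep a later re-sort of SRC_URI from breaking do_patch.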
diff --git a/poky/meta/recipes-core/util-linux/util-linux.inc b/poky/meta/recipes-core/util-linux/util-linux.inc
index cbf6102ee0..6b47f417aa 100644
--- a/poky/meta/recipes-core/util-linux/util-linux.inc
+++ b/poky/meta/recipes-core/util-linux/util-linux.inc
@@ -27,8 +27,7 @@ LIC_FILES_CHKSUM = "file://README.licensing;md5=0fd5c050c6187d2bf0a4492b7f4e33da
FILESEXTRAPATHS_prepend := "${THISDIR}/util-linux:"
MAJOR_VERSION = "${@'.'.join(d.getVar('PV').split('.')[0:2])}"
-BPN = "util-linux"
-SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${MAJOR_VERSION}/${BP}.tar.xz \
+SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-linux-${PV}.tar.xz \
file://configure-sbindir.patch \
file://runuser.pamd \
file://runuser-l.pamd \
diff --git a/poky/meta/recipes-devtools/flex/flex_2.6.4.bb b/poky/meta/recipes-devtools/flex/flex_2.6.4.bb
index 1d43d2228a..54e7e01729 100644
--- a/poky/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/poky/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -3,12 +3,14 @@ DESCRIPTION = "Flex is a fast lexical analyser generator. Flex is a tool for ge
lexical patterns in text."
HOMEPAGE = "http://sourceforge.net/projects/flex/"
SECTION = "devel"
-LICENSE = "BSD-2-Clause"
+LICENSE = "BSD-3-Clause & LGPL-2.0+"
+LICENSE_${PN}-libfl = "BSD-3-Clause"
DEPENDS = "${@bb.utils.contains('PTEST_ENABLED', '1', 'bison-native flex-native', '', d)}"
BBCLASSEXTEND = "native nativesdk"
-LIC_FILES_CHKSUM = "file://COPYING;md5=e4742cf92e89040b39486a6219b68067"
+LIC_FILES_CHKSUM = "file://COPYING;md5=e4742cf92e89040b39486a6219b68067 \
+ file://src/gettext.h;beginline=1;endline=17;md5=9c05dda2f58d89b850c399cf22e1a00c"
SRC_URI = "https://github.com/westes/flex/releases/download/v${PV}/flex-${PV}.tar.gz \
file://run-ptest \
diff --git a/poky/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb b/poky/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb
index 52ef2a9779..7bf68082b2 100644
--- a/poky/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb
+++ b/poky/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
SRCREV = "edf8e6f0ea77ede073f07bff0d2ae1fc7a38103b"
PV = "0.29.2+git${SRCPV}"
-SRC_URI = "git://anongit.freedesktop.org/pkg-config \
+SRC_URI = "git://gitlab.freedesktop.org/pkg-config/pkg-config.git;branch=master;protocol=https \
file://pkg-config-esdk.in \
file://pkg-config-native.in \
file://fix-glib-configure-libtool-usage.patch \
diff --git a/poky/meta/recipes-devtools/python/python3_3.9.4.bb b/poky/meta/recipes-devtools/python/python3_3.9.5.bb
index cb371ceed7..82177f4a18 100644
--- a/poky/meta/recipes-devtools/python/python3_3.9.4.bb
+++ b/poky/meta/recipes-devtools/python/python3_3.9.5.bb
@@ -38,7 +38,7 @@ SRC_URI_append_class-native = " \
file://12-distutils-prefix-is-inside-staging-area.patch \
file://0001-Don-t-search-system-for-headers-libraries.patch \
"
-SRC_URI[sha256sum] = "4b0e6644a76f8df864ae24ac500a51bbf68bd098f6a173e27d3b61cdca9aa134"
+SRC_URI[sha256sum] = "0c5a140665436ec3dbfbb79e2dfb6d192655f26ef4a29aeffcb6d1820d716d83"
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc
index fbda0c9174..3921546df7 100644
--- a/poky/meta/recipes-devtools/qemu/qemu.inc
+++ b/poky/meta/recipes-devtools/qemu/qemu.inc
@@ -76,6 +76,15 @@ CVE_CHECK_WHITELIST += "CVE-2007-0998"
# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
CVE_CHECK_WHITELIST += "CVE-2018-18438"
+# Following CVE's affect ESP (NCR53C90) part of chip STP2000 (Master I/O).
+# On Sparc32 it is the NCR89C100 part of the chip.
+# On Macintosh Quadra it is NCR53C96.
+# Both are not supported by yocto.
+# Reference: https://www.openwall.com/lists/oss-security/2021/04/16/3
+CVE_CHECK_WHITELIST += "CVE-2020-35504"
+CVE_CHECK_WHITELIST += "CVE-2020-35505"
+CVE_CHECK_WHITELIST += "CVE-2020-35506"
+
COMPATIBLE_HOST_mipsarchn32 = "null"
COMPATIBLE_HOST_mipsarchn64 = "null"
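Review bot: The comment justifies the three whitelist entries by saying the Sparc32 and Macintosh Quadra parts are "not supported by yocto", but CVE_CHECK_WHITELIST silences the report for every build of this recipe, including ones where a user widens the set of emulated targets. The comment should state whether the ESP device code is actually left out of the build or is merely unused by the supported machines, so the entries can be revisited if that changes.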
diff --git a/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 b/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
index 93bfd45a4e..ccbb59cf7e 100644
--- a/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
+++ b/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
@@ -233,3 +233,4 @@ memcheck/tests/wrapmalloc
memcheck/tests/wrapmallocstatic
memcheck/tests/writev1
memcheck/tests/xml1
+memcheck/tests/linux/stack_changes
diff --git a/poky/meta/recipes-devtools/valgrind/valgrind/run-ptest b/poky/meta/recipes-devtools/valgrind/valgrind/run-ptest
index f37780ef6a..a19944f285 100755
--- a/poky/meta/recipes-devtools/valgrind/valgrind/run-ptest
+++ b/poky/meta/recipes-devtools/valgrind/valgrind/run-ptest
@@ -31,12 +31,19 @@ if [ "$arch" = "aarch64" ]; then
done
fi
+echo "Run flaky tests using taskset to limit them to a single core."
+for i in `cat taskset_nondeterministic_tests`; do
+ taskset 0x00000001 perl tests/vg_regtest --valgrind=${VALGRIND_BIN} --valgrind-lib=${VALGRIND_LIBEXECDIR} --yocto-ptest $i 2>&1|tee -a ${LOG}
+ mv $i.vgtest $i.IGNORE
+done
+
+
cd ${VALGRIND_LIB}/ptest && ./tests/vg_regtest \
--valgrind=${VALGRIND_BIN} \
--valgrind-lib=${VALGRIND_LIB} \
--yocto-ptest \
gdbserver_tests ${TOOLS} ${EXP_TOOLS} \
- 2>&1|tee ${LOG}
+ 2>&1|tee -a ${LOG}
cd ${VALGRIND_LIB}/ptest && \
./tests/post_regtest_checks $(pwd) \
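Review bot: With the main vg_regtest run switched to `tee -a` and the new loop also appending, nothing in this hunk truncates ${LOG} any more, so a log left over from an earlier run would be counted by the later `grep FAIL: ${LOG}` summary. Truncate it before the taskset loop unless that already happens earlier in the script. The loop also runs before the `cd ${VALGRIND_LIB}/ptest`, so `cat taskset_nondeterministic_tests` and `tests/vg_regtest` resolve against whatever directory the script is in at that point, and it passes `--valgrind-lib=${VALGRIND_LIBEXECDIR}` where the main run passes `${VALGRIND_LIB}`. Please confirm both are intended. Quoting `$i` and reading the list with `while read` instead of backticks would make the loop robust against unexpected whitespace in the list file.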
@@ -55,6 +62,11 @@ for i in `cat remove-for-all`; do
mv $i.IGNORE $i.vgtest;
done
+echo "Restore flaky and other non-deterministic tests"
+for i in `cat taskset_nondeterministic_tests`; do
+ mv $i.IGNORE $i.vgtest;
+done
+
echo "Failed test details..."
failed_tests=`grep FAIL: ${LOG} | awk '{print $2}'`
for test in $failed_tests; do
diff --git a/poky/meta/recipes-devtools/valgrind/valgrind/taskset_nondeterministic_tests b/poky/meta/recipes-devtools/valgrind/valgrind/taskset_nondeterministic_tests
new file mode 100644
index 0000000000..e15100ade7
--- /dev/null
+++ b/poky/meta/recipes-devtools/valgrind/valgrind/taskset_nondeterministic_tests
@@ -0,0 +1,2 @@
+helgrind/tests/hg05_race2
+helgrind/tests/tc09_bad_unlock
diff --git a/poky/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb b/poky/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb
index 2b1d185575..b48d96f8a3 100644
--- a/poky/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb
+++ b/poky/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://sourceware.org/pub/valgrind/valgrind-${PV}.tar.bz2 \
file://run-ptest \
file://remove-for-aarch64 \
file://remove-for-all \
+ file://taskset_nondeterministic_tests \
file://0004-Fix-out-of-tree-builds.patch \
file://0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch \
file://0001-Remove-tests-that-fail-to-build-on-some-PPC32-config.patch \
@@ -123,7 +124,7 @@ VALGRINDARCH_mipsel = "mips32"
VALGRINDARCH_mips64el = "mips64"
VALGRINDARCH_powerpc = "ppc"
VALGRINDARCH_powerpc64 = "ppc64"
-VALGRINDARCH_powerpc64el = "ppc64le"
+VALGRINDARCH_powerpc64le = "ppc64le"
INHIBIT_PACKAGE_STRIP_FILES = "${PKGD}${libdir}/valgrind/vgpreload_memcheck-${VALGRINDARCH}-linux.so"
@@ -189,6 +190,7 @@ do_install_ptest() {
cp ${B}/config.h ${D}${PTEST_PATH}
install -D ${WORKDIR}/remove-for-aarch64 ${D}${PTEST_PATH}
install -D ${WORKDIR}/remove-for-all ${D}${PTEST_PATH}
+ install -D ${WORKDIR}/taskset_nondeterministic_tests ${D}${PTEST_PATH}
# Add an executable need by none/tests/bigcode
mkdir ${D}${PTEST_PATH}/perf
diff --git a/poky/meta/recipes-extended/ltp/ltp/disable_hanging_tests.patch b/poky/meta/recipes-extended/ltp/ltp/disable_hanging_tests.patch
new file mode 100644
index 0000000000..113ac0fefe
--- /dev/null
+++ b/poky/meta/recipes-extended/ltp/ltp/disable_hanging_tests.patch
@@ -0,0 +1,45 @@
+This patch disables tests which we've found "hang" on our infrastructure.
+
+cgroup_xattr:
+https://autobuilder.yoctoproject.org/typhoon/#/builders/95/builds/1926 (x86)
+https://autobuilder.yoctoproject.org/typhoon/#/builders/95/builds/1898 (x86)
+https://autobuilder.yoctoproject.org/typhoon/#/builders/95/builds/1916 (x86)
+
+proc01:
+https://autobuilder.yoctoproject.org/typhoon/#/builders/96/builds/1748 (arm)
+https://autobuilder.yoctoproject.org/typhoon/#/builders/96/builds/1781 (arm)
+(in the latter was trying to read /proc/kmsg)
+(the above test looks horrible anyway)
+
+Upstream-Status: Inappropriate [OE Configuration]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: git/runtest/controllers
+===================================================================
+--- git.orig/runtest/controllers
++++ git/runtest/controllers
+@@ -352,8 +352,6 @@ cpuset_memory_spread cpuset_memory_sprea
+
+ cpuset_regression_test cpuset_regression_test.sh
+
+-cgroup_xattr cgroup_xattr
+-
+ pids_1_1 pids.sh 1 1 0
+ pids_1_2 pids.sh 1 2 0
+ pids_1_10 pids.sh 1 10 0
+Index: git/runtest/fs
+===================================================================
+--- git.orig/runtest/fs
++++ git/runtest/fs
+@@ -64,11 +64,6 @@ writetest01 writetest
+ #Also run the fs_di (Data Integrity tests)
+ fs_di fs_di -d $TMPDIR
+
+-# Read every file in /proc. Not likely to crash, but does enough
+-# to disturb the kernel. A good kernel latency killer too.
+-# Was not sure why it should reside in runtest/crashme and won't get tested ever
+-proc01 proc01 -m 128
+-
+ read_all_dev read_all -d /dev -p -q -r 3
+ read_all_proc read_all -d /proc -q -r 3
+ read_all_sys read_all -d /sys -q -r 3
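Review bot: Both removals apply to every architecture, while the header cites cgroup_xattr hangs only on the x86 builders and proc01 hangs only on the arm builders, so coverage is lost on targets where no hang was reported. Since the patch is marked Upstream-Status: Inappropriate, it will not drop out on its own at the next LTP upgrade. Add a tracking bug reference in the header so the tests can be re-enabled once the hangs are understood, and consider whether the proc01 removal could be limited to the /proc/kmsg read mentioned in the header.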
diff --git a/poky/meta/recipes-extended/ltp/ltp_20210121.bb b/poky/meta/recipes-extended/ltp/ltp_20210121.bb
index d98c9fdc25..17adbf43f0 100644
--- a/poky/meta/recipes-extended/ltp/ltp_20210121.bb
+++ b/poky/meta/recipes-extended/ltp/ltp_20210121.bb
@@ -42,6 +42,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \
file://0001-open_posix_testsuite-generate-makefiles.sh-Avoid-inc.patch \
file://0002-Makefile-Avoid-wildcard-determinism-issues.patch \
file://0003-syscalls-swapon-swapoff-Move-common-library-to-libs.patch \
+ file://disable_hanging_tests.patch \
"
S = "${WORKDIR}/git"
diff --git a/poky/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/poky/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index 2787b270fa..69d5b2f83b 100644
--- a/poky/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/poky/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -19,6 +19,9 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
S = "${WORKDIR}/git"
+# https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
+CVE_CHECK_WHITELIST += "CVE-2013-4342"
+
inherit autotools update-rc.d systemd pkgconfig
SYSTEMD_SERVICE_${PN} = "xinetd.service"
diff --git a/poky/meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch b/poky/meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch
new file mode 100644
index 0000000000..2ec5cc1688
--- /dev/null
+++ b/poky/meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch
@@ -0,0 +1,320 @@
+From 8d2e02ae650f00c4a53deb625211a0527126c605 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Fri, 19 Feb 2021 15:30:39 +0100
+Subject: [PATCH] Reject string longer than USHRT_MAX before sending them on
+ the wire
+
+The X protocol uses CARD16 values to represent the length so
+this would overflow.
+
+CVE-2021-31535
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+CVE: CVE-2021-31535
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02a]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ src/Font.c | 4 +++-
+ src/FontInfo.c | 3 +++
+ src/FontNames.c | 3 +++
+ src/GetColor.c | 4 ++++
+ src/LoadFont.c | 4 ++++
+ src/LookupCol.c | 6 ++++--
+ src/ParseCol.c | 3 +++
+ src/QuExt.c | 5 +++++
+ src/SetFPath.c | 6 ++++++
+ src/SetHints.c | 7 +++++++
+ src/StNColor.c | 3 +++
+ src/StName.c | 7 ++++++-
+ 12 files changed, 51 insertions(+), 4 deletions(-)
+
+diff --git a/src/Font.c b/src/Font.c
+index d4ebdaca..1cd89cca 100644
+--- a/src/Font.c
++++ b/src/Font.c
+@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont(
+ XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
+ #endif
+
++ if (strlen(name) >= USHRT_MAX)
++ return NULL;
+ if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
+ return font_result;
+ LockDisplay(dpy);
+@@ -663,7 +665,7 @@ int _XF86LoadQueryLocaleFont(
+ if (!name)
+ return 0;
+ l = (int) strlen(name);
+- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
++ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
+ return 0;
+ charset = NULL;
+ /* next three lines stolen from _XkbGetCharset() */
+diff --git a/src/FontInfo.c b/src/FontInfo.c
+index 694efa10..6644b3fa 100644
+--- a/src/FontInfo.c
++++ b/src/FontInfo.c
+@@ -58,6 +58,9 @@ XFontStruct **info) /* RETURN */
+ register xListFontsReq *req;
+ int j;
+
++ if (strlen(pattern) >= USHRT_MAX)
++ return NULL;
++
+ LockDisplay(dpy);
+ GetReq(ListFontsWithInfo, req);
+ req->maxNames = maxNames;
+diff --git a/src/FontNames.c b/src/FontNames.c
+index 30912925..458d80c9 100644
+--- a/src/FontNames.c
++++ b/src/FontNames.c
+@@ -51,6 +51,9 @@ int *actualCount) /* RETURN */
+ register xListFontsReq *req;
+ unsigned long rlen = 0;
+
++ if (strlen(pattern) >= USHRT_MAX)
++ return NULL;
++
+ LockDisplay(dpy);
+ GetReq(ListFonts, req);
+ req->maxNames = maxNames;
+diff --git a/src/GetColor.c b/src/GetColor.c
+index d088497f..c8178067 100644
+--- a/src/GetColor.c
++++ b/src/GetColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
+ XcmsColor cmsColor_exact;
+ Status ret;
+
++ if (strlen(colorname) >= USHRT_MAX)
++ return (0);
++
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms and i18n approach to Parse Color
+diff --git a/src/LoadFont.c b/src/LoadFont.c
+index 0a3809a8..3996436f 100644
+--- a/src/LoadFont.c
++++ b/src/LoadFont.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include "Xlibint.h"
+
+ Font
+@@ -38,6 +39,9 @@ XLoadFont (
+ Font fid;
+ register xOpenFontReq *req;
+
++ if (strlen(name) >= USHRT_MAX)
++ return (0);
++
+ if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
+ return fid;
+
+diff --git a/src/LookupCol.c b/src/LookupCol.c
+index 9608d512..cd9b1368 100644
+--- a/src/LookupCol.c
++++ b/src/LookupCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,9 @@ XLookupColor (
+ XcmsCCC ccc;
+ XcmsColor cmsColor_exact;
+
++ n = (int) strlen (spec);
++ if (n >= USHRT_MAX)
++ return 0;
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms and i18n approach to Parse Color
+@@ -77,8 +81,6 @@ XLookupColor (
+ * Xcms and i18n methods failed, so lets pass it to the server
+ * for parsing.
+ */
+-
+- n = (int) strlen (spec);
+ LockDisplay(dpy);
+ GetReq (LookupColor, req);
+ req->cmap = cmap;
+diff --git a/src/ParseCol.c b/src/ParseCol.c
+index 2691df36..7a84a17b 100644
+--- a/src/ParseCol.c
++++ b/src/ParseCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -47,6 +48,8 @@ XParseColor (
+
+ if (!spec) return(0);
+ n = (int) strlen (spec);
++ if (n >= USHRT_MAX)
++ return(0);
+ if (*spec == '#') {
+ /*
+ * RGB
+diff --git a/src/QuExt.c b/src/QuExt.c
+index 2021dca4..4cb99fcf 100644
+--- a/src/QuExt.c
++++ b/src/QuExt.c
+@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
++#include <stdbool.h>
+ #include "Xlibint.h"
+
+ Bool
+@@ -40,6 +42,9 @@ XQueryExtension(
+ xQueryExtensionReply rep;
+ register xQueryExtensionReq *req;
+
++ if (strlen(name) >= USHRT_MAX)
++ return false;
++
+ LockDisplay(dpy);
+ GetReq(QueryExtension, req);
+ req->nbytes = name ? (CARD16) strlen(name) : 0;
+diff --git a/src/SetFPath.c b/src/SetFPath.c
+index 7d12f18c..13fce49e 100644
+--- a/src/SetFPath.c
++++ b/src/SetFPath.c
+@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
+
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
++#include <limits.h>
+ #endif
+ #include "Xlibint.h"
+
+@@ -49,6 +50,11 @@ XSetFontPath (
+ req->nFonts = ndirs;
+ for (i = 0; i < ndirs; i++) {
+ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
++ if (n >= USHRT_MAX) {
++ UnlockDisplay(dpy);
++ SyncHandle();
++ return 0;
++ }
+ }
+ nbytes = (n + 3) & ~3;
+ req->length += nbytes >> 2;
+diff --git a/src/SetHints.c b/src/SetHints.c
+index e81aa9d3..61cb0684 100644
+--- a/src/SetHints.c
++++ b/src/SetHints.c
+@@ -49,6 +49,7 @@ SOFTWARE.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include "Xatomtype.h"
+@@ -214,6 +215,8 @@ XSetCommand (
+ register char *buf, *bp;
+ for (i = 0, nbytes = 0; i < argc; i++) {
+ nbytes += safestrlen(argv[i]) + 1;
++ if (nbytes >= USHRT_MAX)
++ return 1;
+ }
+ if ((bp = buf = Xmalloc(nbytes))) {
+ /* copy arguments into single buffer */
+@@ -256,6 +259,8 @@ XSetStandardProperties (
+
+ if (name != NULL) XStoreName (dpy, w, name);
+
++ if (safestrlen(icon_string) >= USHRT_MAX)
++ return 1;
+ if (icon_string != NULL) {
+ XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+ PropModeReplace,
+@@ -298,6 +303,8 @@ XSetClassHint(
+
+ len_nm = safestrlen(classhint->res_name);
+ len_cl = safestrlen(classhint->res_class);
++ if (len_nm + len_cl >= USHRT_MAX)
++ return 1;
+ if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
+ if (len_nm) {
+ strcpy(s, classhint->res_name);
+diff --git a/src/StNColor.c b/src/StNColor.c
+index 3b50401b..16dc9cbc 100644
+--- a/src/StNColor.c
++++ b/src/StNColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */
+ XcmsColor cmsColor_exact;
+ XColor scr_def;
+
++ if (strlen(name) >= USHRT_MAX)
++ return 0;
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms approach to Parse Color
+diff --git a/src/StName.c b/src/StName.c
+index 58b5a5a6..04bb3aa6 100644
+--- a/src/StName.c
++++ b/src/StName.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xatom.h>
+
+@@ -36,7 +37,9 @@ XStoreName (
+ Window w,
+ _Xconst char *name)
+ {
+- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
++ if (strlen(name) >= USHRT_MAX)
++ return 0;
++ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
+ 8, PropModeReplace, (_Xconst unsigned char *)name,
+ name ? (int) strlen(name) : 0);
+ }
+@@ -47,6 +50,8 @@ XSetIconName (
+ Window w,
+ _Xconst char *icon_name)
+ {
++ if (strlen(icon_name) >= USHRT_MAX)
++ return 0;
+ return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+ PropModeReplace, (_Xconst unsigned char *)icon_name,
+ icon_name ? (int) strlen(icon_name) : 0);
+--
+GitLab
+
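Review bot: Several added checks call `strlen()` on a pointer that the unchanged code directly below still treats as possibly NULL: XQueryExtension (`req->nbytes = name ? (CARD16) strlen(name) : 0;`), XStoreName (`name ? (int) strlen(name) : 0`) and XSetIconName (`icon_name ? (int) strlen(icon_name) : 0`). A NULL argument that used to be sent as a zero-length string now dereferences NULL in the length check; guard each test with a NULL check or use safestrlen as the SetHints.c hunk does for icon_string. In SetFPath.c the `#include <limits.h>` sits inside `#ifdef HAVE_CONFIG_H`, so USHRT_MAX is only guaranteed when config.h is present; move the include below the `#endif`. XSetStandardProperties returns after XStoreName has already run, which leaves the window partly updated on rejection, and the stray `/* */` added to the XChangeProperty line in XStoreName should be dropped.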
diff --git a/poky/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb b/poky/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb
index 3faee6e497..c6429cbbac 100644
--- a/poky/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb
+++ b/poky/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb
@@ -11,8 +11,9 @@ FILESEXTRAPATHS =. "${FILE_DIRNAME}/libx11:"
PE = "1"
SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
- file://disable_tests.patch \
- "
+ file://disable_tests.patch \
+ file://fix-CVE-2021-31535.patch \
+ "
SRC_URI[sha256sum] = "36c8f93b6595437c8cfbc9f08618bcb3041cbd303e140a0013f88e4c2977cb54"
diff --git a/poky/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb b/poky/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb
index 1d900d85fa..e967f485c1 100644
--- a/poky/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb
+++ b/poky/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://tools/kgit;beginline=5;endline=9;md5=9c30e971d435e249
DEPENDS = "git-native"
-SRCREV = "8f6aaab7f64c6de30d267e31a73f7c3bb30125a9"
+SRCREV = "d220b063852245fdd16b9731a395ace525f932d6"
PR = "r12"
PV = "0.2+git${SRCPV}"
diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210315.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb
index bd1f177209..ed6e78175a 100644
--- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210315.bb
+++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb
@@ -132,7 +132,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \
file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \
file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \
- file://WHENCE;md5=e21a8cbddc1612bce56f06fe154a0743 \
+ file://WHENCE;md5=727d0d4e2d420f41d89d098f6322e779 \
"
# These are not common licenses, set NO_GENERIC_LICENSE for them
@@ -205,7 +205,7 @@ PE = "1"
SRC_URI = "${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz"
-SRC_URI[sha256sum] = "a2348f03492713dca9aef202496c6e58f5e63ee5bec6a7bdfcf8b18ce7155e70"
+SRC_URI[sha256sum] = "2aa6ae8b9808408f9811ac38f00c188e53e984a2b3990254f6c9c02c1ab13417"
inherit allarch
diff --git a/poky/meta/recipes-kernel/linux/kernel-devsrc.bb b/poky/meta/recipes-kernel/linux/kernel-devsrc.bb
index 455c836527..84e99233e6 100644
--- a/poky/meta/recipes-kernel/linux/kernel-devsrc.bb
+++ b/poky/meta/recipes-kernel/linux/kernel-devsrc.bb
@@ -272,6 +272,8 @@ do_install() {
sed -i 's/ifneq "$(CC)" ".*-linux-.*gcc.*$/ifneq "$(CC)" "gcc"/' "$kerneldir/build/include/config/auto.conf.cmd"
sed -i 's/ifneq "$(LD)" ".*-linux-.*ld.bfd.*$/ifneq "$(LD)" "ld"/' "$kerneldir/build/include/config/auto.conf.cmd"
sed -i 's/ifneq "$(AR)" ".*-linux-.*ar.*$/ifneq "$(AR)" "ar"/' "$kerneldir/build/include/config/auto.conf.cmd"
+ sed -i 's/ifneq "$(OBJCOPY)" ".*-linux-.*objcopy.*$/ifneq "$(OBJCOPY)" "objcopy"/' "$kerneldir/build/include/config/auto.conf.cmd"
+ sed -i 's/ifneq "$(NM)" ".*-linux-.*nm.*$/ifneq "$(NM)" "nm"/' "$kerneldir/build/include/config/auto.conf.cmd"
sed -i 's/ifneq "$(HOSTCXX)" ".*$/ifneq "$(HOSTCXX)" "g++"/' "$kerneldir/build/include/config/auto.conf.cmd"
sed -i 's/ifneq "$(HOSTCC)" ".*$/ifneq "$(HOSTCC)" "gcc"/' "$kerneldir/build/include/config/auto.conf.cmd"
sed -i 's/ifneq "$(CC_VERSION_TEXT)".*\(gcc.*\)"/ifneq "$(CC_VERSION_TEXT)" "\1"/' "$kerneldir/build/include/config/auto.conf.cmd"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index 08314ea03e..f511f233b6 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "400fbf5b14a0c88afb7c31d65be56fb9d6214c81"
-SRCREV_meta ?= "38eb7ca3f4b59339c57a04c310f20809b198fa91"
+SRCREV_machine ?= "4a59bc57b2be77da9394b10eb37067da7d63b7a4"
+SRCREV_meta ?= "b969f83647833d21d8826c4667492f58895213c3"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.10.34"
+LINUX_VERSION ?= "5.10.46"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index f82c6b335b..3e97058f68 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "b62ae8bedb024e67e7c5cda51840454a4170c858"
-SRCREV_meta ?= "b89df7433ea8124d3092805391b78808df4147a7"
+SRCREV_machine ?= "f3ac47f313e4ce608b3567c006f61d1d8b820ae2"
+SRCREV_meta ?= "78949176d073f5cf04c9e0c4be699e39528f2880"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.4.116"
+LINUX_VERSION ?= "5.4.128"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 8bd674f116..f5ade2992c 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.10.34"
+LINUX_VERSION ?= "5.10.46"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "bf33b78f5136873b6d2ec6274908cf688341bc9e"
-SRCREV_machine ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
-SRCREV_meta ?= "38eb7ca3f4b59339c57a04c310f20809b198fa91"
+SRCREV_machine_qemuarm ?= "dd1f9602f3e4e9dc177421ba12ce073ad2099a58"
+SRCREV_machine ?= "139fe7d68413054f850e206ab749f97a968867a8"
+SRCREV_meta ?= "b969f83647833d21d8826c4667492f58895213c3"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 1c3fe73ae5..2eb5ebdbbd 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.4.116"
+LINUX_VERSION ?= "5.4.128"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "80bd6016a9bdaed4b66ddffffa8c8e62d7c1f8a6"
-SRCREV_machine ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
-SRCREV_meta ?= "b89df7433ea8124d3092805391b78808df4147a7"
+SRCREV_machine_qemuarm ?= "987d6fd6c916297cde5cc7e988c28ef1e458f1cf"
+SRCREV_machine ?= "befa5fba9b9f972f68acc891f2ca143d6b3e4011"
+SRCREV_meta ?= "78949176d073f5cf04c9e0c4be699e39528f2880"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index 2e7a452495..dd4aef7f89 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -13,17 +13,17 @@ KBRANCH_qemux86 ?= "v5.10/standard/base"
KBRANCH_qemux86-64 ?= "v5.10/standard/base"
KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "78e8e722eec4434024c5db3e0d59da0b128c7647"
-SRCREV_machine_qemuarm64 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
-SRCREV_machine_qemumips ?= "b5c0852a90709e77f7a3d185d1745e6a1f66b77c"
-SRCREV_machine_qemuppc ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
-SRCREV_machine_qemuriscv64 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
-SRCREV_machine_qemuriscv32 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
-SRCREV_machine_qemux86 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
-SRCREV_machine_qemux86-64 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
-SRCREV_machine_qemumips64 ?= "bf264e264d2141a4fb61d515573c27935e67ecfa"
-SRCREV_machine ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
-SRCREV_meta ?= "38eb7ca3f4b59339c57a04c310f20809b198fa91"
+SRCREV_machine_qemuarm ?= "17e89ca08f67fdcbaf0a3ae4c429602f76463923"
+SRCREV_machine_qemuarm64 ?= "139fe7d68413054f850e206ab749f97a968867a8"
+SRCREV_machine_qemumips ?= "bdcaaee7b7ce0e865670a2cee55b1974eb67357b"
+SRCREV_machine_qemuppc ?= "139fe7d68413054f850e206ab749f97a968867a8"
+SRCREV_machine_qemuriscv64 ?= "139fe7d68413054f850e206ab749f97a968867a8"
+SRCREV_machine_qemuriscv32 ?= "139fe7d68413054f850e206ab749f97a968867a8"
+SRCREV_machine_qemux86 ?= "139fe7d68413054f850e206ab749f97a968867a8"
+SRCREV_machine_qemux86-64 ?= "139fe7d68413054f850e206ab749f97a968867a8"
+SRCREV_machine_qemumips64 ?= "2f11a726a60ad9e8a48de6bc2101a993b461e8d1"
+SRCREV_machine ?= "139fe7d68413054f850e206ab749f97a968867a8"
+SRCREV_meta ?= "b969f83647833d21d8826c4667492f58895213c3"
# remap qemuarm to qemuarma15 for the 5.8 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
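Review bot: SRCREV_machine_qemuarm, SRCREV_machine_qemumips and SRCREV_machine_qemumips64 each point at their own revision, separate from the value shared by SRCREV_machine and the other machines, so a test build for a single MACHINE covers only one of the four trees that the LINUX_VERSION "5.10.46" in the next hunk is claimed for. Build at least one machine per distinct revision before merging. Separately, the context comment "# remap qemuarm to qemuarma15 for the 5.8 kernel" is stale in a 5.10 recipe; the copy in linux-yocto_5.4.bb names its own version.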
@@ -32,7 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.10.34"
+LINUX_VERSION ?= "5.10.46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 5245530229..5a7e9f0a35 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base"
KBRANCH_qemux86-64 ?= "v5.4/standard/base"
KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "e71df0530eefcac1b3248329e385bcefbad6336e"
-SRCREV_machine_qemuarm64 ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
-SRCREV_machine_qemumips ?= "07445052fdd15e60b30dc5ae9d162c2e6bba47d1"
-SRCREV_machine_qemuppc ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
-SRCREV_machine_qemuriscv64 ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
-SRCREV_machine_qemux86 ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
-SRCREV_machine_qemux86-64 ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
-SRCREV_machine_qemumips64 ?= "b36d79d6f2aaf9dadec352f611e7b9becf2b9a55"
-SRCREV_machine ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
-SRCREV_meta ?= "b89df7433ea8124d3092805391b78808df4147a7"
+SRCREV_machine_qemuarm ?= "69874edb0838e4d26002a8d30e14a5e1b355e397"
+SRCREV_machine_qemuarm64 ?= "befa5fba9b9f972f68acc891f2ca143d6b3e4011"
+SRCREV_machine_qemumips ?= "1bfafb3ce048d4a30aca35e847168855980f5dbc"
+SRCREV_machine_qemuppc ?= "befa5fba9b9f972f68acc891f2ca143d6b3e4011"
+SRCREV_machine_qemuriscv64 ?= "befa5fba9b9f972f68acc891f2ca143d6b3e4011"
+SRCREV_machine_qemux86 ?= "befa5fba9b9f972f68acc891f2ca143d6b3e4011"
+SRCREV_machine_qemux86-64 ?= "befa5fba9b9f972f68acc891f2ca143d6b3e4011"
+SRCREV_machine_qemumips64 ?= "2a0ea1bced3f4b8ebebb19debc19b7930a4924a8"
+SRCREV_machine ?= "befa5fba9b9f972f68acc891f2ca143d6b3e4011"
+SRCREV_meta ?= "78949176d073f5cf04c9e0c4be699e39528f2880"
# remap qemuarm to qemuarma15 for the 5.4 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.116"
+LINUX_VERSION ?= "5.4.128"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0001-Fix-memory-leaks-on-event-destroy.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0001-Fix-memory-leaks-on-event-destroy.patch
deleted file mode 100644
index 21da932a75..0000000000
--- a/poky/meta/recipes-kernel/lttng/lttng-modules/0001-Fix-memory-leaks-on-event-destroy.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From b3fdf78b15beb940918da1e41eb68e24ba31bb87 Mon Sep 17 00:00:00 2001
-From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Date: Wed, 3 Mar 2021 10:10:16 -0500
-Subject: [PATCH 1/4] Fix: memory leaks on event destroy
-
-Both filter runtime and event enabler ref objects are owned by the
-event, but are not freed upon destruction of the event object, thus
-leaking memory.
-
-Upstream-status: backport
-
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: Ice9b1c18b47584838aea2b965494d3c8391f4c84
----
- lttng-events.c | 7 +++++++
- lttng-events.h | 1 +
- 2 files changed, 8 insertions(+)
-
-diff --git a/lttng-events.c b/lttng-events.c
-index f3398adc..984bd341 100644
---- a/lttng-events.c
-+++ b/lttng-events.c
-@@ -919,6 +919,8 @@ int _lttng_event_unregister(struct lttng_event *event)
- static
- void _lttng_event_destroy(struct lttng_event *event)
- {
-+ struct lttng_enabler_ref *enabler_ref, *tmp_enabler_ref;
-+
- switch (event->instrumentation) {
- case LTTNG_KERNEL_TRACEPOINT:
- lttng_event_put(event->desc);
-@@ -944,6 +946,11 @@ void _lttng_event_destroy(struct lttng_event *event)
- }
- list_del(&event->list);
- lttng_destroy_context(event->ctx);
-+ lttng_free_event_filter_runtime(event);
-+ /* Free event enabler refs */
-+ list_for_each_entry_safe(enabler_ref, tmp_enabler_ref,
-+ &event->enablers_ref_head, node)
-+ kfree(enabler_ref);
- kmem_cache_free(event_cache, event);
- }
-
-diff --git a/lttng-events.h b/lttng-events.h
-index 1b9ab167..13b6abf5 100644
---- a/lttng-events.h
-+++ b/lttng-events.h
-@@ -716,6 +716,7 @@ int lttng_enabler_attach_bytecode(struct lttng_enabler *enabler,
- struct lttng_kernel_filter_bytecode __user *bytecode);
- void lttng_enabler_event_link_bytecode(struct lttng_event *event,
- struct lttng_enabler *enabler);
-+void lttng_free_event_filter_runtime(struct lttng_event *event);
-
- int lttng_probes_init(void);
-
---
-2.19.1
-
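Review bot: the free loop this patch adds to _lttng_event_destroy() walks &event->enablers_ref_head unconditionally, so it is only safe when every creation path has initialised that list head. The kretprobe return event did not until 0004, which is written against the post-0001 lttng-events.c (index 984bd341) and is also deleted below. When checking that the 2.12.6 tarball contains this fix, check that it contains the INIT_LIST_HEAD pair from 0004 as well, because the header here says only "Upstream-status: backport" and names no release.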
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0002-Fix-filter-interpreter-early-exits-on-uninitialized-.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0002-Fix-filter-interpreter-early-exits-on-uninitialized-.patch
deleted file mode 100644
index 609690f05c..0000000000
--- a/poky/meta/recipes-kernel/lttng/lttng-modules/0002-Fix-filter-interpreter-early-exits-on-uninitialized-.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From 23a2f61ffc6a656f136fa2044c0c3b8f79766779 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20Galarneau?=
- <jeremie.galarneau@efficios.com>
-Date: Wed, 3 Mar 2021 18:52:19 -0500
-Subject: [PATCH 2/4] Fix: filter interpreter early-exits on uninitialized
- value
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-I observed that syscall filtering on string arguments wouldn't work on
-my development machines, both running 5.11.2-arch1-1 (Arch Linux).
-
-For instance, enabling the tracing of the `openat()` syscall with the
-'filename == "/proc/cpuinfo"' filter would not produce events even
-though matching events were present in another session that had no
-filtering active. The same problem occurred with `execve()`.
-
-I tried a couple of kernel versions before (5.11.1 and 5.10.13, if
-memory serves me well) and I had the same problem. Meanwhile, I couldn't
-reproduce the problem on various Debian machines (the LTTng CI) nor on a
-fresh Ubuntu 20.04 with both the stock kernel and with an updated 5.11.2
-kernel.
-
-I built the lttng-modules with the interpreter debugging printout and
-saw the following warning:
- LTTng: [debug bytecode in /home/jgalar/EfficiOS/src/lttng-modules/src/lttng-bytecode-interpreter.c:bytecode_interpret@1508] Bytecode warning: loading a NULL string.
-
-After a shedload (yes, a _shed_load) of digging, I figured that the
-problem was hidden in plain sight near that logging statement.
-
-In the `BYTECODE_OP_LOAD_FIELD_REF_USER_STRING` operation, the 'ax'
-register's 'user_str' is initialized with the stack value (the user
-space string's address in our case). However, a NULL check is performed
-against the register's 'str' member.
-
-I initialy suspected that both members would be part of the same union
-and alias each-other, but they are actually contiguous in a structure.
-
-On the unaffected machines, I could confirm that the `str` member was
-uninitialized to a non-zero value causing the condition to evaluate to
-false.
-
-Francis Deslauriers reproduced the problem by initializing the
-interpreter stack to zero.
-
-I am unsure of the exact kernel configuration option that reveals this
-issue on Arch Linux, but my kernel has the following option enabled:
-
-CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL:
- Zero-initialize any stack variables that may be passed by reference
- and had not already been explicitly initialized. This is intended to
- eliminate all classes of uninitialized stack variable exploits and
- information exposures.
-
-I have not tried to build without this enabled as, anyhow, this seems
-to be a legitimate issue.
-
-I have spotted what appears to be an identical problem in
-`BYTECODE_OP_LOAD_FIELD_REF_USER_SEQUENCE` and corrected it. However,
-I have not exercised that code path.
-
-The commit that introduced this problem is 5b4ad89.
-
-The debug print-out of the `BYTECODE_OP_LOAD_FIELD_REF_USER_STRING`
-operation is modified to print the user string (truncated to 31 chars).
-
-Upstream-status: backport
-
-Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: I2da3c31b9e3ce0e1b164cf3d2711c0893cbec273
----
- lttng-filter-interpreter.c | 41 ++++++++++++++++++++++++++++++++++----
- 1 file changed, 37 insertions(+), 4 deletions(-)
-
-diff --git a/lttng-filter-interpreter.c b/lttng-filter-interpreter.c
-index 5d572437..6e5a5139 100644
---- a/lttng-filter-interpreter.c
-+++ b/lttng-filter-interpreter.c
-@@ -22,7 +22,7 @@ LTTNG_STACK_FRAME_NON_STANDARD(lttng_filter_interpret_bytecode);
- * to handle user-space read.
- */
- static
--char get_char(struct estack_entry *reg, size_t offset)
-+char get_char(const struct estack_entry *reg, size_t offset)
- {
- if (unlikely(offset >= reg->u.s.seq_len))
- return '\0';
-@@ -593,6 +593,39 @@ end:
- return ret;
- }
-
-+#ifdef DEBUG
-+
-+#define DBG_USER_STR_CUTOFF 32
-+
-+/*
-+ * In debug mode, print user string (truncated, if necessary).
-+ */
-+static inline
-+void dbg_load_ref_user_str_printk(const struct estack_entry *user_str_reg)
-+{
-+ size_t pos = 0;
-+ char last_char;
-+ char user_str[DBG_USER_STR_CUTOFF];
-+
-+ pagefault_disable();
-+ do {
-+ last_char = get_char(user_str_reg, pos);
-+ user_str[pos] = last_char;
-+ pos++;
-+ } while (last_char != '\0' && pos < sizeof(user_str));
-+ pagefault_enable();
-+
-+ user_str[sizeof(user_str) - 1] = '\0';
-+ dbg_printk("load field ref user string: '%s%s'\n", user_str,
-+ last_char != '\0' ? "[...]" : "");
-+}
-+#else
-+static inline
-+void dbg_load_ref_user_str_printk(const struct estack_entry *user_str_reg)
-+{
-+}
-+#endif
-+
- /*
- * Return 0 (discard), or raise the 0x1 flag (log event).
- * Currently, other flags are kept for future extensions and have no
-@@ -1313,7 +1346,7 @@ uint64_t lttng_filter_interpret_bytecode(void *filter_data,
- estack_push(stack, top, ax, bx);
- estack_ax(stack, top)->u.s.user_str =
- *(const char * const *) &filter_stack_data[ref->offset];
-- if (unlikely(!estack_ax(stack, top)->u.s.str)) {
-+ if (unlikely(!estack_ax(stack, top)->u.s.user_str)) {
- dbg_printk("Filter warning: loading a NULL string.\n");
- ret = -EINVAL;
- goto end;
-@@ -1322,7 +1355,7 @@ uint64_t lttng_filter_interpret_bytecode(void *filter_data,
- estack_ax(stack, top)->u.s.literal_type =
- ESTACK_STRING_LITERAL_TYPE_NONE;
- estack_ax(stack, top)->u.s.user = 1;
-- dbg_printk("ref load string %s\n", estack_ax(stack, top)->u.s.str);
-+ dbg_load_ref_user_str_printk(estack_ax(stack, top));
- next_pc += sizeof(struct load_op) + sizeof(struct field_ref);
- PO;
- }
-@@ -1340,7 +1373,7 @@ uint64_t lttng_filter_interpret_bytecode(void *filter_data,
- estack_ax(stack, top)->u.s.user_str =
- *(const char **) (&filter_stack_data[ref->offset
- + sizeof(unsigned long)]);
-- if (unlikely(!estack_ax(stack, top)->u.s.str)) {
-+ if (unlikely(!estack_ax(stack, top)->u.s.user_str)) {
- dbg_printk("Filter warning: loading a NULL sequence.\n");
- ret = -EINVAL;
- goto end;
---
-2.19.1
-
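Review bot: the defect fixed here is a NULL check on u.s.str directly after the assignment to u.s.user_str, and by the commit message it fails closed only on kernels that zero the stack (CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL), where every filter on a user-space string returns -EINVAL and matching events are dropped without any error visible to the user. That is a silent tracing gap on exactly the hardened configurations, so removing the local patch needs proof that 2.12.6 has both u.s.user_str checks; the header says "Upstream-status: backport" with no release, unlike 0005 to 0007 which say [2.12.6]. The author also states the BYTECODE_OP_LOAD_FIELD_REF_USER_SEQUENCE path was never exercised, so a runtime check with the openat() filter 'filename == "/proc/cpuinfo"' from the message, on an image with that option enabled, would be a better gate than a build alone.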
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0003-fix-mm-tracing-record-slab-name-for-kmem_cache_free-.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0003-fix-mm-tracing-record-slab-name-for-kmem_cache_free-.patch
deleted file mode 100644
index 71f99b80a3..0000000000
--- a/poky/meta/recipes-kernel/lttng/lttng-modules/0003-fix-mm-tracing-record-slab-name-for-kmem_cache_free-.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 49c603ef2dc6969f4454f0d849af00ee24bb7f04 Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Thu, 4 Mar 2021 16:50:12 -0500
-Subject: [PATCH 3/4] fix: mm, tracing: record slab name for kmem_cache_free()
- (v5.12)
-
-See upstream commit:
-
- commit 3544de8ee6e4817278b15fe08658de49abf58954
- Author: Jacob Wen <jian.w.wen@oracle.com>
- Date: Wed Feb 24 12:00:55 2021 -0800
-
- mm, tracing: record slab name for kmem_cache_free()
-
- Currently, a trace record generated by the RCU core is as below.
-
- ... kmem_cache_free: call_site=rcu_core+0x1fd/0x610 ptr=00000000f3b49a66
-
- It doesn't tell us what the RCU core has freed.
-
- This patch adds the slab name to trace_kmem_cache_free().
- The new format is as follows.
-
- ... kmem_cache_free: call_site=rcu_core+0x1fd/0x610 ptr=0000000037f79c8d name=dentry
- ... kmem_cache_free: call_site=rcu_core+0x1fd/0x610 ptr=00000000f78cb7b5 name=sock_inode_cache
- ... kmem_cache_free: call_site=rcu_core+0x1fd/0x610 ptr=0000000018768985 name=pool_workqueue
- ... kmem_cache_free: call_site=rcu_core+0x1fd/0x610 ptr=000000006a6cb484 name=radix_tree_node
-
- We can use it to understand what the RCU core is going to free. For
- example, some users maybe interested in when the RCU core starts
- freeing reclaimable slabs like dentry to reduce memory pressure.
-
- Link: https://lkml.kernel.org/r/20201216072804.8838-1-jian.w.wen@oracle.com
-
-Upstream-status: backport
-
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: I1ee2fc476614cadcc8d3ac5d8feddc7910e1aa3a
----
- instrumentation/events/lttng-module/kmem.h | 27 ++++++++++++++++++++++
- 1 file changed, 27 insertions(+)
-
-diff --git a/instrumentation/events/lttng-module/kmem.h b/instrumentation/events/lttng-module/kmem.h
-index b134620a..d787ea54 100644
---- a/instrumentation/events/lttng-module/kmem.h
-+++ b/instrumentation/events/lttng-module/kmem.h
-@@ -87,6 +87,32 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(kmem_alloc_node, kmem_cache_alloc_node,
- TP_ARGS(call_site, ptr, bytes_req, bytes_alloc, gfp_flags, node)
- )
-
-+#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,12,0))
-+LTTNG_TRACEPOINT_EVENT(kfree,
-+
-+ TP_PROTO(unsigned long call_site, const void *ptr),
-+
-+ TP_ARGS(call_site, ptr),
-+
-+ TP_FIELDS(
-+ ctf_integer_hex(unsigned long, call_site, call_site)
-+ ctf_integer_hex(const void *, ptr, ptr)
-+ )
-+)
-+
-+LTTNG_TRACEPOINT_EVENT(kmem_cache_free,
-+
-+ TP_PROTO(unsigned long call_site, const void *ptr, const char *name),
-+
-+ TP_ARGS(call_site, ptr, name),
-+
-+ TP_FIELDS(
-+ ctf_integer_hex(unsigned long, call_site, call_site)
-+ ctf_integer_hex(const void *, ptr, ptr)
-+ ctf_string(name, name)
-+ )
-+)
-+#else
- LTTNG_TRACEPOINT_EVENT_CLASS(kmem_free,
-
- TP_PROTO(unsigned long call_site, const void *ptr),
-@@ -114,6 +140,7 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(kmem_free, kmem_cache_free,
-
- TP_ARGS(call_site, ptr)
- )
-+#endif
-
- #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(3,3,0))
- LTTNG_TRACEPOINT_EVENT_MAP(mm_page_free, kmem_mm_page_free,
---
-2.19.1
-
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0004-Fix-kretprobe-null-ptr-deref-on-session-destroy.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0004-Fix-kretprobe-null-ptr-deref-on-session-destroy.patch
deleted file mode 100644
index 8a839c2b43..0000000000
--- a/poky/meta/recipes-kernel/lttng/lttng-modules/0004-Fix-kretprobe-null-ptr-deref-on-session-destroy.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 92cc3e7f76a545a2cd4828576971f1eea83f4e68 Mon Sep 17 00:00:00 2001
-From: Francis Deslauriers <francis.deslauriers@efficios.com>
-Date: Wed, 17 Mar 2021 10:40:56 -0400
-Subject: [PATCH 4/4] Fix: kretprobe: null ptr deref on session destroy
-
-The `filter_bytecode_runtime_head` list is currently not initialized for
-the return event of the kretprobe. This caused a kernel null ptr
-dereference when destroying a session. It can reproduced with the
-following commands:
-
- lttng create
- lttng enable-event -k --function=lttng_test_filter_event_write my_event
- lttng start
- lttng stop
- lttng destroy
-
-Upstream-status: backport
-
-Signed-off-by: Francis Deslauriers <francis.deslauriers@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: I1162ce8b10dd7237a26331531f048346b984eee7
----
- lttng-events.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/lttng-events.c b/lttng-events.c
-index 984bd341..3450fa40 100644
---- a/lttng-events.c
-+++ b/lttng-events.c
-@@ -704,6 +704,8 @@ struct lttng_event *_lttng_event_create(struct lttng_channel *chan,
- event_return->enabled = 0;
- event_return->registered = 1;
- event_return->instrumentation = itype;
-+ INIT_LIST_HEAD(&event_return->bytecode_runtime_head);
-+ INIT_LIST_HEAD(&event_return->enablers_ref_head);
- /*
- * Populate lttng_event structure before kretprobe registration.
- */
---
-2.19.1
-
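Review bot: the commit message names the uninitialised list as filter_bytecode_runtime_head, but the code initialises bytecode_runtime_head and enablers_ref_head, so searching the 2.12.6 source for the name in the message will not find the fix; search for the two INIT_LIST_HEAD(&event_return->...) lines instead. The message also gives a five-command reproducer (lttng create, enable-event -k --function=..., start, stop, destroy); running it once against the upgraded module is a cheap regression check for a kernel NULL dereference, and worth doing since the header's "Upstream-status: backport" does not say which release picked the fix up.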
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch
deleted file mode 100644
index 3a2280ccdc..0000000000
--- a/poky/meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch
+++ /dev/null
@@ -1,305 +0,0 @@
-From 17cd2dc91cb82ed342b0da699f2b1a70c1bf6a03 Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Mon, 15 Mar 2021 14:54:02 -0400
-Subject: [PATCH 2/4] fix: block: add a disk_uevent helper (v5.12)
-
-See upstream commit:
-
- commit bc359d03c7ec1bf3b86d03bafaf6bbb21e6414fd
- Author: Christoph Hellwig <hch@lst.de>
- Date: Sun Jan 24 11:02:39 2021 +0100
-
- block: add a disk_uevent helper
-
- Add a helper to call kobject_uevent for the disk and all partitions, and
- unexport the disk_part_iter_* helpers that are now only used in the core
- block code.
-
-Upstream-status: Backport [2.12.6]
-
-Change-Id: If6e8797049642ab382d5699660ee1dd734e92c90
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
----
- Makefile | 1 +
- lttng-statedump-impl.c | 34 +++++++++----
- src/wrapper/genhd.c | 111 +++++++++++++++++++++++++++++++++++++++++
- wrapper/genhd.h | 62 +++++++++++++++++++++++
- 4 files changed, 198 insertions(+), 10 deletions(-)
- create mode 100644 src/wrapper/genhd.c
-
-diff --git a/Makefile b/Makefile
-index a9aff3f1..34043cfb 100644
---- a/Makefile
-+++ b/Makefile
-@@ -80,6 +80,7 @@ ifneq ($(KERNELRELEASE),)
- wrapper/kallsyms.o \
- wrapper/irqdesc.o \
- wrapper/fdtable.o \
-+ wrapper/genhd.o \
- lttng-wrapper-impl.o
-
- ifneq ($(CONFIG_HAVE_SYSCALL_TRACEPOINTS),)
-diff --git a/lttng-statedump-impl.c b/lttng-statedump-impl.c
-index 60b937c9..5511c7e8 100644
---- a/lttng-statedump-impl.c
-+++ b/lttng-statedump-impl.c
-@@ -250,13 +250,17 @@ int lttng_enumerate_block_devices(struct lttng_session *session)
- struct device_type *ptr_disk_type;
- struct class_dev_iter iter;
- struct device *dev;
-+ int ret = 0;
-
- ptr_block_class = wrapper_get_block_class();
-- if (!ptr_block_class)
-- return -ENOSYS;
-+ if (!ptr_block_class) {
-+ ret = -ENOSYS;
-+ goto end;
-+ }
- ptr_disk_type = wrapper_get_disk_type();
- if (!ptr_disk_type) {
-- return -ENOSYS;
-+ ret = -ENOSYS;
-+ goto end;
- }
- class_dev_iter_init(&iter, ptr_block_class, NULL, ptr_disk_type);
- while ((dev = class_dev_iter_next(&iter))) {
-@@ -272,22 +276,32 @@ int lttng_enumerate_block_devices(struct lttng_session *session)
- (disk->flags & GENHD_FL_SUPPRESS_PARTITION_INFO))
- continue;
-
-- disk_part_iter_init(&piter, disk, DISK_PITER_INCL_PART0);
-- while ((part = disk_part_iter_next(&piter))) {
-+ /*
-+ * The original 'disk_part_iter_init' returns void, but our
-+ * wrapper can fail to lookup the original symbol.
-+ */
-+ if (wrapper_disk_part_iter_init(&piter, disk, DISK_PITER_INCL_PART0) < 0) {
-+ ret = -ENOSYS;
-+ goto iter_exit;
-+ }
-+
-+ while ((part = wrapper_disk_part_iter_next(&piter))) {
- char name_buf[BDEVNAME_SIZE];
-
- if (lttng_get_part_name(disk, part, name_buf) == -ENOSYS) {
-- disk_part_iter_exit(&piter);
-- class_dev_iter_exit(&iter);
-- return -ENOSYS;
-+ wrapper_disk_part_iter_exit(&piter);
-+ ret = -ENOSYS;
-+ goto iter_exit;
- }
- trace_lttng_statedump_block_device(session,
- lttng_get_part_devt(part), name_buf);
- }
-- disk_part_iter_exit(&piter);
-+ wrapper_disk_part_iter_exit(&piter);
- }
-+iter_exit:
- class_dev_iter_exit(&iter);
-- return 0;
-+end:
-+ return ret;
- }
-
- #ifdef CONFIG_INET
-diff --git a/src/wrapper/genhd.c b/src/wrapper/genhd.c
-new file mode 100644
-index 00000000..a5a6c410
---- /dev/null
-+++ b/src/wrapper/genhd.c
-@@ -0,0 +1,111 @@
-+/* SPDX-License-Identifier: (GPL-2.0-only OR LGPL-2.1-only)
-+ *
-+ * wrapper/genhd.c
-+ *
-+ * Wrapper around disk_part_iter_(init|next|exit). Using KALLSYMS to get the
-+ * addresses when available, else we need to have a kernel that exports this
-+ * function to GPL modules. This export was removed in 5.12.
-+ *
-+ * Copyright (C) 2021 Michael Jeanson <mjeanson@efficios.com>
-+ */
-+
-+#include <lttng/kernel-version.h>
-+#include <linux/module.h>
-+#include <wrapper/genhd.h>
-+
-+#if (defined(CONFIG_KALLSYMS) && \
-+ (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,12,0)))
-+
-+#include <wrapper/kallsyms.h>
-+
-+static
-+void (*disk_part_iter_init_sym)(struct disk_part_iter *piter, struct gendisk *disk,
-+ unsigned int flags);
-+
-+static
-+LTTNG_DISK_PART_TYPE *(*disk_part_iter_next_sym)(struct disk_part_iter *piter);
-+
-+static
-+void (*disk_part_iter_exit_sym)(struct disk_part_iter *piter);
-+
-+/*
-+ * This wrapper has an 'int' return type instead of the original 'void', to be
-+ * able to report the symbol lookup failure to the caller.
-+ *
-+ * Return 0 on success, -1 on error.
-+ */
-+int wrapper_disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk,
-+ unsigned int flags)
-+{
-+ if (!disk_part_iter_init_sym)
-+ disk_part_iter_init_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_init");
-+
-+ if (disk_part_iter_init_sym) {
-+ disk_part_iter_init_sym(piter, disk, flags);
-+ } else {
-+ printk_once(KERN_WARNING "LTTng: disk_part_iter_init symbol lookup failed.\n");
-+ return -1;
-+ }
-+ return 0;
-+}
-+EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_init);
-+
-+LTTNG_DISK_PART_TYPE *wrapper_disk_part_iter_next(struct disk_part_iter *piter)
-+{
-+ if (!disk_part_iter_next_sym)
-+ disk_part_iter_next_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_next");
-+
-+ if (disk_part_iter_next_sym) {
-+ return disk_part_iter_next_sym(piter);
-+ } else {
-+ printk_once(KERN_WARNING "LTTng: disk_part_iter_next symbol lookup failed.\n");
-+ return NULL;
-+ }
-+}
-+EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_next);
-+
-+/*
-+ * We don't return an error on symbol lookup failure here because there is
-+ * nothing the caller can do to cleanup the iterator.
-+ */
-+void wrapper_disk_part_iter_exit(struct disk_part_iter *piter)
-+{
-+ if (!disk_part_iter_exit_sym)
-+ disk_part_iter_exit_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_exit");
-+
-+ if (disk_part_iter_exit_sym) {
-+ disk_part_iter_exit_sym(piter);
-+ } else {
-+ printk_once(KERN_WARNING "LTTng: disk_part_iter_exit symbol lookup failed.\n");
-+ }
-+}
-+EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_exit);
-+
-+#else
-+
-+/*
-+ * This wrapper has an 'int' return type instead of the original 'void', so the
-+ * kallsyms variant can report the symbol lookup failure to the caller.
-+ *
-+ * This variant always succeeds and returns 0.
-+ */
-+int wrapper_disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk,
-+ unsigned int flags)
-+{
-+ disk_part_iter_init(piter, disk, flags);
-+ return 0;
-+}
-+EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_init);
-+
-+LTTNG_DISK_PART_TYPE *wrapper_disk_part_iter_next(struct disk_part_iter *piter)
-+{
-+ return disk_part_iter_next(piter);
-+}
-+EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_next);
-+
-+void wrapper_disk_part_iter_exit(struct disk_part_iter *piter)
-+{
-+ disk_part_iter_exit(piter);
-+}
-+EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_exit);
-+#endif
-diff --git a/wrapper/genhd.h b/wrapper/genhd.h
-index 98feb57b..6bae239d 100644
---- a/wrapper/genhd.h
-+++ b/wrapper/genhd.h
-@@ -13,6 +13,13 @@
- #define _LTTNG_WRAPPER_GENHD_H
-
- #include <linux/genhd.h>
-+#include <lttng/kernel-version.h>
-+
-+#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0))
-+#define LTTNG_DISK_PART_TYPE struct block_device
-+#else
-+#define LTTNG_DISK_PART_TYPE struct hd_struct
-+#endif
-
- #ifdef CONFIG_KALLSYMS_ALL
-
-@@ -94,4 +101,59 @@ struct device_type *wrapper_get_disk_type(void)
-
- #endif
-
-+/*
-+ * This wrapper has an 'int' return type instead of the original 'void', to be
-+ * able to report the symbol lookup failure to the caller.
-+ *
-+ * Return 0 on success, -1 on error.
-+ */
-+int wrapper_disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk,
-+ unsigned int flags);
-+LTTNG_DISK_PART_TYPE *wrapper_disk_part_iter_next(struct disk_part_iter *piter);
-+void wrapper_disk_part_iter_exit(struct disk_part_iter *piter);
-+
-+/*
-+ * Canary function to check for 'disk_part_iter_init()' at compile time.
-+ *
-+ * From 'include/linux/genhd.h':
-+ *
-+ * extern void disk_part_iter_init(struct disk_part_iter *piter,
-+ * struct gendisk *disk, unsigned int flags);
-+ *
-+ */
-+static inline
-+void __canary__disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk,
-+ unsigned int flags)
-+{
-+ disk_part_iter_init(piter, disk, flags);
-+}
-+
-+/*
-+ * Canary function to check for 'disk_part_iter_next()' at compile time.
-+ *
-+ * From 'include/linux/genhd.h':
-+ *
-+ * struct block_device *disk_part_iter_next(struct disk_part_iter *piter);
-+ *
-+ */
-+static inline
-+LTTNG_DISK_PART_TYPE *__canary__disk_part_iter_next(struct disk_part_iter *piter)
-+{
-+ return disk_part_iter_next(piter);
-+}
-+
-+/*
-+ * Canary function to check for 'disk_part_iter_exit()' at compile time.
-+ *
-+ * From 'include/linux/genhd.h':
-+ *
-+ * extern void disk_part_iter_exit(struct disk_part_iter *piter);
-+ *
-+ */
-+static inline
-+void __canary__disk_part_iter_exit(struct disk_part_iter *piter)
-+{
-+ return disk_part_iter_exit(piter);
-+}
-+
- #endif /* _LTTNG_WRAPPER_GENHD_H */
---
-2.25.1
-
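Review bot: in the kallsyms variant, wrapper_disk_part_iter_exit() only logs when its symbol lookup fails, so an iterator that wrapper_disk_part_iter_init() has already set up is never released; the comment in the patch acknowledges that the caller cannot clean up. Resolving all three symbols inside wrapper_disk_part_iter_init() and returning -1 if any is missing would report the failure before the iterator exists. This patch is tagged Backport [2.12.6], so the same code now arrives through the tarball; the path is compiled only for kernels >= 5.12 with CONFIG_KALLSYMS, which the 5.4 and 5.10 recipes in this commit do not reach. Minor style point: __canary__disk_part_iter_exit() is declared void but uses "return disk_part_iter_exit(piter);".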
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch
deleted file mode 100644
index e32b3e7a2e..0000000000
--- a/poky/meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 127135b6a45d5fca828815c62308f72de97e5739 Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Thu, 15 Apr 2021 13:56:24 -0400
-Subject: [PATCH 3/4] fix backport: block: add a disk_uevent helper (v5.12)
-
-Upstream-Status: Backport [2.12.6]
-
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: I717162069990577abe78e5e7fed28816f32b2c84
----
- {src/wrapper => wrapper}/genhd.c | 2 +-
- wrapper/genhd.h | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
- rename {src/wrapper => wrapper}/genhd.c (98%)
-
-diff --git a/src/wrapper/genhd.c b/wrapper/genhd.c
-similarity index 98%
-rename from src/wrapper/genhd.c
-rename to wrapper/genhd.c
-index a5a6c410..cbec06f7 100644
---- a/src/wrapper/genhd.c
-+++ b/wrapper/genhd.c
-@@ -9,7 +9,7 @@
- * Copyright (C) 2021 Michael Jeanson <mjeanson@efficios.com>
- */
-
--#include <lttng/kernel-version.h>
-+#include <lttng-kernel-version.h>
- #include <linux/module.h>
- #include <wrapper/genhd.h>
-
-diff --git a/wrapper/genhd.h b/wrapper/genhd.h
-index 6bae239d..1b4a4201 100644
---- a/wrapper/genhd.h
-+++ b/wrapper/genhd.h
-@@ -13,7 +13,7 @@
- #define _LTTNG_WRAPPER_GENHD_H
-
- #include <linux/genhd.h>
--#include <lttng/kernel-version.h>
-+#include <lttng-kernel-version.h>
-
- #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0))
- #define LTTNG_DISK_PART_TYPE struct block_device
---
-2.25.1
-
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch
deleted file mode 100644
index dfc9427dca..0000000000
--- a/poky/meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 853d5903a200d8a15b3f38780ddaea5c92fa1a03 Mon Sep 17 00:00:00 2001
-From: He Zhe <zhe.he@windriver.com>
-Date: Mon, 19 Apr 2021 09:09:28 +0000
-Subject: [PATCH 4/4] fix: mm, tracing: kfree event name mismatching with
- provider kmem (v5.12)
-
-a8bc8ae5c932 ("fix: mm, tracing: record slab name for kmem_cache_free() (v5.12)")
-introduces the following call trace for kfree. This is caused by mismatch
-between kfree event and its provider kmem.
-
-This patch maps kfree to kmem_kfree.
-
-WARNING: CPU: 2 PID: 42294 at src/lttng-probes.c:81 fixup_lazy_probes+0xb0/0x1b0 [lttng_tracer]
-CPU: 2 PID: 42294 Comm: modprobe Tainted: G O 5.12.0-rc6-yoctodev-standard #1
-Hardware name: Intel Corporation JACOBSVILLE/JACOBSVILLE, BIOS JBVLCRB2.86B.0014.P20.2004020248 04/02/2020
-RIP: 0010:fixup_lazy_probes+0xb0/0x1b0 [lttng_tracer]
-Code: 75 28 83 c3 01 3b 5d c4 74 22 48 8b 4d d0 48 63
- c3 4c 89 e2 4c 89 f6 48 8b 04 c1 4c 8b 38 4c 89
- ff e8 64 9f 4b de 85 c0 74 c3 <0f> 0b 48 8b 05 bf
- f2 1e 00 48 8d 50 e8 48 3d f0 a0 98 c0 75 18 eb
-RSP: 0018:ffffb976807bfbe0 EFLAGS: 00010286
-RAX: 00000000ffffffff RBX: 0000000000000004 RCX: 0000000000000004
-RDX: 0000000000000066 RSI: ffffffffc03c10a7 RDI: ffffffffc03c11a1
-RBP: ffffb976807bfc28 R08: 0000000000000000 R09: 0000000000000001
-R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000004
-R13: ffffffffc03c2000 R14: ffffffffc03c10a7 R15: ffffffffc03c11a1
-FS: 00007f0ef9533740(0000) GS:ffffa100faa00000(0000) knlGS:0000000000000000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: 0000561e8f0aa000 CR3: 000000015b318000 CR4: 0000000000350ee0
-Call Trace:
- lttng_probe_register+0x38/0xe0 [lttng_tracer]
- ? __event_probe__module_load+0x520/0x520 [lttng_probe_module]
- __lttng_events_init__module+0x15/0x20 [lttng_probe_module]
- do_one_initcall+0x68/0x310
- ? kmem_cache_alloc_trace+0x2ad/0x4c0
- ? do_init_module+0x28/0x280
- do_init_module+0x62/0x280
- load_module+0x26e4/0x2920
- ? kernel_read_file+0x22e/0x290
- __do_sys_finit_module+0xb1/0xf0
- __x64_sys_finit_module+0x1a/0x20
- do_syscall_64+0x38/0x50
- entry_SYSCALL_64_after_hwframe+0x44/0xae
-
-Upstream-Status: Backport [2.12.6]
-
-Signed-off-by: He Zhe <zhe.he@windriver.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: I00e8ee2b8c35f6f8602c88295f5113fbbd139709
----
- instrumentation/events/lttng-module/kmem.h | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/instrumentation/events/lttng-module/kmem.h b/instrumentation/events/lttng-module/kmem.h
-index d787ea54..c9edee61 100644
---- a/instrumentation/events/lttng-module/kmem.h
-+++ b/instrumentation/events/lttng-module/kmem.h
-@@ -88,7 +88,9 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(kmem_alloc_node, kmem_cache_alloc_node,
- )
-
- #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,12,0))
--LTTNG_TRACEPOINT_EVENT(kfree,
-+LTTNG_TRACEPOINT_EVENT_MAP(kfree,
-+
-+ kmem_kfree,
-
- TP_PROTO(unsigned long call_site, const void *ptr),
-
---
-2.25.1
-
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb b/poky/meta/recipes-kernel/lttng/lttng-modules_2.12.6.bb
index 1a01cb0c01..1dff2b05f7 100644
--- a/poky/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb
+++ b/poky/meta/recipes-kernel/lttng/lttng-modules_2.12.6.bb
@@ -11,16 +11,9 @@ include lttng-platforms.inc
SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \
file://Makefile-Do-not-fail-if-CONFIG_TRACEPOINTS-is-not-en.patch \
- file://0001-Fix-memory-leaks-on-event-destroy.patch \
- file://0002-Fix-filter-interpreter-early-exits-on-uninitialized-.patch \
- file://0003-fix-mm-tracing-record-slab-name-for-kmem_cache_free-.patch \
- file://0004-Fix-kretprobe-null-ptr-deref-on-session-destroy.patch \
- file://0005-fix-block-add-a-disk_uevent-helper-v5.12.patch \
- file://0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch \
- file://0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch \
"
-SRC_URI[sha256sum] = "c4d1a1b42c728e37b6b7947ae16563a011c4b297311aa04d56f9a1791fb5a30a"
+SRC_URI[sha256sum] = "95ac2a2cf92d85d23ffbdaca6a1ec0d7c167211d1e0fb850ab90004a3f475eaa"
export INSTALL_MOD_DIR="kernel/lttng-modules"
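Review bot: the SRC_URI edit drops all seven local patches in one step, but from this diff only 0007 can be checked against its own header (Upstream-Status: Backport [2.12.6]). Please state in the commit message that 0001 through 0006 are likewise contained in the 2.12.6 tarball, so that no fix silently disappears with the version bump. The new SRC_URI[sha256sum] should be verified against upstream's release artifacts rather than only against the locally fetched file.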
diff --git a/poky/meta/recipes-kernel/lttng/lttng-tools_2.12.3.bb b/poky/meta/recipes-kernel/lttng/lttng-tools_2.12.4.bb
index 6132daf1a1..133d7561b8 100644
--- a/poky/meta/recipes-kernel/lttng/lttng-tools_2.12.3.bb
+++ b/poky/meta/recipes-kernel/lttng/lttng-tools_2.12.4.bb
@@ -15,7 +15,7 @@ include lttng-platforms.inc
DEPENDS = "liburcu popt libxml2 util-linux"
RDEPENDS_${PN} = "libgcc"
RRECOMMENDS_${PN} += "${LTTNGMODULES}"
-RDEPENDS_${PN}-ptest += "make perl bash gawk babeltrace procps perl-module-overloading coreutils util-linux kmod ${LTTNGMODULES} sed python3-core"
+RDEPENDS_${PN}-ptest += "make perl bash gawk babeltrace procps perl-module-overloading coreutils util-linux kmod ${LTTNGMODULES} sed python3-core grep"
RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils"
RDEPENDS_${PN}-ptest_append_libc-musl = " musl-utils"
# babelstats.pl wants getopt-long
@@ -39,7 +39,7 @@ SRC_URI = "https://lttng.org/files/lttng-tools/lttng-tools-${PV}.tar.bz2 \
file://determinism.patch \
"
-SRC_URI[sha256sum] = "2890da230edd523fcf497e9eb28133b7606d64fa01bcbffadbfcba42104db153"
+SRC_URI[sha256sum] = "d729f8c2373a41194f171aeb0da0a9bb35ac181f31afa7e260786d19a500dea1"
inherit autotools ptest pkgconfig useradd python3-dir manpages systemd
@@ -69,7 +69,10 @@ do_install_append () {
}
do_install_ptest () {
- for f in Makefile tests/Makefile tests/utils/utils.sh tests/regression/tools/save-load/*.lttng tests/regression/tools/save-load/configuration/load-42*.lttng tests/regression/tools/health/test_health.sh tests/regression/tools/metadata/utils.sh tests/regression/tools/rotation/rotate_utils.sh; do
+ for f in Makefile tests/Makefile tests/utils/utils.sh tests/regression/tools/save-load/*.lttng \
+ tests/regression/tools/save-load/configuration/load-42*.lttng tests/regression/tools/health/test_health.sh \
+ tests/regression/tools/metadata/utils.sh tests/regression/tools/rotation/rotate_utils.sh \
+ tests/regression/tools/base-path/*.lttng; do
install -D "${B}/$f" "${D}${PTEST_PATH}/$f"
done
diff --git a/poky/meta/recipes-kernel/perf/perf.bb b/poky/meta/recipes-kernel/perf/perf.bb
index 28d0c6a2a2..563556c291 100644
--- a/poky/meta/recipes-kernel/perf/perf.bb
+++ b/poky/meta/recipes-kernel/perf/perf.bb
@@ -48,7 +48,7 @@ PROVIDES = "virtual/perf"
inherit linux-kernel-base kernel-arch manpages
# needed for building the tools/perf Python bindings
-inherit ${@bb.utils.contains('PACKAGECONFIG', 'scripting', 'python3native', '', d)}
+inherit ${@bb.utils.contains('PACKAGECONFIG', 'scripting', 'python3targetconfig', '', d)}
inherit python3-dir
export PYTHON_SITEPACKAGES_DIR
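Review bot: the inherit line switches from python3native to python3targetconfig, but the comment directly above it still only says the class is "needed for building the tools/perf Python bindings". Extend that comment with why the target configuration is required, since the reason cannot be recovered from the line itself.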
diff --git a/poky/meta/recipes-support/boost/boost-1.75.0.inc b/poky/meta/recipes-support/boost/boost-1.75.0.inc
index e5a8488c58..bc70c73739 100644
--- a/poky/meta/recipes-support/boost/boost-1.75.0.inc
+++ b/poky/meta/recipes-support/boost/boost-1.75.0.inc
@@ -11,7 +11,7 @@ BOOST_VER = "${@"_".join(d.getVar("PV").split("."))}"
BOOST_MAJ = "${@"_".join(d.getVar("PV").split(".")[0:2])}"
BOOST_P = "boost_${BOOST_VER}"
-SRC_URI = "https://dl.bintray.com/boostorg/release/${PV}/source/${BOOST_P}.tar.bz2"
+SRC_URI = "https://boostorg.jfrog.io/artifactory/main/release/${PV}/source/${BOOST_P}.tar.bz2"
SRC_URI[sha256sum] = "953db31e016db7bb207f11432bef7df100516eeb746843fa0486a222e3fd49cb"
UPSTREAM_CHECK_URI = "http://www.boost.org/users/download/"
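Review bot: the unchanged SRC_URI[sha256sum] context line is what makes this host switch safe, because the tarball fetched from boostorg.jfrog.io has to be byte-identical to the one already pinned; worth saying so in the commit message. UPSTREAM_CHECK_URI on the last context line still uses plain http:// and could move to https:// in the same change.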
diff --git a/poky/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch b/poky/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
new file mode 100644
index 0000000000..1e0e18cf12
--- /dev/null
+++ b/poky/meta/recipes-support/curl/curl/0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
@@ -0,0 +1,517 @@
+From e499142d377b56c7606437d14c99d3cb27aba9fd Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <trevor.gamblin@windriver.com>
+Date: Tue, 1 Jun 2021 09:50:20 -0400
+Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+
+To make sure we set and extract the correct session.
+
+Reported-by: Mingtao Yang
+Bug: https://curl.se/docs/CVE-2021-22890.html
+
+CVE: CVE-2021-22890
+
+Upstream-Status: Backport
+(https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844)
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ lib/vtls/bearssl.c | 8 +++++--
+ lib/vtls/gtls.c | 12 ++++++----
+ lib/vtls/mbedtls.c | 12 ++++++----
+ lib/vtls/mesalink.c | 14 ++++++++----
+ lib/vtls/openssl.c | 54 +++++++++++++++++++++++++++++++++-----------
+ lib/vtls/schannel.c | 10 ++++----
+ lib/vtls/sectransp.c | 10 ++++----
+ lib/vtls/vtls.c | 12 +++++++---
+ lib/vtls/vtls.h | 2 ++
+ lib/vtls/wolfssl.c | 29 ++++++++++++++----------
+ 10 files changed, 112 insertions(+), 51 deletions(-)
+
+diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
+index 29b08c0e6..0432dfadc 100644
+--- a/lib/vtls/bearssl.c
++++ b/lib/vtls/bearssl.c
+@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data,
+ void *session;
+
+ Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &session, NULL, sockindex)) {
+ br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
+ infof(data, "BearSSL: re-using session ID\n");
+ }
+@@ -571,10 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data,
+ br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
+ Curl_ssl_sessionid_lock(data);
+ incache = !(Curl_ssl_getsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
+ &oldsession, NULL, sockindex));
+ if(incache)
+ Curl_ssl_delsessionid(data, oldsession);
+- ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex);
++ ret = Curl_ssl_addsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ session, 0, sockindex);
+ Curl_ssl_sessionid_unlock(data);
+ if(ret) {
+ free(session);
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 3ddee1974..28ca528a6 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -733,6 +733,7 @@ gtls_connect_step1(struct Curl_easy *data,
+
+ Curl_ssl_sessionid_lock(data);
+ if(!Curl_ssl_getsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
+ &ssl_sessionid, &ssl_idsize, sockindex)) {
+ /* we got a session id, use it! */
+ gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
+@@ -1292,8 +1293,9 @@ gtls_connect_step3(struct Curl_easy *data,
+ gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
+
+ Curl_ssl_sessionid_lock(data);
+- incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL,
+- sockindex));
++ incache = !(Curl_ssl_getsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex));
+ if(incache) {
+ /* there was one before in the cache, so instead of risking that the
+ previous one was rejected, we just kill that and store the new */
+@@ -1301,8 +1303,10 @@ gtls_connect_step3(struct Curl_easy *data,
+ }
+
+ /* store this session id */
+- result = Curl_ssl_addsessionid(data, conn, connect_sessionid,
+- connect_idsize, sockindex);
++ result = Curl_ssl_addsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ connect_sessionid, connect_idsize,
++ sockindex);
+ Curl_ssl_sessionid_unlock(data);
+ if(result) {
+ free(connect_sessionid);
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index fc3a948d1..bd0e0802e 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+ void *old_session = NULL;
+
+ Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &old_session, NULL, sockindex)) {
+ ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
+ if(ret) {
+ Curl_ssl_sessionid_unlock(data);
+@@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+ int ret;
+ mbedtls_ssl_session *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+ our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
+ if(!our_ssl_sessionid)
+@@ -742,11 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+
+ /* If there's already a matching session in the cache, delete it */
+ Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex))
++ if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
++ sockindex))
+ Curl_ssl_delsessionid(data, old_ssl_sessionid);
+
+- retcode = Curl_ssl_addsessionid(data, conn,
+- our_ssl_sessionid, 0, sockindex);
++ retcode = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
++ 0, sockindex);
+ Curl_ssl_sessionid_unlock(data);
+ if(retcode) {
+ mbedtls_ssl_session_free(our_ssl_sessionid);
+diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
+index b6d1005ec..ad807d3ba 100644
+--- a/lib/vtls/mesalink.c
++++ b/lib/vtls/mesalink.c
+@@ -261,7 +261,9 @@ mesalink_connect_step1(struct Curl_easy *data,
+ void *ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+ /* we got a session id, use it! */
+ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+ Curl_ssl_sessionid_unlock(data);
+@@ -345,13 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+ bool incache;
+ SSL_SESSION *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+ our_ssl_sessionid = SSL_get_session(BACKEND->handle);
+
+ Curl_ssl_sessionid_lock(data);
+ incache =
+- !(Curl_ssl_getsessionid(data, conn,
+- &old_ssl_sessionid, NULL, sockindex));
++ !(Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL,
++ sockindex));
+ if(incache) {
+ if(old_ssl_sessionid != our_ssl_sessionid) {
+ infof(data, "old SSL session ID is stale, removing\n");
+@@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+ }
+
+ if(!incache) {
+- result = Curl_ssl_addsessionid(
+- data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
++ result =
++ Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, 0,
++ sockindex);
+ if(result) {
+ Curl_ssl_sessionid_unlock(data);
+ failf(data, "failed to store ssl session");
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 784d9f70e..8304264d3 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -391,12 +391,23 @@ static int ossl_get_ssl_conn_index(void)
+ */
+ static int ossl_get_ssl_sockindex_index(void)
+ {
+- static int ssl_ex_data_sockindex_index = -1;
+- if(ssl_ex_data_sockindex_index < 0) {
+- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
+- NULL);
++ static int sockindex_index = -1;
++ if(sockindex_index < 0) {
++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+ }
+- return ssl_ex_data_sockindex_index;
++ return sockindex_index;
++}
++
++/* Return an extra data index for proxy boolean.
++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
++ */
++static int ossl_get_proxy_index(void)
++{
++ static int proxy_index = -1;
++ if(proxy_index < 0) {
++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
++ }
++ return proxy_index;
+ }
+
+ static int passwd_callback(char *buf, int num, int encrypting,
+@@ -1172,7 +1183,7 @@ static int ossl_init(void)
+
+ /* Initialize the extra data indexes */
+ if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 ||
+- ossl_get_ssl_sockindex_index() < 0)
++ ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
+ return 0;
+
+ return 1;
+@@ -2455,8 +2466,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+ int data_idx = ossl_get_ssl_data_index();
+ int connectdata_idx = ossl_get_ssl_conn_index();
+ int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
++ bool isproxy;
+
+- if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0)
++ if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
+ return 0;
+
+ conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
+@@ -2469,13 +2482,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+ sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
+ sockindex = (int)(sockindex_ptr - conn->sock);
+
++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
++
+ if(SSL_SET_OPTION(primary.sessionid)) {
+ bool incache;
+ void *old_ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(data);
+- incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
+- sockindex));
++ if(isproxy)
++ incache = FALSE;
++ else
++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
++ &old_ssl_sessionid, NULL, sockindex));
+ if(incache) {
+ if(old_ssl_sessionid != ssl_sessionid) {
+ infof(data, "old SSL session ID is stale, removing\n");
+@@ -2485,8 +2503,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+ }
+
+ if(!incache) {
+- if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid,
+- 0 /* unknown size */, sockindex)) {
++ if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
++ 0 /* unknown size */, sockindex)) {
+ /* the session has been put into the session cache */
+ res = 1;
+ }
+@@ -3212,17 +3230,27 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ int data_idx = ossl_get_ssl_data_index();
+ int connectdata_idx = ossl_get_ssl_conn_index();
+ int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
+
+- if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) {
++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
++ proxy_idx >= 0) {
+ /* Store the data needed for the "new session" callback.
+ * The sockindex is stored as a pointer to an array element. */
+ SSL_set_ex_data(backend->handle, data_idx, data);
+ SSL_set_ex_data(backend->handle, connectdata_idx, conn);
+ SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++ NULL);
++#else
++ SSL_set_ex_data(backend->handle, proxy_idx, NULL);
++#endif
++
+ }
+
+ Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+ /* we got a session id, use it! */
+ if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+ Curl_ssl_sessionid_unlock(data);
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index 0668f98f2..bd27ba0bf 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -496,6 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+ if(SSL_SET_OPTION(primary.sessionid)) {
+ Curl_ssl_sessionid_lock(data);
+ if(!Curl_ssl_getsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
+ (void **)&old_cred, NULL, sockindex)) {
+ BACKEND->cred = old_cred;
+ DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
+@@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+ struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ SECURITY_STATUS sspi_status = SEC_E_OK;
+ CERT_CONTEXT *ccert_context = NULL;
++ bool isproxy = SSL_IS_PROXY();
+ #ifdef DEBUGBUILD
+- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++ const char * const hostname = isproxy ? conn->http_proxy.host.name :
+ conn->host.name;
+ #endif
+ #ifdef HAS_ALPN
+@@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+ struct Curl_schannel_cred *old_cred = NULL;
+
+ Curl_ssl_sessionid_lock(data);
+- incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL,
+- sockindex));
++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&old_cred,
++ NULL, sockindex));
+ if(incache) {
+ if(old_cred != BACKEND->cred) {
+ DEBUGF(infof(data,
+@@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+ }
+ }
+ if(!incache) {
+- result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred,
++ result = Curl_ssl_addsessionid(data, conn, isproxy, BACKEND->cred,
+ sizeof(struct Curl_schannel_cred),
+ sockindex);
+ if(result) {
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 9a8f7de8d..6d1ea7e7b 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+ char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+ const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+ #ifndef CURL_DISABLE_PROXY
+- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++ bool isproxy = SSL_IS_PROXY();
++ const char * const hostname = isproxy ? conn->http_proxy.host.name :
+ conn->host.name;
+ const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
+ #else
++ const isproxy = FALSE;
+ const char * const hostname = conn->host.name;
+ const long int port = conn->remote_port;
+ #endif
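Review bot: in the #else branch, `const isproxy = FALSE;` has no type, so it relies on implicit int and does not match the `bool isproxy` declared in the #ifndef CURL_DISABLE_PROXY branch; make it `const bool isproxy = FALSE;`. The `port` initializer in the proxy branch still calls SSL_IS_PROXY() although the local now exists and could be used there too.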
+@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+ #ifdef USE_NGHTTP2
+ if(data->set.httpversion >= CURL_HTTP_VERSION_2
+ #ifndef CURL_DISABLE_PROXY
+- && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
++ && (!isproxy || !conn->bits.tunnel_proxy)
+ #endif
+ ) {
+ CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
+@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+ size_t ssl_sessionid_len;
+
+ Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid,
++ if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessionid,
+ &ssl_sessionid_len, sockindex)) {
+ /* we got a session id, use it! */
+ err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
+@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+- result = Curl_ssl_addsessionid(data, conn, ssl_sessionid,
++ result = Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
+ ssl_sessionid_len, sockindex);
+ Curl_ssl_sessionid_unlock(data);
+ if(result) {
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index b8ab7494f..8ccc1f2e4 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -367,6 +367,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
+ */
+ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+ struct connectdata *conn,
++ const bool isProxy,
+ void **ssl_sessionid,
+ size_t *idsize, /* set 0 if unknown */
+ int sockindex)
+@@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+ bool no_match = TRUE;
+
+ #ifndef CURL_DISABLE_PROXY
+- const bool isProxy = CONNECT_PROXY_SSL();
+ struct ssl_primary_config * const ssl_config = isProxy ?
+ &conn->proxy_ssl_config :
+ &conn->ssl_config;
+@@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+ struct ssl_primary_config * const ssl_config = &conn->ssl_config;
+ const char * const name = conn->host.name;
+ int port = conn->remote_port;
+- (void)sockindex;
+ #endif
++ (void)sockindex;
+ *ssl_sessionid = NULL;
+
++#ifdef CURL_DISABLE_PROXY
++ if(isProxy)
++ return TRUE;
++#endif
++
+ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+ if(!SSL_SET_OPTION(primary.sessionid))
+@@ -480,6 +485,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
+ */
+ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+ struct connectdata *conn,
++ bool isProxy,
+ void *ssl_sessionid,
+ size_t idsize,
+ int sockindex)
+@@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+ int conn_to_port;
+ long *general_age;
+ #ifndef CURL_DISABLE_PROXY
+- const bool isProxy = CONNECT_PROXY_SSL();
+ struct ssl_primary_config * const ssl_config = isProxy ?
+ &conn->proxy_ssl_config :
+ &conn->ssl_config;
+@@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+ const char *hostname = conn->host.name;
+ (void)sockindex;
+ #endif
++ (void)sockindex;
+ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+ clone_host = strdup(hostname);
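Review bot: the `(void)sockindex;` added after #endif duplicates the one still present as a context line inside the #else branch two lines earlier; drop the inner one in this patch. The separate vtls-fix-addsessionid.patch later in this commit removes it together with a `const bool isProxy = FALSE;` left in the same branch, which now collides with the new parameter, so this patch on its own is not safe for a CURL_DISABLE_PROXY build and the two must always be applied together.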
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index 9666682ec..4dc29794c 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -222,6 +222,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
+ */
+ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+ struct connectdata *conn,
++ const bool isproxy,
+ void **ssl_sessionid,
+ size_t *idsize, /* set 0 if unknown */
+ int sockindex);
+@@ -232,6 +233,7 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+ */
+ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+ struct connectdata *conn,
++ const bool isProxy,
+ void *ssl_sessionid,
+ size_t idsize,
+ int sockindex);
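Review bot: the two prototypes in vtls.h disagree with their definitions in vtls.c. Curl_ssl_getsessionid() is declared with `isproxy` here but defined with `isProxy`, and Curl_ssl_addsessionid() is declared `const bool isProxy` here while the vtls.c hunk above defines it as plain `bool isProxy`. Align spelling and qualifier in this patch; vtls-fix-warning.patch later in the commit exists only to repair that mismatch.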
+diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
+index e1fa45926..f1b12b1d8 100644
+--- a/lib/vtls/wolfssl.c
++++ b/lib/vtls/wolfssl.c
+@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+ void *ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(data);
+- if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(data, conn,
++ SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+ /* we got a session id, use it! */
+ if(!SSL_set_session(backend->handle, ssl_sessionid)) {
+ char error_buffer[WOLFSSL_MAX_ERROR_SZ];
+@@ -774,21 +776,24 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+ void *old_ssl_sessionid = NULL;
+
+ our_ssl_sessionid = SSL_get_session(backend->handle);
+-
+- Curl_ssl_sessionid_lock(data);
+- incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
+- sockindex));
+- if(incache) {
+- if(old_ssl_sessionid != our_ssl_sessionid) {
+- infof(data, "old SSL session ID is stale, removing\n");
+- Curl_ssl_delsessionid(data, old_ssl_sessionid);
+- incache = FALSE;
++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
++
++ if(our_ssl_sessionid) {
++ Curl_ssl_sessionid_lock(data);
++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
++ &old_ssl_sessionid, NULL, sockindex));
++ if(incache) {
++ if(old_ssl_sessionid != our_ssl_sessionid) {
++ infof(data, "old SSL session ID is stale, removing\n");
++ Curl_ssl_delsessionid(data, old_ssl_sessionid);
++ incache = FALSE;
++ }
+ }
+ }
+
+ if(!incache) {
+- result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid,
+- 0 /* unknown size */, sockindex);
++ result = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid,
++ 0, sockindex);
+ if(result) {
+ Curl_ssl_sessionid_unlock(data);
+ failf(data, "failed to store ssl session");
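Review bot: Curl_ssl_sessionid_lock() now sits inside the new `if(our_ssl_sessionid)` block, but the `if(!incache)` block that follows is still outside it. When SSL_get_session() returns NULL, `incache` is not assigned anywhere in the visible lines, and the code can reach Curl_ssl_addsessionid() and the failure-path Curl_ssl_sessionid_unlock() without the lock held. Initialize `incache` where it is declared and keep lock, add and unlock under the same condition. `bool isproxy` is also declared after a statement; move it up with the other locals.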
+--
+2.31.1
+
diff --git a/poky/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch b/poky/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch
new file mode 100644
index 0000000000..c02c9bed68
--- /dev/null
+++ b/poky/meta/recipes-support/curl/curl/0002-transfer-strip-credentials-from-the-auto-referer-hea.patch
@@ -0,0 +1,155 @@
+From 21f6cf63939111d8d76d3a4c07f2cd2fe6cb78f8 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <trevor.gamblin@windriver.com>
+Date: Tue, 1 Jun 2021 09:59:20 -0400
+Subject: [PATCH 2/2] transfer: strip credentials from the auto-referer header
+ field
+
+Added test 2081 to verify.
+
+CVE: CVE-2021-22876
+
+Upstream-Status: Backport
+(https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c)
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ lib/transfer.c | 25 ++++++++++++++--
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test2081 | 66 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 90 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test2081
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 2f29b29d8..c641a1d47 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1565,6 +1565,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ data->set.followlocation++; /* count location-followers */
+
+ if(data->set.http_auto_referer) {
++ CURLU *u;
++ char *referer;
++
+ /* We are asked to automatically set the previous URL as the referer
+ when we get the next URL. We pick the ->url field, which may or may
+ not be 100% correct */
+@@ -1574,9 +1577,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ data->change.referer_alloc = FALSE;
+ }
+
+- data->change.referer = strdup(data->change.url);
+- if(!data->change.referer)
++ /* Make a copy of the URL without crenditals and fragment */
++ u = curl_url();
++ if(!u)
++ return CURLE_OUT_OF_MEMORY;
++
++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++ if(!uc)
++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++ curl_url_cleanup(u);
++
++ if(uc || referer == NULL)
+ return CURLE_OUT_OF_MEMORY;
++
++ data->change.referer = referer;
+ data->change.referer_alloc = TRUE; /* yes, free this later */
+ }
+ }
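Review bot: every failure in the curl_url_set()/curl_url_get() chain is reported as CURLE_OUT_OF_MEMORY through `if(uc || referer == NULL)`, which also covers a URL that simply fails to parse. Map `uc` to a more accurate CURLcode or say in a comment that the single error code is intentional. `uc` is not declared in either hunk of this file, so confirm it already exists in Curl_follow(), and note the typo "crenditals" in the new comment.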
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 5ebf049b8..e08cfc7ee 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -223,7 +223,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \
+ test2064 test2065 test2066 test2067 test2068 test2069 test2070 \
+ test2071 test2072 test2073 test2074 test2075 test2076 test2077 \
+ test2078 \
+-test2080 \
++test2080 test2081\
+ test2100 \
+ \
+ test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \
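Review bot: `test2081\` is missing the space before the line-continuation backslash that the neighbouring lines in this list have (`test2078 \`, `test2100 \`); write `test2080 test2081 \` to match.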
+diff --git a/tests/data/test2081 b/tests/data/test2081
+new file mode 100644
+index 000000000..7e74f5766
+--- /dev/null
++++ b/tests/data/test2081
+@@ -0,0 +1,66 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++referer
++followlocation
++--write-out
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 301 This is a weirdo text message swsclose
++Location: data/%TESTNUMBER0002.txt?coolsite=yes
++Content-Length: 62
++Connection: close
++
++This server reply is for testing a simple Location: following
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Automatic referrer credential and anchor stripping check
++ </name>
++ <command>
++http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n'
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<errorcode>
++52
++</errorcode>
++<protocol>
++GET /we/want/our/%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic dXNlcjpwYXNz
++User-Agent: curl/%VERSION
++Accept: */*
++
++GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic dXNlcjpwYXNz
++User-Agent: curl/%VERSION
++Accept: */*
++Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
++
++</protocol>
++<stdout>
++HTTP/1.1 301 This is a weirdo text message swsclose
++Location: data/%TESTNUMBER0002.txt?coolsite=yes
++Content-Length: 62
++Connection: close
++
++http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
++</stdout>
++</verify>
++</testcase>
+--
+2.31.1
+
diff --git a/poky/meta/recipes-support/curl/curl/vtls-fix-addsessionid.patch b/poky/meta/recipes-support/curl/curl/vtls-fix-addsessionid.patch
new file mode 100644
index 0000000000..a4b9cb8931
--- /dev/null
+++ b/poky/meta/recipes-support/curl/curl/vtls-fix-addsessionid.patch
@@ -0,0 +1,31 @@
+From 2c26eeef12f0204fb85d6bf40b4e7a1e2ddcdf24 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Mar 2021 12:50:57 +0200
+Subject: [PATCH] vtls: fix addsessionid for non-proxy builds
+
+Follow-up to b09c8ee15771c61
+Fixes #6812
+Closes #6811
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/2c26eeef12f0204fb85d6bf40b4e7a1e2ddcdf24]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ lib/vtls/vtls.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 95fd6356285f..2e07df0a0462 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -504,11 +504,8 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+ const char *hostname = isProxy ? conn->http_proxy.host.name :
+ conn->host.name;
+ #else
+- /* proxy support disabled */
+- const bool isProxy = FALSE;
+ struct ssl_primary_config * const ssl_config = &conn->ssl_config;
+ const char *hostname = conn->host.name;
+- (void)sockindex;
+ #endif
+ (void)sockindex;
+ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
diff --git a/poky/meta/recipes-support/curl/curl/vtls-fix-warning.patch b/poky/meta/recipes-support/curl/curl/vtls-fix-warning.patch
new file mode 100644
index 0000000000..113b6fd116
--- /dev/null
+++ b/poky/meta/recipes-support/curl/curl/vtls-fix-warning.patch
@@ -0,0 +1,40 @@
+From b31d9ccfc2da288900e6857ad8d048c612328cac Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Sun, 20 Jun 2021 16:42:58 -0400
+Subject: [PATCH] vtls: fix warning due to function prototype mismatch
+
+b09c8ee changed the function prototype. Caught by Visual Studio.
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/b31d9ccfc2da288900e6857ad8d048c612328cac]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ lib/vtls/vtls.c | 2 +-
+ lib/vtls/vtls.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 82883c9c55e2..fe43703bf8b8 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -497,7 +497,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
+ */
+ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+ struct connectdata *conn,
+- bool isProxy,
++ const bool isProxy,
+ void *ssl_sessionid,
+ size_t idsize,
+ int sockindex)
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index a0585c9cec4c..f1a9b8033ae5 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -247,7 +247,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
+ */
+ bool Curl_ssl_getsessionid(struct Curl_easy *data,
+ struct connectdata *conn,
+- const bool isproxy,
++ const bool isProxy,
+ void **ssl_sessionid,
+ size_t *idsize, /* set 0 if unknown */
+ int sockindex);
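Review bot: Neither hunk changes anything a GCC-based build checks, so the need for this backport should be justified in the patch header. The vtls.c hunk adds a top-level const to the by-value isProxy parameter of Curl_ssl_addsessionid, and the vtls.h hunk only renames isproxy to isProxy in the Curl_ssl_getsessionid prototype. Top-level qualifiers on parameters and parameter names do not affect function type compatibility in C, and the message itself says the warning was "Caught by Visual Studio". If the patch is carried only so that later backports apply cleanly, say so in the header; otherwise consider dropping it to keep the patch stack small. Note also that the subject speaks of one prototype mismatch while the two hunks touch two different functions, which is worth a sentence of explanation.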
diff --git a/poky/meta/recipes-support/curl/curl_7.75.0.bb b/poky/meta/recipes-support/curl/curl_7.75.0.bb
index 7666c7b608..f7a8202bc9 100644
--- a/poky/meta/recipes-support/curl/curl_7.75.0.bb
+++ b/poky/meta/recipes-support/curl/curl_7.75.0.bb
@@ -11,6 +11,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b"
SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://0001-replace-krb5-config-with-pkg-config.patch \
+ file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch \
+ file://0002-transfer-strip-credentials-from-the-auto-referer-hea.patch \
+ file://vtls-fix-addsessionid.patch \
+ file://vtls-fix-warning.patch \
"
SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
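Review bot: The four added SRC_URI entries have an ordering dependency that is only implicit. vtls-fix-addsessionid.patch and vtls-fix-warning.patch are both follow-ups to the change brought in by 0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch, so they must stay listed after it. The order here is correct, but giving the two follow-ups numeric prefixes like the first two (or adding a short comment) would stop a later reorder from breaking do_patch. Separately, 0002-transfer-strip-credentials-from-the-auto-referer-hea.patch is by its name a credential-leak fix; if it and 0001 address tracked CVEs, check that each patch header carries a CVE: tag so that cve-check reports curl 7.75.0 as patched rather than vulnerable.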
diff --git a/poky/meta/recipes-support/libgcrypt/libgcrypt_1.9.2.bb b/poky/meta/recipes-support/libgcrypt/libgcrypt_1.9.3.bb
index 34735ea5d7..fd3d8e09f2 100644
--- a/poky/meta/recipes-support/libgcrypt/libgcrypt_1.9.2.bb
+++ b/poky/meta/recipes-support/libgcrypt/libgcrypt_1.9.3.bb
@@ -14,7 +14,7 @@ LICENSE_dumpsexp-dev = "GPLv3+"
LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
file://COPYING.LIB;md5=bbb461211a33b134d42ed5ee802b37ff \
- file://LICENSES;md5=2dae15d91a37cfde72fe9eae75f8ea14 \
+ file://LICENSES;md5=42fa35a25e138166cc40588387f9159d \
"
DEPENDS = "libgpg-error"
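Review bot: The md5 for file://LICENSES changes in LIC_FILES_CHKSUM with no visible statement of what changed in that file between 1.9.2 and 1.9.3. Please record the reason in a License-Update: line in the commit message (for example whether text was added, or only reformatted), so that someone auditing the license of the image does not have to diff the two tarballs to find out whether LICENSE needs updating as well.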
@@ -27,7 +27,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \
file://0001-Makefile.am-add-a-missing-space.patch \
"
-SRC_URI[sha256sum] = "b2c10d091513b271e47177274607b1ffba3d95b188bbfa8797f948aec9053c5a"
+SRC_URI[sha256sum] = "97ebe4f94e2f7e35b752194ce15a0f3c66324e0ff6af26659bbfb5ff2ec328fd"
# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438"
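Review bot: The new SRC_URI[sha256sum] is the only integrity anchor for a tarball fetched through ${GNUPG_MIRROR}, and nothing in the change says how the value was obtained. Please confirm it was checked against the upstream release announcement or the signed tarball rather than copied from whatever the mirror served at upgrade time.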
diff --git a/poky/scripts/lib/devtool/upgrade.py b/poky/scripts/lib/devtool/upgrade.py
index 5a057e95f5..4605355681 100644
--- a/poky/scripts/lib/devtool/upgrade.py
+++ b/poky/scripts/lib/devtool/upgrade.py
@@ -260,21 +260,20 @@ def _extract_new_source(newpv, srctree, no_patch, srcrev, srcbranch, branch, kee
logger.warning('By user choice, the following patches will NOT be applied to the new source tree:\n %s' % '\n '.join([os.path.basename(patch) for patch in patches]))
else:
__run('git checkout devtool-patched -b %s' % branch)
- skiptag = False
- try:
- __run('git rebase %s' % rev)
- except bb.process.ExecutionError as e:
- skiptag = True
- if 'conflict' in e.stdout:
- logger.warning('Command \'%s\' failed:\n%s\n\nYou will need to resolve conflicts in order to complete the upgrade.' % (e.command, e.stdout.rstrip()))
- else:
- logger.warning('Command \'%s\' failed:\n%s' % (e.command, e.stdout))
- if not skiptag:
- if uri.startswith('git://') or uri.startswith('gitsm://'):
- suffix = 'new'
- else:
- suffix = newpv
- __run('git tag -f devtool-patched-%s' % suffix)
+ (stdout, _) = __run('git branch --list devtool-override-*')
+ branches_to_rebase = [branch] + stdout.split()
+ for b in branches_to_rebase:
+ logger.info("Rebasing {} onto {}".format(b, rev))
+ __run('git checkout %s' % b)
+ try:
+ __run('git rebase %s' % rev)
+ except bb.process.ExecutionError as e:
+ if 'conflict' in e.stdout:
+ logger.warning('Command \'%s\' failed:\n%s\n\nYou will need to resolve conflicts in order to complete the upgrade.' % (e.command, e.stdout.rstrip()))
+ __run('git rebase --abort')
+ else:
+ logger.warning('Command \'%s\' failed:\n%s' % (e.command, e.stdout))
+ __run('git checkout %s' % branch)
if tmpsrctree:
if keep_temp:
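Review bot: In the conflict branch of the new loop, the warning still tells the user "You will need to resolve conflicts in order to complete the upgrade", but the next statement runs `git rebase --abort`, so there is no rebase in progress left to resolve and the branch silently stays on the old base. The message should say that the rebase of that branch was aborted and has to be redone by hand, and should name the branch b. The non-conflict failure path does not abort, so a rebase may be left in progress and the following `git checkout` (for the next branch or the final `git checkout %s` % branch) can raise outside the try block. Two smaller points: the `git tag -f devtool-patched-%s` step is removed without replacement, so confirm nothing else relies on that tag; and `stdout.split()` on plain `git branch --list` output will also pick up marker characters such as `*` as branch names, which `git branch --list --format='%(refname:short)' 'devtool-override-*'` avoids, while quoting the pattern keeps a shell from expanding it against files in the source tree.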
diff --git a/poky/scripts/lib/wic/plugins/source/bootimg-pcbios.py b/poky/scripts/lib/wic/plugins/source/bootimg-pcbios.py
index f2639e7004..32e47f1831 100644
--- a/poky/scripts/lib/wic/plugins/source/bootimg-pcbios.py
+++ b/poky/scripts/lib/wic/plugins/source/bootimg-pcbios.py
@@ -186,8 +186,10 @@ class BootimgPcbiosPlugin(SourcePlugin):
# dosfs image, created by mkdosfs
bootimg = "%s/boot%s.img" % (cr_workdir, part.lineno)
- dosfs_cmd = "mkdosfs -n boot -i %s -S 512 -C %s %d" % \
- (part.fsuuid, bootimg, blocks)
+ label = part.label if part.label else "boot"
+
+ dosfs_cmd = "mkdosfs -n %s -i %s -S 512 -C %s %d" % \
+ (label, part.fsuuid, bootimg, blocks)
exec_native_cmd(dosfs_cmd, native_sysroot)
mcopy_cmd = "mcopy -i %s -s %s/* ::/" % (bootimg, hdddir)
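Review bot: The new `label` value is taken from part.label and interpolated unquoted and unvalidated into the mkdosfs command string passed to exec_native_cmd. A label from the .wks file that contains whitespace or shell metacharacters will break or alter the command, and a label longer than the 11 characters a FAT volume label allows will make mkdosfs fail with an error that does not point back at the kickstart line. Suggest checking the length and character set up front and raising a WicError that names the partition, and quoting the value (for example with shlex.quote) before building dosfs_cmd. The same quoting would be sensible for bootimg, which is built from cr_workdir.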