author: Patrick Williams <patrick@stwcx.xyz> 2021-05-27 09:23:47 +0300
committer: Patrick Williams <patrick@stwcx.xyz> 2021-05-27 09:29:33 +0300
commit: eee7d70a4dbbd89645098df2397aa3f4e5d8baa0
tree: 6d5e9c8499e6106fd31b902694ad519941460ed8 /meta-openembedded
parent: 776d5d2fd95e177490624f4f2f1b2f91a20a3e77
subtree updates
meta-openembedded: 346681e7bf..11eae11452:
  Aditya.Tayade (1):
      neon: Add ptest

  Andrei Gherzan (1):
      nss: Fix warnings generated by getcwd

  Andrej Kozemcak (1):
      libupnp: Fix CVE-2020-13848

  Armin Kuster (3):
      wireguard: fix build issue with updated 5.4 kernel
      nostromo: Blacklist and exclude from world builds
      packagegroup-meta-webserver: remove nostromo from pkg grp

  Clément Péron (1):
      nodejs: 12.20.2 -> 12.21.0

  Khem Raj (1):
      linuxptp: Fix cross build

  Marek Vasut (1):
      freerdp: Add missing libxkbcommon WL dependency

  Martin Jansa (9):
      opencv: refresh patches with devtool to apply cleanly
      ceres-solver: prevent fetching git hook during do_configure
      packagegroup-meta-oe: include nodejs without meta-python2 conditional
      packagegroup-meta-oe: move the packages depending on meta-python2 to separate packages
      packagegroup-meta-oe: add guider
      uml-utilities: fix installed-vs-shipped with usrmerge
      telepathy-glib: respect GI_DATA_ENABLED when enabling vala-bindings
      libyui: switch to libyui-old repo which still has this SRCREV
      ostree: switch from default master branch to main to fix do_fetch failure

  Mingli Yu (2):
      hostapd: fix CVE-2019-5061
      hostapd: fix CVE-2021-0326 and CVE-2021-27803

  Neetika Singh (1):
      opencv: Security fixes

  Peace Lee (2):
      guider: Upgrade to 3.9.7
      Update commit for version 3.9.7

  Rahul Taya (1):
      nghttp2: Add fix for CVE-2020-11080

  Saloni Jain (1):
      fuse: Whitelisted CVE-2019-14860

  Sana Kazi (1):
      mdns: Whitelisted CVE-2007-0613 for mdns

  Sean Nyekjaer (1):
      nodejs: 12.20.1 -> 12.20.2

  Stefan Ghinea (1):
      hostapd: fix CVE-2021-30004

  changqing.li@windriver.com (1):
      thin-provisioning-tools: switch branch from master to main

poky: d20ef1f5a5..6ebb33bdac:
  Alejandro Hernandez Samaniego (1):
      devtool: Fix do_kernel_configme task

  Alexander Kanavin (11):
      selftest/reproducible: enable world reproducibility test
      selftest/reproducible: add an exclusion list for items that are not yet reproducible
      selftest/reproducible: track unusued entries in the exclusion list
      oeqa: tear down oeqa decorators if one of them raises an exception in setup
      meta/lib/oeqa/core/tests/cases/timeout.py: add a testcase for the previous fix
      diffoscope: add native libraries to LD_LIBRARY_PATH
      Revert "oeqa: Set LD_LIBRARY_PATH when executing native commands"
      ovmf: update to 202002
      ovmf: update to 202005
      ovmf: update edk2-stable202005 -> edk2-stable202008
      linux-firmware: upgrade 20210208 -> 20210315

  Anatol Belski (2):
      glibc: Pull latest 2.31 HEAD
      tar: Fix CVE-2021-20193

  Anton D. Kachalov (1):
      run-postinsts: do not remove postinsts directory.

  Anuj Mittal (1):
      lsb-release: fix reproducibility failure

  Bruce Ashfield (14):
      linux-yocto/5.4: update to v5.4.99
      linux-yocto/5.4: update to v5.4.101
      linux-yocto/5.4: update to v5.4.103
      linux-yocto/5.4: update to v5.4.105
      linux-yocto/5.4: update to v5.4.107
      linux-yocto/5.4: update to v5.4.109
      linux-yocto/5.4: update to v5.4.111
      linux-yocto/5.4: update to v5.4.112
      linux-yocto/5.4: fix arm defconfig warnings
      linux-yocto/5.4: update to v5.4.114
      linux-yocto/5.4: update to v5.4.116
      perf: fix python-audit RDEPENDS
      make-mod-scripts: add HOSTCXX definitions and gmp-native dependency
      linux-yocto/5.4: qemuppc32: reduce serial shutdown issues

  Catalin Enache (1):
      connman: fix CVE-2021-26675, CVE-2021-26676

  Charlie Davies (1):
      bitbake-bblayers/create: Fix incorrect priority help message

  Chee Yang Lee (1):
      initrdscripts: init-install-efi.sh install extra files for ESP

  Chen Qi (4):
      python3-jinja2: set CVE_PRODUCT
      cups: use /run instead /var/run in systemd's unit file
      populate_sdk_ext: record METADATA_REVISION
      db: update CVE_PRODUCT

  Christophe Chapuis (1):
      rootfs.py: find .ko.gz and .ko.xz kernel modules as well

  Christopher Larson (2):
      buildhistory: add missing vardepsexcludes
      image,populate_sdk_base: move 'func' flag setting for sdk command vars

  Denys Dmytriyenko (1):
      maintainers: update own email address

  Diego Santa Cruz (1):
      iputils: fix various arping regressions

  Diego Sueiro (1):
      oeqa/selftest/bblayers: Add test case for bitbake-layers layerindex-show-depends

  Dorinda (7):
      meta/recipes-rt: Add HOMEPAGE / DESCRIPTION
      meta-skeleton: Add HOMEPAGE / DESCRIPTION
      meta/recipes-extended: Add HOMEPAGE / DESCRIPTION
      meta/recipes-support: Add HOMEPAGE / DESCRIPTION
      meta/recipes-kernel: Add HOMEPAGE / DESCRIPTION
      meta/recipes-multimedia: Add HOMEPAGE / DESCRIPTION
      meta/recipes-graphics: Add HOMEPAGE / DESCRIPTION

  Dorinda Bassey (3):
      meta/recipes-devtools: Add HOMEPAGE / DESCRIPTION
      meta-selftest: Add HOMEPAGE / DESCRIPTION
      devshell.bbclass: Exceptions displayed within devpyshell

  Douglas Royds (4):
      cmake: Fully-qualified path to ar
      externalsrc: Detect code changes in submodules
      Revert "externalsrc: Detect code changes in submodules"
      externalsrc: Detect code changes in submodules

  Florian Bezdeka (1):
      wic: Warn if an ext filesystem affected by the Y2038 problem is used

  Gavin Li (1):
      kmod: do not symlink config.guess/config.sub during autoreconf

  Guillaume Champagne (1):
      image-live.bbclass: optional depends when ROOTFS empty

  He Zhe (1):
      cryptodev-module: Backport a patch to fix build failure with kernel v5.8

  Jan Brzezanski (1):
      bitbake: Force parser shutdown after catching an exception

  Jon Mason (1):
      runqemu: use "raw" instead of "bin" for ovmf

  Jose Quaresma (1):
      ptest-runner: libgcc must be installed for pthread_cancel to work

  Joshua Watt (1):
      classes/image: Use xargs to set file timestamps

  Kai Uwe Broulik (1):
      gstreamer1.0-plugins-good: on wayland qt5 needs qtwayland

  Khem Raj (6):
      oeqa/pam: Need shadow installed for the tests
      rxvt-unicode: Do not use throw specifications
      dtc: Fix array-bounds error
      documentation-audit.sh: Fix typo in specifying LICENSE_FLAGS_WHITELIST
      ca-certificates: Fix openssl runtime cert dependencies
      cml1.bbclass: Return sorted list of cfg files

  Konrad Weihmann (1):
      cve-update-db-native: skip on empty cpe23Uri

  Lee Chee Yang (7):
      cve-update-db-native: consider version suffix when update CVE db
      cve-check: CVE_VERSION_SUFFIX to work with patched release
      binutils: fix CVE-2021-3487
      subversion: fix CVE-2020-17525
      qemu: fix CVE-2021-3392
      tiff: fix CVE-2020-35523 CVE-2020-35524
      python3-jinja2: 2.11.2 -> 2.11.3

  Li Wang (1):
      linux-dummy: add empty dependent packages

  Marek Vasut (1):
      linux-firmware: Package RSI 911x WiFi firmware

  Mark Hatle (2):
      populate_sdk_ext: Avoid copying and producing .pyc files
      kernel.bbclass: Remove do_install[prefunc] no longer needed

  Martin Jansa (2):
      iso-codes: fix protocol in SRC_URI
      wpa-supplicant: update CVE-2021-27803.patch

  Meh Mbeh Ida Delphine (6):
      recipes-gnome: Add missing HOMEPAGE and DESCRIPTION for recipes
      recipes-graphics: Add missing HOMEPAGE and DESCRIPTION for recipes.
      recipes-kernel: Add missing HOMEPAGE and DESCRIPTION for recipes.
      recipes-multimedia: Add missing HOMEPAGE and DESCRIPTION for recipes.
      recipes-sato: Add missing HOMEPAGE and DESCRIPTION for recipes
      recipes-support: Add missing HOMEPAGE and DESCRIPTION for recipes

  Michael Opdenacker (1):
      sanity.bbclass: mention CONNECTIVITY_CHECK_URIS in network failure message

  Michael Trensch (1):
      linux-firmware: Fix packaging

  Mike Crowe (1):
      curl: Patch CVE-2021-22876 & CVE-2021-22890

  Mikko Rapeli (3):
      openssl: update to 1.1.1k to fix CVE-2021-3450 and CVE-2021-3449
      bitbake: bitbake: tests/fetch: fix test execution without .gitconfig
      bitbake: bitbake: tests/fetch: remove write protected files too

  Mingli Yu (3):
      libtool: make sure autoheader run before autoconf
      libtool: make sure autoheader run before automake
      groff: not ship /usr/bin/grap2graph

  Minjae Kim (3):
      wpa-supplicant: fix CVE-2021-27803
      qemu: fix CVE-2021-20203
      git: fix CVE-2021-21300

  Naveen Saini (1):
      cryptodev-module: fix build failure with kernel v5.10

  Niels Avonds (1):
      bitbake: fetch/gitsm: Fix crash when using git LFS and submodules

  Peter Budny (1):
      lib/oe/terminal: Fix tmux new-session on older tmux versions (<1.9)

  Peter Morrow (2):
      goarch: map target os to windows for mingw* TARGET_OS
      go_1.14: don't set -buildmode=pie when building for windows targets

  Petr Vorel (1):
      scripts/verify-bashisms: Update checkbashisms.pl URL

  Purushottam Choudhary (1):
      shadow: whitelist CVE-2013-4235

  Reto Schneider (2):
      license_image.bbclass: Detect broken symlinks
      license_image.bbclass: Fix symlink to generic license files

  Richard Purdie (44):
      libid3tag: Fix reproducibility issue
      syslinux: Fix reproducibility issues
      swig: Fix reproducibility issue
      efivar: Fix reproducibility issue
      selftest/reproducible: Add ability to pull some objects from sstate
      build-appliance-image: Drop kernel module handling
      bitbake: runqueue: Fix task execution corruption issue
      bitbake: runqueue: Add setscene task overlap sanity check
      selftest/wic: Fix dependency issue in rawcopy test
      build-appliance-image: Update to dunfell head revision
      selftest/reproducible: Sort the unused exclusion list
      diffoscope: Upgrade 136 -> 168
      diffoscope: Upgrade 168 -> 172
      oeqa/selftest: Hardcode test assumptions about heartbeat event timings
      oeqa/selftest: Ensure packages classes are set correctly for maintainers test
      sanity: Add error check for '%' in build path
      sanity: Further improve directory sanity tests
      pseudo: Upgrade to add trailing slashes ignore path fix
      yocto-check-layer: Avoid bug when iterating and autoadding dependencies
      bitbake: runqueue: Fix deferred task issues
      yocto-uninative: Update to 3.1 which includes a patchelf fix
      pybootchart/draw: Avoid divide by zero error
      glibc: Document and whitelist CVE-2019-1010022-25
      qemu: Exclude CVE-2017-5957 from cve-check
      qemu: Exclude CVE-2007-0998 from cve-check
      qemu: Exclude CVE-2018-18438 from cve-check
      jquery: Exclude CVE-2007-2379 from cve-check
      logrotate: Exclude CVE-2011-1548,1549,1550 from cve-check
      openssh: Exclude CVE-2007-2768 from cve-check
      openssh: Exclude CVE-2008-3844 from cve-check
      unzip: Exclude CVE-2008-0888 from cve-check
      cpio: Exclude CVE-2010-4226 from cve-check
      ghostscript: Exclude CVE-2013-6629 from cve-check
      bluez: Exclude CVE-2020-12352 CVE-2020-24490 from cve-check
      tiff: Exclude CVE-2015-7313 from cve-check
      coreutils: Exclude CVE-2016-2781 from cve-check
      librsvg: Exclude CVE-2018-1000041 from cve-check
      avahi: Exclude CVE-2021-26720 from cve-check
      oeqa/qemurunner: Improve logging thread exit handling for qemu shutdown test
      oeqa/qemurunner: Fix binary vs str issue
      oeqa/qemurunner: Improve handling of run_serial for shutdown commands
      Revert "cml1.bbclass: Return sorted list of cfg files"
      sstate: Handle manifest 'corruption' issue
      build-appliance-image: Update to dunfell head revision

  Robert P. J. Day (4):
      bitbake-whatchanged: change ending quote to proper period
      bitbake.conf: correct description of HOSTTOOLS_DIR
      image.bbclass: fix comment "pacackages" -> "packages"
      meta/lib/oe/rootfs.py: Fix typo "Restoreing" -> "Restoring"

  Romain Naour (1):
      dejagnu: needs expect at runtime

  Ross Burton (7):
      ptest-packagelists: remove libinput-ptest
      insane: don't check for a warning string that is never output
      insane: clean up some more warning messages
      cairo: backport patch for CVE-2020-35492
      libnotify: whitelist CVE-2013-7381 (specific to the NodeJS bindings)
      builder: whitelist CVE-2008-4178 (a different builder)
      bitbake: providers: selected version not available should be a warning

  Stefan Ghinea (2):
      wpa-supplicant: fix CVE-2021-30004
      boost: fix do_fetch failure

  Stefan Schmidt (1):
      systemd-conf: do not ask for DHCP if configured on kernel command line

  Steve Sakoman (11):
      Revert "sstatesig.py: show an error instead of warning when sstate manifest isn't found"
      documentation: prepare for 3.1.7 release
      poky.conf: Bump version for 3.1.7 release
      selftest/reproducible: adjust exclusion list for dunfell
      lib/package_manager: Use shutil.copy instead of bb.utils.copyfile for intercepts
      reproducible.py: add quilt-ptest and valgrind-ptest
      poky-tiny.conf: set PREFERRED_VERSION_linux-yocto-tiny to 5.4%
      ref-system-requirements.rst: Add Fedora 33 to list of supported distros
      documentation: prepare for 3.1.8 release
      poky.conf: Add fedora33 as a supported distro
      poky.conf: Bump version for 3.1.8 release

  Vinay Kumar (1):
      Binutils: Fix CVE-2021-20197

  Yanfei Xu (1):
      parselogs: ignore floppy error on qemu-system-x86 at boot stage

  Yann Dirson (1):
      linux-firmware: include all relevant files in -bcm4356

  Yi Fan Yu (2):
      valgrind: Increase timeout duration 30 -> 90 s
      libevent: Increase ptest timing tolerance 50 ms -> 100 ms

  Zhang Qiang (1):
      kernel.bbclass: Configuration for environment with HOSTCXX

  zhengruoqin (1):
      wireless-regdb: upgrade 2020.11.20 -> 2021.04.21

meta-security: c74cc97641..93232ae6d5:
  Armin Kuster (1):
      kas-security-base: drop DL_DIR

  Ming Liu (12):
      ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
      initramfs-framework-ima: fix a wrong path
      ima-evm-keys: add recipe
      initramfs-framework-ima: RDEPENDS on ima-evm-keys
      meta: refactor IMA/EVM sign rootfs
      README.md: update according to the refactoring in ima-evm-rootfs.bbclass
      initramfs-framework-ima: let ima_enabled return 0
      ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
      ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic
      ima-evm-keys: add file-checksums to IMA_EVM_X509
      meta: drop IMA_POLICY from policy recipes
      initramfs-framework-ima: introduce IMA_FORCE

  Omer Akram (4):
      Update apparmor to 2.13.6
      backport cross-compile python binding fix
      Use C preprocessor from the yocto build environment
      tests: correctly escape # in Makefile

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ibb369f72ca2601f5582a5608d6bdd516d90bea2a
Diffstat (limited to 'meta-openembedded')
-rw-r--r-- meta-openembedded/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb | 5
-rw-r--r-- meta-openembedded/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch | 75
-rw-r--r-- meta-openembedded/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb | 3
-rw-r--r-- meta-openembedded/meta-networking/recipes-kernel/wireguard/files/0001-compat-icmp_ndo_send-functions-were-backported-exten.patch | 32
-rw-r--r-- meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb | 3
-rw-r--r-- meta-openembedded/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb | 13
-rw-r--r-- meta-openembedded/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch | 31
-rw-r--r-- meta-openembedded/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch | 308
-rw-r--r-- meta-openembedded/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb | 2
-rw-r--r-- meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch | 854
-rw-r--r-- meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch | 43
-rw-r--r-- meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch | 54
-rw-r--r-- meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch | 123
-rw-r--r-- meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb | 4
-rw-r--r-- meta-openembedded/meta-oe/recipes-connectivity/linuxptp/linuxptp/Use-cross-cpp-in-incdefs.patch | 26
-rw-r--r-- meta-openembedded/meta-oe/recipes-connectivity/linuxptp/linuxptp/no-incdefs-using-host-headers.patch | 29
-rw-r--r-- meta-openembedded/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb | 7
-rw-r--r-- meta-openembedded/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb | 4
-rw-r--r-- meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb | 37
-rw-r--r-- meta-openembedded/meta-oe/recipes-devtools/guider/guider_3.9.6.bb | 39
-rw-r--r-- meta-openembedded/meta-oe/recipes-devtools/guider/guider_3.9.7.bb | 19
-rw-r--r-- meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_12.21.0.bb (renamed from meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_12.20.1.bb) | 2
-rw-r--r-- meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb | 2
-rw-r--r-- meta-openembedded/meta-oe/recipes-extended/uml-utilities/uml-utilities_20040406.bb | 5
-rw-r--r-- meta-openembedded/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb | 2
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb | 8
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/freerdp/freerdp_git.bb | 2
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/neon/neon/run-ptest | 25
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/neon/neon_0.30.2.bb | 15
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb | 6
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch | 4
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-Dont-use-isystem.patch | 4
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-Temporarliy-work-around-deprecated-ffmpeg-RAW-functi.patch | 4
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch | 9
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/opencv/opencv/0002-Make-opencv-ts-create-share-library-intead-of-static.patch | 4
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/opencv/opencv/0003-To-fix-errors-as-following.patch | 8
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-14491.patch | 148
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-14493.patch | 237
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-15939.patch | 73
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-19624.patch | 157
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/opencv/opencv/download.patch | 9
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.1.0.bb | 4
-rw-r--r-- meta-openembedded/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb | 2
-rw-r--r-- meta-openembedded/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb | 2
-rw-r--r-- meta-openembedded/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.7.bb | 3
45 files changed, 2335 insertions, 111 deletions
diff --git a/meta-openembedded/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb b/meta-openembedded/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb
index 95e870691c..49682b3cd4 100644
--- a/meta-openembedded/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb
+++ b/meta-openembedded/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb
@@ -19,6 +19,11 @@ SRC_URI = "https://github.com/libfuse/libfuse/releases/download/${BP}/${BP}.tar.
SRC_URI[md5sum] = "8000410aadc9231fd48495f7642f3312"
SRC_URI[sha256sum] = "d0e69d5d608cc22ff4843791ad097f554dd32540ddc9bed7638cc6fea7c1b4b5"
+# CVE-2019-14860 is a REDHAT specific issue and was addressed for REDHAT Fuse products on Red Hat Fuse 7.4.1 and Red Hat Fuse 7.5.0.
+# REDHAT has also released the fix and updated their security advisories after significant releases.
+CVE_PRODUCT = "fuse"
+CVE_CHECK_WHITELIST += "CVE-2019-14860"
+
UPSTREAM_CHECK_URI = "https://github.com/libfuse/libfuse/releases"
UPSTREAM_CHECK_REGEX = "fuse\-(?P<pver>2(\.\d+)+).tar.gz"
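Review bot: The added CVE_PRODUCT = "fuse" line looks redundant: the recipe is fuse_2.9.9.bb, so cve-check already matches on the product name fuse by default. Drop it, or if it is meant to document the name collision, say so in the comment. The comment above it explains where Red Hat fixed CVE-2019-14860 but never states that the libfuse code built by this recipe is unaffected, which is the fact a later audit of the whitelist entry needs; add one sentence saying so.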
diff --git a/meta-openembedded/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch b/meta-openembedded/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch
new file mode 100644
index 0000000000..695a2c94f0
--- /dev/null
+++ b/meta-openembedded/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch
@@ -0,0 +1,75 @@
+From c805c1de1141cb22f74c0d94dd5664bda37398e0 Mon Sep 17 00:00:00 2001
+From: Marcelo Roberto Jimenez <marcelo.jimenez@gmail.com>
+Date: Thu, 4 Jun 2020 12:03:03 -0300
+Subject: [PATCH] Fixes #177: NULL pointer dereference in
+ FindServiceControlURLPath
+
+Also fixes its dual bug in FindServiceEventURLPath.
+
+Reference:
+https://nvd.nist.gov/vuln/detail/CVE-2020-13848
+
+Upstream-Status: Accepted [https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0]
+CVE: CVE-2020-13848
+Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
+
+---
+ ChangeLog | 6 ++++++
+ upnp/src/genlib/service_table/service_table.c | 16 ++++++++++------
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index 4a956fc..265d268 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -2,6 +2,12 @@
+ Version 1.8.4
+ *******************************************************************************
+
++2020-06-04 Patrik Lantz pjlantz(at)github
++
++ Fixes #177
++
++ NULL pointer dereference in FindServiceControlURLPath
++
+ 2017-11-17 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
+
+ GitHub #57 - 1.8.3 broke ABI without changing SONAME
+diff --git a/upnp/src/genlib/service_table/service_table.c b/upnp/src/genlib/service_table/service_table.c
+index 98c2c0f..f3ee4e5 100644
+--- a/upnp/src/genlib/service_table/service_table.c
++++ b/upnp/src/genlib/service_table/service_table.c
+@@ -300,12 +300,11 @@ FindServiceEventURLPath( service_table * table,
+ uri_type parsed_url;
+ uri_type parsed_url_in;
+
+- if( ( table )
+- &&
+- ( parse_uri( eventURLPath,
+- strlen( eventURLPath ),
+- &parsed_url_in ) == HTTP_SUCCESS ) ) {
+-
++ if (!table || !eventURLPath) {
++ return NULL;
++ }
++ if (parse_uri(eventURLPath, strlen(eventURLPath), &parsed_url_in) ==
++ HTTP_SUCCESS) {
+ finger = table->serviceList;
+ while( finger ) {
+ if( finger->eventURL )
+@@ -352,11 +351,11 @@ FindServiceControlURLPath( service_table * table,
+ uri_type parsed_url;
+ uri_type parsed_url_in;
+
+- if( ( table )
+- &&
+- ( parse_uri
+- ( controlURLPath, strlen( controlURLPath ),
+- &parsed_url_in ) == HTTP_SUCCESS ) ) {
++ if (!table || !controlURLPath) {
++ return NULL;
++ }
++ if (parse_uri(controlURLPath, strlen(controlURLPath), &parsed_url_in) ==
++ HTTP_SUCCESS) {
+ finger = table->serviceList;
+ while( finger ) {
+ if( finger->controlURL )
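Review bot: The patch header uses Upstream-Status: Accepted for a commit that is already merged upstream; the nghttp2 patches added in this same update mark the same situation as Upstream-Status: Backport [url], so use Backport here for consistency. The ChangeLog hunk is not needed for the NULL checks in service_table.c and is the part most likely to stop applying when SRCREV moves, so consider dropping it from the backport and keeping only the service_table.c changes.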
diff --git a/meta-openembedded/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb b/meta-openembedded/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb
index 339c07cd96..828e351be6 100644
--- a/meta-openembedded/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb
+++ b/meta-openembedded/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb
@@ -12,7 +12,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=394a0f17b97f33426275571e15920434"
PV = "1.8.4+git${SRCPV}"
# release-1.8.4
SRCREV = "d5a01fc9895daae98a0c5a8c7d3afce46add529d"
-SRC_URI = "git://github.com/mrjimenez/pupnp.git;protocol=https"
+SRC_URI = "git://github.com/mrjimenez/pupnp.git;protocol=https \
+ file://CVE-2020-13848.patch"
S="${WORKDIR}/git"
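Review bot: SRC_URI still fetches from github.com/mrjimenez/pupnp.git, while the Upstream-Status line of the patch being added points at github.com/pupnp/pupnp. Confirm that the pinned SRCREV exists in the repository the fix is referenced from, and either switch SRC_URI to that repository or add a comment stating the relationship, so the provenance of the base source and of the backport can be checked against one upstream.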
diff --git a/meta-openembedded/meta-networking/recipes-kernel/wireguard/files/0001-compat-icmp_ndo_send-functions-were-backported-exten.patch b/meta-openembedded/meta-networking/recipes-kernel/wireguard/files/0001-compat-icmp_ndo_send-functions-were-backported-exten.patch
new file mode 100644
index 0000000000..f01cfe4e1c
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-kernel/wireguard/files/0001-compat-icmp_ndo_send-functions-were-backported-exten.patch
@@ -0,0 +1,32 @@
+From 122f06bfd8fc7b06a0899fa9adc4ce8e06900d98 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 7 Mar 2021 08:14:33 -0700
+Subject: [PATCH] compat: icmp_ndo_send functions were backported extensively
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+
+Upstream-Status: Backport
+
+Fixes build with 5.4.103 update.
+/include/linux/icmpv6.h:56:6: note: previous declaration of 'icmpv6_ndo_send' was here
+| 56 | void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info);
+
+Signed-of-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ src/compat/compat.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: src/compat/compat.h
+===================================================================
+--- src.orig/compat/compat.h
++++ src/compat/compat.h
+@@ -946,7 +946,7 @@ static inline int skb_ensure_writable(st
+ }
+ #endif
+
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0) && LINUX_VERSION_CODE >= KERNEL_VERSION(5, 5, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 102) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 20, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 178) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 223) && LINUX_VERSION_CODE > KERNEL_VERSION(4, 10, 0)) || LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 259) || defined(ISRHEL8) || defined(ISUBUNTU1804)
+ #if IS_ENABLED(CONFIG_NF_NAT)
+ #include <linux/ip.h>
+ #include <linux/icmpv6.h>
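Review bot: The trailer on the Armin Kuster line reads "Signed-of-by:", which trailer-parsing tools will not recognise as a sign-off; it should be "Signed-off-by:". Upstream-Status: Backport also gives no URL or hash for the upstream wireguard-linux-compat commit, so the long kernel-version condition in compat.h cannot be compared against its origin from the header alone; add the reference in brackets after Backport.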
diff --git a/meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb b/meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
index e8891c4428..6ed988bafa 100644
--- a/meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
+++ b/meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
@@ -3,7 +3,8 @@ require wireguard.inc
SRCREV = "43f57dac7b8305024f83addc533c9eede6509129"
SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat \
- file://0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch"
+ file://0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch \
+ file://0001-compat-icmp_ndo_send-functions-were-backported-exten.patch "
inherit module kernel-module-split
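Review bot: Both patch files in SRC_URI now start with 0001-, so the file names no longer show the order in which they are applied; renaming the new one with a 0002- prefix would make that explicit. The new last entry also leaves a space before the closing quote (exten.patch "), which the line it replaces did not have.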
diff --git a/meta-openembedded/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb b/meta-openembedded/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb
index 0f8dc92df3..ce31233264 100644
--- a/meta-openembedded/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb
+++ b/meta-openembedded/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb
@@ -26,6 +26,19 @@ SRC_URI = "https://opensource.apple.com/tarballs/mDNSResponder/mDNSResponder-${P
SRC_URI[md5sum] = "4e139a8e1133349006b0436291c9e29b"
SRC_URI[sha256sum] = "2cef0ee9900504c5277fb81de0a28e6c0835fe482ebecf1067c6864f5c4eda74"
+# CVE-2007-0613 is not applicable as it only affects Apple products
+# i.e. ichat,mdnsresponder, instant message framework and MacOS.
+# Also, https://www.exploit-db.com/exploits/3230 shows the part of code
+# affected by CVE-2007-0613 which is not preset in upstream source code.
+# Hence, CVE-2007-0613 does not affect other Yocto implementations and
+# is not reported for other distros can be marked whitelisted.
+# Links:
+# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
+# https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613
+# https://security-tracker.debian.org/tracker/CVE-2007-0613
+# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
+CVE_CHECK_WHITELIST += "CVE-2007-0613"
+
PARALLEL_MAKE = ""
S = "${WORKDIR}/mDNSResponder-${PV}/mDNSPosix"
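Review bot: The justification comment needs a cleanup before it can serve as the audit record for this whitelist entry: "not preset" should be "not present", the sentence ending "is not reported for other distros can be marked whitelisted" does not parse, and the vulmon.com link appears twice in the Links list. State the conclusion once (the affected code is not in the upstream source this recipe builds) and keep a single copy of each reference.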
diff --git a/meta-openembedded/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch b/meta-openembedded/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch
new file mode 100644
index 0000000000..ca181bb4b2
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch
@@ -0,0 +1,31 @@
+From f8da73bd042f810f34d19f9eae02b46d870af394 Mon Sep 17 00:00:00 2001
+From: James M Snell <jasnell@gmail.com>
+Date: Sun, 19 Apr 2020 09:12:24 -0700
+Subject: [PATCH] Earlier check for settings flood
+
+CVE: CVE-2020-11080
+Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394.patch]
+Comment: No hunk refreshed
+Affects-version: < v1.41.0
+Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
+---
+ lib/nghttp2_session.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: nghttp2-1.40.0/lib/nghttp2_session.c
+===================================================================
+--- nghttp2-1.40.0.orig/lib/nghttp2_session.c
++++ nghttp2-1.40.0/lib/nghttp2_session.c
+@@ -5678,6 +5678,12 @@ ssize_t nghttp2_session_mem_recv(nghttp2
+ break;
+ }
+
++ /* Check the settings flood counter early to be safe */
++ if (session->obq_flood_counter_ >= session->max_outbound_ack &&
++ !(iframe->frame.hd.flags & NGHTTP2_FLAG_ACK)) {
++ return NGHTTP2_ERR_FLOODED;
++ }
++
+ iframe->state = NGHTTP2_IB_READ_SETTINGS;
+
+ if (iframe->payloadleft) {
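Review bot: This file is numbered -1, but its upstream commit is dated 19 Apr 2020, two days after the commit carried in CVE-2020-11080-2.patch (17 Apr 2020), so the numbering inverts upstream order. Both patches modify lib/nghttp2_session.c; confirm that the recipe lists them in an order that matches the context each was generated against, or renumber the files to follow upstream order.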
diff --git a/meta-openembedded/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch b/meta-openembedded/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch
new file mode 100644
index 0000000000..d3c57e9a80
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch
@@ -0,0 +1,308 @@
+From 336a98feb0d56b9ac54e12736b18785c27f75090 Mon Sep 17 00:00:00 2001
+From: James M Snell <jasnell@gmail.com>
+Date: Fri, 17 Apr 2020 16:53:51 -0700
+Subject: [PATCH] Implement max settings option
+
+CVE: CVE-2020-11080
+Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090.patch]
+Comment: No hunks refreshed
+Affects-version: < v1.41.0
+Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
+---
+ doc/CMakeLists.txt | 1 +
+ doc/Makefile.am | 1 +
+ lib/includes/nghttp2/nghttp2.h | 23 +++++++++++++
+ lib/nghttp2_helper.c | 2 ++
+ lib/nghttp2_option.c | 5 +++
+ lib/nghttp2_option.h | 5 +++
+ lib/nghttp2_session.c | 21 ++++++++++++
+ lib/nghttp2_session.h | 2 ++
+ tests/main.c | 2 ++
+ tests/nghttp2_session_test.c | 61 ++++++++++++++++++++++++++++++++++
+ tests/nghttp2_session_test.h | 1 +
+ 11 files changed, 124 insertions(+)
+
+Index: nghttp2-1.40.0/doc/CMakeLists.txt
+===================================================================
+--- nghttp2-1.40.0.orig/doc/CMakeLists.txt
++++ nghttp2-1.40.0/doc/CMakeLists.txt
+@@ -42,6 +42,7 @@ set(APIDOCS
+ nghttp2_option_set_no_recv_client_magic.rst
+ nghttp2_option_set_peer_max_concurrent_streams.rst
+ nghttp2_option_set_user_recv_extension_type.rst
++ nghttp2_option_set_max_settings.rst
+ nghttp2_pack_settings_payload.rst
+ nghttp2_priority_spec_check_default.rst
+ nghttp2_priority_spec_default_init.rst
+Index: nghttp2-1.40.0/lib/includes/nghttp2/nghttp2.h
+===================================================================
+--- nghttp2-1.40.0.orig/lib/includes/nghttp2/nghttp2.h
++++ nghttp2-1.40.0/lib/includes/nghttp2/nghttp2.h
+@@ -229,6 +229,13 @@ typedef struct {
+ #define NGHTTP2_CLIENT_MAGIC_LEN 24
+
+ /**
++ * @macro
++ *
++ * The default max number of settings per SETTINGS frame
++ */
++#define NGHTTP2_DEFAULT_MAX_SETTINGS 32
++
++/**
+ * @enum
+ *
+ * Error codes used in this library. The code range is [-999, -500],
+@@ -399,6 +406,11 @@ typedef enum {
+ */
+ NGHTTP2_ERR_SETTINGS_EXPECTED = -536,
+ /**
++ * When a local endpoint receives too many settings entries
++ * in a single SETTINGS frame.
++ */
++ NGHTTP2_ERR_TOO_MANY_SETTINGS = -537,
++ /**
+ * The errors < :enum:`NGHTTP2_ERR_FATAL` mean that the library is
+ * under unexpected condition and processing was terminated (e.g.,
+ * out of memory). If application receives this error code, it must
+@@ -2661,6 +2673,17 @@ NGHTTP2_EXTERN void nghttp2_option_set_m
+
+ /**
+ * @function
++ *
++ * This function sets the maximum number of SETTINGS entries per
++ * SETTINGS frame that will be accepted. If more than those entries
++ * are received, the peer is considered to be misbehaving and session
++ * will be closed. The default value is 32.
++ */
++NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option,
++ size_t val);
++
++/**
++ * @function
+ *
+ * Initializes |*session_ptr| for client use. The all members of
+ * |callbacks| are copied to |*session_ptr|. Therefore |*session_ptr|
+Index: nghttp2-1.40.0/lib/nghttp2_helper.c
+===================================================================
+--- nghttp2-1.40.0.orig/lib/nghttp2_helper.c
++++ nghttp2-1.40.0/lib/nghttp2_helper.c
+@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int error_c
+ case NGHTTP2_ERR_FLOODED:
+ return "Flooding was detected in this HTTP/2 session, and it must be "
+ "closed";
++ case NGHTTP2_ERR_TOO_MANY_SETTINGS:
++ return "SETTINGS frame contained more than the maximum allowed entries";
+ default:
+ return "Unknown error code";
+ }
+Index: nghttp2-1.40.0/lib/nghttp2_option.c
+===================================================================
+--- nghttp2-1.40.0.orig/lib/nghttp2_option.c
++++ nghttp2-1.40.0/lib/nghttp2_option.c
+@@ -121,3 +121,8 @@ void nghttp2_option_set_max_outbound_ack
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_OUTBOUND_ACK;
+ option->max_outbound_ack = val;
+ }
++
++void nghttp2_option_set_max_settings(nghttp2_option *option, size_t val) {
++ option->opt_set_mask |= NGHTTP2_OPT_MAX_SETTINGS;
++ option->max_settings = val;
++}
+Index: nghttp2-1.40.0/lib/nghttp2_option.h
+===================================================================
+--- nghttp2-1.40.0.orig/lib/nghttp2_option.h
++++ nghttp2-1.40.0/lib/nghttp2_option.h
+@@ -67,6 +67,7 @@ typedef enum {
+ NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE = 1 << 9,
+ NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10,
+ NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
++ NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
+ } nghttp2_option_flag;
+
+ /**
+@@ -86,6 +87,10 @@ struct nghttp2_option {
+ */
+ size_t max_outbound_ack;
+ /**
++ * NGHTTP2_OPT_MAX_SETTINGS
++ */
++ size_t max_settings;
++ /**
+ * Bitwise OR of nghttp2_option_flag to determine that which fields
+ * are specified.
+ */
+Index: nghttp2-1.40.0/lib/nghttp2_session.c
+===================================================================
+--- nghttp2-1.40.0.orig/lib/nghttp2_session.c
++++ nghttp2-1.40.0/lib/nghttp2_session.c
+@@ -458,6 +458,7 @@ static int session_new(nghttp2_session *
+
+ (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
+ (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
++ (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
+
+ if (option) {
+ if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
+@@ -521,6 +522,11 @@ static int session_new(nghttp2_session *
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_OUTBOUND_ACK) {
+ (*session_ptr)->max_outbound_ack = option->max_outbound_ack;
+ }
++
++ if ((option->opt_set_mask & NGHTTP2_OPT_MAX_SETTINGS) &&
++ option->max_settings) {
++ (*session_ptr)->max_settings = option->max_settings;
++ }
+ }
+
+ rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
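Review bot: in session_new the override is gated on option->max_settings being non-zero, so nghttp2_option_set_max_settings(option, 0) sets the NGHTTP2_OPT_MAX_SETTINGS bit yet leaves the default of 32 in force, and the doc comment added in nghttp2.h says only that the default is 32. Either document there that a value of 0 is ignored, or reject 0 in the setter, so a caller who passes 0 expecting "accept no entries" does not silently get the default.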
+@@ -5694,6 +5700,16 @@ ssize_t nghttp2_session_mem_recv(nghttp2
+ iframe->max_niv =
+ iframe->frame.hd.length / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH + 1;
+
++ if (iframe->max_niv - 1 > session->max_settings) {
++ rv = nghttp2_session_terminate_session_with_reason(
++ session, NGHTTP2_ENHANCE_YOUR_CALM,
++ "SETTINGS: too many setting entries");
++ if (nghttp2_is_fatal(rv)) {
++ return rv;
++ }
++ return (ssize_t)inlen;
++ }
++
+ iframe->iv = nghttp2_mem_malloc(mem, sizeof(nghttp2_settings_entry) *
+ iframe->max_niv);
+
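Review bot: the bound in nghttp2_session_mem_recv is written as "iframe->max_niv - 1 > session->max_settings", which is only correct because max_niv was assigned the entry count plus one two lines earlier. Compare iframe->frame.hd.length / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH directly, or add a comment explaining the "- 1", so a later change to the max_niv computation cannot shift the limit unnoticed. Keeping the check ahead of nghttp2_mem_malloc is the right order, since the allocation size is then bounded by max_settings.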
+@@ -7460,6 +7476,11 @@ static int nghttp2_session_upgrade_inter
+ if (settings_payloadlen % NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH) {
+ return NGHTTP2_ERR_INVALID_ARGUMENT;
+ }
++ /* SETTINGS frame contains too many settings */
++ if (settings_payloadlen / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH
++ > session->max_settings) {
++ return NGHTTP2_ERR_TOO_MANY_SETTINGS;
++ }
+ rv = nghttp2_frame_unpack_settings_payload2(&iv, &niv, settings_payload,
+ settings_payloadlen, mem);
+ if (rv != 0) {
+Index: nghttp2-1.40.0/lib/nghttp2_session.h
+===================================================================
+--- nghttp2-1.40.0.orig/lib/nghttp2_session.h
++++ nghttp2-1.40.0/lib/nghttp2_session.h
+@@ -267,6 +267,8 @@ struct nghttp2_session {
+ /* The maximum length of header block to send. Calculated by the
+ same way as nghttp2_hd_deflate_bound() does. */
+ size_t max_send_header_block_length;
++ /* The maximum number of settings accepted per SETTINGS frame. */
++ size_t max_settings;
+ /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
+ uint32_t next_stream_id;
+ /* The last stream ID this session initiated. For client session,
+Index: nghttp2-1.40.0/tests/main.c
+===================================================================
+--- nghttp2-1.40.0.orig/tests/main.c
++++ nghttp2-1.40.0/tests/main.c
+@@ -315,6 +315,8 @@ int main() {
+ test_nghttp2_session_set_local_window_size) ||
+ !CU_add_test(pSuite, "session_cancel_from_before_frame_send",
+ test_nghttp2_session_cancel_from_before_frame_send) ||
++ !CU_add_test(pSuite, "session_too_many_settings",
++ test_nghttp2_session_too_many_settings) ||
+ !CU_add_test(pSuite, "session_removed_closed_stream",
+ test_nghttp2_session_removed_closed_stream) ||
+ !CU_add_test(pSuite, "session_pause_data",
+Index: nghttp2-1.40.0/tests/nghttp2_session_test.c
+===================================================================
+--- nghttp2-1.40.0.orig/tests/nghttp2_session_test.c
++++ nghttp2-1.40.0/tests/nghttp2_session_test.c
+@@ -10558,6 +10558,67 @@ void test_nghttp2_session_cancel_from_be
+ nghttp2_session_del(session);
+ }
+
++void test_nghttp2_session_too_many_settings(void) {
++ nghttp2_session *session;
++ nghttp2_option *option;
++ nghttp2_session_callbacks callbacks;
++ nghttp2_frame frame;
++ nghttp2_bufs bufs;
++ nghttp2_buf *buf;
++ ssize_t rv;
++ my_user_data ud;
++ nghttp2_settings_entry iv[3];
++ nghttp2_mem *mem;
++ nghttp2_outbound_item *item;
++
++ mem = nghttp2_mem_default();
++ frame_pack_bufs_init(&bufs);
++
++ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks));
++ callbacks.on_frame_recv_callback = on_frame_recv_callback;
++ callbacks.send_callback = null_send_callback;
++
++ nghttp2_option_new(&option);
++ nghttp2_option_set_max_settings(option, 1);
++
++ nghttp2_session_client_new2(&session, &callbacks, &ud, option);
++
++ CU_ASSERT(1 == session->max_settings);
++
++ nghttp2_option_del(option);
++
++ iv[0].settings_id = NGHTTP2_SETTINGS_HEADER_TABLE_SIZE;
++ iv[0].value = 3000;
++
++ iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE;
++ iv[1].value = 16384;
++
++ nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_NONE, dup_iv(iv, 2),
++ 2);
++
++ rv = nghttp2_frame_pack_settings(&bufs, &frame.settings);
++
++ CU_ASSERT(0 == rv);
++ CU_ASSERT(nghttp2_bufs_len(&bufs) > 0);
++
++ nghttp2_frame_settings_free(&frame.settings, mem);
++
++ buf = &bufs.head->buf;
++ assert(nghttp2_bufs_len(&bufs) == nghttp2_buf_len(buf));
++
++ ud.frame_recv_cb_called = 0;
++
++ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
++
++ item = nghttp2_session_get_next_ob_item(session);
++ CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type);
++
++ nghttp2_bufs_reset(&bufs);
++ nghttp2_bufs_free(&bufs);
++ nghttp2_session_del(session);
++}
++
+ static void
+ prepare_session_removed_closed_stream(nghttp2_session *session,
+ nghttp2_hd_deflater *deflater) {
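Review bot: in test_nghttp2_session_too_many_settings, item is dereferenced immediately after nghttp2_session_get_next_ob_item(), so if no GOAWAY was queued the test crashes on item->frame.hd.type instead of reporting a failure; check item against NULL before reading it. ud.frame_recv_cb_called is reset to 0 before the receive call but never checked afterwards, so the test does not show whether the oversized SETTINGS frame reached on_frame_recv_callback. iv is declared with 3 entries while only 2 are filled and packed. Only the nghttp2_session_mem_recv path is exercised; the NGHTTP2_ERR_TOO_MANY_SETTINGS return added to the upgrade path in nghttp2_session.c has no coverage in this patch.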
+Index: nghttp2-1.40.0/tests/nghttp2_session_test.h
+===================================================================
+--- nghttp2-1.40.0.orig/tests/nghttp2_session_test.h
++++ nghttp2-1.40.0/tests/nghttp2_session_test.h
+@@ -156,6 +156,7 @@ void test_nghttp2_session_repeated_prior
+ void test_nghttp2_session_repeated_priority_submission(void);
+ void test_nghttp2_session_set_local_window_size(void);
+ void test_nghttp2_session_cancel_from_before_frame_send(void);
++void test_nghttp2_session_too_many_settings(void);
+ void test_nghttp2_session_removed_closed_stream(void);
+ void test_nghttp2_session_pause_data(void);
+ void test_nghttp2_session_no_closed_streams(void);
+Index: nghttp2-1.40.0/doc/Makefile.am
+===================================================================
+--- nghttp2-1.40.0.orig/doc/Makefile.am
++++ nghttp2-1.40.0/doc/Makefile.am
+@@ -69,6 +69,7 @@ APIDOCS= \
+ nghttp2_option_set_peer_max_concurrent_streams.rst \
+ nghttp2_option_set_user_recv_extension_type.rst \
+ nghttp2_option_set_max_outbound_ack.rst \
++ nghttp2_option_set_max_settings.rst \
+ nghttp2_pack_settings_payload.rst \
+ nghttp2_priority_spec_check_default.rst \
+ nghttp2_priority_spec_default_init.rst \
diff --git a/meta-openembedded/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb b/meta-openembedded/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb
index 9ed8c56420..b497058ca6 100644
--- a/meta-openembedded/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb
+++ b/meta-openembedded/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb
@@ -10,6 +10,8 @@ UPSTREAM_CHECK_URI = "https://github.com/nghttp2/nghttp2/releases"
SRC_URI = "\
https://github.com/nghttp2/nghttp2/releases/download/v${PV}/nghttp2-${PV}.tar.xz \
file://0001-fetch-ocsp-response-use-python3.patch \
+ file://CVE-2020-11080-1.patch \
+ file://CVE-2020-11080-2.patch \
"
SRC_URI[md5sum] = "8d1a6b96760254e4dd142d7176e8fb7c"
SRC_URI[sha256sum] = "09fc43d428ff237138733c737b29fb1a7e49d49de06d2edbed3bc4cdcee69073"
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch
new file mode 100644
index 0000000000..9214615d12
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch
@@ -0,0 +1,854 @@
+From 018edec9b2bd3db20605117c32ff79c1e625c432 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Wed, 11 Sep 2019 12:34:28 +0300
+Subject: [PATCH] Remove IAPP functionality from hostapd
+
+IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been
+maintained nor is there any expectation of the withdrawn trial-use
+recommended practice to be maintained in the future. Furthermore,
+implementation of IAPP in hostapd was not complete, i.e., only parts of
+the recommended practice were included. The main item of some real use
+long time ago was the Layer 2 Update frame to update bridges when a STA
+roams within an ESS, but that functionality has, in practice, been moved
+to kernel drivers to provide better integration with the networking
+stack.
+
+CVE: CVE-2019-5061
+
+Upstream-Status: Backport
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ hostapd/Android.mk | 5 -
+ hostapd/Makefile | 5 -
+ hostapd/android.config | 3 -
+ hostapd/config_file.c | 3 +-
+ hostapd/defconfig | 3 -
+ hostapd/hostapd.conf | 6 -
+ hostapd/main.c | 3 -
+ src/ap/Makefile | 2 -
+ src/ap/ap_config.h | 4 -
+ src/ap/hostapd.c | 14 -
+ src/ap/hostapd.h | 2 -
+ src/ap/iapp.c | 542 ----------------------
+ src/ap/iapp.h | 39 --
+ src/utils/wpa_debug.h | 1 -
+ 14 files changed, 1 insertion(+), 633 deletions(-)
+ delete mode 100644 src/ap/iapp.c
+ delete mode 100644 src/ap/iapp.h
+
+diff --git a/hostapd/Android.mk b/hostapd/Android.mk
+index 3183323ef..a87ac8144 100644
+--- a/hostapd/Android.mk
++++ b/hostapd/Android.mk
+@@ -205,11 +205,6 @@ endif
+
+ L_CFLAGS += -DCONFIG_CTRL_IFACE -DCONFIG_CTRL_IFACE_UNIX
+
+-ifdef CONFIG_IAPP
+-L_CFLAGS += -DCONFIG_IAPP
+-OBJS += src/ap/iapp.c
+-endif
+-
+ ifdef CONFIG_RSN_PREAUTH
+ L_CFLAGS += -DCONFIG_RSN_PREAUTH
+ CONFIG_L2_PACKET=y
+diff --git a/hostapd/Makefile b/hostapd/Makefile
+index f7f4c785b..42bb9e4c8 100644
+--- a/hostapd/Makefile
++++ b/hostapd/Makefile
+@@ -248,11 +248,6 @@ ifndef CONFIG_NO_CTRL_IFACE
+ CFLAGS += -DCONFIG_CTRL_IFACE
+ endif
+
+-ifdef CONFIG_IAPP
+-CFLAGS += -DCONFIG_IAPP
+-OBJS += ../src/ap/iapp.o
+-endif
+-
+ ifdef CONFIG_RSN_PREAUTH
+ CFLAGS += -DCONFIG_RSN_PREAUTH
+ CONFIG_L2_PACKET=y
+diff --git a/hostapd/android.config b/hostapd/android.config
+index efe252332..e2e6c7821 100644
+--- a/hostapd/android.config
++++ b/hostapd/android.config
+@@ -38,9 +38,6 @@ CONFIG_DRIVER_NL80211_QCA=y
+ # Driver interface for no driver (e.g., RADIUS server only)
+ #CONFIG_DRIVER_NONE=y
+
+-# IEEE 802.11F/IAPP
+-#CONFIG_IAPP=y
+-
+ # WPA2/IEEE 802.11i RSN pre-authentication
+ #CONFIG_RSN_PREAUTH=y
+
+diff --git a/hostapd/config_file.c b/hostapd/config_file.c
+index 680f17ee0..0d340d252 100644
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -2712,8 +2712,7 @@ static int hostapd_config_fill(struct hostapd_config *conf,
+ bss->eapol_key_index_workaround = atoi(pos);
+ #ifdef CONFIG_IAPP
+ } else if (os_strcmp(buf, "iapp_interface") == 0) {
+- bss->ieee802_11f = 1;
+- os_strlcpy(bss->iapp_iface, pos, sizeof(bss->iapp_iface));
++ wpa_printf(MSG_INFO, "DEPRECATED: iapp_interface not used");
+ #endif /* CONFIG_IAPP */
+ } else if (os_strcmp(buf, "own_ip_addr") == 0) {
+ if (hostapd_parse_ip_addr(pos, &bss->own_ip_addr)) {
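Review bot: the new "DEPRECATED: iapp_interface not used" branch in hostapd_config_fill stays inside #ifdef CONFIG_IAPP, but this same patch removes every place the build defines that symbol (hostapd/Android.mk, hostapd/Makefile, hostapd/defconfig, src/ap/Makefile). In a build from these files the branch is compiled out, so an existing hostapd.conf that still sets iapp_interface never reaches the deprecation message and falls through to the rest of the else-if chain. Drop the #ifdef/#endif pair around this branch so the key is recognised and logged as deprecated regardless of build flags.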
+diff --git a/hostapd/defconfig b/hostapd/defconfig
+index b1fb56c3b..1a3d9f9ba 100644
+--- a/hostapd/defconfig
++++ b/hostapd/defconfig
+@@ -44,9 +44,6 @@ CONFIG_LIBNL32=y
+ # Driver interface for no driver (e.g., RADIUS server only)
+ #CONFIG_DRIVER_NONE=y
+
+-# IEEE 802.11F/IAPP
+-CONFIG_IAPP=y
+-
+ # WPA2/IEEE 802.11i RSN pre-authentication
+ CONFIG_RSN_PREAUTH=y
+
+diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
+index 6c96a760a..a3c698480 100644
+--- a/hostapd/hostapd.conf
++++ b/hostapd/hostapd.conf
+@@ -41,7 +41,6 @@ interface=wlan0
+ # bit 2 (4) = RADIUS
+ # bit 3 (8) = WPA
+ # bit 4 (16) = driver interface
+-# bit 5 (32) = IAPP
+ # bit 6 (64) = MLME
+ #
+ # Levels (minimum value for logged events):
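Review bot: deleting the "bit 5 (32) = IAPP" line leaves the documented logger module list jumping from bit 4 to bit 6 with no explanation. Keep a line for bit 5 marked as unused, so an operator whose existing module mask has 32 set can see that the bit no longer selects anything rather than wondering whether the documentation is incomplete.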
+@@ -1243,11 +1242,6 @@ eap_server=0
+ # Whether to enable ERP on the EAP server.
+ #eap_server_erp=1
+
+-##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################
+-
+-# Interface to be used for IAPP broadcast packets
+-#iapp_interface=eth0
+-
+
+ ##### RADIUS client configuration #############################################
+ # for IEEE 802.1X with external Authentication Server, IEEE 802.11
+diff --git a/hostapd/main.c b/hostapd/main.c
+index 08896ffe2..8bfe24281 100644
+--- a/hostapd/main.c
++++ b/hostapd/main.c
+@@ -81,9 +81,6 @@ static void hostapd_logger_cb(void *ctx, const u8 *addr, unsigned int module,
+ case HOSTAPD_MODULE_DRIVER:
+ module_str = "DRIVER";
+ break;
+- case HOSTAPD_MODULE_IAPP:
+- module_str = "IAPP";
+- break;
+ case HOSTAPD_MODULE_MLME:
+ module_str = "MLME";
+ break;
+diff --git a/src/ap/Makefile b/src/ap/Makefile
+index bd3f33b77..54e48a0dd 100644
+--- a/src/ap/Makefile
++++ b/src/ap/Makefile
+@@ -18,7 +18,6 @@ CFLAGS += -DCONFIG_IEEE80211R_AP
+ CFLAGS += -DCONFIG_WPS
+ CFLAGS += -DCONFIG_PROXYARP
+ CFLAGS += -DCONFIG_IPV6
+-CFLAGS += -DCONFIG_IAPP
+ CFLAGS += -DCONFIG_AIRTIME_POLICY
+
+ LIB_OBJS= \
+@@ -41,7 +40,6 @@ LIB_OBJS= \
+ hostapd.o \
+ hs20.o \
+ hw_features.o \
+- iapp.o \
+ ieee802_11_auth.o \
+ ieee802_11.o \
+ ieee802_11_ht.o \
+diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
+index e219160b0..17eb0682b 100644
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -325,10 +325,6 @@ struct hostapd_bss_config {
+ int erp_send_reauth_start;
+ char *erp_domain;
+
+- int ieee802_11f; /* use IEEE 802.11f (IAPP) */
+- char iapp_iface[IFNAMSIZ + 1]; /* interface used with IAPP broadcast
+- * frames */
+-
+ enum macaddr_acl {
+ ACCEPT_UNLESS_DENIED = 0,
+ DENY_UNLESS_ACCEPTED = 1,
+diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
+index ef988b634..bf7b1f89e 100644
+--- a/src/ap/hostapd.c
++++ b/src/ap/hostapd.c
+@@ -28,7 +28,6 @@
+ #include "accounting.h"
+ #include "ap_list.h"
+ #include "beacon.h"
+-#include "iapp.h"
+ #include "ieee802_1x.h"
+ #include "ieee802_11_auth.h"
+ #include "vlan_init.h"
+@@ -361,8 +360,6 @@ static void hostapd_free_hapd_data(struct hostapd_data *hapd)
+ hapd->beacon_set_done = 0;
+
+ wpa_printf(MSG_DEBUG, "%s(%s)", __func__, hapd->conf->iface);
+- iapp_deinit(hapd->iapp);
+- hapd->iapp = NULL;
+ accounting_deinit(hapd);
+ hostapd_deinit_wpa(hapd);
+ vlan_deinit(hapd);
+@@ -1296,13 +1293,6 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first)
+ return -1;
+ }
+
+- if (conf->ieee802_11f &&
+- (hapd->iapp = iapp_init(hapd, conf->iapp_iface)) == NULL) {
+- wpa_printf(MSG_ERROR, "IEEE 802.11F (IAPP) initialization "
+- "failed.");
+- return -1;
+- }
+-
+ #ifdef CONFIG_INTERWORKING
+ if (gas_serv_init(hapd)) {
+ wpa_printf(MSG_ERROR, "GAS server initialization failed");
+@@ -3056,10 +3046,6 @@ void hostapd_new_assoc_sta(struct hostapd_data *hapd, struct sta_info *sta,
+ hostapd_prune_associations(hapd, sta->addr);
+ ap_sta_clear_disconnect_timeouts(hapd, sta);
+
+- /* IEEE 802.11F (IAPP) */
+- if (hapd->conf->ieee802_11f)
+- iapp_new_station(hapd->iapp, sta);
+-
+ #ifdef CONFIG_P2P
+ if (sta->p2p_ie == NULL && !sta->no_p2p_set) {
+ sta->no_p2p_set = 1;
+diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h
+index 5b859b8a9..2358d1664 100644
+--- a/src/ap/hostapd.h
++++ b/src/ap/hostapd.h
+@@ -179,8 +179,6 @@ struct hostapd_data {
+ u64 acct_session_id;
+ struct radius_das_data *radius_das;
+
+- struct iapp_data *iapp;
+-
+ struct hostapd_cached_radius_acl *acl_cache;
+ struct hostapd_acl_query_data *acl_queries;
+
+diff --git a/src/ap/iapp.c b/src/ap/iapp.c
+deleted file mode 100644
+index 2556da30c..000000000
+--- a/src/ap/iapp.c
++++ /dev/null
+@@ -1,542 +0,0 @@
+-/*
+- * hostapd / IEEE 802.11F-2003 Inter-Access Point Protocol (IAPP)
+- * Copyright (c) 2002-2007, Jouni Malinen <j@w1.fi>
+- *
+- * This software may be distributed under the terms of the BSD license.
+- * See README for more details.
+- *
+- * Note: IEEE 802.11F-2003 was a experimental use specification. It has expired
+- * and IEEE has withdrawn it. In other words, it is likely better to look at
+- * using some other mechanism for AP-to-AP communication than extending the
+- * implementation here.
+- */
+-
+-/* TODO:
+- * Level 1: no administrative or security support
+- * (e.g., static BSSID to IP address mapping in each AP)
+- * Level 2: support for dynamic mapping of BSSID to IP address
+- * Level 3: support for encryption and authentication of IAPP messages
+- * - add support for MOVE-notify and MOVE-response (this requires support for
+- * finding out IP address for previous AP using RADIUS)
+- * - add support for Send- and ACK-Security-Block to speedup IEEE 802.1X during
+- * reassociation to another AP
+- * - implement counters etc. for IAPP MIB
+- * - verify endianness of fields in IAPP messages; are they big-endian as
+- * used here?
+- * - RADIUS connection for AP registration and BSSID to IP address mapping
+- * - TCP connection for IAPP MOVE, CACHE
+- * - broadcast ESP for IAPP ADD-notify
+- * - ESP for IAPP MOVE messages
+- * - security block sending/processing
+- * - IEEE 802.11 context transfer
+- */
+-
+-#include "utils/includes.h"
+-#include <net/if.h>
+-#include <sys/ioctl.h>
+-#include <netpacket/packet.h>
+-
+-#include "utils/common.h"
+-#include "utils/eloop.h"
+-#include "common/ieee802_11_defs.h"
+-#include "hostapd.h"
+-#include "ap_config.h"
+-#include "ieee802_11.h"
+-#include "sta_info.h"
+-#include "iapp.h"
+-
+-
+-#define IAPP_MULTICAST "224.0.1.178"
+-#define IAPP_UDP_PORT 3517
+-#define IAPP_TCP_PORT 3517
+-
+-struct iapp_hdr {
+- u8 version;
+- u8 command;
+- be16 identifier;
+- be16 length;
+- /* followed by length-6 octets of data */
+-} __attribute__ ((packed));
+-
+-#define IAPP_VERSION 0
+-
+-enum IAPP_COMMAND {
+- IAPP_CMD_ADD_notify = 0,
+- IAPP_CMD_MOVE_notify = 1,
+- IAPP_CMD_MOVE_response = 2,
+- IAPP_CMD_Send_Security_Block = 3,
+- IAPP_CMD_ACK_Security_Block = 4,
+- IAPP_CMD_CACHE_notify = 5,
+- IAPP_CMD_CACHE_response = 6,
+-};
+-
+-
+-/* ADD-notify - multicast UDP on the local LAN */
+-struct iapp_add_notify {
+- u8 addr_len; /* ETH_ALEN */
+- u8 reserved;
+- u8 mac_addr[ETH_ALEN];
+- be16 seq_num;
+-} __attribute__ ((packed));
+-
+-
+-/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */
+-struct iapp_layer2_update {
+- u8 da[ETH_ALEN]; /* broadcast */
+- u8 sa[ETH_ALEN]; /* STA addr */
+- be16 len; /* 6 */
+- u8 dsap; /* null DSAP address */
+- u8 ssap; /* null SSAP address, CR=Response */
+- u8 control;
+- u8 xid_info[3];
+-} __attribute__ ((packed));
+-
+-
+-/* MOVE-notify - unicast TCP */
+-struct iapp_move_notify {
+- u8 addr_len; /* ETH_ALEN */
+- u8 reserved;
+- u8 mac_addr[ETH_ALEN];
+- u16 seq_num;
+- u16 ctx_block_len;
+- /* followed by ctx_block_len bytes */
+-} __attribute__ ((packed));
+-
+-
+-/* MOVE-response - unicast TCP */
+-struct iapp_move_response {
+- u8 addr_len; /* ETH_ALEN */
+- u8 status;
+- u8 mac_addr[ETH_ALEN];
+- u16 seq_num;
+- u16 ctx_block_len;
+- /* followed by ctx_block_len bytes */
+-} __attribute__ ((packed));
+-
+-enum {
+- IAPP_MOVE_SUCCESSFUL = 0,
+- IAPP_MOVE_DENIED = 1,
+- IAPP_MOVE_STALE_MOVE = 2,
+-};
+-
+-
+-/* CACHE-notify */
+-struct iapp_cache_notify {
+- u8 addr_len; /* ETH_ALEN */
+- u8 reserved;
+- u8 mac_addr[ETH_ALEN];
+- u16 seq_num;
+- u8 current_ap[ETH_ALEN];
+- u16 ctx_block_len;
+- /* ctx_block_len bytes of context block followed by 16-bit context
+- * timeout */
+-} __attribute__ ((packed));
+-
+-
+-/* CACHE-response - unicast TCP */
+-struct iapp_cache_response {
+- u8 addr_len; /* ETH_ALEN */
+- u8 status;
+- u8 mac_addr[ETH_ALEN];
+- u16 seq_num;
+-} __attribute__ ((packed));
+-
+-enum {
+- IAPP_CACHE_SUCCESSFUL = 0,
+- IAPP_CACHE_STALE_CACHE = 1,
+-};
+-
+-
+-/* Send-Security-Block - unicast TCP */
+-struct iapp_send_security_block {
+- u8 iv[8];
+- u16 sec_block_len;
+- /* followed by sec_block_len bytes of security block */
+-} __attribute__ ((packed));
+-
+-
+-/* ACK-Security-Block - unicast TCP */
+-struct iapp_ack_security_block {
+- u8 iv[8];
+- u8 new_ap_ack_authenticator[48];
+-} __attribute__ ((packed));
+-
+-
+-struct iapp_data {
+- struct hostapd_data *hapd;
+- u16 identifier; /* next IAPP identifier */
+- struct in_addr own, multicast;
+- int udp_sock;
+- int packet_sock;
+-};
+-
+-
+-static void iapp_send_add(struct iapp_data *iapp, u8 *mac_addr, u16 seq_num)
+-{
+- char buf[128];
+- struct iapp_hdr *hdr;
+- struct iapp_add_notify *add;
+- struct sockaddr_in addr;
+-
+- /* Send IAPP ADD-notify to remove possible association from other APs
+- */
+-
+- hdr = (struct iapp_hdr *) buf;
+- hdr->version = IAPP_VERSION;
+- hdr->command = IAPP_CMD_ADD_notify;
+- hdr->identifier = host_to_be16(iapp->identifier++);
+- hdr->length = host_to_be16(sizeof(*hdr) + sizeof(*add));
+-
+- add = (struct iapp_add_notify *) (hdr + 1);
+- add->addr_len = ETH_ALEN;
+- add->reserved = 0;
+- os_memcpy(add->mac_addr, mac_addr, ETH_ALEN);
+-
+- add->seq_num = host_to_be16(seq_num);
+-
+- os_memset(&addr, 0, sizeof(addr));
+- addr.sin_family = AF_INET;
+- addr.sin_addr.s_addr = iapp->multicast.s_addr;
+- addr.sin_port = htons(IAPP_UDP_PORT);
+- if (sendto(iapp->udp_sock, buf, (char *) (add + 1) - buf, 0,
+- (struct sockaddr *) &addr, sizeof(addr)) < 0)
+- wpa_printf(MSG_INFO, "sendto[IAPP-ADD]: %s", strerror(errno));
+-}
+-
+-
+-static void iapp_send_layer2_update(struct iapp_data *iapp, u8 *addr)
+-{
+- struct iapp_layer2_update msg;
+-
+- /* Send Level 2 Update Frame to update forwarding tables in layer 2
+- * bridge devices */
+-
+- /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID)
+- * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */
+-
+- os_memset(msg.da, 0xff, ETH_ALEN);
+- os_memcpy(msg.sa, addr, ETH_ALEN);
+- msg.len = host_to_be16(6);
+- msg.dsap = 0; /* NULL DSAP address */
+- msg.ssap = 0x01; /* NULL SSAP address, CR Bit: Response */
+- msg.control = 0xaf; /* XID response lsb.1111F101.
+- * F=0 (no poll command; unsolicited frame) */
+- msg.xid_info[0] = 0x81; /* XID format identifier */
+- msg.xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */
+- msg.xid_info[2] = 1 << 1; /* XID sender's receive window size (RW)
+- * FIX: what is correct RW with 802.11? */
+-
+- if (send(iapp->packet_sock, &msg, sizeof(msg), 0) < 0)
+- wpa_printf(MSG_INFO, "send[L2 Update]: %s", strerror(errno));
+-}
+-
+-
+-/**
+- * iapp_new_station - IAPP processing for a new STA
+- * @iapp: IAPP data
+- * @sta: The associated station
+- */
+-void iapp_new_station(struct iapp_data *iapp, struct sta_info *sta)
+-{
+- u16 seq = 0; /* TODO */
+-
+- if (iapp == NULL)
+- return;
+-
+- /* IAPP-ADD.request(MAC Address, Sequence Number, Timeout) */
+- hostapd_logger(iapp->hapd, sta->addr, HOSTAPD_MODULE_IAPP,
+- HOSTAPD_LEVEL_DEBUG, "IAPP-ADD.request(seq=%d)", seq);
+- iapp_send_layer2_update(iapp, sta->addr);
+- iapp_send_add(iapp, sta->addr, seq);
+-
+- /* TODO: If this was reassociation:
+- * IAPP-MOVE.request(MAC Address, Sequence Number, Old AP,
+- * Context Block, Timeout)
+- * TODO: Send IAPP-MOVE to the old AP; Map Old AP BSSID to
+- * IP address */
+-}
+-
+-
+-static void iapp_process_add_notify(struct iapp_data *iapp,
+- struct sockaddr_in *from,
+- struct iapp_hdr *hdr, int len)
+-{
+- struct iapp_add_notify *add = (struct iapp_add_notify *) (hdr + 1);
+- struct sta_info *sta;
+-
+- if (len != sizeof(*add)) {
+- wpa_printf(MSG_INFO, "Invalid IAPP-ADD packet length %d (expected %lu)",
+- len, (unsigned long) sizeof(*add));
+- return;
+- }
+-
+- sta = ap_get_sta(iapp->hapd, add->mac_addr);
+-
+- /* IAPP-ADD.indication(MAC Address, Sequence Number) */
+- hostapd_logger(iapp->hapd, add->mac_addr, HOSTAPD_MODULE_IAPP,
+- HOSTAPD_LEVEL_INFO,
+- "Received IAPP ADD-notify (seq# %d) from %s:%d%s",
+- be_to_host16(add->seq_num),
+- inet_ntoa(from->sin_addr), ntohs(from->sin_port),
+- sta ? "" : " (STA not found)");
+-
+- if (!sta)
+- return;
+-
+- /* TODO: could use seq_num to try to determine whether last association
+- * to this AP is newer than the one advertised in IAPP-ADD. Although,
+- * this is not really a reliable verification. */
+-
+- hostapd_logger(iapp->hapd, add->mac_addr, HOSTAPD_MODULE_IAPP,
+- HOSTAPD_LEVEL_DEBUG,
+- "Removing STA due to IAPP ADD-notify");
+- ap_sta_disconnect(iapp->hapd, sta, NULL, 0);
+-}
+-
+-
+-/**
+- * iapp_receive_udp - Process IAPP UDP frames
+- * @sock: File descriptor for the socket
+- * @eloop_ctx: IAPP data (struct iapp_data *)
+- * @sock_ctx: Not used
+- */
+-static void iapp_receive_udp(int sock, void *eloop_ctx, void *sock_ctx)
+-{
+- struct iapp_data *iapp = eloop_ctx;
+- int len, hlen;
+- unsigned char buf[128];
+- struct sockaddr_in from;
+- socklen_t fromlen;
+- struct iapp_hdr *hdr;
+-
+- /* Handle incoming IAPP frames (over UDP/IP) */
+-
+- fromlen = sizeof(from);
+- len = recvfrom(iapp->udp_sock, buf, sizeof(buf), 0,
+- (struct sockaddr *) &from, &fromlen);
+- if (len < 0) {
+- wpa_printf(MSG_INFO, "iapp_receive_udp - recvfrom: %s",
+- strerror(errno));
+- return;
+- }
+-
+- if (from.sin_addr.s_addr == iapp->own.s_addr)
+- return; /* ignore own IAPP messages */
+-
+- hostapd_logger(iapp->hapd, NULL, HOSTAPD_MODULE_IAPP,
+- HOSTAPD_LEVEL_DEBUG,
+- "Received %d byte IAPP frame from %s%s\n",
+- len, inet_ntoa(from.sin_addr),
+- len < (int) sizeof(*hdr) ? " (too short)" : "");
+-
+- if (len < (int) sizeof(*hdr))
+- return;
+-
+- hdr = (struct iapp_hdr *) buf;
+- hlen = be_to_host16(hdr->length);
+- hostapd_logger(iapp->hapd, NULL, HOSTAPD_MODULE_IAPP,
+- HOSTAPD_LEVEL_DEBUG,
+- "RX: version=%d command=%d id=%d len=%d\n",
+- hdr->version, hdr->command,
+- be_to_host16(hdr->identifier), hlen);
+- if (hdr->version != IAPP_VERSION) {
+- wpa_printf(MSG_INFO, "Dropping IAPP frame with unknown version %d",
+- hdr->version);
+- return;
+- }
+- if (hlen > len) {
+- wpa_printf(MSG_INFO, "Underflow IAPP frame (hlen=%d len=%d)",
+- hlen, len);
+- return;
+- }
+- if (hlen < len) {
+- wpa_printf(MSG_INFO, "Ignoring %d extra bytes from IAPP frame",
+- len - hlen);
+- len = hlen;
+- }
+-
+- switch (hdr->command) {
+- case IAPP_CMD_ADD_notify:
+- iapp_process_add_notify(iapp, &from, hdr, len - sizeof(*hdr));
+- break;
+- case IAPP_CMD_MOVE_notify:
+- /* TODO: MOVE is using TCP; so move this to TCP handler once it
+- * is implemented.. */
+- /* IAPP-MOVE.indication(MAC Address, New BSSID,
+- * Sequence Number, AP Address, Context Block) */
+- /* TODO: process */
+- break;
+- default:
+- wpa_printf(MSG_INFO, "Unknown IAPP command %d", hdr->command);
+- break;
+- }
+-}
+-
+-
+-struct iapp_data * iapp_init(struct hostapd_data *hapd, const char *iface)
+-{
+- struct ifreq ifr;
+- struct sockaddr_ll addr;
+- int ifindex;
+- struct sockaddr_in *paddr, uaddr;
+- struct iapp_data *iapp;
+- struct ip_mreqn mreq;
+- int reuseaddr = 1;
+-
+- iapp = os_zalloc(sizeof(*iapp));
+- if (iapp == NULL)
+- return NULL;
+- iapp->hapd = hapd;
+- iapp->udp_sock = iapp->packet_sock = -1;
+-
+- /* TODO:
+- * open socket for sending and receiving IAPP frames over TCP
+- */
+-
+- iapp->udp_sock = socket(PF_INET, SOCK_DGRAM, 0);
+- if (iapp->udp_sock < 0) {
+- wpa_printf(MSG_INFO, "iapp_init - socket[PF_INET,SOCK_DGRAM]: %s",
+- strerror(errno));
+- iapp_deinit(iapp);
+- return NULL;
+- }
+-
+- os_memset(&ifr, 0, sizeof(ifr));
+- os_strlcpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name));
+- if (ioctl(iapp->udp_sock, SIOCGIFINDEX, &ifr) != 0) {
+- wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFINDEX): %s",
+- strerror(errno));
+- iapp_deinit(iapp);
+- return NULL;
+- }
+- ifindex = ifr.ifr_ifindex;
+-
+- if (ioctl(iapp->udp_sock, SIOCGIFADDR, &ifr) != 0) {
+- wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFADDR): %s",
+- strerror(errno));
+- iapp_deinit(iapp);
+- return NULL;
+- }
+- paddr = (struct sockaddr_in *) &ifr.ifr_addr;
+- if (paddr->sin_family != AF_INET) {
+- wpa_printf(MSG_INFO, "IAPP: Invalid address family %i (SIOCGIFADDR)",
+- paddr->sin_family);
+- iapp_deinit(iapp);
+- return NULL;
+- }
+- iapp->own.s_addr = paddr->sin_addr.s_addr;
+-
+- if (ioctl(iapp->udp_sock, SIOCGIFBRDADDR, &ifr) != 0) {
+- wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFBRDADDR): %s",
+- strerror(errno));
+- iapp_deinit(iapp);
+- return NULL;
+- }
+- paddr = (struct sockaddr_in *) &ifr.ifr_addr;
+- if (paddr->sin_family != AF_INET) {
+- wpa_printf(MSG_INFO, "Invalid address family %i (SIOCGIFBRDADDR)",
+- paddr->sin_family);
+- iapp_deinit(iapp);
+- return NULL;
+- }
+- inet_aton(IAPP_MULTICAST, &iapp->multicast);
+-
+- os_memset(&uaddr, 0, sizeof(uaddr));
+- uaddr.sin_family = AF_INET;
+- uaddr.sin_port = htons(IAPP_UDP_PORT);
+-
+- if (setsockopt(iapp->udp_sock, SOL_SOCKET, SO_REUSEADDR, &reuseaddr,
+- sizeof(reuseaddr)) < 0) {
+- wpa_printf(MSG_INFO,
+- "iapp_init - setsockopt[UDP,SO_REUSEADDR]: %s",
+- strerror(errno));
+- /*
+- * Ignore this and try to continue. This is fine for single
+- * BSS cases, but may fail if multiple BSSes enable IAPP.
+- */
+- }
+-
+- if (bind(iapp->udp_sock, (struct sockaddr *) &uaddr,
+- sizeof(uaddr)) < 0) {
+- wpa_printf(MSG_INFO, "iapp_init - bind[UDP]: %s",
+- strerror(errno));
+- iapp_deinit(iapp);
+- return NULL;
+- }
+-
+- os_memset(&mreq, 0, sizeof(mreq));
+- mreq.imr_multiaddr = iapp->multicast;
+- mreq.imr_address.s_addr = INADDR_ANY;
+- mreq.imr_ifindex = 0;
+- if (setsockopt(iapp->udp_sock, SOL_IP, IP_ADD_MEMBERSHIP, &mreq,
+- sizeof(mreq)) < 0) {
+- wpa_printf(MSG_INFO, "iapp_init - setsockopt[UDP,IP_ADD_MEMBERSHIP]: %s",
+- strerror(errno));
+- iapp_deinit(iapp);
+- return NULL;
+- }
+-
+- iapp->packet_sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
+- if (iapp->packet_sock < 0) {
+- wpa_printf(MSG_INFO, "iapp_init - socket[PF_PACKET,SOCK_RAW]: %s",
+- strerror(errno));
+- iapp_deinit(iapp);
+- return NULL;
+- }
+-
+- os_memset(&addr, 0, sizeof(addr));
+- addr.sll_family = AF_PACKET;
+- addr.sll_ifindex = ifindex;
+- if (bind(iapp->packet_sock, (struct sockaddr *) &addr,
+- sizeof(addr)) < 0) {
+- wpa_printf(MSG_INFO, "iapp_init - bind[PACKET]: %s",
+- strerror(errno));
+- iapp_deinit(iapp);
+- return NULL;
+- }
+-
+- if (eloop_register_read_sock(iapp->udp_sock, iapp_receive_udp,
+- iapp, NULL)) {
+- wpa_printf(MSG_INFO, "Could not register read socket for IAPP");
+- iapp_deinit(iapp);
+- return NULL;
+- }
+-
+- wpa_printf(MSG_INFO, "IEEE 802.11F (IAPP) using interface %s", iface);
+-
+- /* TODO: For levels 2 and 3: send RADIUS Initiate-Request, receive
+- * RADIUS Initiate-Accept or Initiate-Reject. IAPP port should actually
+- * be openned only after receiving Initiate-Accept. If Initiate-Reject
+- * is received, IAPP is not started. */
+-
+- return iapp;
+-}
+-
+-
+-void iapp_deinit(struct iapp_data *iapp)
+-{
+- struct ip_mreqn mreq;
+-
+- if (iapp == NULL)
+- return;
+-
+- if (iapp->udp_sock >= 0) {
+- os_memset(&mreq, 0, sizeof(mreq));
+- mreq.imr_multiaddr = iapp->multicast;
+- mreq.imr_address.s_addr = INADDR_ANY;
+- mreq.imr_ifindex = 0;
+- if (setsockopt(iapp->udp_sock, SOL_IP, IP_DROP_MEMBERSHIP,
+- &mreq, sizeof(mreq)) < 0) {
+- wpa_printf(MSG_INFO, "iapp_deinit - setsockopt[UDP,IP_DEL_MEMBERSHIP]: %s",
+- strerror(errno));
+- }
+-
+- eloop_unregister_read_sock(iapp->udp_sock);
+- close(iapp->udp_sock);
+- }
+- if (iapp->packet_sock >= 0) {
+- eloop_unregister_read_sock(iapp->packet_sock);
+- close(iapp->packet_sock);
+- }
+- os_free(iapp);
+-}
+diff --git a/src/ap/iapp.h b/src/ap/iapp.h
+deleted file mode 100644
+index c22118342..000000000
+--- a/src/ap/iapp.h
++++ /dev/null
+@@ -1,39 +0,0 @@
+-/*
+- * hostapd / IEEE 802.11F-2003 Inter-Access Point Protocol (IAPP)
+- * Copyright (c) 2002-2005, Jouni Malinen <j@w1.fi>
+- *
+- * This software may be distributed under the terms of the BSD license.
+- * See README for more details.
+- */
+-
+-#ifndef IAPP_H
+-#define IAPP_H
+-
+-struct iapp_data;
+-
+-#ifdef CONFIG_IAPP
+-
+-void iapp_new_station(struct iapp_data *iapp, struct sta_info *sta);
+-struct iapp_data * iapp_init(struct hostapd_data *hapd, const char *iface);
+-void iapp_deinit(struct iapp_data *iapp);
+-
+-#else /* CONFIG_IAPP */
+-
+-static inline void iapp_new_station(struct iapp_data *iapp,
+- struct sta_info *sta)
+-{
+-}
+-
+-static inline struct iapp_data * iapp_init(struct hostapd_data *hapd,
+- const char *iface)
+-{
+- return NULL;
+-}
+-
+-static inline void iapp_deinit(struct iapp_data *iapp)
+-{
+-}
+-
+-#endif /* CONFIG_IAPP */
+-
+-#endif /* IAPP_H */
+diff --git a/src/utils/wpa_debug.h b/src/utils/wpa_debug.h
+index 1fe0b7db7..c94c4391f 100644
+--- a/src/utils/wpa_debug.h
++++ b/src/utils/wpa_debug.h
+@@ -305,7 +305,6 @@ void hostapd_logger_register_cb(hostapd_logger_cb_func func);
+ #define HOSTAPD_MODULE_RADIUS 0x00000004
+ #define HOSTAPD_MODULE_WPA 0x00000008
+ #define HOSTAPD_MODULE_DRIVER 0x00000010
+-#define HOSTAPD_MODULE_IAPP 0x00000020
+ #define HOSTAPD_MODULE_MLME 0x00000040
+
+ enum hostapd_logger_level {
+--
+2.17.1
+
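Review bot: removing `HOSTAPD_MODULE_IAPP` in the src/utils/wpa_debug.h part of this patch leaves bit 0x00000020 unassigned between `HOSTAPD_MODULE_DRIVER` (0x10) and `HOSTAPD_MODULE_MLME` (0x40). A short comment marking 0x20 as reserved would keep the bit from being reused for a different module while existing logger bitmask settings may still carry it.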
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
new file mode 100644
index 0000000000..54c405b539
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
@@ -0,0 +1,43 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+
+CVE: CVE-2021-0326
+
+Upstream-Status: Backport
+
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index 74b7b52ae..5cbfc217f 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+ dev->info.config_methods = cli->config_methods;
+ os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+ dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
++ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
++ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+ os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+ dev->info.wps_sec_dev_type_list_len);
+ }
+--
+2.17.1
+
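Review bot: the patch header marks this as `Upstream-Status: Backport` but gives no link to the upstream commit, unlike CVE-2021-30004.patch added in this same change; add the reference so the backport can be compared against its source. On the code itself, the clamp in p2p_copy_client_info() silently truncates an oversized list to `WPS_SEC_DEV_TYPE_MAX_LEN`. That is enough to stop the out-of-bounds `os_memcpy()`, but a debug message on the truncation path would make malformed group information visible during triage.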
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch
new file mode 100644
index 0000000000..fedff76b18
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch
@@ -0,0 +1,54 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+
+CVE: CVE-2021-27803
+
+Upstream-Status: Backport
+
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec03f..05fd59349 100644
+--- a/src/p2p/p2p_pd.c
++++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+ goto out;
+ }
+
++ dev = p2p_get_device(p2p, sa);
+ if (!dev) {
+- dev = p2p_get_device(p2p, sa);
+- if (!dev) {
+- p2p_dbg(p2p,
+- "Provision Discovery device not found "
+- MACSTR, MAC2STR(sa));
+- goto out;
+- }
++ p2p_dbg(p2p,
++ "Provision Discovery device not found "
++ MACSTR, MAC2STR(sa));
++ goto out;
+ }
+ } else if (msg.wfd_subelems) {
+ wpabuf_free(dev->info.wfd_subelems);
+--
+2.17.1
+
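Review bot: the header of this backport carries only the upstream author's `Signed-off-by:` and no sign-off from whoever imported it into the layer, and `Upstream-Status: Backport` has no upstream commit link; CVE-2021-0326.patch in the same change has the importer's sign-off, so this one should match. The code change is what the message describes: `dev = p2p_get_device(p2p, sa);` now runs unconditionally in this branch, so the pointer is always re-fetched before the `wfd_subelems` handling that follows.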
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch
new file mode 100644
index 0000000000..e2540fc26b
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch
@@ -0,0 +1,123 @@
+From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Mar 2021 18:19:31 +0200
+Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
+
+The supported hash algorithms do not use AlgorithmIdentifier parameters.
+However, there are implementations that include NULL parameters in
+addition to ones that omit the parameters. Previous implementation did
+not check the parameters value at all which supported both these cases,
+but did not reject any other unexpected information.
+
+Use strict validation of digest algorithm parameters and reject any
+unexpected value when validating a signature. This is needed to prevent
+potential forging attacks.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport
+CVE: CVE-2021-30004
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/tls/pkcs1.c | 21 +++++++++++++++++++++
+ src/tls/x509v3.c | 20 ++++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
+index 141ac50..e09db07 100644
+--- a/src/tls/pkcs1.c
++++ b/src/tls/pkcs1.c
+@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
++ hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "PKCS #1: Unexpected digest algorithm parameters");
++ os_free(decrypted);
++ return -1;
++ }
+
+ if (!asn1_oid_equal(&oid, hash_alg)) {
+ char txt[100], txt2[100];
+diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
+index 1bd5aa0..bf2289f 100644
+--- a/src/tls/x509v3.c
++++ b/src/tls/x509v3.c
+@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "X509: Unexpected digest algorithm parameters");
++ os_free(data);
++ return -1;
++ }
+
+ if (x509_sha1_oid(&oid)) {
+ if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
+--
+2.17.1
+
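Review bot: both new validation blocks call `asn1_is_null(&hdr)`, but the diffstat lists only src/tls/pkcs1.c and src/tls/x509v3.c, so this patch does not itself add that helper. Please confirm that the hostapd 2.9 tree the recipe builds already declares `asn1_is_null()`; if it does not, any configuration that compiles the internal TLS code will fail to build, and the helper needs to be backported alongside. Separately, the rejection path logs at `MSG_DEBUG` only, so a signature refused for unexpected digest algorithm parameters will not show up at default verbosity.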
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
index 68dc123702..e586018685 100644
--- a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
+++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -12,6 +12,10 @@ SRC_URI = " \
file://init \
file://hostapd.service \
file://CVE-2019-16275.patch \
+ file://CVE-2019-5061.patch \
+ file://CVE-2021-0326.patch \
+ file://CVE-2021-27803.patch \
+ file://CVE-2021-30004.patch \
"
SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/linuxptp/linuxptp/Use-cross-cpp-in-incdefs.patch b/meta-openembedded/meta-oe/recipes-connectivity/linuxptp/linuxptp/Use-cross-cpp-in-incdefs.patch
new file mode 100644
index 0000000000..876088649e
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-connectivity/linuxptp/linuxptp/Use-cross-cpp-in-incdefs.patch
@@ -0,0 +1,26 @@
+From 8a4cad5e2f2cbb6a34bdc6e877fe499502b8c4c8 Mon Sep 17 00:00:00 2001
+From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Date: Fri, 23 Dec 2016 18:12:29 +0100
+Subject: [PATCH] linuxptp: Use cross cpp in incdefs
+
+Use cross cpp incdefs.sh shell script since we are doing cross compiling
+we need to ensure we use correct setttings from toolchain
+
+Upstream-Status: Inappropriate [OE-Specific]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+
+ makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/incdefs.sh
++++ b/incdefs.sh
+@@ -27,7 +27,7 @@ user_flags()
+ printf " -D_GNU_SOURCE"
+
+ # Get list of directories searched for header files.
+- dirs=$(echo "" | ${CROSS_COMPILE}cpp -Wp,-v 2>&1 >/dev/null | grep ^" /")
++ dirs=$(${CPP} -Wp,-v -xc /dev/null 2>&1 >/dev/null | grep ^" /")
+
+ # Look for clock_adjtime().
+ for d in $dirs; do
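Review bot: the patch metadata does not match its content. The diffstat says `makefile | 2 +-` while the only hunk edits incdefs.sh, and the From/Date/commit-id header is identical to the deleted no-incdefs-using-host-headers.patch even though the listed author has no `Signed-off-by:` here. Regenerate the header (for example with git format-patch) and fix the "setttings" typo in the description. The new line also depends on `${CPP}` being set in the environment incdefs.sh runs in; worth stating that in the description, since the old line fell back to `${CROSS_COMPILE}cpp`.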
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/linuxptp/linuxptp/no-incdefs-using-host-headers.patch b/meta-openembedded/meta-oe/recipes-connectivity/linuxptp/linuxptp/no-incdefs-using-host-headers.patch
deleted file mode 100644
index 02dbb23465..0000000000
--- a/meta-openembedded/meta-oe/recipes-connectivity/linuxptp/linuxptp/no-incdefs-using-host-headers.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 8a4cad5e2f2cbb6a34bdc6e877fe499502b8c4c8 Mon Sep 17 00:00:00 2001
-From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
-Date: Fri, 23 Dec 2016 18:12:29 +0100
-Subject: [PATCH] linuxptp: no incdefs using host headers
-
-Avoid using host headers via incdefs.sh shell script.
-
-Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
----
-
- makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/makefile b/makefile
-index 8cdbd15..85174b8 100644
---- a/makefile
-+++ b/makefile
-@@ -33,7 +33,7 @@ OBJECTS = $(OBJ) hwstamp_ctl.o phc2sys.o phc_ctl.o pmc.o pmc_common.o \
- SRC = $(OBJECTS:.o=.c)
- DEPEND = $(OBJECTS:.o=.d)
- srcdir := $(dir $(lastword $(MAKEFILE_LIST)))
--incdefs := $(shell $(srcdir)/incdefs.sh)
-+#incdefs := $(shell $(srcdir)/incdefs.sh)
- version := $(shell $(srcdir)/version.sh $(srcdir))
- VPATH = $(srcdir)
-
---
-2.9.3
-
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb b/meta-openembedded/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb
index 930c6673dc..c989767790 100644
--- a/meta-openembedded/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb
+++ b/meta-openembedded/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb
@@ -4,15 +4,16 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
SRC_URI = "http://sourceforge.net/projects/linuxptp/files/v${PV}/linuxptp-${PV}.tgz \
file://build-Allow-CC-and-prefix-to-be-overriden.patch \
- file://no-incdefs-using-host-headers.patch \
+ file://Use-cross-cpp-in-incdefs.patch \
file://time_t_maybe_long_long.patch \
"
SRC_URI[md5sum] = "d8bb7374943bb747db7786ac26f17f11"
SRC_URI[sha256sum] = "0a24d9401e87d4af023d201e234d91127d82c350daad93432106284aa9459c7d"
-EXTRA_OEMAKE = "ARCH=${TARGET_ARCH} \
- EXTRA_CFLAGS='-D_GNU_SOURCE -DHAVE_CLOCK_ADJTIME -DHAVE_POSIX_SPAWN -DHAVE_ONESTEP_SYNC ${CFLAGS}'"
+EXTRA_OEMAKE = "ARCH=${TARGET_ARCH} EXTRA_CFLAGS='${CFLAGS}'"
+
+export KBUILD_OUTPUT="${RECIPE_SYSROOT}"
do_install () {
install -d ${D}/${bindir}
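Review bot: `export KBUILD_OUTPUT="${RECIPE_SYSROOT}"` is added with no comment explaining what consumes it; add one line saying why the sysroot is passed under that name. Since the hard-coded `-DHAVE_CLOCK_ADJTIME -DHAVE_POSIX_SPAWN -DHAVE_ONESTEP_SYNC` flags are dropped from `EXTRA_CFLAGS`, the feature set now depends entirely on what incdefs.sh detects, so please confirm the resulting build still defines the same macros for the target.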
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb b/meta-openembedded/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb
index 2b05c61a0d..4d4e841f62 100644
--- a/meta-openembedded/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb
+++ b/meta-openembedded/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb
@@ -12,7 +12,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e413d83db6ee8f2c8e6055719096a48e"
inherit autotools pkgconfig gettext gobject-introspection vala
-EXTRA_OECONF = "--enable-vala-bindings"
+# Respect GI_DATA_ENABLED value when enabling vala-bindings:
+# configure: error: GObject-Introspection must be enabled for Vala bindings
+EXTRA_OECONF = "${@bb.utils.contains('GI_DATA_ENABLED', 'True', '--enable-vala-bindings', '--disable-vala-bindings', d)}"
FILES_${PN} += "${datadir}/telepathy \
${datadir}/dbus-1"
diff --git a/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb b/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb
index 8358e933d7..505d4efc1a 100644
--- a/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb
+++ b/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb
@@ -8,17 +8,21 @@ PACKAGES = ' \
packagegroup-meta-oe \
packagegroup-meta-oe-benchmarks \
packagegroup-meta-oe-connectivity \
+ packagegroup-meta-oe-connectivity-python2 \
packagegroup-meta-oe-core \
packagegroup-meta-oe-crypto \
packagegroup-meta-oe-bsp \
packagegroup-meta-oe-dbs \
+ packagegroup-meta-oe-dbs-python2 \
packagegroup-meta-oe-devtools \
packagegroup-meta-oe-extended \
+ packagegroup-meta-oe-extended-python2 \
packagegroup-meta-oe-kernel \
packagegroup-meta-oe-multimedia \
packagegroup-meta-oe-navigation \
packagegroup-meta-oe-security \
packagegroup-meta-oe-support \
+ packagegroup-meta-oe-support-python2 \
packagegroup-meta-oe-test \
${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-meta-oe-gnome", "", d)} \
${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-meta-oe-graphics", "", d)} \
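Review bot: the four new `-python2` packagegroups are added to `PACKAGES` unconditionally, while everything that references them (the `RDEPENDS_packagegroup-meta-oe` entries and their own `RDEPENDS`) is guarded by the `meta-python2` check on `BBFILE_COLLECTIONS`. Without that layer this produces four empty packagegroups. Consider wrapping the `PACKAGES` entries in the same `bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", ...)` expression so the package list and the dependencies stay consistent.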
@@ -28,17 +32,21 @@ PACKAGES = ' \
RDEPENDS_packagegroup-meta-oe = "\
packagegroup-meta-oe-benchmarks \
packagegroup-meta-oe-connectivity \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "packagegroup-meta-oe-connectivity-python2", "", d)} \
packagegroup-meta-oe-core \
packagegroup-meta-oe-crypto \
packagegroup-meta-oe-bsp \
packagegroup-meta-oe-dbs \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "packagegroup-meta-oe-dbs-python2", "", d)} \
packagegroup-meta-oe-devtools \
packagegroup-meta-oe-extended \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "packagegroup-meta-oe-extended-python2", "", d)} \
packagegroup-meta-oe-kernel \
packagegroup-meta-oe-multimedia \
packagegroup-meta-oe-navigation \
packagegroup-meta-oe-security \
packagegroup-meta-oe-support \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "packagegroup-meta-oe-support-python2", "", d)} \
packagegroup-meta-oe-test \
${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-meta-oe-gnome", "", d)} \
${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-meta-oe-graphics", "", d)} \
@@ -70,10 +78,13 @@ RDEPENDS_packagegroup-meta-oe-connectivity ="\
${@bb.utils.contains("DISTRO_FEATURES", "x11", "obex-data-server", "", d)} \
libmikmod \
obexftp openobex libnet \
- ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "telepathy-idle", "", d)} \
"
RDEPENDS_packagegroup-meta-oe-connectivity_append_libc-glibc = " wvstreams wvdial"
+RDEPENDS_packagegroup-meta-oe-connectivity-python2 = "\
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "telepathy-idle", "", d)} \
+"
+
# dracut needs dracut
RDEPENDS_packagegroup-meta-oe-core ="\
dbus-daemon-proxy libdbus-c++ \
@@ -103,24 +114,26 @@ RDEPENDS_packagegroup-meta-oe-dbs ="\
leveldb libdbi mariadb mariadb-native \
postgresql psqlodbc rocksdb soci \
sqlite \
- ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "mysql-python", "", d)} \
"
+RDEPENDS_packagegroup-meta-oe-dbs-python2 ="\
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "mysql-python", "", d)} \
+"
+
RDEPENDS_packagegroup-meta-oe-devtools ="\
android-tools android-tools-conf bootchart breakpad \
capnproto cgdb cscope ctags \
debootstrap dmalloc flatbuffers \
- giflib grpc icon-slicer iptraf-ng jq jsoncpp jsonrpc json-spirit \
+ giflib grpc guider icon-slicer iptraf-ng jq jsoncpp jsonrpc json-spirit \
kconfig-frontends lemon libedit libgee libsombok3 \
libubox log4cplus lshw ltrace lua mcpp memstat mercurial \
- mpich msgpack-c nlohmann-json openocd pax-utils \
+ mpich msgpack-c nlohmann-json nodejs openocd pax-utils \
ipc-run libdbd-mysql-perl libdbi-perl libio-pty-perl php \
protobuf protobuf-c \
rapidjson serialcheck sip3 tclap uftrace uw-imap valijson \
xmlrpc-c yajl yasm \
${@bb.utils.contains("DISTRO_FEATURES", "x11", "geany geany-plugins glade tk", "", d)} \
- ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "nodejs", "", d)} \
- "
+"
RDEPENDS_packagegroup-meta-oe-devtools_remove_armv5 = "uftrace nodejs"
RDEPENDS_packagegroup-meta-oe-devtools_remove_mipsarch = "uftrace lshw"
@@ -155,8 +168,7 @@ RDEPENDS_packagegroup-meta-oe-extended ="\
${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-ssh-agent-auth openwsman sblim-sfcb ", "", d)} \
${@bb.utils.contains("DISTRO_FEATURES", "polkit", "polkit polkit-group-rule-datetime ", "", d)} \
${@bb.utils.contains("DISTRO_FEATURES", "polkit", "polkit-group-rule-network ", "", d)} \
- ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "openlmi-tools", "", d)} \
- "
+"
RDEPENDS_packagegroup-meta-oe-extended_remove_mipsarch = "upm mraa tiptop"
RDEPENDS_packagegroup-meta-oe-extended_remove_powerpc = "upm mraa"
RDEPENDS_packagegroup-meta-oe-extended_remove_powerpc64 = "upm mraa"
@@ -164,6 +176,10 @@ RDEPENDS_packagegroup-meta-oe-extended_remove_powerpc64le = "upm mraa"
RDEPENDS_packagegroup-meta-oe-extended_remove_riscv64 = "upm mraa tiptop"
RDEPENDS_packagegroup-meta-oe-extended_remove_riscv32 = "upm mraa tiptop"
+RDEPENDS_packagegroup-meta-oe-extended-python2 ="\
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "openlmi-tools", "", d)} \
+"
+
RDEPENDS_packagegroup-meta-oe-gnome ="\
atkmm gnome-common gnome-doc-utils-stub gtkmm \
gtkmm3 pyxdg vte9 \
@@ -270,8 +286,11 @@ RDEPENDS_packagegroup-meta-oe-support ="\
procmail \
${@bb.utils.contains("DISTRO_FEATURES", "polkit", "udisks2 upower", "", d)} \
${NE10} \
+"
+
+RDEPENDS_packagegroup-meta-oe-support-python2 ="\
${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "lio-utils", "", d)} \
- "
+"
RDEPENDS_packagegroup-meta-oe-support_remove_arm ="numactl"
RDEPENDS_packagegroup-meta-oe-support_remove_mipsarch = "gperftools"
diff --git a/meta-openembedded/meta-oe/recipes-devtools/guider/guider_3.9.6.bb b/meta-openembedded/meta-oe/recipes-devtools/guider/guider_3.9.6.bb
deleted file mode 100644
index f059002161..0000000000
--- a/meta-openembedded/meta-oe/recipes-devtools/guider/guider_3.9.6.bb
+++ /dev/null
@@ -1,39 +0,0 @@
-SUMMARY = "runtime performance analyzer"
-HOMEPAGE = "https://github.com/iipeace/guider"
-BUGTRACKER = "https://github.com/iipeace/guider/issues"
-AUTHOR = "Peace Lee <ipeace5@gmail.com>"
-
-LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=2c1c00f9d3ed9e24fa69b932b7e7aff2"
-
-PV = "3.9.6+git${SRCPV}"
-PR = "r0"
-
-SRC_URI = "git://github.com/iipeace/${BPN}"
-#SRCREV = "${AUTOREV}"
-SRCREV = "fef25c41efb9bde0614ea477d0b90bd9565ae0b4"
-
-S = "${WORKDIR}/git"
-R = "${RECIPE_SYSROOT}"
-
-inherit ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "distutils", "", d)}
-
-GUIDER_OBJ = "guider.pyc"
-GUIDER_SCRIPT = "guider"
-
-do_install() {
- python ${S}/setup.py install
-
- install -d ${D}${bindir}
- install -v -m 0755 ${STAGING_BINDIR_NATIVE}/${GUIDER_SCRIPT} ${D}${bindir}/${GUIDER_SCRIPT}
-
- install -d ${D}${datadir}/${BPN}
- install -v -m 0755 ${STAGING_LIBDIR_NATIVE}/python${PYTHON_BASEVERSION}/site-packages/${BPN}/${GUIDER_OBJ} ${D}${datadir}/${BPN}/${GUIDER_OBJ}
-}
-
-RDEPENDS_${PN} = "python-ctypes python-shell \
- python-json python-subprocess"
-python() {
- if 'meta-python2' not in d.getVar('BBFILE_COLLECTIONS').split():
- raise bb.parse.SkipRecipe('Requires meta-python2 to be present.')
-}
diff --git a/meta-openembedded/meta-oe/recipes-devtools/guider/guider_3.9.7.bb b/meta-openembedded/meta-oe/recipes-devtools/guider/guider_3.9.7.bb
new file mode 100644
index 0000000000..88fad936ba
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/guider/guider_3.9.7.bb
@@ -0,0 +1,19 @@
+SUMMARY = "runtime performance analyzer"
+HOMEPAGE = "https://github.com/iipeace/guider"
+BUGTRACKER = "https://github.com/iipeace/guider/issues"
+AUTHOR = "Peace Lee <ipeace5@gmail.com>"
+
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=2c1c00f9d3ed9e24fa69b932b7e7aff2"
+
+PV = "3.9.7+git${SRCPV}"
+
+SRC_URI = "git://github.com/iipeace/${BPN}"
+SRCREV = "459b5189a46023fc98e19888b196bdc2674022fd"
+
+S = "${WORKDIR}/git"
+
+inherit setuptools3
+
+RDEPENDS_${PN} = "python3 python3-core \
+ python3-ctypes python3-shell python3-json"
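Review bot: `SRC_URI = "git://github.com/iipeace/${BPN}"` names neither a protocol nor a branch, so the fetch uses the fetcher's defaults for both. `SRCREV` pins the commit, which protects integrity, but adding `;protocol=https` and an explicit `;branch=` would avoid the unauthenticated git transport and the kind of default-branch fetch failure fixed elsewhere in this change. `python3-core` in `RDEPENDS_${PN}` is also redundant next to `python3`.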
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_12.20.1.bb b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_12.21.0.bb
index 0673a3202d..b9e3821776 100644
--- a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_12.20.1.bb
+++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_12.21.0.bb
@@ -26,7 +26,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
SRC_URI_append_class-target = " \
file://0002-Using-native-binaries.patch \
"
-SRC_URI[sha256sum] = "e00eee325d705b2bfa9929b7d061eb2315402d7e8548945eac9870bf84321853"
+SRC_URI[sha256sum] = "052f37ace6f569b513b5a1154b2a45d3c4d8b07d7d7c807b79f1566db61e979d"
S = "${WORKDIR}/node-v${PV}"
diff --git a/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb b/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb
index 43021c5342..86407459bf 100644
--- a/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb
+++ b/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb
@@ -22,7 +22,7 @@ DEPENDS = " \
PREMIRRORS = ""
SRC_URI = " \
- gitsm://github.com/ostreedev/ostree \
+ gitsm://github.com/ostreedev/ostree;branch=main \
file://run-ptest \
"
SRCREV = "6ed48234ba579ff73eb128af237212b0a00f2057"
diff --git a/meta-openembedded/meta-oe/recipes-extended/uml-utilities/uml-utilities_20040406.bb b/meta-openembedded/meta-oe/recipes-extended/uml-utilities/uml-utilities_20040406.bb
index ed19d1e41a..de1fc3a1fe 100644
--- a/meta-openembedded/meta-oe/recipes-extended/uml-utilities/uml-utilities_20040406.bb
+++ b/meta-openembedded/meta-oe/recipes-extended/uml-utilities/uml-utilities_20040406.bb
@@ -16,12 +16,11 @@ PR = "r1"
S = "${WORKDIR}/tools"
do_compile() {
- oe_runmake
+ oe_runmake LIB_DIR=${libdir}/uml
}
do_install() {
oe_runmake install DESTDIR=${D}
}
-FILES_${PN} += "${exec_prefix}${nonarch_base_libdir}"
-FILES_${PN}-dbg += "${exec_prefix}${nonarch_base_libdir}/uml/.debug"
+FILES_${PN} += "${libdir}/uml"
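Review bot: `LIB_DIR=${libdir}/uml` is passed only in do_compile(), while do_install() still runs `oe_runmake install DESTDIR=${D}` without it. If the install rules use `LIB_DIR` to choose the destination, the files will land in the makefile's default location rather than the `${libdir}/uml` now listed in `FILES_${PN}`; pass the same `LIB_DIR` to the install step, or note why it is not needed.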
diff --git a/meta-openembedded/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb b/meta-openembedded/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb
index 7c6f4c13d2..f3c112c3b8 100644
--- a/meta-openembedded/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb
+++ b/meta-openembedded/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING.gpl-3;md5=d32239bcb673463ab874e80d47fae504 \
file://COPYING.lgpl-3;md5=e6a600fd5e1d9cbde2d983680233ad02 \
"
-SRC_URI = "git://github.com/libyui/libyui.git \
+SRC_URI = "git://github.com/libyui/libyui-old.git \
file://0001-Fix-build-with-clang.patch \
file://0001-Use-relative-install-paths-for-CMake.patch \
"
diff --git a/meta-openembedded/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb b/meta-openembedded/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb
index ac463038aa..105610be5a 100644
--- a/meta-openembedded/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb
+++ b/meta-openembedded/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb
@@ -13,6 +13,14 @@ S = "${WORKDIR}/git"
inherit cmake
+do_configure_prepend() {
+ # otherwise https://github.com/ceres-solver/ceres-solver/blob/0b748597889f460764f6c980a00c6f502caa3875/cmake/AddGerritCommitHook.cmake#L68
+ # will try to fetch https://ceres-solver-review.googlesource.com/tools/hooks/commit-msg durind do_configure
+ # which sometimes gets stuck (as there is no TIMEOUT set in DOWNLOAD)
+ # and we really don't need Gerrit's Change-Id tags when just building this
+ touch ${S}/.git/hooks/commit-msg
+}
+
# We don't want path to eigen3 in ceres-solver RSS to be
# used by components which use CeresConfig.cmake from their
# own RSS
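Review bot: the `touch ${S}/.git/hooks/commit-msg` in do_configure_prepend() assumes `${S}/.git/hooks` already exists, and the task fails if the checkout has no hooks directory. Create it first (`install -d ${S}/.git/hooks`) so the workaround does not depend on how the fetcher laid out the tree. Also fix the "durind" typo in the comment.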
diff --git a/meta-openembedded/meta-oe/recipes-support/freerdp/freerdp_git.bb b/meta-openembedded/meta-oe/recipes-support/freerdp/freerdp_git.bb
index 7cafbb7993..82ef561fbe 100644
--- a/meta-openembedded/meta-oe/recipes-support/freerdp/freerdp_git.bb
+++ b/meta-openembedded/meta-oe/recipes-support/freerdp/freerdp_git.bb
@@ -40,7 +40,7 @@ PACKAGECONFIG ??= " \
X11_DEPS = "virtual/libx11 libxinerama libxext libxcursor libxv libxi libxrender libxfixes libxdamage libxrandr libxkbfile"
PACKAGECONFIG[x11] = "-DWITH_X11=ON -DWITH_XINERAMA=ON -DWITH_XEXT=ON -DWITH_XCURSOR=ON -DWITH_XV=ON -DWITH_XI=ON -DWITH_XRENDER=ON -DWITH_XFIXES=ON -DWITH_XDAMAGE=ON -DWITH_XRANDR=ON -DWITH_XKBFILE=ON,-DWITH_X11=OFF,${X11_DEPS}"
-PACKAGECONFIG[wayland] = "-DWITH_WAYLAND=ON,-DWITH_WAYLAND=OFF,wayland wayland-native"
+PACKAGECONFIG[wayland] = "-DWITH_WAYLAND=ON,-DWITH_WAYLAND=OFF,wayland wayland-native libxkbcommon"
PACKAGECONFIG[directfb] = "-DWITH_DIRECTFB=ON,-DWITH_DIRECTFB=OFF,directfb"
PACKAGECONFIG[pam] = "-DWITH_PAM=ON,-DWITH_PAM=OFF,libpam"
PACKAGECONFIG[pulseaudio] = "-DWITH_PULSEAUDIO=ON,-DWITH_PULSEAUDIO=OFF,pulseaudio"
diff --git a/meta-openembedded/meta-oe/recipes-support/neon/neon/run-ptest b/meta-openembedded/meta-oe/recipes-support/neon/neon/run-ptest
new file mode 100644
index 0000000000..602084a52c
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/neon/neon/run-ptest
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -eux
+
+rm -f debug.log child.log
+
+ulimit -c unlimited
+ulimit -t 120
+
+cd test
+echo foobar > foobar.txt
+
+BASIC_TESTS="auth basic redirect request session socket string-tests \
+ stubs uri-tests util-tests"
+DAV_TESTS="acl3744 lock oldacl props xml xmlreq"
+for t in $BASIC_TESTS $DAV_TESTS
+do
+ echo "Running $t..."
+ if "./$t"
+ then
+ echo "PASS:$t"
+ else
+ echo "FAIL:$t"
+ fi
+done
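Review bot: `rm -f debug.log child.log` runs before `cd test`, so it cleans the ptest top directory rather than the directory where the test binaries are run; move it after the `cd` if the intent is to clear logs left by a previous run. Two smaller points: with `set -e` in effect, `ulimit -c unlimited` aborts the whole script on targets where the hard core limit is lower, so it should be made non-fatal, and the test list here duplicates the one in do_install_ptest(), which will drift unless one is derived from the other.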
diff --git a/meta-openembedded/meta-oe/recipes-support/neon/neon_0.30.2.bb b/meta-openembedded/meta-oe/recipes-support/neon/neon_0.30.2.bb
index 00b79f6330..7feec41d62 100644
--- a/meta-openembedded/meta-oe/recipes-support/neon/neon_0.30.2.bb
+++ b/meta-openembedded/meta-oe/recipes-support/neon/neon_0.30.2.bb
@@ -7,12 +7,13 @@ LIC_FILES_CHKSUM = "file://src/COPYING.LIB;md5=f30a9716ef3762e3467a2f62bf790f0a
SRC_URI = "${DEBIAN_MIRROR}/main/n/neon27/neon27_${PV}.orig.tar.gz \
file://pkgconfig.patch \
+ file://run-ptest \
"
SRC_URI[md5sum] = "e28d77bf14032d7f5046b3930704ef41"
SRC_URI[sha256sum] = "db0bd8cdec329b48f53a6f00199c92d5ba40b0f015b153718d1b15d3d967fbca"
-inherit autotools binconfig-disabled lib_package pkgconfig
+inherit autotools binconfig-disabled lib_package pkgconfig ptest
# Enable gnutls or openssl, not both
PACKAGECONFIG ?= "expat gnutls libproxy webdav zlib"
@@ -33,6 +34,18 @@ do_compile_append() {
oe_runmake -C test
}
+do_install_ptest(){
+ BASIC_TESTS="auth basic redirect request session socket string-tests \
+ stubs uri-tests util-tests"
+ DAV_TESTS="acl3744 lock oldacl props xml xmlreq"
+ mkdir "${D}${PTEST_PATH}/test"
+ for i in ${BASIC_TESTS} ${DAV_TESTS}
+ do
+ install -m 0755 "${B}/test/${i}" \
+ "${D}${PTEST_PATH}/test"
+ done
+}
+
BINCONFIG = "${bindir}/neon-config"
BBCLASSEXTEND = "native"
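Review bot: do_install_ptest() uses a plain `mkdir "${D}${PTEST_PATH}/test"`, which fails if the parent does not exist yet or if the directory is already there on a re-run. Use `install -d "${D}${PTEST_PATH}/test"` instead, matching how the rest of the layer creates install directories.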
diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb
index 3e3c3a3fdf..0e127975b4 100644
--- a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb
+++ b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb
@@ -62,7 +62,6 @@ do_configure_prepend_libc-musl () {
do_compile_prepend_class-native() {
export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}/nspr
export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE}
- export NSS_ENABLE_WERROR=0
}
do_compile_prepend_class-nativesdk() {
@@ -81,6 +80,11 @@ do_compile() {
export NATIVE_CC="${BUILD_CC}"
# Additional defines needed on Centos 7
export NATIVE_FLAGS="${BUILD_CFLAGS} -DLINUX -Dlinux"
+
+ # POSIX.1-2001 states that the behaviour of getcwd() when passing a null
+ # pointer as the buf argument, is unspecified.
+ export NATIVE_FLAGS="${NATIVE_FLAGS} -DGETCWD_CANT_MALLOC"
+
export BUILD_OPT=1
export FREEBL_NO_DEPEND=1
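Review bot: the new comment above `-DGETCWD_CANT_MALLOC` explains the POSIX point but not why the define is needed now. Tie it to the `export NSS_ENABLE_WERROR=0` line removed from do_compile_prepend_class-native in the previous hunk, so a later reader can see that the define replaces that workaround. The two consecutive `export NATIVE_FLAGS=` lines could also be folded into one assignment, with the define appended to the existing string.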
diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch
index 5f909c1a8f..896d6ce9dc 100644
--- a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch
+++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch
@@ -1,4 +1,4 @@
-From 85b882b4ceb57fe6538f47af58d0a970923fde0e Mon Sep 17 00:00:00 2001
+From 806de12b95a69572fffea8eb49b4ec3fb722b65f Mon Sep 17 00:00:00 2001
From: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
Date: Thu, 31 Mar 2016 00:20:15 +0200
Subject: [PATCH] 3rdparty/ippicv: Use pre-downloaded ipp
@@ -11,7 +11,7 @@ Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/3rdparty/ippicv/ippicv.cmake b/3rdparty/ippicv/ippicv.cmake
-index ae8748c..305abdb 100644
+index ae8748c283..305abdb58d 100644
--- a/3rdparty/ippicv/ippicv.cmake
+++ b/3rdparty/ippicv/ippicv.cmake
@@ -39,18 +39,5 @@ function(download_ippicv root_var)
diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-Dont-use-isystem.patch b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-Dont-use-isystem.patch
index 40d3f53e1a..a899b7e9a4 100644
--- a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-Dont-use-isystem.patch
+++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-Dont-use-isystem.patch
@@ -1,4 +1,4 @@
-From 9659f5a1e75fc29c9879c301767bba72ecf9042a Mon Sep 17 00:00:00 2001
+From b34a6e8d4582aa13ad4cd58547d8e0f0a0f1c6a6 Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Tue, 11 Sep 2018 00:21:18 -0700
Subject: [PATCH] Dont use isystem
@@ -14,7 +14,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
1 file changed, 2 insertions(+)
diff --git a/cmake/OpenCVPCHSupport.cmake b/cmake/OpenCVPCHSupport.cmake
-index 59bc826..055dfce 100644
+index 59bc826ed0..055dfce251 100644
--- a/cmake/OpenCVPCHSupport.cmake
+++ b/cmake/OpenCVPCHSupport.cmake
@@ -18,6 +18,8 @@ IF(CV_GCC)
diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-Temporarliy-work-around-deprecated-ffmpeg-RAW-functi.patch b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-Temporarliy-work-around-deprecated-ffmpeg-RAW-functi.patch
index f8ccd1d558..26041e09fb 100644
--- a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-Temporarliy-work-around-deprecated-ffmpeg-RAW-functi.patch
+++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-Temporarliy-work-around-deprecated-ffmpeg-RAW-functi.patch
@@ -1,4 +1,4 @@
-From fe27d0e2341683606704115949d16250e4cacbfa Mon Sep 17 00:00:00 2001
+From 23425e45f6e26f2b1e387b88e104872b3a1ea5d1 Mon Sep 17 00:00:00 2001
From: Jason Wessel <jason.wessel@windriver.com>
Date: Wed, 9 May 2018 13:33:59 -0700
Subject: [PATCH] Temporarliy work around deprecated ffmpeg RAW function
@@ -11,7 +11,7 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
1 file changed, 8 insertions(+)
diff --git a/modules/videoio/src/cap_ffmpeg_impl.hpp b/modules/videoio/src/cap_ffmpeg_impl.hpp
-index 0d360ad..566df66 100644
+index 0d360ad5d9..566df6664b 100644
--- a/modules/videoio/src/cap_ffmpeg_impl.hpp
+++ b/modules/videoio/src/cap_ffmpeg_impl.hpp
@@ -736,6 +736,14 @@ struct ImplMutex::Impl
diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch
index 43d32fbc75..df5bd67460 100644
--- a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch
+++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch
@@ -1,13 +1,15 @@
-From 1edc925ecd7fb54d2dc78452069084475fbe2a70 Mon Sep 17 00:00:00 2001
+From d9bdafa95f329f33d829d89a2e51adaf833768cc Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Thu, 16 Jan 2020 08:52:00 -0800
-Subject: [PATCH] carotene: Replace ipcp-unit-growth with ipa-cp-unit-growth on gcc >= 10
+Subject: [PATCH] carotene: Replace ipcp-unit-growth with ipa-cp-unit-growth on
+ gcc >= 10
gcc 10+ has renamed this option, therefore check for gcc version before
deciding which name to use for opt parameter
Upstream-Status: Submitted [https://github.com/opencv/opencv/pull/16369]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
---
3rdparty/carotene/CMakeLists.txt | 8 ++++++--
3rdparty/carotene/hal/CMakeLists.txt | 7 ++++++-
@@ -50,6 +52,3 @@ index c4b9acaedd..bbc5b11a80 100644
# set_source_files_properties(impl.cpp $<TARGET_OBJECTS:carotene_objs> COMPILE_FLAGS "--param ipcp-unit-growth=100000 --param inline-unit-growth=100000 --param large-stack-frame-growth=5000")
endif()
---
-2.25.0
-
diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0002-Make-opencv-ts-create-share-library-intead-of-static.patch b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0002-Make-opencv-ts-create-share-library-intead-of-static.patch
index 46198fb7be..3dd63829e5 100644
--- a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0002-Make-opencv-ts-create-share-library-intead-of-static.patch
+++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0002-Make-opencv-ts-create-share-library-intead-of-static.patch
@@ -1,4 +1,4 @@
-From 46ffa1f8f443b71673774fcb864eb741bbc26200 Mon Sep 17 00:00:00 2001
+From 6a490df70aadc43ed4f503452c278e334716826d Mon Sep 17 00:00:00 2001
From: Bian Naimeng <biannm@cn.fujitsu.com>
Date: Wed, 19 Apr 2017 03:11:37 +0900
Subject: [PATCH] Make opencv-ts create share library intead of static.
@@ -10,7 +10,7 @@ Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/ts/CMakeLists.txt b/modules/ts/CMakeLists.txt
-index f95bed0..ee67858 100644
+index f95bed0793..ee67858df8 100644
--- a/modules/ts/CMakeLists.txt
+++ b/modules/ts/CMakeLists.txt
@@ -4,7 +4,7 @@ if(NOT BUILD_opencv_ts AND NOT BUILD_TESTS AND NOT BUILD_PERF_TESTS)
diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0003-To-fix-errors-as-following.patch b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0003-To-fix-errors-as-following.patch
index 336c2e08e6..77571ead98 100644
--- a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0003-To-fix-errors-as-following.patch
+++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/0003-To-fix-errors-as-following.patch
@@ -1,4 +1,4 @@
-From 867caccc358266f7021f076fc8c8e41bf048782c Mon Sep 17 00:00:00 2001
+From b3dc5478cb0d2d2b617dc6c5e28d59559edadf36 Mon Sep 17 00:00:00 2001
From: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Date: Fri, 19 May 2017 04:27:50 +0900
Subject: [PATCH] To fix errors as following:
@@ -21,7 +21,7 @@ Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/ts/include/opencv2/ts.hpp b/modules/ts/include/opencv2/ts.hpp
-index b9d6b74..f1ee7ee 100644
+index b9d6b74ffc..f1ee7ee429 100644
--- a/modules/ts/include/opencv2/ts.hpp
+++ b/modules/ts/include/opencv2/ts.hpp
@@ -622,7 +622,7 @@ protected:
@@ -43,7 +43,7 @@ index b9d6b74..f1ee7ee 100644
#define CV_TEST_INIT0_NOOP (void)0
diff --git a/modules/ts/include/opencv2/ts/ocl_test.hpp b/modules/ts/include/opencv2/ts/ocl_test.hpp
-index 11572e9..438112e 100644
+index 11572e9f48..438112e2aa 100644
--- a/modules/ts/include/opencv2/ts/ocl_test.hpp
+++ b/modules/ts/include/opencv2/ts/ocl_test.hpp
@@ -82,7 +82,7 @@ inline UMat ToUMat(InputArray src)
@@ -56,7 +56,7 @@ index 11572e9..438112e 100644
#define MAX_VALUE 357
diff --git a/modules/ts/include/opencv2/ts/ts_ext.hpp b/modules/ts/include/opencv2/ts/ts_ext.hpp
-index b5cea3e..e5b0b4b 100644
+index b5cea3e46d..e5b0b4ba8c 100644
--- a/modules/ts/include/opencv2/ts/ts_ext.hpp
+++ b/modules/ts/include/opencv2/ts/ts_ext.hpp
@@ -9,7 +9,7 @@
diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-14491.patch b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-14491.patch
new file mode 100644
index 0000000000..54a553fb38
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-14491.patch
@@ -0,0 +1,148 @@
+From 5a9628c134a7314e10ea0bcc4e789c935251a7f5 Mon Sep 17 00:00:00 2001
+From: Alexander Alekhin <alexander.alekhin@intel.com>
+Date: Thu, 25 Jul 2019 17:15:59 +0300
+Subject: [PATCH] objdetect: validate feature rectangle on reading
+
+CVE: CVE-2019-14491
+CVE: CVE-2019-14492
+Upstream-Status: Backport [https://github.com/opencv/opencv/commit/ac425f67e4c1d0da9afb9203f0918d8d57c067ed.patch]
+Comment: No changes in any hunk
+
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+
+---
+ modules/objdetect/src/cascadedetect.cpp | 43 +++++++++++++++++++++----
+ modules/objdetect/src/cascadedetect.hpp | 6 ++--
+ 2 files changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/modules/objdetect/src/cascadedetect.cpp b/modules/objdetect/src/cascadedetect.cpp
+index a1865e9062..b7ef04ea7b 100644
+--- a/modules/objdetect/src/cascadedetect.cpp
++++ b/modules/objdetect/src/cascadedetect.cpp
+@@ -46,6 +46,10 @@
+ #include "cascadedetect.hpp"
+ #include "opencl_kernels_objdetect.hpp"
+
++#if defined(_MSC_VER)
++# pragma warning(disable:4458) // declaration of 'origWinSize' hides class member
++#endif
++
+ namespace cv
+ {
+
+@@ -536,7 +540,7 @@ bool FeatureEvaluator::setImage( InputArray _image, const std::vector<float>& _s
+
+ //---------------------------------------------- HaarEvaluator ---------------------------------------
+
+-bool HaarEvaluator::Feature :: read( const FileNode& node )
++bool HaarEvaluator::Feature::read(const FileNode& node, const Size& origWinSize)
+ {
+ FileNode rnode = node[CC_RECTS];
+ FileNodeIterator it = rnode.begin(), it_end = rnode.end();
+@@ -548,11 +552,23 @@ bool HaarEvaluator::Feature :: read( const FileNode& node )
+ rect[ri].weight = 0.f;
+ }
+
++ const int W = origWinSize.width;
++ const int H = origWinSize.height;
++
+ for(ri = 0; it != it_end; ++it, ri++)
+ {
+ FileNodeIterator it2 = (*it).begin();
+- it2 >> rect[ri].r.x >> rect[ri].r.y >>
+- rect[ri].r.width >> rect[ri].r.height >> rect[ri].weight;
++ Feature::RectWeigth& rw = rect[ri];
++ it2 >> rw.r.x >> rw.r.y >> rw.r.width >> rw.r.height >> rw.weight;
++ // input validation
++ {
++ CV_CheckGE(rw.r.x, 0, "Invalid HAAR feature");
++ CV_CheckGE(rw.r.y, 0, "Invalid HAAR feature");
++ CV_CheckLT(rw.r.x, W, "Invalid HAAR feature"); // necessary for overflow checks
++ CV_CheckLT(rw.r.y, H, "Invalid HAAR feature"); // necessary for overflow checks
++ CV_CheckLE(rw.r.x + rw.r.width, W, "Invalid HAAR feature");
++ CV_CheckLE(rw.r.y + rw.r.height, H, "Invalid HAAR feature");
++ }
+ }
+
+ tilted = (int)node[CC_TILTED] != 0;
+@@ -597,7 +613,7 @@ bool HaarEvaluator::read(const FileNode& node, Size _origWinSize)
+
+ for(i = 0; i < n; i++, ++it)
+ {
+- if(!ff[i].read(*it))
++ if(!ff[i].read(*it, _origWinSize))
+ return false;
+ if( ff[i].tilted )
+ hasTiltedFeatures = true;
+@@ -758,11 +774,24 @@ int HaarEvaluator::getSquaresOffset() const
+ }
+
+ //---------------------------------------------- LBPEvaluator -------------------------------------
+-bool LBPEvaluator::Feature :: read(const FileNode& node )
++bool LBPEvaluator::Feature::read(const FileNode& node, const Size& origWinSize)
+ {
+ FileNode rnode = node[CC_RECT];
+ FileNodeIterator it = rnode.begin();
+ it >> rect.x >> rect.y >> rect.width >> rect.height;
++
++ const int W = origWinSize.width;
++ const int H = origWinSize.height;
++ // input validation
++ {
++ CV_CheckGE(rect.x, 0, "Invalid LBP feature");
++ CV_CheckGE(rect.y, 0, "Invalid LBP feature");
++ CV_CheckLT(rect.x, W, "Invalid LBP feature");
++ CV_CheckLT(rect.y, H, "Invalid LBP feature");
++ CV_CheckLE(rect.x + rect.width, W, "Invalid LBP feature");
++ CV_CheckLE(rect.y + rect.height, H, "Invalid LBP feature");
++ }
++
+ return true;
+ }
+
+@@ -796,7 +825,7 @@ bool LBPEvaluator::read( const FileNode& node, Size _origWinSize )
+ std::vector<Feature>& ff = *features;
+ for(int i = 0; it != it_end; ++it, i++)
+ {
+- if(!ff[i].read(*it))
++ if(!ff[i].read(*it, _origWinSize))
+ return false;
+ }
+ nchannels = 1;
+@@ -1441,6 +1470,8 @@ bool CascadeClassifierImpl::Data::read(const FileNode &root)
+ origWinSize.width = (int)root[CC_WIDTH];
+ origWinSize.height = (int)root[CC_HEIGHT];
+ CV_Assert( origWinSize.height > 0 && origWinSize.width > 0 );
++ CV_CheckLE(origWinSize.width, 1000000, "Invalid window size (too large)");
++ CV_CheckLE(origWinSize.height, 1000000, "Invalid window size (too large)");
+
+ // load feature params
+ FileNode fn = root[CC_FEATURE_PARAMS];
+diff --git a/modules/objdetect/src/cascadedetect.hpp b/modules/objdetect/src/cascadedetect.hpp
+index a011ed4804..ffc03af841 100644
+--- a/modules/objdetect/src/cascadedetect.hpp
++++ b/modules/objdetect/src/cascadedetect.hpp
+@@ -317,12 +317,12 @@ public:
+ struct Feature
+ {
+ Feature();
+- bool read( const FileNode& node );
++ bool read(const FileNode& node, const Size& origWinSize);
+
+ bool tilted;
+
+ enum { RECT_NUM = 3 };
+- struct
++ struct RectWeigth
+ {
+ Rect r;
+ float weight;
+@@ -412,7 +412,7 @@ public:
+ Feature( int x, int y, int _block_w, int _block_h ) :
+ rect(x, y, _block_w, _block_h) {}
+
+- bool read(const FileNode& node );
++ bool read(const FileNode& node, const Size& origWinSize);
+
+ Rect rect; // weight and height for block
+ };
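Review bot: in both added "input validation" blocks (HaarEvaluator::Feature::read and LBPEvaluator::Feature::read), width and height are only constrained through the sums `x + width <= W` and `y + height <= H`, so a negative width or height read from the file satisfies every added check. The header states "No changes in any hunk", so the backport should stay verbatim, but it is worth raising upstream an explicit `CV_CheckGE(rw.r.width, 0, ...)` / `CV_CheckGE(rw.r.height, 0, ...)` pair (and the same for `rect`) ahead of the sum checks. Separately, the struct introduced in cascadedetect.hpp is spelled `RectWeigth`; it is harmless, but the name will stick once other code refers to it.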
diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-14493.patch b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-14493.patch
new file mode 100644
index 0000000000..37be12b500
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-14493.patch
@@ -0,0 +1,237 @@
+From 0d88c87ed94e89af490c3d882597e034422aa4a5 Mon Sep 17 00:00:00 2001
+From: Alexander Alekhin <alexander.alekhin@intel.com>
+Date: Thu, 25 Jul 2019 15:14:22 +0300
+Subject: [PATCH] core(persistence): added null ptr checks
+
+CVE: CVE-2019-14493
+Upstream-Status: Backport [https://github.com/opencv/opencv/commit/5691d998ead1d9b0542bcfced36c2dceb3a59023.patch]
+Comment: No changes in any hunk
+
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+
+---
+ modules/core/src/persistence_json.cpp | 12 ++++++++++++
+ modules/core/src/persistence_xml.cpp | 21 +++++++++++++++++++++
+ modules/core/src/persistence_yml.cpp | 21 +++++++++++++++++++++
+ 3 files changed, 54 insertions(+)
+
+diff --git a/modules/core/src/persistence_json.cpp b/modules/core/src/persistence_json.cpp
+index ae678e1b8b..89914e6534 100644
+--- a/modules/core/src/persistence_json.cpp
++++ b/modules/core/src/persistence_json.cpp
+@@ -296,6 +296,8 @@ public:
+
+ while ( is_eof == false && is_completed == false )
+ {
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
+ switch ( *ptr )
+ {
+ /* comment */
+@@ -381,6 +383,7 @@ public:
+ if ( is_eof || !is_completed )
+ {
+ ptr = fs->bufferStart();
++ CV_Assert(ptr);
+ *ptr = '\0';
+ fs->setEof();
+ if( !is_completed )
+@@ -392,6 +395,9 @@ public:
+
+ char* parseKey( char* ptr, FileNode& collection, FileNode& value_placeholder )
+ {
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
++
+ if( *ptr != '"' )
+ CV_PARSE_ERROR_CPP( "Key must start with \'\"\'" );
+
+@@ -430,6 +436,9 @@ public:
+
+ char* parseValue( char* ptr, FileNode& node )
+ {
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid value input");
++
+ ptr = skipSpaces( ptr );
+ if( !ptr || !*ptr )
+ CV_PARSE_ERROR_CPP( "Unexpected End-Of-File" );
+@@ -817,6 +826,9 @@ public:
+
+ bool parse( char* ptr )
+ {
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
++
+ ptr = skipSpaces( ptr );
+ if ( !ptr || !*ptr )
+ return false;
+diff --git a/modules/core/src/persistence_xml.cpp b/modules/core/src/persistence_xml.cpp
+index fb30d90896..89876dd3da 100644
+--- a/modules/core/src/persistence_xml.cpp
++++ b/modules/core/src/persistence_xml.cpp
+@@ -360,6 +360,9 @@ public:
+
+ char* skipSpaces( char* ptr, int mode )
+ {
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
++
+ int level = 0;
+
+ for(;;)
+@@ -441,6 +444,9 @@ public:
+
+ char* parseValue( char* ptr, FileNode& node )
+ {
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
++
+ FileNode new_elem;
+ bool have_space = true;
+ int value_type = node.type();
+@@ -456,6 +462,8 @@ public:
+ (c == '<' && ptr[1] == '!' && ptr[2] == '-') )
+ {
+ ptr = skipSpaces( ptr, 0 );
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
+ have_space = true;
+ c = *ptr;
+ }
+@@ -502,6 +510,8 @@ public:
+ {
+ ptr = fs->parseBase64( ptr, 0, new_elem);
+ ptr = skipSpaces( ptr, 0 );
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
+ }
+
+ ptr = parseTag( ptr, key2, type_name, tag_type );
+@@ -645,6 +655,9 @@ public:
+ char* parseTag( char* ptr, std::string& tag_name,
+ std::string& type_name, int& tag_type )
+ {
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid tag input");
++
+ if( *ptr == '\0' )
+ CV_PARSE_ERROR_CPP( "Unexpected end of the stream" );
+
+@@ -702,6 +715,8 @@ public:
+ if( *ptr != '=' )
+ {
+ ptr = skipSpaces( ptr, CV_XML_INSIDE_TAG );
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid attribute");
+ if( *ptr != '=' )
+ CV_PARSE_ERROR_CPP( "Attribute name should be followed by \'=\'" );
+ }
+@@ -740,6 +755,8 @@ public:
+ if( c != '>' )
+ {
+ ptr = skipSpaces( ptr, CV_XML_INSIDE_TAG );
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
+ c = *ptr;
+ }
+
+@@ -781,6 +798,8 @@ public:
+
+ // CV_XML_INSIDE_TAG is used to prohibit leading comments
+ ptr = skipSpaces( ptr, CV_XML_INSIDE_TAG );
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
+
+ if( memcmp( ptr, "<?xml", 5 ) != 0 ) // FIXIT ptr[1..] - out of bounds read without check
+ CV_PARSE_ERROR_CPP( "Valid XML should start with \'<?xml ...?>\'" );
+@@ -791,6 +810,8 @@ public:
+ while( ptr && *ptr != '\0' )
+ {
+ ptr = skipSpaces( ptr, 0 );
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
+
+ if( *ptr != '\0' )
+ {
+diff --git a/modules/core/src/persistence_yml.cpp b/modules/core/src/persistence_yml.cpp
+index 4129ca1dc5..7742e82770 100644
+--- a/modules/core/src/persistence_yml.cpp
++++ b/modules/core/src/persistence_yml.cpp
+@@ -330,6 +330,9 @@ public:
+
+ char* skipSpaces( char* ptr, int min_indent, int max_comment_indent )
+ {
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
++
+ for(;;)
+ {
+ while( *ptr == ' ' )
+@@ -374,6 +377,9 @@ public:
+
+ bool getBase64Row(char* ptr, int indent, char* &beg, char* &end)
+ {
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
++
+ beg = end = ptr = skipSpaces(ptr, 0, INT_MAX);
+ if (!ptr || !*ptr)
+ return false; // end of file
+@@ -394,6 +400,9 @@ public:
+
+ char* parseKey( char* ptr, FileNode& map_node, FileNode& value_placeholder )
+ {
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
++
+ char c;
+ char *endptr = ptr - 1, *saveptr;
+
+@@ -422,6 +431,9 @@ public:
+
+ char* parseValue( char* ptr, FileNode& node, int min_indent, bool is_parent_flow )
+ {
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
++
+ char* endptr = 0;
+ char c = ptr[0], d = ptr[1];
+ int value_type = FileNode::NONE;
+@@ -508,6 +520,8 @@ public:
+
+ *endptr = d;
+ ptr = skipSpaces( endptr, min_indent, INT_MAX );
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
+
+ c = *ptr;
+
+@@ -634,6 +648,8 @@ public:
+ FileNode elem;
+
+ ptr = skipSpaces( ptr, new_min_indent, INT_MAX );
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
+ if( *ptr == '}' || *ptr == ']' )
+ {
+ if( *ptr != d )
+@@ -647,6 +663,8 @@ public:
+ if( *ptr != ',' )
+ CV_PARSE_ERROR_CPP( "Missing , between the elements" );
+ ptr = skipSpaces( ptr + 1, new_min_indent, INT_MAX );
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
+ }
+
+ if( struct_type == FileNode::MAP )
+@@ -746,6 +764,9 @@ public:
+
+ bool parse( char* ptr )
+ {
++ if (!ptr)
++ CV_PARSE_ERROR_CPP("Invalid input");
++
+ bool first = true;
+ bool ok = true;
+ FileNode root_collection(fs->getFS(), 0, 0);
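Review bot: in the persistence_json.cpp hunk at `@@ -381,6 +383,7 @@`, the null case after `fs->bufferStart()` is handled with `CV_Assert(ptr)`, while every other check added by this patch raises `CV_PARSE_ERROR_CPP(...)`. A one-line comment saying why this site asserts instead of reporting a parse error would help. Note also that the persistence_xml.cpp hunk at `@@ -781,6 +798,8 @@` adds the null check directly above `memcmp( ptr, "<?xml", 5 )`, whose own context comment still reads "FIXIT ptr[1..] - out of bounds read without check"; the patch header should not be read as covering that case.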
diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-15939.patch b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-15939.patch
new file mode 100644
index 0000000000..ad61d7c231
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-15939.patch
@@ -0,0 +1,73 @@
+From 384c5fa5f09aec5512343340fe65ccaaf83dfc48 Mon Sep 17 00:00:00 2001
+From: Alexander Alekhin <alexander.alekhin@intel.com>
+Date: Fri, 23 Aug 2019 16:14:53 +0300
+Subject: [PATCH] objdetect: add input check in HOG detector
+
+CVE: CVE-2019-15939
+Upstream-Status: Backport [https://github.com/opencv/opencv/commit/5a497077f109d543ab86dfdf8add1c76c0e47d29.patch]
+Comment: No changes in any hunk
+
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+
+---
+ modules/objdetect/src/hog.cpp | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/modules/objdetect/src/hog.cpp b/modules/objdetect/src/hog.cpp
+index e3e43bb86e..af814658fe 100644
+--- a/modules/objdetect/src/hog.cpp
++++ b/modules/objdetect/src/hog.cpp
+@@ -65,6 +65,7 @@ namespace cv
+
+ static int numPartsWithin(int size, int part_size, int stride)
+ {
++ CV_Assert(stride != 0);
+ return (size - part_size + stride) / stride;
+ }
+
+@@ -77,13 +78,17 @@ static Size numPartsWithin(cv::Size size, cv::Size part_size,
+
+ static size_t getBlockHistogramSize(Size block_size, Size cell_size, int nbins)
+ {
++ CV_Assert(!cell_size.empty());
+ Size cells_per_block = Size(block_size.width / cell_size.width,
+- block_size.height / cell_size.height);
++ block_size.height / cell_size.height);
+ return (size_t)(nbins * cells_per_block.area());
+ }
+
+ size_t HOGDescriptor::getDescriptorSize() const
+ {
++ CV_Assert(!cellSize.empty());
++ CV_Assert(!blockStride.empty());
++
+ CV_Assert(blockSize.width % cellSize.width == 0 &&
+ blockSize.height % cellSize.height == 0);
+ CV_Assert((winSize.width - blockSize.width) % blockStride.width == 0 &&
+@@ -141,20 +146,20 @@ bool HOGDescriptor::read(FileNode& obj)
+ if( !obj.isMap() )
+ return false;
+ FileNodeIterator it = obj["winSize"].begin();
+- it >> winSize.width >> winSize.height;
++ it >> winSize.width >> winSize.height; CV_Assert(!winSize.empty());
+ it = obj["blockSize"].begin();
+- it >> blockSize.width >> blockSize.height;
++ it >> blockSize.width >> blockSize.height; CV_Assert(!blockSize.empty());
+ it = obj["blockStride"].begin();
+- it >> blockStride.width >> blockStride.height;
++ it >> blockStride.width >> blockStride.height; CV_Assert(!blockStride.empty());
+ it = obj["cellSize"].begin();
+- it >> cellSize.width >> cellSize.height;
+- obj["nbins"] >> nbins;
++ it >> cellSize.width >> cellSize.height; CV_Assert(!cellSize.empty());
++ obj["nbins"] >> nbins; CV_Assert(nbins > 0);
+ obj["derivAperture"] >> derivAperture;
+ obj["winSigma"] >> winSigma;
+ obj["histogramNormType"] >> histogramNormType;
+ obj["L2HysThreshold"] >> L2HysThreshold;
+ obj["gammaCorrection"] >> gammaCorrection;
+- obj["nlevels"] >> nlevels;
++ obj["nlevels"] >> nlevels; CV_Assert(nlevels > 0);
+ if (obj["signedGradient"].empty())
+ signedGradient = false;
+ else
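Review bot: in the HOGDescriptor::read() hunk, invalid field values now abort through `CV_Assert(...)`, while a non-map node still returns `false` a few lines above, so one function reports bad input in two different ways. Callers that only test the bool result need to know that read() can now throw. If this is raised upstream, each `CV_Assert` would also read better on its own line rather than appended after the `it >> ...;` statement. Note that `CV_Assert(stride != 0)` in numPartsWithin guards the division only; a negative stride still passes.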
diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-19624.patch b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-19624.patch
new file mode 100644
index 0000000000..3510e1eb98
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/CVE-2019-19624.patch
@@ -0,0 +1,157 @@
+From 34195a57528a3f2c807bc3eeb8c934b8ea8289bd Mon Sep 17 00:00:00 2001
+From: Thang Tran <TranKimThang279@gmail.com>
+Date: Mon, 27 May 2019 08:18:26 +0200
+Subject: [PATCH] video:fixed DISOpticalFlow segfault from small img
+
+CVE: CVE-2019-19624
+Upstream-Status: Backport [https://github.com/opencv/opencv/commit/d1615ba11a93062b1429fce9f0f638d1572d3418.patch]
+Comment: No changes in any hunk
+
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+
+---
+ modules/video/src/dis_flow.cpp | 67 ++++++++++++++++++++++++-
+ modules/video/test/test_OF_accuracy.cpp | 28 +++++++++++
+ 2 files changed, 93 insertions(+), 2 deletions(-)
+
+diff --git a/modules/video/src/dis_flow.cpp b/modules/video/src/dis_flow.cpp
+index b86df1564b..adafcc92d8 100644
+--- a/modules/video/src/dis_flow.cpp
++++ b/modules/video/src/dis_flow.cpp
+@@ -140,6 +140,8 @@ class DISOpticalFlowImpl CV_FINAL : public DISOpticalFlow
+ void prepareBuffers(Mat &I0, Mat &I1, Mat &flow, bool use_flow);
+ void precomputeStructureTensor(Mat &dst_I0xx, Mat &dst_I0yy, Mat &dst_I0xy, Mat &dst_I0x, Mat &dst_I0y, Mat &I0x,
+ Mat &I0y);
++ int autoSelectCoarsestScale(int img_width);
++ void autoSelectPatchSizeAndScales(int img_width);
+
+ struct PatchInverseSearch_ParBody : public ParallelLoopBody
+ {
+@@ -435,6 +437,44 @@ void DISOpticalFlowImpl::precomputeStructureTensor(Mat &dst_I0xx, Mat &dst_I0yy,
+ }
+ }
+
++int DISOpticalFlowImpl::autoSelectCoarsestScale(int img_width)
++{
++ const int fratio = 5;
++ return std::max(0, (int)std::floor(log2((2.0f*(float)img_width) / ((float)fratio * (float)patch_size))));
++}
++
++void DISOpticalFlowImpl::autoSelectPatchSizeAndScales(int img_width)
++{
++ switch (finest_scale)
++ {
++ case 1:
++ patch_size = 8;
++ coarsest_scale = autoSelectCoarsestScale(img_width);
++ finest_scale = std::max(coarsest_scale-2, 0);
++ break;
++
++ case 3:
++ patch_size = 12;
++ coarsest_scale = autoSelectCoarsestScale(img_width);
++ finest_scale = std::max(coarsest_scale-4, 0);
++ break;
++
++ case 4:
++ patch_size = 12;
++ coarsest_scale = autoSelectCoarsestScale(img_width);
++ finest_scale = std::max(coarsest_scale-5, 0);
++ break;
++
++ // default case, fall-through.
++ case 2:
++ default:
++ patch_size = 8;
++ coarsest_scale = autoSelectCoarsestScale(img_width);
++ finest_scale = std::max(coarsest_scale-2, 0);
++ break;
++ }
++}
++
+ DISOpticalFlowImpl::PatchInverseSearch_ParBody::PatchInverseSearch_ParBody(DISOpticalFlowImpl &_dis, int _nstripes,
+ int _hs, Mat &dst_Sx, Mat &dst_Sy,
+ Mat &src_Ux, Mat &src_Uy, Mat &_I0, Mat &_I1,
+@@ -1313,9 +1353,20 @@ bool DISOpticalFlowImpl::ocl_calc(InputArray I0, InputArray I1, InputOutputArray
+ else
+ flow.create(I1Mat.size(), CV_32FC2);
+ UMat &u_flowMat = flow.getUMatRef();
+- coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 * patch_size)) / log(2.0) + 0.5), /* Original code serach for maximal movement of width/4 */
++ coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 * patch_size)) / log(2.0) + 0.5), /* Original code search for maximal movement of width/4 */
+ (int)(log(min(I0Mat.cols, I0Mat.rows) / patch_size) / log(2.0))); /* Deepest pyramid level greater or equal than patch*/
+
++ if (coarsest_scale<0)
++ CV_Error(cv::Error::StsBadSize, "The input image must have either width or height >= 12");
++
++ if (coarsest_scale<finest_scale)
++ {
++ // choose the finest level based on coarsest level.
++ // Refs: https://github.com/tikroeger/OF_DIS/blob/2c9f2a674f3128d3a41c10e41cc9f3a35bb1b523/run_dense.cpp#L239
++ int original_img_width = I0.size().width;
++ autoSelectPatchSizeAndScales(original_img_width);
++ }
++
+ ocl_prepareBuffers(I0Mat, I1Mat, u_flowMat, use_input_flow);
+ u_Ux[coarsest_scale].setTo(0.0f);
+ u_Uy[coarsest_scale].setTo(0.0f);
+@@ -1380,8 +1431,20 @@ void DISOpticalFlowImpl::calc(InputArray I0, InputArray I1, InputOutputArray flo
+ else
+ flow.create(I1Mat.size(), CV_32FC2);
+ Mat flowMat = flow.getMat();
+- coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 * patch_size)) / log(2.0) + 0.5), /* Original code serach for maximal movement of width/4 */
++ coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 * patch_size)) / log(2.0) + 0.5), /* Original code search for maximal movement of width/4 */
+ (int)(log(min(I0Mat.cols, I0Mat.rows) / patch_size) / log(2.0))); /* Deepest pyramid level greater or equal than patch*/
++
++ if (coarsest_scale<0)
++ CV_Error(cv::Error::StsBadSize, "The input image must have either width or height >= 12");
++
++ if (coarsest_scale<finest_scale)
++ {
++ // choose the finest level based on coarsest level.
++ // Refs: https://github.com/tikroeger/OF_DIS/blob/2c9f2a674f3128d3a41c10e41cc9f3a35bb1b523/run_dense.cpp#L239
++ int original_img_width = I0.size().width;
++ autoSelectPatchSizeAndScales(original_img_width);
++ }
++
+ int num_stripes = getNumThreads();
+
+ prepareBuffers(I0Mat, I1Mat, flowMat, use_input_flow);
+diff --git a/modules/video/test/test_OF_accuracy.cpp b/modules/video/test/test_OF_accuracy.cpp
+index affbab6586..b99ffce2a8 100644
+--- a/modules/video/test/test_OF_accuracy.cpp
++++ b/modules/video/test/test_OF_accuracy.cpp
+@@ -121,6 +121,34 @@ TEST(DenseOpticalFlow_DIS, ReferenceAccuracy)
+ }
+ }
+
++TEST(DenseOpticalFlow_DIS, InvalidImgSize_CoarsestLevelLessThanZero)
++{
++ cv::Ptr<cv::DISOpticalFlow> of = cv::DISOpticalFlow::create();
++ const int mat_size = 10;
++
++ cv::Mat x(mat_size, mat_size, CV_8UC1, 42);
++ cv::Mat y(mat_size, mat_size, CV_8UC1, 42);
++ cv::Mat flow;
++
++ ASSERT_THROW(of->calc(x, y, flow), cv::Exception);
++}
++
++// make sure that autoSelectPatchSizeAndScales() works properly.
++TEST(DenseOpticalFlow_DIS, InvalidImgSize_CoarsestLevelLessThanFinestLevel)
++{
++ cv::Ptr<cv::DISOpticalFlow> of = cv::DISOpticalFlow::create();
++ const int mat_size = 80;
++
++ cv::Mat x(mat_size, mat_size, CV_8UC1, 42);
++ cv::Mat y(mat_size, mat_size, CV_8UC1, 42);
++ cv::Mat flow;
++
++ of->calc(x, y, flow);
++
++ ASSERT_EQ(flow.rows, mat_size);
++ ASSERT_EQ(flow.cols, mat_size);
++}
++
+ TEST(DenseOpticalFlow_VariationalRefinement, ReferenceAccuracy)
+ {
+ Mat frame1, frame2, GT;
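Review bot: in both calc() and ocl_calc(), the new `CV_Error(cv::Error::StsBadSize, "The input image must have either width or height >= 12")` hardcodes 12, although the condition `coarsest_scale<0` is computed from `patch_size`, which autoSelectPatchSizeAndScales() sets to 8 or 12. The message should be built from `patch_size` or drop the number. In autoSelectPatchSizeAndScales(), `case 1` and the `case 2` / `default` branch have identical bodies and could share one label group, and the identical ten-line block added to calc() and ocl_calc() could be a single helper. The second new test only asserts the flow dimensions, so it does not confirm which patch size and scales were selected.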
diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/download.patch b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/download.patch
index fa8db88078..ae01a5edcd 100644
--- a/meta-openembedded/meta-oe/recipes-support/opencv/opencv/download.patch
+++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv/download.patch
@@ -1,3 +1,8 @@
+From 3b1a69503dea2075d51655a0cea5369c88a67632 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@intel.com>
+Date: Thu, 9 Jan 2020 16:24:24 +0000
+Subject: [PATCH] opencv: abort configure if we need to download
+
This CMake module will download files during do_configure. This is bad as it
means we can't do offline builds.
@@ -6,6 +11,10 @@ Add an option to disallow downloads by emitting a fatal error.
Upstream-Status: Pending
Signed-off-by: Ross Burton <ross.burton@intel.com>
+---
+ cmake/OpenCVDownload.cmake | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
diff --git a/cmake/OpenCVDownload.cmake b/cmake/OpenCVDownload.cmake
index cdc47ad2cb..74573f45a2 100644
--- a/cmake/OpenCVDownload.cmake
diff --git a/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.1.0.bb b/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
index d781da6005..de708fd06d 100644
--- a/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
+++ b/meta-openembedded/meta-oe/recipes-support/opencv/opencv_4.1.0.bb
@@ -50,6 +50,10 @@ SRC_URI = "git://github.com/opencv/opencv.git;name=opencv \
file://0001-Dont-use-isystem.patch \
file://0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch \
file://download.patch \
+ file://CVE-2019-14491.patch \
+ file://CVE-2019-14493.patch \
+ file://CVE-2019-15939.patch \
+ file://CVE-2019-19624.patch \
"
PV = "4.1.0"
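Review bot: the `file://CVE-2019-14491.patch` entry carries two tags in its header (`CVE: CVE-2019-14491` and `CVE: CVE-2019-14492`), which the SRC_URI list does not show. A short comment beside the entry would let someone auditing the recipe by file name see that CVE-2019-14492 is already covered.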
diff --git a/meta-openembedded/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb b/meta-openembedded/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb
index 9f89bac22a..3f82734acd 100644
--- a/meta-openembedded/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb
+++ b/meta-openembedded/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb
@@ -7,7 +7,7 @@ SECTION = "devel"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
S = "${WORKDIR}/git"
-SRC_URI = "git://github.com/jthornber/thin-provisioning-tools \
+SRC_URI = "git://github.com/jthornber/thin-provisioning-tools;branch=main \
file://0001-do-not-strip-pdata_tools-at-do_install.patch \
file://use-sh-on-path.patch \
"
diff --git a/meta-openembedded/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb b/meta-openembedded/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb
index f5d5debe11..d83a4a20b1 100644
--- a/meta-openembedded/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb
+++ b/meta-openembedded/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb
@@ -19,7 +19,7 @@ RDEPENDS_packagegroup-meta-webserver = "\
"
RDEPENDS_packagegroup-meta-webserver-http = "\
- nginx monkey hiawatha nostromo apache-websocket \
+ nginx monkey hiawatha apache-websocket \
apache2 sthttpd \
${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "cherokee", "", d)} \
"
diff --git a/meta-openembedded/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.7.bb b/meta-openembedded/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.7.bb
index d13ef74feb..deb76ac95c 100644
--- a/meta-openembedded/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.7.bb
+++ b/meta-openembedded/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.7.bb
@@ -62,3 +62,6 @@ pkg_postinst_${PN} () {
fi
fi
}
+
+PNBLACKLIST[nostromo] ?= "Host site for URI is dead"
+EXCLUDE_FROM_WORLD = "1"
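Review bot: the two added lines use different operators, `PNBLACKLIST[nostromo] ?=` (overridable) and `EXCLUDE_FROM_WORLD = "1"` (hard assignment), so a layer that clears the blacklist entry still gets a recipe excluded from world builds. If that is intended, a comment should say so. The reason string "Host site for URI is dead" would be more useful if it named the SRC_URI host that no longer resolves.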