kirkstone: subtree updateskirkstone

meta-raspberrypi: 2a06e4e84b..43683cb14b: Florin Sarbu (1): udev-rules-rpi: Use 99-com.rules directly from upstream meta-openembedded: df452d9d98..f95484417e: Arsalan H. Awan (1): meta-networking/licenses/netperf: remove unused license Bhargav Das (2): tslib: Add native & nativestdk package support pointercal: Add native & nativestdk package support Changqing Li (1): redis: fix do_patch fuzz warning Chee Yang Lee (3): tinyproxy: fix CVE-2022-40468 capnproto: upgrade to 0.9.2 freerdp: fix CVE-2022-39316/39318/39319 Gianluigi Spagnuolo (1): libbpf: add native and nativesdk BBCLASSEXTEND Jasper Orschulko (1): python3-gcovr: Add missing runtime dependency Jonas Gorski (3): frr: Security fix CVE-2022-36440 / CVE-2022-40302 frr: Security fix CVE-2022-40318 frr: Security fix CVE-2022-43681 Khem Raj (1): nodejs: Fix build with gcc13 Martin Jansa (1): abseil-cpp: backport a fix for build with gcc-13 Narpat Mali (3): python3-werkzeug: fix for CVE-2023-25577 python3-django: upgrade 4.0.2 -> 4.2.1 python3-m2crypto: fix for CVE-2020-25657 Natasha Bailey (1): libyang: backport a fix for CVE-2023-26916 Valeria Petrov (1): apache2: upgrade 2.4.56 -> 2.4.57 Xiangyu Chen (3): pahole: fix native package build error Revert "pahole: fix native package build error" libbpf: installing uapi headers for native package poky: 4cc0e9438b..43b94d2b84: Alexander Kanavin (1): dhcpcd: use git instead of tarballs Archana Polampalli (4): nasm: fix CVE-2022-44370 git: fix CVE-2023-29007 git: fix CVE-2023-25652 git: ignore CVE-2023-25815 Arturo Buzarra (1): run-postinsts: Set dependency for ldconfig to avoid boot issues Bhabu Bindu (4): curl: Fix CVE-2023-28319 curl: Fix CVE-2023-28320 curl: Fix CVE-2023-28321 curl: Fix CVE-2023-28322 Bruce Ashfield (9): linux-yocto/5.15: update to v5.15.106 linux-yocto/5.15: update to v5.15.107 linux-yocto/5.15: update to v5.15.108 kernel: improve initramfs bundle processing time linux-yocto/5.10: update to v5.10.176 linux-yocto/5.10: update to v5.10.177 linux-yocto/5.10: update to v5.10.178 linux-yocto/5.10: update to v5.10.179 linux-yocto/5.10: update to v5.10.180 C. Andy Martin (1): systemd-networkd: backport fix for rm unmanaged wifi Christoph Lauer (1): populate_sdk_base: add zip options Daniel Ammann (1): overview-manual: concepts.rst: Fix a typo Deepthi Hemraj (5): glibc: stable 2.35 branch updates. binutils : Fix CVE-2023-25584 binutils : Fix CVE-2023-25585 binutils : Fix CVE-2023-1972 binutils : Fix CVE-2023-25588 Dmitry Baryshkov (1): linux-firmware: upgrade 20230210 -> 20230404 Eero Aaltonen (1): avahi: fix D-Bus introspection Enrico Jörns (1): package_manager/ipk: fix config path generation in _create_custom_config() Hitendra Prajapati (2): connman: fix CVE-2023-28488 DoS in client.c sysstat: Fix CVE-2023-33204 Jan Luebbe (1): p11-kit: add native to BBCLASSEXTEND Joe Slater (1): ghostscript: fix CVE-2023-29979 Kai Kang (1): webkitgtk: fix CVE-2022-32888 & CVE-2022-32923 Khem Raj (2): gcc-runtime: Use static dummy libstdc++ quilt: Fix merge.test race condition Lee Chee Yang (1): migration-guides: add release notes for 4.0.10 Marek Vasut (1): cpio: Fix wrong CRC with ASCII CRC for large files Martin Jansa (3): populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO override llvm: backport a fix for build with gcc-13 kernel-devicetree: make shell scripts posix compliant Martin Siegumfeldt (1): systemd-systemctl: fix instance template WantedBy symlink construction Michael Halstead (2): uninative: Upgrade to 3.10 to support gcc 13 uninative: Upgrade to 4.0 to include latest gcc 13.1.1 Michael Opdenacker (2): conf.py: add macro for Mitre CVE links migration-guides: use new cve_mitre macro Ming Liu (1): weston: add xwayland to DEPENDS for PACKAGECONFIG xwayland Mingli Yu (1): ruby: Fix CVE-2023-28755 Narpat Mali (3): ffmpeg: fix for CVE-2022-48434 python3-cryptography: fix for CVE-2023-23931 python3-requests: fix for CVE-2023-32681 Omkar Patil (1): curl: Correction for CVE-2023-27536 Pablo Saavedra (1): gstreamer1.0: upgrade 1.20.5 -> 1.20.6 Pascal Bach (1): cmake: add CMAKE_SYSROOT to generated toolchain file Peter Bergin (1): update-alternatives.bbclass: fix old override syntax Peter Kjellerstedt (1): license.bbclass: Include LICENSE in the output when it fails to parse Peter Marko (2): libxml2: patch CVE-2023-28484 and CVE-2023-29469 openssl: Upgrade 3.0.8 -> 3.0.9 Piotr Łobacz (1): libarchive: Enable acls, xattr for native as well as target Quentin Schulz (1): Revert "docs: conf.py: fix cve extlinks caption for sphinx <4.0" Randolph Sapp (4): wic/bootimg-efi: if fixed-size is set then use that for mkdosfs kernel-devicetree: allow specification of dtb directory package: enable recursion on file globs kernel-devicetree: recursively search for dtbs Ranjitsinh Rathod (1): libbsd: Add correct license for all packages Richard Purdie (3): maintainers.inc: Fix email address typo maintainers.inc: Move repo to unassigned selftest/reproducible: Allow native/cross reuse in test Riyaz Khan (1): openssh: Remove BSD-4-clause contents completely from codebase Ross Burton (1): xserver-xorg: backport fix for CVE-2023-1393 Sakib Sajal (1): go: fix CVE-2023-24540 Shubham Kulkarni (1): go: Security fix for CVE-2023-24538 Soumya (1): perl: fix CVE-2023-31484 Steve Sakoman (3): Revert "xserver-xorg: backport fix for CVE-2023-1393" poky.conf: bump version for 4.0.10 build-appliance-image: Update to kirkstone head revision Thomas Roos (1): oeqa/utils/metadata.py: Fix running oe-selftest running with no distro set Tom Hochstein (2): piglit: Add PACKAGECONFIG for glx and opencl piglit: Add missing glslang dependencies Upgrade Helper (1): waffle: upgrade 1.7.0 -> 1.7.2 Virendra Thakur (1): qemu: Whitelist CVE-2023-0664 Vivek Kumbhar (3): freetype: fix CVE-2023-2004 integer overflowin in tt_hvadvance_adjust() in src/truetype/ttgxvar.c go: fix CVE-2023-24534 denial of service from excessive memory allocation go: fix CVE-2023-24539 html/template improper sanitization of CSS values Wang Mingyu (2): wpebackend-fdo: upgrade 1.14.0 -> 1.14.2 xserver-xorg: upgrade 21.1.7 -> 21.1.8 Yoann Congal (1): linux-yocto: Exclude 121 CVEs already fixed upstream Yogita Urade (2): xorg-lib-common: Add variable to set tarball type libxpm: upgrade 3.5.13 -> 3.5.15 Zhixiong Chi (1): libpam: Fix the xtests/tst-pam_motd[1|3] failures Zoltan Boszormenyi (1): piglit: Fix build time dependency bkylerussell@gmail.com (1): kernel-devsrc: depend on python3-core instead of python3 leimaohui (1): nghttp2: Deleted the entries for -client and -server, and removed a dependency on them from the main package. meta-security: cc20e2af2a..d398cc6ea6: Armin Kuster (1): apparmor: fix ownership issues Josh Harley (1): Add EROFS support to dm-verity-img class Maciej Borzęcki (1): dm-verity-img.bbclass: add squashfs images Peter Marko (1): tpm2-tss: upgrade to 3.2.2 to fix CVE-2023-22745 Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: I683201033cfd1b1135738f49b0faf6df2e6348b6
author: Patrick Williams <patrick@stwcx.xyz> 2023-06-15 13:43:17 +0300
committer: Patrick Williams <patrick@stwcx.xyz> 2023-06-15 19:22:24 +0300
commit: 91c4060797737f563a7b975d726f2efcb088e45f (patch)
tree: 0b2a543533ec0cf03a47e67056a95b0073b51524 /poky/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch
parent: 821a859c1d68e8cfeea8c50e86f15daa87e71d59 (diff)
download: openbmc-91c4060797737f563a7b975d726f2efcb088e45f.tar.xz
1 files changed, 93 insertions, 0 deletions
diff --git a/poky/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch b/poky/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch
new file mode 100644
index 0000000000..7e6e871e38
--- /dev/null
+++ b/poky/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch
@@ -0,0 +1,93 @@
+From 2305cdb2aa5ac8e9960bd64e548a119c7dd87530 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Tue, 11 Apr 2023 16:27:43 +0100
+Subject: [PATCH] html/template: handle all JS whitespace characters
+
+Rather than just a small set. Character class as defined by \s [0].
+
+Thanks to Juho Nurminen of Mattermost for reporting this.
+
+For #59721
+Fixes  #59813
+Fixes CVE-2023-24540
+
+[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes
+
+Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491355
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+TryBot-Bypass: Carlos Amedee <carlos@golang.org>
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+
+CVE: CVE-2023-24540
+Upstream-Status: Backport [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ src/html/template/js.go      |  8 +++++++-
+ src/html/template/js_test.go | 11 +++++++----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index b888eaf..35994f0 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -13,6 +13,11 @@ import (
+ 	"unicode/utf8"
+ )
+ 
++// jsWhitespace contains all of the JS whitespace characters, as defined
++// by the \s character class.
++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes.
++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff"
++
+ // nextJSCtx returns the context that determines whether a slash after the
+ // given run of tokens starts a regular expression instead of a division
+ // operator: / or /=.
+@@ -26,7 +31,8 @@ import (
+ // JavaScript 2.0 lexical grammar and requires one token of lookbehind:
+ // https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
+ func nextJSCtx(s []byte, preceding jsCtx) jsCtx {
+-	s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029")
++	// Trim all JS whitespace characters
++	s = bytes.TrimRight(s, jsWhitespace)
+ 	if len(s) == 0 {
+ 		return preceding
+ 	}
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index d7ee47b..8f5d76d 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) {
+ 		{jsCtxDivOp, "0"},
+ 		// Dots that are part of a number are div preceders.
+ 		{jsCtxDivOp, "0."},
++		// Some JS interpreters treat NBSP as a normal space, so
++		// we must too in order to properly escape things.
++		{jsCtxRegexp, "=\u00A0"},
+ 	}
+ 
+ 	for _, test := range tests {
+-		if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx {
+-			t.Errorf("want %s got %q", test.jsCtx, test.s)
++		if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx {
++			t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ 		}
+-		if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx {
+-			t.Errorf("want %s got %q", test.jsCtx, test.s)
++		if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx {
++			t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ 		}
+ 	}
+ 
+-- 
+2.40.0
+
author	Patrick Williams <patrick@stwcx.xyz>	2023-06-15 13:43:17 +0300
committer	Patrick Williams <patrick@stwcx.xyz>	2023-06-15 19:22:24 +0300
commit	91c4060797737f563a7b975d726f2efcb088e45f (patch)
tree	0b2a543533ec0cf03a47e67056a95b0073b51524 /poky/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch
parent	821a859c1d68e8cfeea8c50e86f15daa87e71d59 (diff)
download	openbmc-91c4060797737f563a7b975d726f2efcb088e45f.tar.xz