| author | Patrick Williams <patrick@stwcx.xyz> | 2023-05-02 23:26:54 +0300 |
|---|---|---|
| committer | Patrick Williams <patrick@stwcx.xyz> | 2023-05-04 00:04:39 +0300 |
| commit | 821a859c1d68e8cfeea8c50e86f15daa87e71d59 (patch) | |
| tree | 58306112a24fe4a57c66e3d7a324460bbd52c28f /poky/meta/recipes-devtools/python | |
| parent | ce7bef12b17859cef0615675e4ad5f6f4f611384 (diff) | |
| download | openbmc-821a859c1d68e8cfeea8c50e86f15daa87e71d59.tar.xz | |
subtree updates
meta-openembedded: 744a4b6eda..df452d9d98:
Alexander Stein (1):
dool: Add patch to fix rebuild
Alexander Thoma (1):
Fix tigervnc crash due to missing xkbcomp rdepends
Andrej Valek (2):
grpc: upgrade 1.45.2 -> 1.46.6
grpc: upgrade 1.46.6 -> 1.46.7
Archana Polampalli (2):
Nodejs - Upgrade to 16.18.1
Nodejs: Fixed python3 DeprecationWarning
BINDU (1):
flatbuffers: adapt for cross-compilation environments
Carsten Bäcker (1):
spdlog: Fix CMake flag
Changqing Li (12):
zabbix: fix CVE-2022-43515,CVE-2022-46768
redis: 6.2.7 -> 6.2.8
redis: upgrade 7.0.4 to 7.0.5
redis: 7.0.5 -> 7.0.7
liblockfile: fix do_install failure when ldconfig is not installed
postgresql: fix CVE-2022-41862
redis: upgrade 7.0.7 -> 7.0.9
redis: upgrade 6.2.8 -> 6.2.11
zabbix: fix CVE-2023-29451
redis: upgrade 6.2.11 -> 6.2.12
redis: upgrade 7.0.9 -> 7.0.10
redis: upgrade 7.0.10 -> 7.0.11
Chase Qi (1):
kernel-selftest: install kselftest runner
Chee Yang Lee (2):
zsh: Fix CVE-2021-45444
cifs-utils: fix CVE-2022-27239 CVE-2022-29869
Dmitry Baryshkov (1):
nss: fix cross-compilation error
Dragos-Marian Panait (1):
phpmyadmin: fix CVE-2023-25727
Gary Huband (1):
chrony: add pkgconfig class as pkg-config is explicitly searched for
Geoff Parker (1):
python3-pillow: add tk to RDEPENDS ptest pkg only if x11 in DISTRO_FEATURES
He Zhe (2):
protobuf: upgrade 3.19.4 -> 3.19.6
python3-protobuf: upgrade 3.20.0 -> 3.20.3
Hermes Zhang (1):
kernel_add_regdb: Change the task order
Hitendra Prajapati (5):
dhcp: Fix CVE-2022-2928 & CVE-2022-2929
strongswan: CVE-2022-40617 A possible DoS in Using Untrusted URIs for Revocation Checking
nginx: CVE-2022-41741, CVE-2022-41742 Memory corruption in the ngx_http_mp4_module
net-snmp: CVE-2022-44792 & CVE-2022-44793 Fix NULL Pointer Exception
krb5: CVE-2022-42898 integer overflow vulnerabilities in PAC parsing
Howard Cochran (1):
ufw: Fix "could not find required binary 'iptables'"
Joe Slater (1):
phoronix-test-suite: Fix CVE-2022-40704
Khem Raj (6):
mpd: Update to 0.23.8
mpd: Upgrade to 0.23.9
ncmpc: Upgrade to 0.47
mpd: Upgrade to 0.23.12 release
monkey: Fix build with musl
postfix: Fix build on systems with linux 6.x
Manoj Saun (1):
postgresql: fix ptest failure of sysviews test
Marta Rybczynska (1):
jansson: whitelist CVE-2020-36325
Martin Jansa (12):
re2: fix branch name from master to main
exiv2: fix SRC_URI
mdns: use git fetcher
monkey: use git fetcher
jack: fix compatibility with python-3.11
restinio: fix S variable in multilib builds
mongodb: fix chown user for multilib builds
pahole: respect libdir
lvgl,lv-lib-png,lv-drivers: fix installed-vs-shipped QA issue with multilib
lirc: fix do_install with multilib
dleyna-{server,renderer}: fix dev-so QA issue with multilib
zsh: fix installed-vs-shipped with multilib
Mingli Yu (6):
php: Upgrade to 8.1.12
mariadb: do not use qemu to run cross-compiled binaries
mariadb: Upgrade to 10.7.7
php: Upgrade to 8.1.16
mariadb: Upgrade to 10.7.8
mariadb: Fix CVE-2022-47015
Narpat Mali (2):
python3-oauthlib: upgrade 3.2.0 -> 3.2.2
Fix collections.abc deprecation warning in downloadutils Warning appears as:
Neetika Singh (1):
libcroco: Add fix for CVE-2020-12825
Nikhil R (1):
duktape: Add ptest
Niko Mauno (2):
nftables: Fix missing leading whitespace with ':append'
Fix missing leading whitespace with ':append'
Peter Kjellerstedt (2):
chrony: Remove the readline PACKAGECONFIG
chrony: Remove the libcap and nss PACKAGECONFIGs
Peter Marko (3):
ntp: whitelist CVE-2019-11331
c-ares: fix CVE-2022-4904
dnsmasq: fix CVE-2023-28450
Philippe Coval (1):
pim435: Relocate sources to eclipse
Polampalli, Archana (2):
xfce4-settings: 4.16.2 -> 4.16.5
nodejs: Upgrade 16.19.0 -> 16.19.1
Preeti Sachan (1):
fluidsynth: update SRC_URI to remove non-existing 2.2.x branch
Randy MacLeod (2):
python3-pillow: add ptest support
python3-pillow: Add distutils, unixadmin for ptest
S. Lockwood-Childs (1):
multipath-tools: fix QA "dev-so" regression
Siddharth Doshi (1):
xterm: Fix CVE-2022-45063 code execution via OSC 50 input sequences
Tim Orling (1):
nodejs: upgrade 16.18.1 -> 16.19.0
Tom Hochstein (1):
nlohmann-json: Allow empty main package for SDK
Urade, Yogita (3):
multipath-tools: fix CVE-2022-41974
poppler: fix CVE-2021-30860
dlt-daemon: fix CVE-2023-26257
Wang Mingyu (5):
python3-pillow: upgrade 9.2.0 -> 9.3.0
python3-pillow: upgrade 9.3.0 -> 9.4.0
apache2: upgrade 2.4.54 -> 2.4.55
apache2: upgrade 2.4.55 -> 2.4.56
openwsman: Change download branch from master to main.
Xu Huan (1):
python3-pillow: upgrade 9.0.1 -> 9.1.1
Yi Zhao (5):
postfix: upgrade 3.6.5 -> 3.6.7
freeradius: Security fixes for CVE-2022-41860 CVE-2022-41861
frr: Security fix for CVE-2022-42917
apache2: use /run instead of /var/run for systemd volatile config
mbedtls: upgrade 2.28.0 -> 2.28.2
Yogita Urade (2):
multipath-tools: fix CVE-2022-41973
syslog-ng: fix CVE-2022-38725
Zheng Qiu (1):
redis: build with USE_SYSTEMD=yes when systemd is enabled
wangmy (1):
libcrypt-openssl-rsa-perl: upgrade 0.32 -> 0.33
zhengruoqin (1):
python3-pillow: upgrade 9.1.1 -> 9.2.0
meta-raspberrypi: dacad9302a..2a06e4e84b:
Zachary T Welch (1):
machines: simplify MACHINEOVERRIDES definitions
meta-security: c79262a30b..cc20e2af2a:
Armin Kuster (2):
oeqa/tpm2: fix and cleanup tests
oeqa: meta-tpm shut swtpm down before and after testing
poky: eaf8ce9d39..4cc0e9438b:
Adrian Freihofer (1):
own-mirrors: add crate
Alejandro Hernandez Samaniego (2):
baremetal-image: Avoid overriding qemu variables from IMAGE_CLASSES
testimage: Fix error message to reflect new syntax
Alex Kiernan (3):
u-boot: Remove duplicate inherit of cml1
cargo_common.bbclass: Fix typos
classes: image: Set empty weak default IMAGE_LINGUAS
Alex Stewart (1):
lsof: add update-alternatives logic
Alexander Kanavin (49):
local.conf.sample: correct the location of public hashserv
lttng-modules: upgrade 2.13.4 -> 2.13.5
quilt: backport a patch to address grep 3.8 failures
lttng-tools: submit determinism.patch upstream
groff: submit patches upstream
tcl: correct patch status
kea: submit patch upstream
ovmf: correct patches status
libffi: submit patch upstream
linux-firmware: upgrade 20220913 -> 20221012
xwayland: upgrade 22.1.3 -> 22.1.4
libffi: upgrade 3.4.2 -> 3.4.4
libical: upgrade 3.0.15 -> 3.0.16
mtd-utils: upgrade 2.1.4 -> 2.1.5
gdk-pixbuf: upgrade 2.42.9 -> 2.42.10
gstreamer1.0: upgrade 1.20.3 -> 1.20.4
libepoxy: convert to git
libepoxy: update 1.5.9 -> 1.5.10
vala: install vapigen-wrapper into /usr/bin/crosscripts and stage only that
gnomebase.bbclass: return the whole version for tarball directory if it is a number
libnewt: update 0.52.21 -> 0.52.23
ruby: merge .inc into .bb
ruby: update 3.1.2 -> 3.1.3
tzdata: update 2022d -> 2022g
devtool/upgrade: correctly handle recipes where S is a subdir of upstream tree
libarchive: upgrade 3.6.1 -> 3.6.2
devtool: process local files only for the main branch
libksba: update 1.6.2 -> 1.6.3
linux-firmware: upgrade 20221109 -> 20221214
xwayland: upgrade 22.1.5 -> 22.1.7
xserver-xorg: upgrade 21.1.4 -> 21.1.6
selftest/virgl: use pkg-config from the host
vulkan-samples: branch rename master -> main
gdk-pixbuf: do not use tools from gdk-pixbuf-native when building tests
oeqa/qemurunner: do not use Popen.poll() when terminating runqemu with a signal
diffutils: update 3.8 -> 3.9
lttng-tools: update 2.13.8 -> 2.13.9
apr: update 1.7.0 -> 1.7.2
apr-util: update 1.6.1 -> 1.6.3
bind: upgrade 9.18.10 -> 9.18.11
libjpeg-turbo: upgrade 2.1.4 -> 2.1.5
linux-firmware: upgrade 20221214 -> 20230117
sudo: upgrade 1.9.12p1 -> 1.9.12p2
vim: update 9.0.1211 -> 9.0.1293 to resolve open CVEs
dbus: upgrade 1.14.4 -> 1.14.6
linux-firmware: upgrade 20230117 -> 20230210
wireless-regdb: upgrade 2022.08.12 -> 2023.02.13
devtool/upgrade: do not delete the workspace/recipes directory
patchelf: replace a rejected patch with an equivalent uninative.bbclass tweak
Alexandre Belloni (1):
oeqa/selftest/bbtests: Update message lookup for test_git_unpack_nonetwork_fail
Alexey Smirnov (1):
classes: make TOOLCHAIN more permissive for kernel
Alexis Lothoré (1):
oeqa/selftest/resulttooltests: fix minor typo
Antonin Godard (2):
busybox: always start do_compile with orig config files
busybox: rm temporary files if do_compile was interrupted
Armin Kuster (1):
lttng-modules: Fix for 5.10.163 kernel version
Arnout Vandecappelle (1):
python3-pytest: depend on python3-tomli instead of python3-toml
Bartosz Golaszewski (1):
bluez5: add dbus to RDEPENDS
Benoît Mauduit (1):
lib/oe/reproducible: Use git log without gpg signature
Bernhard Rosenkränzer (1):
cmake-native: Fix host tool contamination (Bug: 14951)
Bhabu Bindu (5):
qemu: Fix CVE-2021-3611
curl: Fix CVE-2022-32221
curl: Fix CVE-2022-42916
curl: Fix CVE-2022-42915
qemu: Fix CVE-2022-4144
Bruce Ashfield (34):
linux-yocto/5.10: update to v5.10.147
linux-yocto/5.10: update to v5.10.149
linux-yocto/5.15: update to v5.15.72
kern-tools: fix relative path processing
linux-yocto/5.15: update to v5.15.74
linux-yocto/5.15: update to v5.15.76
linux-yocto/5.15: update to v5.15.78
linux-yocto/5.15: fix CONFIG_CRYPTO_CCM mismatch warnings
kern-tools: integrate ZFS speedup patch
linux-yocto/5.10: update to v5.10.152
linux-yocto/5.10: update to v5.10.154
linux-yocto/5.10: update to v5.10.160
linux-yocto/5.15: ltp and squashfs fixes
linux-yocto/5.15: fix perf build with clang
linux-yocto/5.15: libbpf: Fix build warning on ref_ctr_off
linux-yocto/5.15: update to v5.15.84
linux-yocto/5.15: powerpc: Fix reschedule bug in KUAP-unlocked user copy
linux-yocto/5.15: update to v5.15.87
linux-yocto/5.15: update to v5.15.89
linux-yocto/5.15: update to v5.15.91
lttng-modules: fix for kernel 6.2+
linux-yocto/5.15: update to v5.15.94
linux-yocto/5.15: update to v5.15.96
linux-yocto-rt/5.15: update to -rt59
linux-yocto/5.10: update to v5.10.162
linux-yocto/5.10: update to v5.10.164
linux-yocto/5.10: update to v5.10.166
linux-yocto/5.10: update to v5.10.168
linux-yocto/5.10: update to v5.10.170
linux-yocto/5.10: update to v5.10.172
linux-yocto/5.10: update to v5.10.175
lttng-modules: update to v2.13.9
linux-yocto/5.15: update to v5.15.98
linux-yocto/5.15: update to v5.15.103
Carlos Alberto Lopez Perez (1):
xwayland: libxshmfence is needed when dri3 is enabled
Changqing Li (3):
base.bbclass: Fix way to check ccache path
apt: fix do_package_qa failure
libsdl2: fix CVE-2022-4743
Chee Yang Lee (4):
dropbear: fix CVE-2021-36369
git: upgrade to 2.35.6
tiff: fix multiple CVEs
git: ignore CVE-2023-22743
Chen Qi (10):
image_types_wic.bbclass: fix cross binutils dependency
openssl: export necessary env vars in SDK
kernel.bbclass: make KERNEL_DEBUG_TIMESTAMPS work at rebuild
resolvconf: make it work
dhcpcd: fix to work with systemd
psplash: consider the situation of psplash not exist for systemd
bc: extend to nativesdk
rm_work: adjust dependency to make do_rm_work_all depend on do_rm_work
dhcpcd: backport two patches to fix runtime error
libseccomp: fix typo in DESCRIPTION
Christian Eggers (1):
linux-firmware: split rtl8761 firmware
Claus Stovgaard (1):
gstreamer1.0-libav: fix errors with ffmpeg 5.x
Daniel Gomez (1):
gtk-icon-cache: Fix GTKIC_CMD if-else condition
Diego Sueiro (1):
kernel.bbclass: Include randstruct seed assets in STAGING_KERNEL_BUILDDIR
Dmitry Baryshkov (4):
linux-firmware: upgrade 20221012 -> 20221109
linux-firmware: add new fw file to ${PN}-qcom-adreno-a530
linux-firmware: properly set license for all Qualcomm firmware
linux-firmware: add yamato fw files to qcom-adreno-a2xx package
Ed Tanous (1):
openssl: Upgrade 3.0.5 -> 3.0.7
Enrico Jörns (1):
sstatesig: emit more helpful error message when not finding sstate manifest
Etienne Cordonnier (2):
mirrors.bbclass: use shallow tarball for binutils-native
bitbake: siggen: Fix inefficient string concatenation
Federico Pellegrin (1):
curl: fix dependencies when building with ldap/ldaps
Florin Diaconescu (1):
python3: upgrade 3.10.8 -> 3.10.9
Frank de Brabander (2):
cve-update-db-native: add timeout to urlopen() calls
bitbake: bin/utils: Ensure locale en_US.UTF-8 is available on the system
Geoffrey GIRY (1):
cve-check: Fix false negative version issue
Harald Seiler (2):
opkg: Set correct info_dir and status_file in opkg.conf
bootchart2: Fix usrmerge support
He Zhe (3):
lttng-tools: Upgrade 2.13.4 -> 2.13.8
lttng-modules: Fix crash on powerpc64
lttng-modules: update 2.13.7 -> 2.13.8
Hitendra Prajapati (14):
openssl: CVE-2022-3358 Using a Custom Cipher with NID_undef may lead to NULL encryption
QEMU: CVE-2022-3165 VNC: integer underflow in vnc_client_cut_text_ext leads to CPU exhaustion
systemd: CVE-2022-3821 Fix buffer overrun
libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c
golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps
libxml2: Fix CVE-2022-40303 && CVE-2022-40304
libX11: CVE-2022-3554 & CVE-2022-3555 Fix memory leak
systemd: CVE-2022-45873 deadlock in systemd-coredump via a crash with a long backtrace
go: fix CVE-2022-41717 Excessive memory use in go server
less: backport the fix for CVE-2022-46663
curl: CVE-2023-27533 TELNET option IAC injection
curl: CVE-2023-27534 SFTP path resolving discrepancy
ruby: CVE-2023-28756 ReDoS vulnerability in Time
screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs
Hongxu Jia (1):
pkgconf: fix CVE-2023-24056
Jagadeesh Krishnanjanappa (1):
qemuboot.bbclass: make sure runqemu boots bundled initramfs kernel image
Jan Kircher (1):
toolchain-scripts: compatibility with unbound variable protection
Jan-Simon Moeller (1):
buildtools-tarball: export certificates to python and curl
Jeremy Puhlman (1):
qemu-native: Add PACKAGECONFIG option for jack
Jermain Horsman (1):
cve-check: write the cve manifest to IMGDEPLOYDIR
Joe Slater (4):
python3: advance to version 3.10.8
nghttp2: never build python bindings
python3: fix CVE-2023-24329
go: fix CVE-2022-41724, 41725
John Edward Broadbent (1):
externalsrc: git submodule--helper list unsupported
Jose Quaresma (7):
kernel-yocto: improve fatal error messages of symbol_why.py
archiver: avoid using machine variable as it breaks multiconfig
sstatesig: skip the rm_work task signature
rm_work: exclude the SSTATETASKS from the rm_work tasks signature
sstate: Allow optimisation of do_deploy_archives task dependencies
Revert "gstreamer1.0: disable flaky gstbin:test_watch_for_state_change test"
gstreamer1.0: Fix race conditions in gstbin tests
Joshua Watt (6):
runqemu: Do not perturb script environment
runqemu: Fix gl-es argument from causing other arguments to be ignored
qemu-helper-native: Re-write bridge helper as C program
qemu-helper-native: Correctly pass program name as argv[0]
scripts: convert-overrides: Allow command-line customizations
classes/create-spdx: Add SPDX_PRETTY option
KARN JYE LAU (1):
freetype: update mirror site.
Kai Kang (5):
libuv: fixup SRC_URI
webkitgtk: 2.36.7 -> 2.36.8
qemu: fix compile error
xserver-xorg: 21.1.6 -> 21.1.7
python3-git: fix indent error
Keiya Nobuta (2):
gnutls: Unified package names to lower-case
create-spdx: Remove ";name=..." for downloadLocation
Kenfe-Mickael Laventure (3):
buildtools-tarball: Handle spaces within user $PATH
toolchain-scripts: Handle spaces within user $PATH
populate_sdk_ext: Handle spaces within user $PATH
Khem Raj (10):
perf: Depend on native setuptools3
tiff: Add packageconfig knob for webp
libtirpc: Check if file exists before operating on it
libusb1: Link with latomic only if compiler has no atomic builtins
libusb1: Strip trailing whitespaces
scons: Pass MAXLINELENGTH to scons invocation
scons.bbclass: Make MAXLINELENGTH overridable
systemd.bbclass: Add /usr/lib/systemd to searchpaths as well
rsync: Add missing prototypes to function declarations
rsync: Turn on -pedantic-errors at the end of 'configure'
Konrad Weihmann (1):
create-spdx: default share_src for shared sources
Lee Chee Yang (2):
migration-guides: add release-notes for 4.0.7
migration-guides: add release-notes for 4.0.9
Leon Anavi (1):
get_module_deps3.py: Check attribute '__file__'
Liam Beguin (1):
meson: make wrapper options sub-command specific
Louis Rannou (1):
oeqa/selftest/locales: Add selftest for locale generation/presence
Luis (1):
rm_work.bbclass: use HOSTTOOLS 'rm' binary exclusively
Marek Vasut (3):
bluez5: Point hciattach bcm43xx firmware search path to /lib/firmware
bitbake: fetch2/git: Prevent git fetcher from fetching gitlab repository metadata
bitbake: fetch2/git: Clarify the meaning of namespace
Marius Kriegerowski (1):
bitbake: bitbake-diffsigs: Make PEP8 compliant
Mark Hatle (3):
insane.bbclass: Allow hashlib version that only accepts one parameter
bitbake: utils/ply: Update md5 to better report errors with hashlib
openssl: Move microblaze to linux-latomic config
Marta Rybczynska (2):
efibootmgr: update compilation with musl
cve-update-db-native: avoid incomplete updates
Martin Jansa (15):
vulkan-samples: add lfs=0 to SRC_URI to avoid git smudge errors in do_unpack
externalsrc.bbclass: fix git repo detection
libsndfile1: Backport fix for CVE-2021-4156
tiff: refresh with devtool
tiff: add CVE tag to b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
libxml2: fix test data checksums
systemd: backport another change from v252 to fix build with CVE-2022-45873.patch
ffmpeg: refresh patches to apply cleanly
meta: remove True option to getVar and getVarFlag calls (again)
bitbake: fetch2/git: show SRCREV and git repo in error message about fixed SRCREV
timezone: use 'tz' subdir instead of ${WORKDIR} directly
tzdata: use separate B instead of WORKDIR for zic output
tzcode-native: fix build with gcc-13 on host
selftest: devtool: set BB_HASHSERVE_UPSTREAM when setting SSTATE_MIRROR
bmap-tools: switch to main branch
Mateusz Marciniec (1):
sstatesig: Improve output hash calculation
Mathieu Dubois-Briand (1):
dbus: Add missing CVE product name
Mauro Queiros (1):
image.bbclass: print all QA functions exceptions
Michael Halstead (4):
uninative: Upgrade to 3.7 to work with glibc 2.36
selftest/runtime_test/virgl: Disable for all Rocky Linux
uninative: Upgrade to 3.8.1 to include libgcc
uninative: Upgrade to 3.9 to include glibc 2.37
Michael Opdenacker (11):
create-spdx.bbclass: remove unused SPDX_INCLUDE_PACKAGED
SPDX and CVE documentation updates
manuals: add 4.0.5 and 4.0.6 release notes
manuals: document SPDX_PRETTY variable
dev-manual: fix old override syntax
ref-manual: document SSTATE_EXCLUDEDEPS_SYSROOT
profile-manual: update WireShark hyperlinks
bsp-guide: fix broken git URLs and missing word
manuals: update patchwork instance URL
dev-manual: common-tasks.rst: add link to FOSDEM 2023 video
migration-guides: add 4.0.8 release notes
Mikko Rapeli (11):
common-tasks.rst: fix oeqa runtime test path
oeqa context.py: fix --target-ip comment to include ssh port number
oeqa ssh.py: move output prints to new line
oeqa ssh.py: add connection keep alive options to ssh client
oeqa dump.py: add error counter and stop after 5 failures
oeqa qemurunner: read more data at a time from serial
oeqa qemurunner.py: add timeout to QMP calls
oeqa qemurunner.py: try to avoid reading one character at a time
oeqa ssh.py: fix hangs in run()
runqemu: kill qemu if it hangs
oeqa rtc.py: skip if read-only-rootfs
Ming Liu (1):
linux: inherit pkgconfig in kernel.bbclass
Mingli Yu (4):
glslang: branch rename master -> main
mdadm: Fix testcase 06wrmostly
mdadm: fix tests/02lineargrow
mdadm: Fix raid0 tests
Narpat Mali (12):
wayland: fix CVE-2021-3782
python3-mako: backport fix for CVE-2022-40023
ffmpeg: fix for CVE-2022-3964
ffmpeg: fix for CVE-2022-3965
ffmpeg: fix for CVE-2022-3109
python3-setuptools: fix for CVE-2022-40897
python3-wheel: fix for CVE-2022-40898
python3-git: fix for CVE-2022-24439
ffmpeg: fix for CVE-2022-3341
python3-certifi: fix for CVE-2022-23491
libseccomp: fix for the ptest result format
libmicrohttpd: upgrade 0.9.75 -> 0.9.76
Nathan Rossi (4):
oeqa/selftest/lic_checksum: Cleanup changes to emptytest include
oeqa/selftest/minidebuginfo: Create selftest for minidebuginfo
glibc-locale: Do not INHIBIT_DEFAULT_DEPS
package: Fix handling of minidebuginfo with newer binutils
Niko Mauno (2):
systemd: Consider PACKAGECONFIG in RRECOMMENDS
Fix missing leading whitespace with ':append'
Ovidiu Panait (1):
kernel.bbclass: remove empty module directories to prevent QA issues
Pavel Zhukov (4):
bitbake: gitsm: Fix regression in gitsm submodule path parsing
oeqa/rpm.py: Increase timeout and add debug output
gcc: Refactor linker patches and fix linker on arm with usrmerge
wic: Fix usage of fstype=none in wic
Pawan Badganchi (2):
curl: Add fix for CVE-2023-23914, CVE-2023-23915
tiff: Add fix for CVE-2022-4645
Pawel Zalewski (1):
classes/fs-uuid: Fix command output decoding issue
Peter Kjellerstedt (2):
externalsrc.bbclass: Remove a trailing slash from ${B}
devshell: Do not add scripts/git-intercept to PATH
Peter Marko (9):
systemd: add group render to udev package
meta-selftest/staticids: add render group for systemd
externalsrc: fix lookup for .gitmodules
oeqa/selftest/externalsrc: add test for srctree_hash_files
systemd: add group sgx to udev package
systemd: fix CVE-2022-4415
gcc-shared-source: do not use ${S}/.. in deploy_source_date_epoch
package.bbclass: correct check for /build in copydebugsources()
go: ignore CVE-2022-41716
Petr Kubizňák (1):
harfbuzz: remove bindir only if it exists
Piotr Łobacz (1):
systemd: fix wrong nobody-group assignment
Polampalli, Archana (1):
libpam: fix CVE-2022-28321
Poonam (1):
python3-setuptools-rust-native: Add direct dependency of native python3 modules
Qiu, Zheng (3):
tiff: Security fix for CVE-2022-3970
vim: upgrade 9.0.0820 -> 9.0.0947
valgrind: remove most hidden tests for arm64
Quentin Schulz (4):
cairo: update patch for CVE-2019-6461 with upstream solution
docs: migration-4.0: specify variable name change for kernel inclusion in image recipe
docs: kernel-dev: faq: update tip on how to not include kernel in image
cairo: fix CVE patches assigned wrong CVE number
Randy MacLeod (3):
valgrind: skip the boost_thread test on arm
vim: upgrade 9.0.0947 -> 9.0.1211
vim: upgrade 9.0.1403 -> 9.0.1429
Ranjitsinh Rathod (3):
curl: Correct LICENSE from MIT-open-group to curl
curl: Add patch to fix CVE-2022-43551
curl: Add patch to fix CVE-2022-43552
Ravula Adhitya Siddartha (2):
linux-yocto/5.10: update genericx86* machines to v5.10.149
linux-yocto/5.15: update genericx86* machines to v5.15.72
Richard Purdie (35):
bitbake: tests/fetch: Allow handling of a file:// url within a submodule
build-appliance-image: Update to kirkstone head revision
openssl: Fix SSL_CERT_FILE to match ca-certs location
numactl: upgrade 2.0.14 -> 2.0.15
bitbake: runqueue: Fix race issues around hash equivalence and sstate reuse
lttng-modules: upgrade 2.13.5 -> 2.13.7
bitbake.conf: Drop export of SOURCE_DATE_EPOCH_FALLBACK
gcc-shared-source: Fix source date epoch handling
gcc-source: Fix gengtypes race
gcc-source: Drop gengtype manipulation
gcc-source: Ensure deploy_source_date_epoch sstate hash doesn't change
sanity: Drop data finalize call
oeqa/selftest/tinfoil: Add test for separate config_data with recipe_parse_file()
build-appliance-image: Update to kirkstone head revision
yocto-check-layer: Allow OE-Core to be tested
oeqa/concurrencytest: Add number of failures to summary output
build-appliance-image: Update to kirkstone head revision
native: Drop special variable handling
kernel/linux-kernel-base: Fix kernel build artefact determinism issues
make-mod-scripts: Ensure kernel build output is deterministic
libc-locale: Fix on target locale generation
build-appliance-image: Update to kirkstone head revision
libssh2: Clean up ptest patch/coverage
bitbake: utils: Allow to_boolean to support int values
bitbake: cookerdata: Remove incorrect SystemExit usage
bitbake: cookerdata: Improve early exception handling
bitbake: cookerdata: Drop dubious exception handling code
binutils: Fix nativesdk ld.so search
oeqa/selftest/prservice: Improve debug output for failure
staging: Separate out different multiconfig manifests
staging/multilib: Fix manifest corruption
glibc: Add missing binutils dependency
selftest/recipetool: Stop test corrupting tinfoil class
base-files: Drop localhost.localdomain from hosts file
pybootchartui: Fix python syntax issue
Robert Andersson (1):
go-crosssdk: avoid host contamination by GOCACHE
Robert Yang (1):
bitbake: fetch/git: Fix local clone url to make it work with repo
Rodolfo Quesada Zumbado (1):
tar: CVE-2022-48303
Romuald Jeanne (1):
image_types: fix multiubi var init
Ross Burton (37):
qemu: fix CVE-2022-2962
lighttpd: fix CVE-2022-41556
expat: backport the fix for CVE-2022-43680
scripts/oe-check-sstate: cleanup
scripts/oe-check-sstate: force build to run for all targets, specifically populate_sysroot
opkg-utils: use a git clone, not a dynamic snapshot
oe/packagemanager/rpm: don't leak file objects
glib-2.0: fix rare GFileInfo test case failure
pixman: backport fix for CVE-2022-44638
sanity: check for GNU tar specifically
qemu: add io_uring PACKAGECONFIG
expat: upgrade to 2.5.0
linux-firmware: don't put the firmware into the sysroot
tiff: fix a number of CVEs
xserver-xorg: backport fixes for CVE-2022-3550 and CVE-2022-3551
lib/buildstats: fix parsing of trees with reduced_proc_pressure directories
combo-layer: remove unused import
combo-layer: dont use bb.utils.rename
combo-layer: add sync-revs command
libepoxy: remove upstreamed patch
cve-update-db-native: show IP on failure
bitbake: bb/utils: include SSL certificate paths in export_proxies
ppp: backport fix for CVE-2022-4603
quilt: fix intermittent failure in faildiff.test
spirv-headers: set correct branch name
quilt: use upstreamed faildiff.test fix
git: ignore CVE-2022-41953
buildtools-tarball: set pkg-config search path
sdkext/cases/devtool: pass a logger to HTTPService
httpserver: add error handler that write to the logger
lib/buildstats: handle tasks that never finished
shadow: ignore CVE-2016-15024
vim: add missing pkgconfig inherit
vim: upgrade to 9.0.1403
vim: set modified-by to the recipe MAINTAINER
lib/resulttool: fix typo breaking resulttool log --ptest
scripts/lib/buildstats: handle top-level build_stats not being complete
Sakib Sajal (3):
go: fix CVE-2022-2880
git: upgrade 2.35.6 -> 2.35.7
go: fix CVE-2022-2879 and CVE-2022-41720
Sandeep Gundlupet Raju (2):
kernel-fitimage: Adjust order of dtb/dtbo files
kernel-fitimage: Allow user to select dtb when multiple dtb exists
Saul Wold (3):
at: Change when files are copied
package.bbclass: Add check for /build in copydebugsources()
busybox: Fix depmod patch
Schmidt, Adriaan (1):
bitbake: bitbake-diffsigs: break on first dependent task difference
Sean Anderson (2):
kernel: Clear SYSROOT_DIRS instead of replacing sysroot_stage_all
uboot-sign: Fix using wrong KEY_REQ_ARGS
Sergei Zhmylev (2):
wic: honor the SOURCE_DATE_EPOCH in case of updated fstab
wic: make ext2/3/4 images reproducible
Shubham Kulkarni (3):
glibc: Security fix for CVE-2023-0687
go-runtime: Security fix for CVE-2022-41723
go-runtime: Security fix for CVE-2022-41722
Siddharth Doshi (5):
openssl: Upgrade 3.0.7 -> 3.0.8
epiphany: Security fix for CVE-2023-26081
harfbuzz: Security fix for CVE-2023-25193
openssl: Security fix for CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538
Simone Weiss (1):
json-c: Add ptest for json-c
Steve Sakoman (12):
Revert "lttng-tools: Upgrade 2.13.4 -> 2.13.8"
poky.conf: bump version for 4.0.5
Revert "expat: backport the fix for CVE-2022-43680"
poky.conf: bump version for 4.0.6
Revert "libksba: fix CVE-2022-47629"
poky.conf: bump version for 4.0.7
poky.conf: Update SANITY_TESTED_DISTROS to match autobuilder
system-requirements.rst: add Fedora 36 and AlmaLinux 8.7 to list of supported distros
libgit2: upgrade 1.4.3 -> 1.4.4
libgit2: upgrade 1.4.4 -> 1.4.5
poky.conf: bump version for 4.0.8
poky.conf: bump version for 4.0.9
Sundeep KOKKONDA (1):
cargo: non-vulnerable CVE-2022-46176 added to excluded list
Teoh Jay Shen (2):
tiff: Security fixes CVE-2022-2867,CVE-2022-2868 and CVE-2022-2869
vim: Upgrade 9.0.0598 -> 9.0.0614
Thomas Perrot (2):
psplash: add psplash-default in rdepends
xserver-xorg: move some recommended dependencies in required
Thomas Roos (1):
devtool: fix devtool finish when gitmodules file is empty
Tim Orling (5):
python3: upgrade 3.10.4 -> 3.10.7
git: upgrade 2.35.4 -> 2.35.5
vim: upgrade 9.0.0614 -> 9.0.0820
mirrors.bbclass: update CPAN_MIRROR
cracklib: update github branch to 'main'
Tom Hochstein (2):
meson: Fix wrapper handling of implicit setup command
oeqa/sdk: Improve Meson test
Trevor Woerner (3):
cups: use BUILDROOT instead of DESTDIR
cups: check PACKAGECONFIG for pam feature
cups: add/fix web interface packaging
Ulrich Ölmann (4):
recipe_sanity: fix old override syntax
lsof: fix old override syntax
update-alternatives: fix typos
kernel-yocto: fix kernel-meta data detection
Vincent Davis Jr (1):
linux-firmware: package amdgpu firmware
Virendra Thakur (1):
qemu: Fix CVE-2021-3750 for qemu
Vivek Kumbhar (5):
python3: fix CVE-2022-42919 local privilege escalation via the multiprocessing forkserver start method
sqlite: fix CVE-2022-46908 safe mode authorizer callback allows disallowed UDFs.
openssl: fix CVE-2022-3996 double locking leads to denial of service
gnutls: fix CVE-2023-0361 timing side-channel in the TLS RSA key exchange code
go: fix CVE-2023-24537 Infinite loop in parsing
Vyacheslav Yurkov (3):
files: overlayfs-etc: refactor preinit template
classes: files: Extend overlayfs-etc class
overlayfs: Allow not used mount points
Wang Mingyu (19):
bind: upgrade 9.18.7 -> 9.18.8
socat: upgrade 1.7.4.3 -> 1.7.4.4
libxcrypt: upgrade 4.4.28 -> 4.4.30
xwayland: upgrade 22.1.4 -> 22.1.5
mobile-broadband-provider-info: upgrade 20220725 -> 20221107
babeltrace: upgrade 1.5.8 -> 1.5.11
iso-codes: upgrade 4.11.0 -> 4.12.0
bind: upgrade 9.18.8 -> 9.18.9
mpfr: upgrade 4.1.0 -> 4.1.1
libxcrypt-compat: upgrade 4.4.30 -> 4.4.33
libpng: upgrade 1.6.38 -> 1.6.39
gstreamer1.0: upgrade 1.20.4 -> 1.20.5
bind: upgrade 9.18.9 -> 9.18.10
libjpeg-turbo: upgrade 2.1.5 -> 2.1.5.1
xwayland: upgrade 22.1.7 -> 22.1.8
iso-codes: upgrade 4.12.0 -> 4.13.0
lua: Fix install conflict when enabling multilib.
vala: Fix install conflict when enabling multilib.
dhcpcd: Fix install conflict when enabling multilib.
Xiangyu Chen (18):
qemu: Backport patches from upstream to support float128 on qemu-ppc64
linux-yocto-dev: add qemuarm64
ltp: backport clock_gettime04 fix from upstream
dbus: fix CVE-2022-42010 Check brackets in signature nest correctly
dbus: fix CVE-2022-42011 dbus-daemon can be crashed by messages with array length inconsistent with element type
dbus: fix CVE-2022-42012 dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
lttng-tools: Upgrade 2.13.4 -> 2.13.8
sudo: upgrade 1.9.10 -> sudo 1.9.12p1
bash: backport patch to fix CVE-2022-3715
grub2: backport patch to fix CVE-2022-2601 CVE-2022-3775
dbus: upgrade 1.14.0 -> 1.14.4
sysstat: fix CVE-2022-39377
grub: backport patches to fix CVE-2022-28736
openssh: remove RRECOMMENDS to rng-tools for sshd package
numactl: skip test case when target platform doesn't have 2 CPU nodes
dhcpcd: fix dhcpcd start failure on qemuppc64
sudo: update 1.9.12p2 -> 1.9.13p3
shadow: backport patch to fix CVE-2023-29383
Yash Shinde (5):
binutils: stable 2.38 branch updates
glibc: stable 2.35 branch updates.
glibc: stable 2.35 branch updates.
binutils: Fix CVE-2023-22608
binutils: Fix CVE-2023-1579
Yash.Shinde@windriver.com (1):
binutils: Fix CVE-2022-4285
Yogita Urade (1):
libksba: fix CVE-2022-47629
Zheng Qiu (1):
tiff: fix CVE-2022-2953
ciarancourtney (1):
wic: swap partitions are not added to fstab
pawan (2):
Revert "qemu: fix CVE-2021-3507"
curl: Add fix for CVE-2023-23916
pgowda (1):
binutils : Fix CVE-2022-38128
wangmy (9):
ifupdown: upgrade 0.8.37 -> 0.8.39
libcap: upgrade 2.65 -> 2.66
libical: upgrade 3.0.14 -> 3.0.15
numactl: upgrade 2.0.15 -> 2.0.16
wpebackend-fdo: upgrade 1.12.1 -> 1.14.0
libksba: upgrade 1.6.0 -> 1.6.2
lttng-ust: upgrade 2.13.3 -> 2.13.4
lttng-ust: upgrade 2.13.4 -> 2.13.5
lighttpd: upgrade 1.4.66 -> 1.4.67
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I80cf3cd933dea72160ce87efb2a42fe4d0e5d7d5
Diffstat (limited to 'poky/meta/recipes-devtools/python')
18 files changed, 1070 insertions, 66 deletions
diff --git a/poky/meta/recipes-devtools/python/python3-certifi/CVE-2022-23491.patch b/poky/meta/recipes-devtools/python/python3-certifi/CVE-2022-23491.patch new file mode 100644 index 0000000000..94ca254549 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-certifi/CVE-2022-23491.patch 
@@ -0,0 +1,230 @@ +From 167413eefa9482a7777b3ccdcc70e511ef5fcc2b Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Thu, 2 Feb 2023 12:57:06 +0000 +Subject: [PATCH] Certifi is a curated collection of Root Certificates for + validating the trustworthiness of SSL certificates while verifying the + identity of TLS hosts. Certifi 2022.12.07 removes root certificates from + "TrustCor" from the root store. These are in the process of being removed + from Mozilla's trust store. TrustCor's root certificates are being removed + pursuant to an investigation prompted by media reporting that TrustCor's + ownership also operated a business that produced spyware. Conclusions of + Mozilla's investigation can be found in the linked google group discussion. + +CVE: CVE-2022-23491 + +Upstream-Status: Backport [https://github.com/certifi/python-certifi/commit/9e9e840925d7b8e76c76fdac1fab7e6e88c1c3b8] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + certifi/cacert.pem | 181 --------------------------------------------- + 1 file changed, 181 deletions(-) + +diff --git a/certifi/cacert.pem b/certifi/cacert.pem +index 6d0ccc0..6bae3e4 100644 +--- a/certifi/cacert.pem ++++ b/certifi/cacert.pem +@@ -694,37 +694,6 @@ BA6+C4OmF4O5MBKgxTMVBbkN+8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IB + ZQ== + -----END CERTIFICATE----- + +-# Issuer: CN=Network Solutions Certificate Authority O=Network Solutions L.L.C. +-# Subject: CN=Network Solutions Certificate Authority O=Network Solutions L.L.C. 
+-# Label: "Network Solutions Certificate Authority" +-# Serial: 116697915152937497490437556386812487904 +-# MD5 Fingerprint: d3:f3:a6:16:c0:fa:6b:1d:59:b1:2d:96:4d:0e:11:2e +-# SHA1 Fingerprint: 74:f8:a3:c3:ef:e7:b3:90:06:4b:83:90:3c:21:64:60:20:e5:df:ce +-# SHA256 Fingerprint: 15:f0:ba:00:a3:ac:7a:f3:ac:88:4c:07:2b:10:11:a0:77:bd:77:c0:97:f4:01:64:b2:f8:59:8a:bd:83:86:0c +------BEGIN CERTIFICATE----- +-MIID5jCCAs6gAwIBAgIQV8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBi +-MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMu +-MTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3Jp +-dHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJV +-UzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydO +-ZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqG +-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xGzuAnlt7e+foS0zwz +-c7MEL7xxjOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQNJIg6nPP +-OCwGJgl6cvf6UDL4wpPTaaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rl +-mGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXTcrA/vGp97Eh/jcOrqnErU2lBUzS1sLnF +-BgrEsEX1QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc/Qzpf14Dl847ABSHJ3A4 +-qY5usyd2mFHgBeMhqxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMBAAGjgZcw +-gZQwHQYDVR0OBBYEFCEwyfsA106Y2oeqKtCnLrFAMadMMA4GA1UdDwEB/wQEAwIB +-BjAPBgNVHRMBAf8EBTADAQH/MFIGA1UdHwRLMEkwR6BFoEOGQWh0dHA6Ly9jcmwu +-bmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25zQ2VydGlmaWNhdGVBdXRob3Jp +-dHkuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQC7rkvnt1frf6ott3NHhWrB5KUd5Oc8 +-6fRZZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q4LqILPxFzBiwmZVRDuwduIj/ +-h1AcgsLj4DKAv6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/GGUsyfJj4akH +-/nxxH2szJGoeBfcFaMBqEssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3Htv +-wKeI8lN3s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHN +-pGxlaKFJdlxDydi8NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey +------END CERTIFICATE----- +- + # Issuer: CN=COMODO ECC Certification Authority O=COMODO CA Limited + # Subject: CN=COMODO ECC Certification Authority O=COMODO CA Limited + # Label: "COMODO ECC 
Certification Authority" +@@ -2385,46 +2354,6 @@ KoZIzj0EAwMDaAAwZQIxAOVpEslu28YxuglB4Zf4+/2a4n0Sye18ZNPLBSWLVtmg + xwy8p2Fp8fc74SrL+SvzZpA3 + -----END CERTIFICATE----- + +-# Issuer: CN=Staat der Nederlanden EV Root CA O=Staat der Nederlanden +-# Subject: CN=Staat der Nederlanden EV Root CA O=Staat der Nederlanden +-# Label: "Staat der Nederlanden EV Root CA" +-# Serial: 10000013 +-# MD5 Fingerprint: fc:06:af:7b:e8:1a:f1:9a:b4:e8:d2:70:1f:c0:f5:ba +-# SHA1 Fingerprint: 76:e2:7e:c1:4f:db:82:c1:c0:a6:75:b5:05:be:3d:29:b4:ed:db:bb +-# SHA256 Fingerprint: 4d:24:91:41:4c:fe:95:67:46:ec:4c:ef:a6:cf:6f:72:e2:8a:13:29:43:2f:9d:8a:90:7a:c4:cb:5d:ad:c1:5a +------BEGIN CERTIFICATE----- +-MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJO +-TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFh +-dCBkZXIgTmVkZXJsYW5kZW4gRVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0y +-MjEyMDgxMTEwMjhaMFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIg +-TmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBS +-b290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA48d+ifkkSzrS +-M4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79VWZxXSzFYGgEt9nC +-UiY4iKTWO0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs3NZmdO3d +-Z//BYY1jTw+bbRcwJu+r0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46p +-rfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13l +-pJhQDBXd4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gVXJrm0w912fxBmJc+qiXb +-j5IusHsMX/FjqTf5m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr08C+eKxC +-KFhmpUZtcALXEPlLVPxdhkqHz3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS +-/ZbV0b5GnUngC6agIk440ME8MLxwjyx1zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0X +-cgOPvZuM5l5Tnrmd74K74bzickFbIZTTRTeU0d8JOV3nI6qaHcptqAqGhYqCvkIH +-1vI4gnPah1vlPNOePqc7nvQDs/nxfRN0Av+7oeX6AHkcpmZBiFxgV6YuCcS6/ZrP +-px9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB +-/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwaivsnuL8wbqg7 +-MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsI 
+-eK9p0gtJ3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u +-2dfOWBfoqSmuc0iH55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHS +-v4ilf0X8rLiltTMMgsT7B/Zq5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTC +-wPTxGfARKbalGAKb12NMcIxHowNDXLldRqANb/9Zjr7dn3LDWyvfjFvO5QxGbJKy +-CqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW2HNnh/tNf1zuacpzEPuKqf2e +-vTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy+TSrK0m1zSBi5Dp6 +-Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCjuTaPPoIa +-Gl6I6lD4WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeL +-eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8 +-FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc +-7uzXLg== +------END CERTIFICATE----- +- + # Issuer: CN=IdenTrust Commercial Root CA 1 O=IdenTrust + # Subject: CN=IdenTrust Commercial Root CA 1 O=IdenTrust + # Label: "IdenTrust Commercial Root CA 1" +@@ -3032,116 +2961,6 @@ T8p+ck0LcIymSLumoRT2+1hEmRSuqguTaaApJUqlyyvdimYHFngVV3Eb7PVHhPOe + MTd61X8kreS8/f3MboPoDKi3QWwH3b08hpcv0g== + -----END CERTIFICATE----- + +-# Issuer: CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority +-# Subject: CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L. 
OU=TrustCor Certificate Authority +-# Label: "TrustCor RootCert CA-1" +-# Serial: 15752444095811006489 +-# MD5 Fingerprint: 6e:85:f1:dc:1a:00:d3:22:d5:b2:b2:ac:6b:37:05:45 +-# SHA1 Fingerprint: ff:bd:cd:e7:82:c8:43:5e:3c:6f:26:86:5c:ca:a8:3a:45:5b:c3:0a +-# SHA256 Fingerprint: d4:0e:9c:86:cd:8f:e4:68:c1:77:69:59:f4:9e:a7:74:fa:54:86:84:b6:c4:06:f3:90:92:61:f4:dc:e2:57:5c +------BEGIN CERTIFICATE----- +-MIIEMDCCAxigAwIBAgIJANqb7HHzA7AZMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD +-VQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEk +-MCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U +-cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRydXN0Q29y +-IFJvb3RDZXJ0IENBLTEwHhcNMTYwMjA0MTIzMjE2WhcNMjkxMjMxMTcyMzE2WjCB +-pDELMAkGA1UEBhMCUEExDzANBgNVBAgMBlBhbmFtYTEUMBIGA1UEBwwLUGFuYW1h +-IENpdHkxJDAiBgNVBAoMG1RydXN0Q29yIFN5c3RlbXMgUy4gZGUgUi5MLjEnMCUG +-A1UECwweVHJ1c3RDb3IgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYDVQQDDBZU +-cnVzdENvciBSb290Q2VydCBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +-CgKCAQEAv463leLCJhJrMxnHQFgKq1mqjQCj/IDHUHuO1CAmujIS2CNUSSUQIpid +-RtLByZ5OGy4sDjjzGiVoHKZaBeYei0i/mJZ0PmnK6bV4pQa81QBeCQryJ3pS/C3V +-seq0iWEk8xoT26nPUu0MJLq5nux+AHT6k61sKZKuUbS701e/s/OojZz0JEsq1pme +-9J7+wH5COucLlVPat2gOkEz7cD+PSiyU8ybdY2mplNgQTsVHCJCZGxdNuWxu72CV +-EY4hgLW9oHPY0LJ3xEXqWib7ZnZ2+AYfYW0PVcWDtxBWcgYHpfOxGgMFZA6dWorW +-hnAbJN7+KIor0Gqw/Hqi3LJ5DotlDwIDAQABo2MwYTAdBgNVHQ4EFgQU7mtJPHo/ +-DeOxCbeKyKsZn3MzUOcwHwYDVR0jBBgwFoAU7mtJPHo/DeOxCbeKyKsZn3MzUOcw +-DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQAD +-ggEBACUY1JGPE+6PHh0RU9otRCkZoB5rMZ5NDp6tPVxBb5UrJKF5mDo4Nvu7Zp5I +-/5CQ7z3UuJu0h3U/IJvOcs+hVcFNZKIZBqEHMwwLKeXx6quj7LUKdJDHfXLy11yf +-ke+Ri7fc7Waiz45mO7yfOgLgJ90WmMCV1Aqk5IGadZQ1nJBfiDcGrVmVCrDRZ9MZ +-yonnMlo2HD6CqFqTvsbQZJG2z9m2GM/bftJlo6bEjhcxwft+dtvTheNYsnd6djts +-L1Ac59v2Z3kf9YKVmgenFK+P3CghZwnS1k1aHBkcjndcw5QkPTJrS37UeJSDvjdN +-zl/HHk484IkzlQsPpTLWPFp5LBk= +------END CERTIFICATE----- +- +-# Issuer: CN=TrustCor RootCert CA-2 O=TrustCor Systems S. 
de R.L. OU=TrustCor Certificate Authority +-# Subject: CN=TrustCor RootCert CA-2 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority +-# Label: "TrustCor RootCert CA-2" +-# Serial: 2711694510199101698 +-# MD5 Fingerprint: a2:e1:f8:18:0b:ba:45:d5:c7:41:2a:bb:37:52:45:64 +-# SHA1 Fingerprint: b8:be:6d:cb:56:f1:55:b9:63:d4:12:ca:4e:06:34:c7:94:b2:1c:c0 +-# SHA256 Fingerprint: 07:53:e9:40:37:8c:1b:d5:e3:83:6e:39:5d:ae:a5:cb:83:9e:50:46:f1:bd:0e:ae:19:51:cf:10:fe:c7:c9:65 +------BEGIN CERTIFICATE----- +-MIIGLzCCBBegAwIBAgIIJaHfyjPLWQIwDQYJKoZIhvcNAQELBQAwgaQxCzAJBgNV +-BAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw +-IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRy +-dXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWVHJ1c3RDb3Ig +-Um9vdENlcnQgQ0EtMjAeFw0xNjAyMDQxMjMyMjNaFw0zNDEyMzExNzI2MzlaMIGk +-MQswCQYDVQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEg +-Q2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYD +-VQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRy +-dXN0Q29yIFJvb3RDZXJ0IENBLTIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +-AoICAQCnIG7CKqJiJJWQdsg4foDSq8GbZQWU9MEKENUCrO2fk8eHyLAnK0IMPQo+ +-QVqedd2NyuCb7GgypGmSaIwLgQ5WoD4a3SwlFIIvl9NkRvRUqdw6VC0xK5mC8tkq +-1+9xALgxpL56JAfDQiDyitSSBBtlVkxs1Pu2YVpHI7TYabS3OtB0PAx1oYxOdqHp +-2yqlO/rOsP9+aij9JxzIsekp8VduZLTQwRVtDr4uDkbIXvRR/u8OYzo7cbrPb1nK +-DOObXUm4TOJXsZiKQlecdu/vvdFoqNL0Cbt3Nb4lggjEFixEIFapRBF37120Hape +-az6LMvYHL1cEksr1/p3C6eizjkxLAjHZ5DxIgif3GIJ2SDpxsROhOdUuxTTCHWKF +-3wP+TfSvPd9cW436cOGlfifHhi5qjxLGhF5DUVCcGZt45vz27Ud+ez1m7xMTiF88 +-oWP7+ayHNZ/zgp6kPwqcMWmLmaSISo5uZk3vFsQPeSghYA2FFn3XVDjxklb9tTNM +-g9zXEJ9L/cb4Qr26fHMC4P99zVvh1Kxhe1fVSntb1IVYJ12/+CtgrKAmrhQhJ8Z3 +-mjOAPF5GP/fDsaOGM8boXg25NSyqRsGFAnWAoOsk+xWq5Gd/bnc/9ASKL3x74xdh +-8N0JqSDIvgmk0H5Ew7IwSjiqqewYmgeCK9u4nBit2uBGF6zPXQIDAQABo2MwYTAd +-BgNVHQ4EFgQU2f4hQG6UnrybPZx9mCAZ5YwwYrIwHwYDVR0jBBgwFoAU2f4hQG6U +-nrybPZx9mCAZ5YwwYrIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYw 
+-DQYJKoZIhvcNAQELBQADggIBAJ5Fngw7tu/hOsh80QA9z+LqBrWyOrsGS2h60COX +-dKcs8AjYeVrXWoSK2BKaG9l9XE1wxaX5q+WjiYndAfrs3fnpkpfbsEZC89NiqpX+ +-MWcUaViQCqoL7jcjx1BRtPV+nuN79+TMQjItSQzL/0kMmx40/W5ulop5A7Zv2wnL +-/V9lFDfhOPXzYRZY5LVtDQsEGz9QLX+zx3oaFoBg+Iof6Rsqxvm6ARppv9JYx1RX +-CI/hOWB3S6xZhBqI8d3LT3jX5+EzLfzuQfogsL7L9ziUwOHQhQ+77Sxzq+3+knYa +-ZH9bDTMJBzN7Bj8RpFxwPIXAz+OQqIN3+tvmxYxoZxBnpVIt8MSZj3+/0WvitUfW +-2dCFmU2Umw9Lje4AWkcdEQOsQRivh7dvDDqPys/cA8GiCcjl/YBeyGBCARsaU1q7 +-N6a3vLqE6R5sGtRk2tRD/pOLS/IseRYQ1JMLiI+h2IYURpFHmygk71dSTlxCnKr3 +-Sewn6EAes6aJInKc9Q0ztFijMDvd1GpUk74aTfOTlPf8hAs/hCBcNANExdqtvArB +-As8e5ZTZ845b2EzwnexhF7sUMlQMAimTHpKG9n/v55IFDlndmQguLvqcAFLTxWYp +-5KeXRKQOKIETNcX2b2TmQcTVL8w0RSXPQQCWPUouwpaYT05KnJe32x+SMsj/D1Fu +-1uwJ +------END CERTIFICATE----- +- +-# Issuer: CN=TrustCor ECA-1 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority +-# Subject: CN=TrustCor ECA-1 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority +-# Label: "TrustCor ECA-1" +-# Serial: 9548242946988625984 +-# MD5 Fingerprint: 27:92:23:1d:0a:f5:40:7c:e9:e6:6b:9d:d8:f5:e7:6c +-# SHA1 Fingerprint: 58:d1:df:95:95:67:6b:63:c0:f0:5b:1c:17:4d:8b:84:0b:c8:78:bd +-# SHA256 Fingerprint: 5a:88:5d:b1:9c:01:d9:12:c5:75:93:88:93:8c:af:bb:df:03:1a:b2:d4:8e:91:ee:15:58:9b:42:97:1d:03:9c +------BEGIN CERTIFICATE----- +-MIIEIDCCAwigAwIBAgIJAISCLF8cYtBAMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYD +-VQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEk +-MCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U +-cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFzAVBgNVBAMMDlRydXN0Q29y +-IEVDQS0xMB4XDTE2MDIwNDEyMzIzM1oXDTI5MTIzMTE3MjgwN1owgZwxCzAJBgNV +-BAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw +-IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRy +-dXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOVHJ1c3RDb3Ig +-RUNBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPj+ARtZ+odnbb +-3w9U73NjKYKtR8aja+3+XzP4Q1HpGjORMRegdMTUpwHmspI+ap3tDvl0mEDTPwOA 
+-BoJA6LHip1GnHYMma6ve+heRK9jGrB6xnhkB1Zem6g23xFUfJ3zSCNV2HykVh0A5 +-3ThFEXXQmqc04L/NyFIduUd+Dbi7xgz2c1cWWn5DkR9VOsZtRASqnKmcp0yJF4Ou +-owReUoCLHhIlERnXDH19MURB6tuvsBzvgdAsxZohmz3tQjtQJvLsznFhBmIhVE5/ +-wZ0+fyCMgMsq2JdiyIMzkX2woloPV+g7zPIlstR8L+xNxqE6FXrntl019fZISjZF +-ZtS6mFjBAgMBAAGjYzBhMB0GA1UdDgQWBBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAf +-BgNVHSMEGDAWgBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAPBgNVHRMBAf8EBTADAQH/ +-MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEABT41XBVwm8nHc2Fv +-civUwo/yQ10CzsSUuZQRg2dd4mdsdXa/uwyqNsatR5Nj3B5+1t4u/ukZMjgDfxT2 +-AHMsWbEhBuH7rBiVDKP/mZb3Kyeb1STMHd3BOuCYRLDE5D53sXOpZCz2HAF8P11F +-hcCF5yWPldwX8zyfGm6wyuMdKulMY/okYWLW2n62HGz1Ah3UKt1VkOsqEUc8Ll50 +-soIipX1TH0XsJ5F95yIW6MBoNtjG8U+ARDL54dHRHareqKucBK+tIA5kmE2la8BI +-WJZpTdwHjFGTot+fDz2LYLSCjaoITmJF4PkL0uDgPFveXHEnJcLmA4GLEFPjx1Wi +-tJ/X5g== +------END CERTIFICATE----- +- + # Issuer: CN=SSL.com Root Certification Authority RSA O=SSL Corporation + # Subject: CN=SSL.com Root Certification Authority RSA O=SSL Corporation + # Label: "SSL.com Root Certification Authority RSA" +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/python/python3-certifi_2021.10.8.bb b/poky/meta/recipes-devtools/python/python3-certifi_2021.10.8.bb index 4c376da897..57bd59ba44 100644 --- a/poky/meta/recipes-devtools/python/python3-certifi_2021.10.8.bb +++ b/poky/meta/recipes-devtools/python/python3-certifi_2021.10.8.bb @@ -7,6 +7,8 @@ HOMEPAGE = " http://certifi.io/" LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=67da0714c3f9471067b729eca6c9fbe8" +SRC_URI += "file://CVE-2022-23491.patch" + SRC_URI[sha256sum] = "78884e7c1d4b00ce3cea67b44566851c4343c120abd683433ce934a68ea58872" inherit pypi setuptools3 diff --git a/poky/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch b/poky/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch new file mode 100644 index 0000000000..16192b22c7 --- /dev/null 
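Review bot: the description in CVE-2022-23491.patch says certifi 2022.12.07 removes the TrustCor roots, but only the hunk at `@@ -3032,116 +2961,6 @@` does that (TrustCor RootCert CA-1, CA-2 and ECA-1); the hunks at `@@ -694,37 +694,6 @@` and `@@ -2385,46 +2354,6 @@` also delete "Network Solutions Certificate Authority" and "Staat der Nederlanden EV Root CA", which the text never mentions and which are not part of the CVE. Either state in the patch description that these two roots go too and why, or trim the backport to the TrustCor hunk, since a downstream image that still validates against either of the other roots will start failing certificate verification after this change without any hint in the commit.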
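Review bot: the python3-certifi_2021.10.8.bb hunk applies a data-only patch whose upstream index (`6d0ccc0..6bae3e4`) and hunk offsets come from a newer cacert.pem than the one shipped in 2021.10.8, so the deletions only land correctly if each hunk's context still lines up in the old bundle. Please confirm do_patch applies it without fuzz, and add a one-line comment next to `SRC_URI += "file://CVE-2022-23491.patch"` saying the bundle is 2021.10.8 with the 2022.12.07 removals backported, so a reader of the recipe (and anyone auditing the shipped cacert.pem by fingerprint) is not surprised that the version string and the bundle contents disagree.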
+++ b/poky/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch 
@@ -0,0 +1,97 @@ +From 6ebe9231cd34dacd32a964859bc509aaa1e3f5fd Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Fri, 6 Jan 2023 14:13:10 +0000 +Subject: [PATCH] python3-git: CVE-2022-24439 fix from PR 1518 + +Fix command injection +Add `--` in some commands that receive user input +and if interpreted as options could lead to remote +code execution (RCE). + +There may be more commands that could benefit from `--` +so the input is never interpreted as an option, +but most of those aren't dangerous. + +Fixed commands: + +- push +- pull +- fetch +- clone/clone_from and friends +- archive (not sure if this one can be exploited, but it doesn't hurt + adding `--` :)) + +For anyone using GitPython and exposing any of the GitPython methods to users, +make sure to always validate the input (like if starts with `--`). +And for anyone allowing users to pass arbitrary options, be aware +that some options may lead fo RCE, like `--exc`, `--upload-pack`, +`--receive-pack`, `--config` (#1516). + +Ref #1517 + +CVE: CVE-2022-24439 + +Upstream-Status: Backport [https://github.com/gitpython-developers/GitPython/pull/1518] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + git/remote.py | 6 +++--- + git/repo/base.py | 4 ++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/git/remote.py b/git/remote.py +index 56f3c5b..59681bc 100644 +--- a/git/remote.py ++++ b/git/remote.py +@@ -881,7 +881,7 @@ class Remote(LazyMixin, IterableObj): + else: + args = [refspec] + +- proc = self.repo.git.fetch(self, *args, as_process=True, with_stdout=False, ++ proc = self.repo.git.fetch("--", self, *args, as_process=True, with_stdout=False, + universal_newlines=True, v=verbose, **kwargs) + res = self._get_fetch_info_from_stderr(proc, progress, + kill_after_timeout=kill_after_timeout) +@@ -905,7 +905,7 @@ class Remote(LazyMixin, IterableObj): + # No argument refspec, then ensure the repo's config has a fetch refspec. 
+ self._assert_refspec() + kwargs = add_progress(kwargs, self.repo.git, progress) +- proc = self.repo.git.pull(self, refspec, with_stdout=False, as_process=True, ++ proc = self.repo.git.pull("--", self, refspec, with_stdout=False, as_process=True, + universal_newlines=True, v=True, **kwargs) + res = self._get_fetch_info_from_stderr(proc, progress, + kill_after_timeout=kill_after_timeout) +@@ -945,7 +945,7 @@ class Remote(LazyMixin, IterableObj): + If the operation fails completely, the length of the returned IterableList will + be 0.""" + kwargs = add_progress(kwargs, self.repo.git, progress) +- proc = self.repo.git.push(self, refspec, porcelain=True, as_process=True, ++ proc = self.repo.git.push("--", self, refspec, porcelain=True, as_process=True, + universal_newlines=True, + kill_after_timeout=kill_after_timeout, + **kwargs) +diff --git a/git/repo/base.py b/git/repo/base.py +index 7713c91..f14f929 100644 +--- a/git/repo/base.py ++++ b/git/repo/base.py +@@ -1072,7 +1072,7 @@ class Repo(object): + multi = None + if multi_options: + multi = shlex.split(' '.join(multi_options)) +- proc = git.clone(multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True, ++ proc = git.clone("--", multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True, + v=True, universal_newlines=True, **add_progress(kwargs, git, progress)) + if progress: + handle_process_output(proc, None, to_progress_instance(progress).new_message_handler(), +@@ -1173,7 +1173,7 @@ class Repo(object): + if not isinstance(path, (tuple, list)): + path = [path] + # end assure paths is list +- self.git.archive(treeish, *path, **kwargs) ++ self.git.archive("--", treeish, *path, **kwargs) + return self + + def has_separate_working_tree(self) -> bool: +-- +2.34.1 + 
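Review bot: in the git/repo/base.py clone hunk the separator is placed before `multi`, so the command becomes `git clone -- <multi_options...> <url> <path>` and the caller's `multi_options` (a `--depth=1` or `--branch x` split out of clone_multi_options, for example) reach git after the end-of-options marker and are parsed as positional repository/path arguments; every `clone_from(..., multi_options=[...])` call breaks instead of being hardened. Put `--` between the options and the URL: `proc = git.clone(multi, "--", Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True,`. The git/remote.py hunks are fine as written because keyword arguments are rendered as options ahead of the positional list, so `--` already follows them there.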
diff --git a/poky/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch b/poky/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch new file mode 100644 index 0000000000..a017369f37 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch 
@@ -0,0 +1,488 @@ +From fe9b71628767610a238e47cd46b82d411a7e871a Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Sat, 7 Jan 2023 17:16:57 +0000 +Subject: [PATCH] python3-git: CVE-2022-24439 fix from PR 1521 + +Forbid unsafe protocol URLs in Repo.clone{,_from}() +Since the URL is passed directly to git clone, and the remote-ext helper +will happily execute shell commands, so by default disallow URLs that +contain a "::" unless a new unsafe_protocols kwarg is passed. +(CVE-2022-24439) + +Fixes #1515 + +CVE: CVE-2022-24439 + +Upstream-Status: Backport [https://github.com/gitpython-developers/GitPython/pull/1521] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + git/cmd.py | 51 ++++++++++++++++++++++++-- + git/exc.py | 8 ++++ + git/objects/submodule/base.py | 19 ++++++---- + git/remote.py | 69 +++++++++++++++++++++++++++++++---- + git/repo/base.py | 44 ++++++++++++++++++---- + 5 files changed, 166 insertions(+), 25 deletions(-) + +diff --git a/git/cmd.py b/git/cmd.py +index 4f05698..77026d6 100644 +--- a/git/cmd.py ++++ b/git/cmd.py +@@ -4,6 +4,7 @@ + # This module is part of GitPython and is released under + # the BSD License: http://www.opensource.org/licenses/bsd-license.php + from __future__ import annotations ++import re + from contextlib import contextmanager + import io + import logging +@@ -31,7 +32,9 @@ from git.util import is_cygwin_git, cygpath, expand_path, remove_password_if_pre + + from .exc import ( + GitCommandError, +- GitCommandNotFound ++ GitCommandNotFound, ++ UnsafeOptionError, ++ UnsafeProtocolError + ) + from .util import ( + LazyMixin, +@@ -225,6 +228,8 @@ class Git(LazyMixin): + + _excluded_ = ('cat_file_all', 'cat_file_header', '_version_info') + ++ re_unsafe_protocol = re.compile("(.+)::.+") ++ + def __getstate__(self) -> Dict[str, Any]: + return slots_to_dict(self, exclude=self._excluded_) + +@@ -400,6 +405,44 @@ class Git(LazyMixin): + url = url.replace("\\\\", "\\").replace("\\", "/") + return 
url + ++ @classmethod ++ def check_unsafe_protocols(cls, url: str) -> None: ++ """ ++ Check for unsafe protocols. ++ Apart from the usual protocols (http, git, ssh), ++ Git allows "remote helpers" that have the form `<transport>::<address>`, ++ one of these helpers (`ext::`) can be used to invoke any arbitrary command. ++ See: ++ - https://git-scm.com/docs/gitremote-helpers ++ - https://git-scm.com/docs/git-remote-ext ++ """ ++ match = cls.re_unsafe_protocol.match(url) ++ if match: ++ protocol = match.group(1) ++ raise UnsafeProtocolError( ++ f"The `{protocol}::` protocol looks suspicious, use `allow_unsafe_protocols=True` to allow it." ++ ) ++ ++ @classmethod ++ def check_unsafe_options(cls, options: List[str], unsafe_options: List[str]) -> None: ++ """ ++ Check for unsafe options. ++ Some options that are passed to `git <command>` can be used to execute ++ arbitrary commands, this are blocked by default. ++ """ ++ # Options can be of the form `foo` or `--foo bar` `--foo=bar`, ++ # so we need to check if they start with "--foo" or if they are equal to "foo". ++ bare_unsafe_options = [ ++ option.lstrip("-") ++ for option in unsafe_options ++ ] ++ for option in options: ++ for unsafe_option, bare_option in zip(unsafe_options, bare_unsafe_options): ++ if option.startswith(unsafe_option) or option == bare_option: ++ raise UnsafeOptionError( ++ f"{unsafe_option} is not allowed, use `allow_unsafe_options=True` to allow it." ++ ) ++ + class AutoInterrupt(object): + """Kill/Interrupt the stored process instance once this instance goes out of scope. It is + used to prevent processes piling up in case iterators stop reading. 
+@@ -1068,12 +1111,12 @@ class Git(LazyMixin): + return args + + @classmethod +- def __unpack_args(cls, arg_list: Sequence[str]) -> List[str]: ++ def _unpack_args(cls, arg_list: Sequence[str]) -> List[str]: + + outlist = [] + if isinstance(arg_list, (list, tuple)): + for arg in arg_list: +- outlist.extend(cls.__unpack_args(arg)) ++ outlist.extend(cls._unpack_args(arg)) + else: + outlist.append(str(arg_list)) + +@@ -1154,7 +1197,7 @@ class Git(LazyMixin): + # Prepare the argument list + + opt_args = self.transform_kwargs(**opts_kwargs) +- ext_args = self.__unpack_args([a for a in args if a is not None]) ++ ext_args = self._unpack_args([a for a in args if a is not None]) + + if insert_after_this_arg is None: + args_list = opt_args + ext_args +diff --git a/git/exc.py b/git/exc.py +index e8ff784..5c96db2 100644 +--- a/git/exc.py ++++ b/git/exc.py +@@ -36,6 +36,14 @@ class NoSuchPathError(GitError, OSError): + """ Thrown if a path could not be access by the system. """ + + ++class UnsafeProtocolError(GitError): ++ """Thrown if unsafe protocols are passed without being explicitly allowed.""" ++ ++ ++class UnsafeOptionError(GitError): ++ """Thrown if unsafe options are passed without being explicitly allowed.""" ++ ++ + class CommandError(GitError): + """Base class for exceptions thrown at every stage of `Popen()` execution. 
+ +diff --git a/git/objects/submodule/base.py b/git/objects/submodule/base.py +index f782045..deb224e 100644 +--- a/git/objects/submodule/base.py ++++ b/git/objects/submodule/base.py +@@ -264,7 +264,8 @@ class Submodule(IndexObject, TraversableIterableObj): + # end + + @classmethod +- def _clone_repo(cls, repo: 'Repo', url: str, path: PathLike, name: str, **kwargs: Any) -> 'Repo': ++ def _clone_repo(cls, repo: 'Repo', url: str, path: PathLike, name: str, ++ allow_unsafe_options: bool = False, allow_unsafe_protocols: bool = False,**kwargs: Any) -> 'Repo': + """:return: Repo instance of newly cloned repository + :param repo: our parent repository + :param url: url to clone from +@@ -281,7 +282,8 @@ class Submodule(IndexObject, TraversableIterableObj): + module_checkout_path = osp.join(str(repo.working_tree_dir), path) + # end + +- clone = git.Repo.clone_from(url, module_checkout_path, **kwargs) ++ clone = git.Repo.clone_from(url, module_checkout_path, allow_unsafe_options=allow_unsafe_options, ++ allow_unsafe_protocols=allow_unsafe_protocols, **kwargs) + if cls._need_gitfile_submodules(repo.git): + cls._write_git_file_and_module_config(module_checkout_path, module_abspath) + # end +@@ -338,8 +340,8 @@ class Submodule(IndexObject, TraversableIterableObj): + @classmethod + def add(cls, repo: 'Repo', name: str, path: PathLike, url: Union[str, None] = None, + branch: Union[str, None] = None, no_checkout: bool = False, depth: Union[int, None] = None, +- env: Union[Mapping[str, str], None] = None, clone_multi_options: Union[Sequence[TBD], None] = None +- ) -> 'Submodule': ++ env: Union[Mapping[str, str], None] = None, clone_multi_options: Union[Sequence[TBD], None] = None, ++ allow_unsafe_options: bool = False, allow_unsafe_protocols: bool = False,) -> 'Submodule': + """Add a new submodule to the given repository. This will alter the index + as well as the .gitmodules file, but will not create a new commit. 
+ If the submodule already exists, no matter if the configuration differs +@@ -447,7 +449,8 @@ class Submodule(IndexObject, TraversableIterableObj): + kwargs['multi_options'] = clone_multi_options + + # _clone_repo(cls, repo, url, path, name, **kwargs): +- mrepo = cls._clone_repo(repo, url, path, name, env=env, **kwargs) ++ mrepo = cls._clone_repo(repo, url, path, name, env=env, allow_unsafe_options=allow_unsafe_options, ++ allow_unsafe_protocols=allow_unsafe_protocols, **kwargs) + # END verify url + + ## See #525 for ensuring git urls in config-files valid under Windows. +@@ -484,7 +487,8 @@ class Submodule(IndexObject, TraversableIterableObj): + def update(self, recursive: bool = False, init: bool = True, to_latest_revision: bool = False, + progress: Union['UpdateProgress', None] = None, dry_run: bool = False, + force: bool = False, keep_going: bool = False, env: Union[Mapping[str, str], None] = None, +- clone_multi_options: Union[Sequence[TBD], None] = None) -> 'Submodule': ++ clone_multi_options: Union[Sequence[TBD], None] = None, allow_unsafe_options: bool = False, ++ allow_unsafe_protocols: bool = False) -> 'Submodule': + """Update the repository of this submodule to point to the checkout + we point at with the binsha of this instance. 
+ +@@ -585,7 +589,8 @@ class Submodule(IndexObject, TraversableIterableObj): + (self.url, checkout_module_abspath, self.name)) + if not dry_run: + mrepo = self._clone_repo(self.repo, self.url, self.path, self.name, n=True, env=env, +- multi_options=clone_multi_options) ++ multi_options=clone_multi_options, allow_unsafe_options=allow_unsafe_options, ++ allow_unsafe_protocols=allow_unsafe_protocols) + # END handle dry-run + progress.update(END | CLONE, 0, 1, prefix + "Done cloning to %s" % checkout_module_abspath) + +diff --git a/git/remote.py b/git/remote.py +index 59681bc..cea6b99 100644 +--- a/git/remote.py ++++ b/git/remote.py +@@ -473,6 +473,23 @@ class Remote(LazyMixin, IterableObj): + __slots__ = ("repo", "name", "_config_reader") + _id_attribute_ = "name" + ++ unsafe_git_fetch_options = [ ++ # This option allows users to execute arbitrary commands. ++ # https://git-scm.com/docs/git-fetch#Documentation/git-fetch.txt---upload-packltupload-packgt ++ "--upload-pack", ++ ] ++ unsafe_git_pull_options = [ ++ # This option allows users to execute arbitrary commands. ++ # https://git-scm.com/docs/git-pull#Documentation/git-pull.txt---upload-packltupload-packgt ++ "--upload-pack" ++ ] ++ unsafe_git_push_options = [ ++ # This option allows users to execute arbitrary commands. 
++ # https://git-scm.com/docs/git-push#Documentation/git-push.txt---execltgit-receive-packgt ++ "--receive-pack", ++ "--exec", ++ ] ++ + def __init__(self, repo: 'Repo', name: str) -> None: + """Initialize a remote instance + +@@ -549,7 +566,8 @@ class Remote(LazyMixin, IterableObj): + yield Remote(repo, section[lbound + 1:rbound]) + # END for each configuration section + +- def set_url(self, new_url: str, old_url: Optional[str] = None, **kwargs: Any) -> 'Remote': ++ def set_url(self, new_url: str, old_url: Optional[str] = None, ++ allow_unsafe_protocols: bool = False, **kwargs: Any) -> 'Remote': + """Configure URLs on current remote (cf command git remote set_url) + + This command manages URLs on the remote. +@@ -558,15 +576,17 @@ class Remote(LazyMixin, IterableObj): + :param old_url: when set, replaces this URL with new_url for the remote + :return: self + """ ++ if not allow_unsafe_protocols: ++ Git.check_unsafe_protocols(new_url) + scmd = 'set-url' + kwargs['insert_kwargs_after'] = scmd + if old_url: +- self.repo.git.remote(scmd, self.name, new_url, old_url, **kwargs) ++ self.repo.git.remote(scmd, "--", self.name, new_url, old_url, **kwargs) + else: +- self.repo.git.remote(scmd, self.name, new_url, **kwargs) ++ self.repo.git.remote(scmd, "--", self.name, new_url, **kwargs) + return self + +- def add_url(self, url: str, **kwargs: Any) -> 'Remote': ++ def add_url(self, url: str, allow_unsafe_protocols: bool = False, **kwargs: Any) -> 'Remote': + """Adds a new url on current remote (special case of git remote set_url) + + This command adds new URLs to a given remote, making it possible to have +@@ -575,7 +595,7 @@ class Remote(LazyMixin, IterableObj): + :param url: string being the URL to add as an extra remote URL + :return: self + """ +- return self.set_url(url, add=True) ++ return self.set_url(url, add=True, allow_unsafe_protocols=allow_unsafe_protocols) + + def delete_url(self, url: str, **kwargs: Any) -> 'Remote': + """Deletes a new url on current remote 
(special case of git remote set_url) +@@ -667,7 +687,7 @@ class Remote(LazyMixin, IterableObj): + return out_refs + + @ classmethod +- def create(cls, repo: 'Repo', name: str, url: str, **kwargs: Any) -> 'Remote': ++ def create(cls, repo: 'Repo', name: str, url: str, allow_unsafe_protocols: bool = False, *kwargs: Any) -> 'Remote': + """Create a new remote to the given repository + :param repo: Repository instance that is to receive the new remote + :param name: Desired name of the remote +@@ -677,7 +697,10 @@ class Remote(LazyMixin, IterableObj): + :raise GitCommandError: in case an origin with that name already exists""" + scmd = 'add' + kwargs['insert_kwargs_after'] = scmd +- repo.git.remote(scmd, name, Git.polish_url(url), **kwargs) ++ url = Git.polish_url(url) ++ if not allow_unsafe_protocols: ++ Git.check_unsafe_protocols(url) ++ repo.git.remote(scmd, "--", name, url, **kwargs) + return cls(repo, name) + + # add is an alias +@@ -840,6 +863,8 @@ class Remote(LazyMixin, IterableObj): + progress: Union[RemoteProgress, None, 'UpdateProgress'] = None, + verbose: bool = True, + kill_after_timeout: Union[None, float] = None, ++ allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, + **kwargs: Any) -> IterableList[FetchInfo]: + """Fetch the latest changes for this remote + +@@ -881,6 +906,14 @@ class Remote(LazyMixin, IterableObj): + else: + args = [refspec] + ++ if not allow_unsafe_protocols: ++ for ref in args: ++ if ref: ++ Git.check_unsafe_protocols(ref) ++ ++ if not allow_unsafe_options: ++ Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=self.unsafe_git_fetch_options) ++ + proc = self.repo.git.fetch("--", self, *args, as_process=True, with_stdout=False, + universal_newlines=True, v=verbose, **kwargs) + res = self._get_fetch_info_from_stderr(proc, progress, +@@ -892,6 +925,8 @@ class Remote(LazyMixin, IterableObj): + def pull(self, refspec: Union[str, List[str], None] = None, + progress: Union[RemoteProgress, 
'UpdateProgress', None] = None, + kill_after_timeout: Union[None, float] = None, ++ allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, + **kwargs: Any) -> IterableList[FetchInfo]: + """Pull changes from the given branch, being the same as a fetch followed + by a merge of branch with your local branch. +@@ -905,6 +940,15 @@ class Remote(LazyMixin, IterableObj): + # No argument refspec, then ensure the repo's config has a fetch refspec. + self._assert_refspec() + kwargs = add_progress(kwargs, self.repo.git, progress) ++ ++ refspec = Git._unpack_args(refspec or []) ++ if not allow_unsafe_protocols: ++ for ref in refspec: ++ Git.check_unsafe_protocols(ref) ++ ++ if not allow_unsafe_options: ++ Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=self.unsafe_git_pull_options) ++ + proc = self.repo.git.pull("--", self, refspec, with_stdout=False, as_process=True, + universal_newlines=True, v=True, **kwargs) + res = self._get_fetch_info_from_stderr(proc, progress, +@@ -916,6 +960,8 @@ class Remote(LazyMixin, IterableObj): + def push(self, refspec: Union[str, List[str], None] = None, + progress: Union[RemoteProgress, 'UpdateProgress', Callable[..., RemoteProgress], None] = None, + kill_after_timeout: Union[None, float] = None, ++ allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, + **kwargs: Any) -> IterableList[PushInfo]: + """Push changes from source branch in refspec to target branch in refspec. 
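Review bot: the new `create` signature in the `@@ -667,7 +687,7 @@` hunk of `git/remote.py` reads `allow_unsafe_protocols: bool = False, *kwargs: Any`, which binds `kwargs` as a tuple, so `kwargs['insert_kwargs_after'] = scmd` in the next hunk raises `TypeError` on every call; it has to be `**kwargs: Any`, as in the `set_url` and `add_url` signatures above. If the single asterisk is only an artifact of how this page renders the patch, the patch file in the recipe should still be checked before it is applied, because `Remote.create` (and its `add` alias) is the entry point that `clone`-style callers use to register URLs.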
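Review bot: in the `fetch`, `pull` and `push` hunks the option check is fed `list(kwargs.keys())`, i.e. Python keyword names such as `receive_pack` or `upload_pack`, while `unsafe_git_push_options` and friends list the dashed command-line forms (`--receive-pack`, `--exec`). Whether `Git.check_unsafe_options` normalises `receive_pack` to `receive-pack` before comparing is not visible in this patch (the helper comes from the PR-1518 patch in the same recipe), so it should be verified, or the lists should carry both spellings; otherwise `push(receive_pack='...')` still reaches git with `allow_unsafe_options=False`. The protocol check over the refspecs is harmless but does not add protection: refspecs are not URLs, and the `"--"` that is already passed before `self` in each call is what stops them from being parsed as options.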
+ +@@ -945,6 +991,15 @@ class Remote(LazyMixin, IterableObj): + If the operation fails completely, the length of the returned IterableList will + be 0.""" + kwargs = add_progress(kwargs, self.repo.git, progress) ++ ++ refspec = Git._unpack_args(refspec or []) ++ if not allow_unsafe_protocols: ++ for ref in refspec: ++ Git.check_unsafe_protocols(ref) ++ ++ if not allow_unsafe_options: ++ Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=self.unsafe_git_push_options) ++ + proc = self.repo.git.push("--", self, refspec, porcelain=True, as_process=True, + universal_newlines=True, + kill_after_timeout=kill_after_timeout, +diff --git a/git/repo/base.py b/git/repo/base.py +index f14f929..7b3565b 100644 +--- a/git/repo/base.py ++++ b/git/repo/base.py +@@ -24,7 +24,11 @@ from git.compat import ( + ) + from git.config import GitConfigParser + from git.db import GitCmdObjectDB +-from git.exc import InvalidGitRepositoryError, NoSuchPathError, GitCommandError ++from git.exc import ( ++ GitCommandError, ++ InvalidGitRepositoryError, ++ NoSuchPathError, ++) + from git.index import IndexFile + from git.objects import Submodule, RootModule, Commit + from git.refs import HEAD, Head, Reference, TagReference +@@ -97,6 +101,18 @@ class Repo(object): + re_author_committer_start = re.compile(r'^(author|committer)') + re_tab_full_line = re.compile(r'^\t(.*)$') + ++ unsafe_git_clone_options = [ ++ # This option allows users to execute arbitrary commands. ++ # https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---upload-packltupload-packgt ++ "--upload-pack", ++ "-u", ++ # Users can override configuration variables ++ # like `protocol.allow` or `core.gitProxy` to execute arbitrary commands. 
++ # https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---configltkeygtltvaluegt ++ "--config", ++ "-c", ++ ] ++ + # invariants + # represents the configuration level of a configuration file + config_level: ConfigLevels_Tup = ("system", "user", "global", "repository") +@@ -1049,7 +1065,8 @@ class Repo(object): + @ classmethod + def _clone(cls, git: 'Git', url: PathLike, path: PathLike, odb_default_type: Type[GitCmdObjectDB], + progress: Union['RemoteProgress', 'UpdateProgress', Callable[..., 'RemoteProgress'], None] = None, +- multi_options: Optional[List[str]] = None, **kwargs: Any ++ multi_options: Optional[List[str]] = None, allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, **kwargs: Any + ) -> 'Repo': + odbt = kwargs.pop('odbt', odb_default_type) + +@@ -1072,6 +1089,12 @@ class Repo(object): + multi = None + if multi_options: + multi = shlex.split(' '.join(multi_options)) ++ ++ if not allow_unsafe_protocols: ++ Git.check_unsafe_protocols(str(url)) ++ if not allow_unsafe_options and multi_options: ++ Git.check_unsafe_options(options=multi_options, unsafe_options=cls.unsafe_git_clone_options) ++ + proc = git.clone("--", multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True, + v=True, universal_newlines=True, **add_progress(kwargs, git, progress)) + if progress: +@@ -1107,7 +1130,9 @@ class Repo(object): + return repo + + def clone(self, path: PathLike, progress: Optional[Callable] = None, +- multi_options: Optional[List[str]] = None, **kwargs: Any) -> 'Repo': ++ multi_options: Optional[List[str]] = None, unsafe_protocols: bool = False, ++ allow_unsafe_protocols: bool = False, allow_unsafe_options: bool = False, ++ **kwargs: Any) -> 'Repo': + """Create a clone from this repository. + + :param path: is the full path of the new repo (traditionally ends with ./<name>.git). +@@ -1116,18 +1141,21 @@ class Repo(object): + option per list item which is passed exactly as specified to clone. 
+ For example ['--config core.filemode=false', '--config core.ignorecase', + '--recurse-submodule=repo1_path', '--recurse-submodule=repo2_path'] ++ :param unsafe_protocols: Allow unsafe protocols to be used, like ex + :param kwargs: + * odbt = ObjectDatabase Type, allowing to determine the object database + implementation used by the returned Repo instance + * All remaining keyword arguments are given to the git-clone command + + :return: ``git.Repo`` (the newly cloned repo)""" +- return self._clone(self.git, self.common_dir, path, type(self.odb), progress, multi_options, **kwargs) ++ return self._clone(self.git, self.common_dir, path, type(self.odb), progress, multi_options, ++ allow_unsafe_protocols=allow_unsafe_protocols, allow_unsafe_options=allow_unsafe_options, **kwargs) + + @ classmethod + def clone_from(cls, url: PathLike, to_path: PathLike, progress: Optional[Callable] = None, +- env: Optional[Mapping[str, str]] = None, +- multi_options: Optional[List[str]] = None, **kwargs: Any) -> 'Repo': ++ env: Optional[Mapping[str, str]] = None, multi_options: Optional[List[str]] = None, ++ unsafe_protocols: bool = False, allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, **kwargs: Any) -> 'Repo': + """Create a clone from the given URL + + :param url: valid git url, see http://www.kernel.org/pub/software/scm/git/docs/git-clone.html#URLS +@@ -1140,12 +1168,14 @@ class Repo(object): + If you want to unset some variable, consider providing empty string + as its value. 
+ :param multi_options: See ``clone`` method ++ :param unsafe_protocols: Allow unsafe protocols to be used, like ext + :param kwargs: see the ``clone`` method + :return: Repo instance pointing to the cloned directory""" + git = cls.GitCommandWrapperType(os.getcwd()) + if env is not None: + git.update_environment(**env) +- return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, **kwargs) ++ return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, ++ allow_unsafe_protocols=allow_unsafe_protocols, allow_unsafe_options=allow_unsafe_options, **kwargs) + + def archive(self, ostream: Union[TextIO, BinaryIO], treeish: Optional[str] = None, + prefix: Optional[str] = None, **kwargs: Any) -> Repo: +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/python/python3-git_3.1.27.bb b/poky/meta/recipes-devtools/python/python3-git_3.1.27.bb index fb1bae8f8e..1bd1426926 100644 --- a/poky/meta/recipes-devtools/python/python3-git_3.1.27.bb +++ b/poky/meta/recipes-devtools/python/python3-git_3.1.27.bb @@ -12,6 +12,10 @@ PYPI_PACKAGE = "GitPython" inherit pypi python_setuptools_build_meta +SRC_URI += "file://0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch \ + file://0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch \ + " + SRC_URI[sha256sum] = "1c885ce809e8ba2d88a29befeb385fcea06338d3640712b59ca623c220bb5704" DEPENDS += " ${PYTHON_PN}-gitdb" diff --git a/poky/meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch b/poky/meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch new file mode 100644 index 0000000000..66690e74b4 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch 
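Review bot: in the `_clone` hunk of `git/repo/base.py` only `multi_options` is run through `check_unsafe_options`; the keyword arguments in `kwargs` are still forwarded untouched via `**add_progress(kwargs, git, progress)` into `git.clone(...)`, so `clone_from(url, path, upload_pack='...')` or `config='protocol.ext.allow=always'` is turned into `--upload-pack`/`--config` and handed to git without ever being compared against `unsafe_git_clone_options`, even with the default `allow_unsafe_options=False`. Apply the same `list(kwargs.keys())` check that the `fetch`/`pull`/`push` hunks use. Separately, `Git.check_unsafe_protocols(str(url))` here runs on the raw value while the command line gets `Git.polish_url(str(url))`; `Remote.create` in the same patch checks after polishing, and the two call sites should agree so the string that is checked is the string git receives.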
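Review bot: the `clone` and `clone_from` hunks add a parameter `unsafe_protocols: bool = False` that is documented (`:param unsafe_protocols: Allow unsafe protocols to be used, like ex` / `like ext`) but never read; only `allow_unsafe_protocols` and `allow_unsafe_options` are forwarded to `_clone`. A caller who passes `unsafe_protocols=True` still gets the checks while believing they are off, and a caller reading the docstring never learns about the two parameters that actually work. Drop `unsafe_protocols`, document `allow_unsafe_protocols` and `allow_unsafe_options` instead, and finish the truncated sentence (the transport being described is `ext::`, which runs an arbitrary command).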
@@ -0,0 +1,119 @@ +From 925760291d6efec64fda6e9dd1fd9cfbd5be068c Mon Sep 17 00:00:00 2001 +From: Mike Bayer <mike_mp@zzzcomputing.com> +Date: Mon, 29 Aug 2022 12:28:52 -0400 +Subject: [PATCH] fix tag regexp to match quoted groups correctly + +Fixed issue in lexer where the regexp used to match tags would not +correctly interpret quoted sections individually. While this parsing issue +still produced the same expected tag structure later on, the mis-handling +of quoted sections was also subject to a regexp crash if a tag had a large +number of quotes within its quoted sections. + +Fixes: #366 +Change-Id: I74e0d71ff7f419970711a7cd51adcf1bb90a44c0 + +Upstream-Status: Backport [https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c] + +Signed-off-by: <narpat.mali@windriver.com> + +--- + doc/build/unreleased/366.rst | 9 +++++++++ + mako/lexer.py | 12 ++++++++---- + test/test_lexer.py | 21 +++++++++++++++++---- + 3 files changed, 34 insertions(+), 8 deletions(-) + create mode 100644 doc/build/unreleased/366.rst + +--- /dev/null ++++ Mako-1.1.6/doc/build/unreleased/366.rst +@@ -0,0 +1,9 @@ ++.. change:: ++ :tags: bug, lexer ++ :tickets: 366 ++ ++ Fixed issue in lexer where the regexp used to match tags would not ++ correctly interpret quoted sections individually. While this parsing issue ++ still produced the same expected tag structure later on, the mis-handling ++ of quoted sections was also subject to a regexp crash if a tag had a large ++ number of quotes within its quoted sections. 
+\ No newline at end of file +--- Mako-1.1.6.orig/mako/lexer.py ++++ Mako-1.1.6/mako/lexer.py +@@ -295,20 +295,24 @@ class Lexer(object): + return self.template + + def match_tag_start(self): +- match = self.match( +- r""" ++ reg = r""" + \<% # opening tag + + ([\w\.\:]+) # keyword + +- ((?:\s+\w+|\s*=\s*|".*?"|'.*?')*) # attrname, = \ ++ ((?:\s+\w+|\s*=\s*|"[^"]*?"|'[^']*?'|\s*,\s*)*) # attrname, = \ + # sign, string expression ++ # comma is for backwards compat ++ # identified in #366 + + \s* # more whitespace + + (/)?> # closing + +- """, ++ """ ++ ++ match = self.match( ++ reg, + re.I | re.S | re.X, + ) + +--- Mako-1.1.6.orig/test/test_lexer.py ++++ Mako-1.1.6/test/test_lexer.py +@@ -1,5 +1,7 @@ + import re + ++import pytest ++ + from mako import compat + from mako import exceptions + from mako import parsetree +@@ -146,6 +148,10 @@ class LexerTest(TemplateTest): + """ + self.assertRaises(exceptions.CompileException, Lexer(template).parse) + ++ def test_tag_many_quotes(self): ++ template = "<%0" + '"' * 3000 ++ assert_raises(exceptions.SyntaxException, Lexer(template).parse) ++ + def test_unmatched_tag(self): + template = """ + <%namespace name="bar"> +@@ -432,9 +438,16 @@ class LexerTest(TemplateTest): + ), + ) + +- def test_pagetag(self): +- template = """ +- <%page cached="True", args="a, b"/> ++ @pytest.mark.parametrize("comma,numchars", [(",", 48), ("", 47)]) ++ def test_pagetag(self, comma, numchars): ++ # note that the comma here looks like: ++ # <%page cached="True", args="a, b"/> ++ # that's what this test has looked like for decades, however, the ++ # comma there is not actually the right syntax. When issue #366 ++ # was fixed, the reg was altered to accommodate for this comma to allow ++ # backwards compat ++ template = f""" ++ <%page cached="True"{comma} args="a, b"/> + + some template + """ +@@ -453,7 +466,7 @@ class LexerTest(TemplateTest): + + some template + """, +- (2, 48), ++ (2, numchars), + ), + ], + ), 
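Review bot: the `mako/lexer.py` hunk is the actual CVE-2022-40023 fix and the header should say why it works: with `".*?"` and `'.*?'` inside a repeated group, a run of quotes can be split between the two alternatives in exponentially many ways, all of which the engine tries before `(/)?>` fails on input such as `<%0` followed by 3000 `"`; with `"[^"]*?"` a quoted section can never step over a closing quote, so there is exactly one way to consume the run. The `?` after `[^"]*` is now redundant (the class already stops at the quote) and dropping it would make the non-backtracking intent clearer. The new `\s*,\s*` alternative legalises `<%page cached="True", args="a, b"/>` for backwards compatibility, which is a grammar change and should be mentioned in `366.rst` rather than only in a regexp comment.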
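Review bot: `test_tag_many_quotes` in the `@@ -146,6 +148,10 @@` hunk calls a bare `assert_raises`, while the test right above it uses `self.assertRaises`, and the only import this patch adds is `import pytest`; confirm that Mako 1.1.6's `test/test_lexer.py` already imports `assert_raises`, or use `self.assertRaises(exceptions.SyntaxException, Lexer(template).parse)` like its neighbour. This is the only test that exercises the `'"' * 3000` input, so it is the regression check for the backport and must actually be collected and run.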
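Review bot: the parametrised `test_pagetag` in the `@@ -432,9 +438,16 @@` hunk will not work if `LexerTest`'s base class `TemplateTest` is a `unittest.TestCase` in Mako 1.1.6 (the `self.assertRaises` calls elsewhere in this file suggest it is): pytest does not apply `@pytest.mark.parametrize` to `TestCase` methods, so the method is invoked without `comma` and `numchars` and fails with a `TypeError`. The upstream commit was written against the plain pytest-style test base of later Mako; for 1.1.6 either keep the original unparametrised test (the comma form, expecting `(2, 48)`) or write two plain test methods, one with the legacy comma expecting `(2, 48)` and one without expecting `(2, 47)`.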
diff --git a/poky/meta/recipes-devtools/python/python3-mako_1.1.6.bb b/poky/meta/recipes-devtools/python/python3-mako_1.1.6.bb index 71e5d96ba1..4e4f33f5dc 100644 --- a/poky/meta/recipes-devtools/python/python3-mako_1.1.6.bb +++ b/poky/meta/recipes-devtools/python/python3-mako_1.1.6.bb @@ -6,6 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=943eb67718222db21d44a4ef1836675f" PYPI_PACKAGE = "Mako" +SRC_URI += "file://CVE-2022-40023.patch" + inherit pypi python_setuptools_build_meta SRC_URI[sha256sum] = "4e9e345a41924a954251b95b4b28e14a301145b544901332e658907a7464b6b2" diff --git a/poky/meta/recipes-devtools/python/python3-pytest_7.1.1.bb b/poky/meta/recipes-devtools/python/python3-pytest_7.1.1.bb index 1cb2fb01c0..90a4787c17 100644 --- a/poky/meta/recipes-devtools/python/python3-pytest_7.1.1.bb +++ b/poky/meta/recipes-devtools/python/python3-pytest_7.1.1.bb @@ -26,7 +26,7 @@ RDEPENDS:${PN}:class-target += " \ ${PYTHON_PN}-py \ ${PYTHON_PN}-setuptools \ ${PYTHON_PN}-six \ - ${PYTHON_PN}-toml \ + ${PYTHON_PN}-tomli \ ${PYTHON_PN}-wcwidth \ " diff --git a/poky/meta/recipes-devtools/python/python3-setuptools-rust-native_1.1.2.bb b/poky/meta/recipes-devtools/python/python3-setuptools-rust-native_1.1.2.bb index 8ec9a86f00..c11116a1f4 100644 --- a/poky/meta/recipes-devtools/python/python3-setuptools-rust-native_1.1.2.bb +++ b/poky/meta/recipes-devtools/python/python3-setuptools-rust-native_1.1.2.bb @@ -14,9 +14,7 @@ SRC_URI[sha256sum] = "a0adb9b503c0ffc4e8fe80b7c617898cefa78049983aaaea7f747e153a inherit cargo pypi python_setuptools_build_meta native -DEPENDS += "python3-setuptools-scm-native python3-wheel-native" - -RDEPENDS:${PN}:class-native += " \ +DEPENDS += " \ python3-semantic-version-native \ python3-setuptools-native \ python3-setuptools-scm-native \ 
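Review bot: the `python3-setuptools-rust-native` hunk removes the old `DEPENDS += "python3-setuptools-scm-native python3-wheel-native"` line and converts the `RDEPENDS:${PN}:class-native` list into `DEPENDS`, which is the right direction (a native recipe needs these at build time, and runtime dependencies on native packages do nothing), but the visible part of the new list brings back `python3-setuptools-scm-native` and not `python3-wheel-native`. Unless the remainder of the list or the `python_setuptools_build_meta` class supplies it, the wheel build step of this native recipe loses its dependency; please confirm or add it back.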
diff --git a/poky/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch b/poky/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch new file mode 100644 index 0000000000..20a13da7bc --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch @@ -0,0 +1,31 @@ +From 9e9f617a83f6593b476669030b0347d48e831c3f Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Mon, 9 Jan 2023 14:45:05 +0000 +Subject: [PATCH] Limit the amount of whitespace to search/backtrack. Fixes + #3659. + +CVE: CVE-2022-40897 + +Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + setuptools/package_index.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index 270e7f3..e93fcc6 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -197,7 +197,7 @@ def unique_values(func): + return wrapper + + +-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I) ++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I) + # this line is here to fix emacs' cruddy broken syntax highlighting + + +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb b/poky/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb index f2810e18d3..5f2676a04a 100644 --- a/poky/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb +++ b/poky/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb 
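Review bot: in the setuptools `package_index.py` hunk above, besides the `\s{0,10}` bounds that the subject line describes, the value class is also narrowed from `[^'">]+` to `[^'" >]+`, so an unquoted `rel` value now stops at the first space; that is a behaviour change on top of the backtracking limit and belongs in the patch header. No test is carried with the backport; a check that `REL.search('<a rel=' + ' ' * 100000)` returns `None` promptly (before the change the unbounded `\s*` and the space-accepting value class let the engine retry the same run of blanks over and over) would pin the CVE-2022-40897 fix in the recipe's ptest.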
@@ -11,6 +11,7 @@ SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-e SRC_URI += "\ file://0001-change-shebang-to-python3.patch \ file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \ + file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \ " SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0" diff --git a/poky/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch b/poky/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch new file mode 100644 index 0000000000..bdaae7dd10 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch @@ -0,0 +1,32 @@ +From a9a0d67a663f20b69903751c23851dd4cd6b49d4 Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Wed, 11 Jan 2023 07:45:57 +0000 +Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE + +CVE: CVE-2022-40898 + +Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + src/wheel/wheelfile.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py +index 21e7361..ff06edf 100644 +--- a/src/wheel/wheelfile.py ++++ b/src/wheel/wheelfile.py +@@ -27,8 +27,8 @@ else: + # Non-greedy matching of an optional build number may be too clever (more + # invalid wheel filenames will match). Separate regex for .dist-info? + WHEEL_INFO_RE = re.compile( +- r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))? +- -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""", ++ r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))? ++ -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""", + re.VERBOSE) + + +-- +2.32.0 + 
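Review bot: the `[^-]+?` classes in the `WHEEL_INFO_RE` hunk are what stop the nested backtracking: with `.+?` in every group a filename built from many `-` separators can be partitioned between `name`, `ver`, `pyver`, `abi` and `plat` in a polynomial number of ways before `\.whl$` fails, while a class that cannot cross a `-` fixes each boundary. That matches PEP 427, which requires `-` inside name, version and tags to be escaped as `_`. Note that the `plat` group becomes `[^.]+?` rather than `[^-]+?`, so it is `.` that terminates it; that agrees with the trailing `\.whl$` but means a platform tag containing a `.` (which PEP 427 also escapes to `_`) no longer matches, which deserves a sentence in the header. As with the setuptools backport, there is no test; `WHEEL_INFO_RE.match('-' * 200 + '.whl')` returning `None` promptly would cover CVE-2022-40898.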
diff --git a/poky/meta/recipes-devtools/python/python3-wheel_0.37.1.bb b/poky/meta/recipes-devtools/python/python3-wheel_0.37.1.bb index 2f7dd122ba..3ee03ddd36 100644 --- a/poky/meta/recipes-devtools/python/python3-wheel_0.37.1.bb +++ b/poky/meta/recipes-devtools/python/python3-wheel_0.37.1.bb @@ -8,7 +8,9 @@ SRC_URI[sha256sum] = "e9a504e793efbca1b8e0e9cb979a249cf4a0a7b5b8c9e8b65a5e39d495 inherit python_flit_core pypi -SRC_URI += " file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch" +SRC_URI += "file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch \ + file://0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch \ + " BBCLASSEXTEND = "native nativesdk" diff --git a/poky/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch b/poky/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch deleted file mode 100644 index 6a58c35cc6..0000000000 --- a/poky/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 178a238f25ab8aff7689d7a09d66dc1583ecd6cb Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Wed, 4 May 2022 03:23:29 -0700 -Subject: [PATCH 01/40] gh-92036: Fix gc_fini_untrack() (GH-92037) - -Fix a crash in subinterpreters related to the garbage collector. When -a subinterpreter is deleted, untrack all objects tracked by its GC. -To prevent a crash in deallocator functions expecting objects to be -tracked by the GC, leak a strong reference to these objects on -purpose, so they are never deleted and their deallocator functions -are not called. -(cherry picked from commit 14243369b5f80613628a565c224bba7fb3fcacd8) - -Co-authored-by: Victor Stinner <vstinner@python.org> - -Upstream-Status: Backport ---- - .../2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst | 5 +++++ - Modules/gcmodule.c | 6 ++++++ - 2 files changed, 11 insertions(+) - create mode 100644 Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst - -diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst b/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst -new file mode 100644 -index 0000000000..78094c5e4f ---- /dev/null -+++ b/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst -@@ -0,0 +1,5 @@ -+Fix a crash in subinterpreters related to the garbage collector. When a -+subinterpreter is deleted, untrack all objects tracked by its GC. To prevent a -+crash in deallocator functions expecting objects to be tracked by the GC, leak -+a strong reference to these objects on purpose, so they are never deleted and -+their deallocator functions are not called. Patch by Victor Stinner. 
-diff --git a/Modules/gcmodule.c b/Modules/gcmodule.c -index 805a159d53..43ae6fa98b 100644 ---- a/Modules/gcmodule.c -+++ b/Modules/gcmodule.c -@@ -2170,6 +2170,12 @@ gc_fini_untrack(PyGC_Head *list) - for (gc = GC_NEXT(list); gc != list; gc = GC_NEXT(list)) { - PyObject *op = FROM_GC(gc); - _PyObject_GC_UNTRACK(op); -+ // gh-92036: If a deallocator function expect the object to be tracked -+ // by the GC (ex: func_dealloc()), it can crash if called on an object -+ // which is no longer tracked by the GC. Leak one strong reference on -+ // purpose so the object is never deleted and its deallocator is not -+ // called. -+ Py_INCREF(op); - } - } - --- -2.25.1 - diff --git a/poky/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch b/poky/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch index 0ead57e465..8c554feb4b 100644 --- a/poky/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch +++ b/poky/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch @@ -12,16 +12,18 @@ Upstream-Status: Inappropriate [oe-core specific] Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Alejandro Hernandez Samaniego <alejandro@enedino.org> +Refresh for 3.10.7: +Signed-off-by: Tim Orling <tim.orling@konsulko.com> --- setup.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/setup.py b/setup.py -index 2be4738..62f0e18 100644 +index 85a2b26357..7605347bf5 100644 --- a/setup.py +++ b/setup.py -@@ -517,6 +517,14 @@ class PyBuildExt(build_ext): +@@ -517,6 +517,14 @@ def print_three_column(lst): print("%-*s %-*s %-*s" % (longest, e, longest, f, longest, g)) 
@@ -35,4 +37,4 @@ index 2be4738..62f0e18 100644 + if self.missing: print() - print("Python build finished successfully!") + print("The necessary bits to build these optional modules were not " diff --git a/poky/meta/recipes-devtools/python/python3/cve-2023-24329.patch b/poky/meta/recipes-devtools/python/python3/cve-2023-24329.patch new file mode 100644 index 0000000000..d47425d239 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3/cve-2023-24329.patch 
@@ -0,0 +1,50 @@ +From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Sun, 13 Nov 2022 11:00:25 -0800 +Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme + must begin with an alphabetical ASCII character. (GH-99421) + +Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character. + +RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )` +RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A` + +The WHATWG URL spec defines a scheme like this: +`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."` +(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7) + +Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com> +--- end original header --- + +CVE: CVE-2023-24329 + +Upstream-Status: Backport [see below] + +Taken from https://github.com/python/cpython.git +commit 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 + +CVE fix extracted; test case and update to NEWS abandoned. +Defuzzed. + +Signed-off-by: Joe Slater <joe.slater@windriver.com> +--- + Lib/urllib/parse.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index 26ddf30..1c53acb 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragments=True): + clear_cache() + netloc = query = fragment = '' + i = url.find(':') +- if i > 0: ++ if i > 0 and url[0].isascii() and url[0].isalpha(): + for c in url[:i]: + if c not in scheme_chars: + break +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/python/python3/get_module_deps3.py b/poky/meta/recipes-devtools/python/python3/get_module_deps3.py index 1f4c982aed..0ca687d2eb 100644 
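Review bot: the `urlsplit` hunk in `cve-2023-24329.patch` above only rejects a scheme whose first character is not an ASCII letter (`url[0].isascii() and url[0].isalpha()`); the following loop already stopped on any character outside `scheme_chars`, so a URL that begins with a blank, such as `" https://example"`, was parsed without a scheme before this change and still is after it. CVE-2023-24329 as published is about exactly those leading blank characters bypassing scheme or host blocklists, so it is worth stating in the header which upstream change this backport is believed to correspond to and re-checking that the recipe is not carrying a fix for a neighbouring issue (gh-99418) under the CVE's name. The header also says "test case and update to NEWS abandoned"; carrying the upstream test for `urlparse` with non-alphabetic leading characters would at least pin the behaviour this hunk does change.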
--- a/poky/meta/recipes-devtools/python/python3/get_module_deps3.py +++ b/poky/meta/recipes-devtools/python/python3/get_module_deps3.py @@ -56,7 +56,7 @@ if debug == True: try: m = importlib.import_module(current_module) # handle python packages which may not include all modules in the __init__ - if os.path.basename(m.__file__) == "__init__.py": + if hasattr(m, '__file__') and os.path.basename(m.__file__) == "__init__.py": modulepath = os.path.dirname(m.__file__) for i in os.listdir(modulepath): if i.startswith("_") or not(i.endswith(".py")): diff --git a/poky/meta/recipes-devtools/python/python3_3.10.4.bb b/poky/meta/recipes-devtools/python/python3_3.10.9.bb index 34fd2895a3..867958c0fb 100644 --- a/poky/meta/recipes-devtools/python/python3_3.10.4.bb +++ b/poky/meta/recipes-devtools/python/python3_3.10.9.bb @@ -4,7 +4,7 @@ DESCRIPTION = "Python is a programming language that lets you work more quickly LICENSE = "PSF-2.0" SECTION = "devel/python" -LIC_FILES_CHKSUM = "file://LICENSE;md5=4b8801e752a2c70ac41a5f9aa243f766" +LIC_FILES_CHKSUM = "file://LICENSE;md5=a1822df8d0f068628ca6090aedc5bfc8" SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://run-ptest \ @@ -35,7 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \ file://deterministic_imports.patch \ file://0001-Avoid-shebang-overflow-on-python-config.py.patch \ - file://0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch \ + file://cve-2023-24329.patch \ " SRC_URI:append:class-native = " \ 
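Review bot: `hasattr(m, '__file__')` in the `get_module_deps3.py` hunk covers built-in modules, which have no `__file__` at all, but not namespace packages, where the attribute exists and is `None` (since Python 3.7), so `os.path.basename(m.__file__)` still raises `TypeError` for them. `getattr(m, '__file__', None)` tested for truthiness before the `basename` call handles both cases in one expression.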
@@ -44,7 +44,7 @@ SRC_URI:append:class-native = " \ file://12-distutils-prefix-is-inside-staging-area.patch \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[sha256sum] = "80bf925f571da436b35210886cf79f6eb5fa5d6c571316b73568343451f77a19" +SRC_URI[sha256sum] = "5ae03e308260164baba39921fdb4dbf8e6d03d8235a939d4582b33f0b5e46a83" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
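Review bot: the python3 recipe move from 3.10.4 to 3.10.9 drops `0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch`, which is correct: the backport that patch carried (GH-92037, merged to the 3.10 branch in May 2022) is in 3.10.5 and every later 3.10.x release, so keeping it would only produce a patch that fails to apply. The `cve-2023-24329.patch` entry takes the freed slot in `SRC_URI`, which reads as though one replaced the other; a separate `SRC_URI` line keeps the upgrade and the CVE backport visually distinct for the next person who bumps the version. The `LIC_FILES_CHKSUM` change means the LICENSE text differs between 3.10.4 and 3.10.9; the commit message should say what changed (a copyright-year bump is the usual reason) so a reviewer does not have to diff the two files, and the new `SRC_URI[sha256sum]` should be confirmed against the value published for Python-3.10.9.tar.xz.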