author | Patrick Williams <patrick@stwcx.xyz> | 2021-05-27 09:23:47 +0300 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2021-05-27 09:29:33 +0300 |
commit | eee7d70a4dbbd89645098df2397aa3f4e5d8baa0 (patch) | |
tree | 6d5e9c8499e6106fd31b902694ad519941460ed8 /poky/meta/recipes-devtools | |
parent | 776d5d2fd95e177490624f4f2f1b2f91a20a3e77 (diff) | |
download | openbmc-eee7d70a4dbbd89645098df2397aa3f4e5d8baa0.tar.xz |
subtree updates
meta-openembedded: 346681e7bf..11eae11452:
Aditya.Tayade (1):
neon: Add ptest
Andrei Gherzan (1):
nss: Fix warnings generated by getcwd
Andrej Kozemcak (1):
libupnp: Fix CVE-2020-13848
Armin Kuster (3):
wireguard: fix build issue with updated 5.4 kernel
nostromo: Blacklist and exclude from world builds
packagegroup-meta-webserver: remove nostromo from pkg grp
Clément Péron (1):
nodejs: 12.20.2 -> 12.21.0
Khem Raj (1):
linuxptp: Fix cross build
Marek Vasut (1):
freerdp: Add missing libxkbcommon WL dependency
Martin Jansa (9):
opencv: refresh patches with devtool to apply cleanly
ceres-solver: prevent fetching git hook during do_configure
packagegroup-meta-oe: include nodejs without meta-python2 conditional
packagegroup-meta-oe: move the packages depending on meta-python2 to separate packages
packagegroup-meta-oe: add guider
uml-utilities: fix installed-vs-shipped with usrmerge
telepathy-glib: respect GI_DATA_ENABLED when enabling vala-bindings
libyui: switch to libyui-old repo which still has this SRCREV
ostree: switch from default master branch to main to fix do_fetch failure
Mingli Yu (2):
hostapd: fix CVE-2019-5061
hostapd: fix CVE-2021-0326 and CVE-2021-27803
Neetika Singh (1):
opencv: Security fixes
Peace Lee (2):
guider: Upgrade to 3.9.7
Update commit for version 3.9.7
Rahul Taya (1):
nghttp2: Add fix for CVE-2020-11080
Saloni Jain (1):
fuse: Whitelisted CVE-2019-14860
Sana Kazi (1):
mdns: Whitelisted CVE-2007-0613 for mdns
Sean Nyekjaer (1):
nodejs: 12.20.1 -> 12.20.2
Stefan Ghinea (1):
hostapd: fix CVE-2021-30004
changqing.li@windriver.com (1):
thin-provisioning-tools: switch branch from master to main
poky: d20ef1f5a5..6ebb33bdac:
Alejandro Hernandez Samaniego (1):
devtool: Fix do_kernel_configme task
Alexander Kanavin (11):
selftest/reproducible: enable world reproducibility test
selftest/reproducible: add an exclusion list for items that are not yet reproducible
selftest/reproducible: track unusued entries in the exclusion list
oeqa: tear down oeqa decorators if one of them raises an exception in setup
meta/lib/oeqa/core/tests/cases/timeout.py: add a testcase for the previous fix
diffoscope: add native libraries to LD_LIBRARY_PATH
Revert "oeqa: Set LD_LIBRARY_PATH when executing native commands"
ovmf: update to 202002
ovmf: update to 202005
ovmf: update edk2-stable202005 -> edk2-stable202008
linux-firmware: upgrade 20210208 -> 20210315
Anatol Belski (2):
glibc: Pull latest 2.31 HEAD
tar: Fix CVE-2021-20193
Anton D. Kachalov (1):
run-postinsts: do not remove postinsts directory.
Anuj Mittal (1):
lsb-release: fix reproducibility failure
Bruce Ashfield (14):
linux-yocto/5.4: update to v5.4.99
linux-yocto/5.4: update to v5.4.101
linux-yocto/5.4: update to v5.4.103
linux-yocto/5.4: update to v5.4.105
linux-yocto/5.4: update to v5.4.107
linux-yocto/5.4: update to v5.4.109
linux-yocto/5.4: update to v5.4.111
linux-yocto/5.4: update to v5.4.112
linux-yocto/5.4: fix arm defconfig warnings
linux-yocto/5.4: update to v5.4.114
linux-yocto/5.4: update to v5.4.116
perf: fix python-audit RDEPENDS
make-mod-scripts: add HOSTCXX definitions and gmp-native dependency
linux-yocto/5.4: qemuppc32: reduce serial shutdown issues
Catalin Enache (1):
connman: fix CVE-2021-26675, CVE-2021-26676
Charlie Davies (1):
bitbake-bblayers/create: Fix incorrect priority help message
Chee Yang Lee (1):
initrdscripts: init-install-efi.sh install extra files for ESP
Chen Qi (4):
python3-jinja2: set CVE_PRODUCT
cups: use /run instead /var/run in systemd's unit file
populate_sdk_ext: record METADATA_REVISION
db: update CVE_PRODUCT
Christophe Chapuis (1):
rootfs.py: find .ko.gz and .ko.xz kernel modules as well
Christopher Larson (2):
buildhistory: add missing vardepsexcludes
image,populate_sdk_base: move 'func' flag setting for sdk command vars
Denys Dmytriyenko (1):
maintainers: update own email address
Diego Santa Cruz (1):
iputils: fix various arping regressions
Diego Sueiro (1):
oeqa/selftest/bblayers: Add test case for bitbake-layers layerindex-show-depends
Dorinda (7):
meta/recipes-rt: Add HOMEPAGE / DESCRIPTION
meta-skeleton: Add HOMEPAGE / DESCRIPTION
meta/recipes-extended: Add HOMEPAGE / DESCRIPTION
meta/recipes-support: Add HOMEPAGE / DESCRIPTION
meta/recipes-kernel: Add HOMEPAGE / DESCRIPTION
meta/recipes-multimedia: Add HOMEPAGE / DESCRIPTION
meta/recipes-graphics: Add HOMEPAGE / DESCRIPTION
Dorinda Bassey (3):
meta/recipes-devtools: Add HOMEPAGE / DESCRIPTION
meta-selftest: Add HOMEPAGE / DESCRIPTION
devshell.bbclass: Exceptions displayed within devpyshell
Douglas Royds (4):
cmake: Fully-qualified path to ar
externalsrc: Detect code changes in submodules
Revert "externalsrc: Detect code changes in submodules"
externalsrc: Detect code changes in submodules
Florian Bezdeka (1):
wic: Warn if an ext filesystem affected by the Y2038 problem is used
Gavin Li (1):
kmod: do not symlink config.guess/config.sub during autoreconf
Guillaume Champagne (1):
image-live.bbclass: optional depends when ROOTFS empty
He Zhe (1):
cryptodev-module: Backport a patch to fix build failure with kernel v5.8
Jan Brzezanski (1):
bitbake: Force parser shutdown after catching an exception
Jon Mason (1):
runqemu: use "raw" instead of "bin" for ovmf
Jose Quaresma (1):
ptest-runner: libgcc must be installed for pthread_cancel to work
Joshua Watt (1):
classes/image: Use xargs to set file timestamps
Kai Uwe Broulik (1):
gstreamer1.0-plugins-good: on wayland qt5 needs qtwayland
Khem Raj (6):
oeqa/pam: Need shadow installed for the tests
rxvt-unicode: Do not use throw specifications
dtc: Fix array-bounds error
documentation-audit.sh: Fix typo in specifying LICENSE_FLAGS_WHITELIST
ca-certificates: Fix openssl runtime cert dependencies
cml1.bbclass: Return sorted list of cfg files
Konrad Weihmann (1):
cve-update-db-native: skip on empty cpe23Uri
Lee Chee Yang (7):
cve-update-db-native: consider version suffix when update CVE db
cve-check: CVE_VERSION_SUFFIX to work with patched release
binutils: fix CVE-2021-3487
subversion: fix CVE-2020-17525
qemu: fix CVE-2021-3392
tiff: fix CVE-2020-35523 CVE-2020-35524
python3-jinja2: 2.11.2 -> 2.11.3
Li Wang (1):
linux-dummy: add empty dependent packages
Marek Vasut (1):
linux-firmware: Package RSI 911x WiFi firmware
Mark Hatle (2):
populate_sdk_ext: Avoid copying and producing .pyc files
kernel.bbclass: Remove do_install[prefunc] no longer needed
Martin Jansa (2):
iso-codes: fix protocol in SRC_URI
wpa-supplicant: update CVE-2021-27803.patch
Meh Mbeh Ida Delphine (6):
recipes-gnome: Add missing HOMEPAGE and DESCRIPTION for recipes
recipes-graphics: Add missing HOMEPAGE and DESCRIPTION for recipes.
recipes-kernel: Add missing HOMEPAGE and DESCRIPTION for recipes.
recipes-multimedia: Add missing HOMEPAGE and DESCRIPTION for recipes.
recipes-sato: Add missing HOMEPAGE and DESCRIPTION for recipes
recipes-support: Add missing HOMEPAGE and DESCRIPTION for recipes
Michael Opdenacker (1):
sanity.bbclass: mention CONNECTIVITY_CHECK_URIS in network failure message
Michael Trensch (1):
linux-firmware: Fix packaging
Mike Crowe (1):
curl: Patch CVE-2021-22876 & CVE-2021-22890
Mikko Rapeli (3):
openssl: update to 1.1.1k to fix CVE-2021-3450 and CVE-2021-3449
bitbake: bitbake: tests/fetch: fix test execution without .gitconfig
bitbake: bitbake: tests/fetch: remove write protected files too
Mingli Yu (3):
libtool: make sure autoheader run before autoconf
libtool: make sure autoheader run before automake
groff: not ship /usr/bin/grap2graph
Minjae Kim (3):
wpa-supplicant: fix CVE-2021-27803
qemu: fix CVE-2021-20203
git: fix CVE-2021-21300
Naveen Saini (1):
cryptodev-module: fix build failure with kernel v5.10
Niels Avonds (1):
bitbake: fetch/gitsm: Fix crash when using git LFS and submodules
Peter Budny (1):
lib/oe/terminal: Fix tmux new-session on older tmux versions (<1.9)
Peter Morrow (2):
goarch: map target os to windows for mingw* TARGET_OS
go_1.14: don't set -buildmode=pie when building for windows targets
Petr Vorel (1):
scripts/verify-bashisms: Update checkbashisms.pl URL
Purushottam Choudhary (1):
shadow: whitelist CVE-2013-4235
Reto Schneider (2):
license_image.bbclass: Detect broken symlinks
license_image.bbclass: Fix symlink to generic license files
Richard Purdie (44):
libid3tag: Fix reproducibility issue
syslinux: Fix reproducibility issues
swig: Fix reproducibility issue
efivar: Fix reproducibility issue
selftest/reproducible: Add ability to pull some objects from sstate
build-appliance-image: Drop kernel module handling
bitbake: runqueue: Fix task execution corruption issue
bitbake: runqueue: Add setscene task overlap sanity check
selftest/wic: Fix dependency issue in rawcopy test
build-appliance-image: Update to dunfell head revision
selftest/reproducible: Sort the unused exclusion list
diffoscope: Upgrade 136 -> 168
diffoscope: Upgrade 168 -> 172
oeqa/selftest: Hardcode test assumptions about heartbeat event timings
oeqa/selftest: Ensure packages classes are set correctly for maintainers test
sanity: Add error check for '%' in build path
sanity: Further improve directory sanity tests
pseudo: Upgrade to add trailing slashes ignore path fix
yocto-check-layer: Avoid bug when iterating and autoadding dependencies
bitbake: runqueue: Fix deferred task issues
yocto-uninative: Update to 3.1 which includes a patchelf fix
pybootchart/draw: Avoid divide by zero error
glibc: Document and whitelist CVE-2019-1010022-25
qemu: Exclude CVE-2017-5957 from cve-check
qemu: Exclude CVE-2007-0998 from cve-check
qemu: Exclude CVE-2018-18438 from cve-check
jquery: Exclude CVE-2007-2379 from cve-check
logrotate: Exclude CVE-2011-1548,1549,1550 from cve-check
openssh: Exclude CVE-2007-2768 from cve-check
openssh: Exclude CVE-2008-3844 from cve-check
unzip: Exclude CVE-2008-0888 from cve-check
cpio: Exclude CVE-2010-4226 from cve-check
ghostscript: Exclude CVE-2013-6629 from cve-check
bluez: Exclude CVE-2020-12352 CVE-2020-24490 from cve-check
tiff: Exclude CVE-2015-7313 from cve-check
coreutils: Exclude CVE-2016-2781 from cve-check
librsvg: Exclude CVE-2018-1000041 from cve-check
avahi: Exclude CVE-2021-26720 from cve-check
oeqa/qemurunner: Improve logging thread exit handling for qemu shutdown test
oeqa/qemurunner: Fix binary vs str issue
oeqa/qemurunner: Improve handling of run_serial for shutdown commands
Revert "cml1.bbclass: Return sorted list of cfg files"
sstate: Handle manifest 'corruption' issue
build-appliance-image: Update to dunfell head revision
Robert P. J. Day (4):
bitbake-whatchanged: change ending quote to proper period
bitbake.conf: correct description of HOSTTOOLS_DIR
image.bbclass: fix comment "pacackages" -> "packages"
meta/lib/oe/rootfs.py: Fix typo "Restoreing" -> "Restoring"
Romain Naour (1):
dejagnu: needs expect at runtime
Ross Burton (7):
ptest-packagelists: remove libinput-ptest
insane: don't check for a warning string that is never output
insane: clean up some more warning messages
cairo: backport patch for CVE-2020-35492
libnotify: whitelist CVE-2013-7381 (specific to the NodeJS bindings)
builder: whitelist CVE-2008-4178 (a different builder)
bitbake: providers: selected version not available should be a warning
Stefan Ghinea (2):
wpa-supplicant: fix CVE-2021-30004
boost: fix do_fetch failure
Stefan Schmidt (1):
systemd-conf: do not ask for DHCP if configured on kernel command line
Steve Sakoman (11):
Revert "sstatesig.py: show an error instead of warning when sstate manifest isn't found"
documentation: prepare for 3.1.7 release
poky.conf: Bump version for 3.1.7 release
selftest/reproducible: adjust exclusion list for dunfell
lib/package_manager: Use shutil.copy instead of bb.utils.copyfile for intercepts
reproducible.py: add quilt-ptest and valgrind-ptest
poky-tiny.conf: set PREFERRED_VERSION_linux-yocto-tiny to 5.4%
ref-system-requirements.rst: Add Fedora 33 to list of supported distros
documentation: prepare for 3.1.8 release
poky.conf: Add fedora33 as a supported distro
poky.conf: Bump version for 3.1.8 release
Vinay Kumar (1):
Binutils: Fix CVE-2021-20197
Yanfei Xu (1):
parselogs: ignore floppy error on qemu-system-x86 at boot stage
Yann Dirson (1):
linux-firmware: include all relevant files in -bcm4356
Yi Fan Yu (2):
valgrind: Increase timeout duration 30 -> 90 s
libevent: Increase ptest timing tolerance 50 ms -> 100 ms
Zhang Qiang (1):
kernel.bbclass: Configuration for environment with HOSTCXX
zhengruoqin (1):
wireless-regdb: upgrade 2020.11.20 -> 2021.04.21
meta-security: c74cc97641..93232ae6d5:
Armin Kuster (1):
kas-security-base: drop DL_DIR
Ming Liu (12):
ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
initramfs-framework-ima: fix a wrong path
ima-evm-keys: add recipe
initramfs-framework-ima: RDEPENDS on ima-evm-keys
meta: refactor IMA/EVM sign rootfs
README.md: update according to the refactoring in ima-evm-rootfs.bbclass
initramfs-framework-ima: let ima_enabled return 0
ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic
ima-evm-keys: add file-checksums to IMA_EVM_X509
meta: drop IMA_POLICY from policy recipes
initramfs-framework-ima: introduce IMA_FORCE
Omer Akram (4):
Update apparmor to 2.13.6
backport cross-compile python binding fix
Use C preprocessor from the yocto build environment
tests: correctly escape # in Makefile
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ibb369f72ca2601f5582a5608d6bdd516d90bea2a
Diffstat (limited to 'poky/meta/recipes-devtools')
26 files changed, 1410 insertions, 15 deletions
diff --git a/poky/meta/recipes-devtools/binutils/binutils-2.34.inc b/poky/meta/recipes-devtools/binutils/binutils-2.34.inc index f557fe970c..3e10279b1d 100644 --- a/poky/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/poky/meta/recipes-devtools/binutils/binutils-2.34.inc @@ -46,5 +46,7 @@ SRC_URI = "\ file://0001-gas-improve-reproducibility-for-stabs-debugging-data.patch \ file://CVE-2020-16592.patch \ file://CVE-2020-16598.patch \ + file://CVE-2021-20197.patch \ + file://CVE-2021-3487.patch \ " S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch new file mode 100644 index 0000000000..423814f98d --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch 
@@ -0,0 +1,572 @@ +From d3edaa91d4cf7202ec14342410194841e2f67f12 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Fri, 26 Feb 2021 11:30:32 +1030 +Subject: [PATCH v2] Reinstate various pieces backed out from smart_rename changes + +In the interests of a stable release various last minute smart_rename +patches were backed out of the 2.36 branch. The main reason to +reinstate some of those backed out changes here is to make necessary +followup fixes to commit 8e03235147a9 simple cherry-picks from +mainline. A secondary reason is that ar -M support isn't fixed for +pr26945 without this patch. + + PR 26945 + * ar.c: Don't include libbfd.h. + (write_archive): Replace xmalloc+strcpy with xstrdup. + * arsup.c (temp_name, real_ofd): New static variables. + (ar_open): Use make_tempname and bfd_fdopenw. + (ar_save): Adjust to suit ar_open changes. + * objcopy.c: Don't include libbfd.h. + * rename.c: Rename and reorder variables. + +(cherry picked from commit 95b91a043aeaeb546d2fea556d84a2de1e917770) + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d3edaa91d4cf7202ec14342410194841e2f67f12] +CVE: CVE-2021-20197 +Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> +--- + bfd/bfd-in2.h | 2 + + bfd/opncls.c | 33 ++++++++++ + binutils/ar.c | 15 +++-- + binutils/arsup.c | 37 ++++++++---- + binutils/bucomm.c | 4 +- + binutils/bucomm.h | 5 +- + binutils/objcopy.c | 37 +++++++----- + binutils/rename.c | 148 +++++++++++---------------------------------- + 8 files changed, 133 insertions(+), 148 deletions(-) + +diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h +index 2e453c50c18..e53f54a8ab7 100644 +--- a/bfd/bfd-in2.h ++++ b/bfd/bfd-in2.h +@@ -588,6 +588,8 @@ bfd *bfd_openr (const char *filename, const char *target); + + bfd *bfd_fdopenr (const char *filename, const char *target, int fd); + ++bfd *bfd_fdopenw (const char *filename, const char *target, int fd); ++ + bfd *bfd_openstreamr (const char * filename, const char * target, + 
void * stream); + +diff --git a/bfd/opncls.c b/bfd/opncls.c +index a03ad51c8fa..f9da97ed710 100644 +--- a/bfd/opncls.c ++++ b/bfd/opncls.c +@@ -370,6 +370,39 @@ bfd_fdopenr (const char *filename, const char *target, int fd) + return bfd_fopen (filename, target, mode, fd); + } + ++/* ++FUNCTION ++ bfd_fdopenw ++ ++SYNOPSIS ++ bfd *bfd_fdopenw (const char *filename, const char *target, int fd); ++ ++DESCRIPTION ++ <<bfd_fdopenw>> is exactly like <<bfd_fdopenr>> with the exception that ++ the resulting BFD is suitable for output. ++*/ ++ ++bfd * ++bfd_fdopenw (const char *filename, const char *target, int fd) ++{ ++ bfd *out = bfd_fdopenr (filename, target, fd); ++ ++ if (out != NULL) ++ { ++ if (!bfd_write_p (out)) ++ { ++ close (fd); ++ _bfd_delete_bfd (out); ++ out = NULL; ++ bfd_set_error (bfd_error_invalid_operation); ++ } ++ else ++ out->direction = write_direction; ++ } ++ ++ return out; ++} ++ + /* + FUNCTION + bfd_openstreamr +diff --git a/binutils/ar.c b/binutils/ar.c +index 1057db9980e..c33a11e0d70 100644 +--- a/binutils/ar.c ++++ b/binutils/ar.c +@@ -1195,20 +1195,23 @@ write_archive (bfd *iarch) + bfd *obfd; + char *old_name, *new_name; + bfd *contents_head = iarch->archive_next; ++ int ofd = -1; + +- old_name = (char *) xmalloc (strlen (bfd_get_filename (iarch)) + 1); +- strcpy (old_name, bfd_get_filename (iarch)); +- new_name = make_tempname (old_name); ++ old_name = xstrdup (bfd_get_filename (iarch)); ++ new_name = make_tempname (old_name, &ofd); + + if (new_name == NULL) + bfd_fatal (_("could not create temporary file whilst writing archive")); + + output_filename = new_name; + +- obfd = bfd_openw (new_name, bfd_get_target (iarch)); ++ obfd = bfd_fdopenw (new_name, bfd_get_target (iarch), ofd); + + if (obfd == NULL) +- bfd_fatal (old_name); ++ { ++ close (ofd); ++ bfd_fatal (old_name); ++ } + + output_bfd = obfd; + +@@ -1246,7 +1249,7 @@ write_archive (bfd *iarch) + /* We don't care if this fails; we might be creating the archive. 
*/ + bfd_close (iarch); + +- if (smart_rename (new_name, old_name, 0) != 0) ++ if (smart_rename (new_name, old_name, NULL) != 0) + xexit (1); + free (old_name); + free (new_name); +diff --git a/binutils/arsup.c b/binutils/arsup.c +index 00967c972cd..b8ae4f7ec1a 100644 +--- a/binutils/arsup.c ++++ b/binutils/arsup.c +@@ -42,6 +42,8 @@ extern int deterministic; + + static bfd *obfd; + static char *real_name; ++static char *temp_name; ++static int real_ofd; + static FILE *outfile; + + static void +@@ -149,27 +151,24 @@ maybequit (void) + void + ar_open (char *name, int t) + { +- char *tname; +- const char *bname = lbasename (name); +- real_name = name; ++ real_name = xstrdup (name); ++ temp_name = make_tempname (real_name, &real_ofd); + +- /* Prepend tmp- to the beginning, to avoid file-name clashes after +- truncation on filesystems with limited namespaces (DOS). */ +- if (asprintf (&tname, "%.*stmp-%s", (int) (bname - name), name, bname) == -1) ++ if (temp_name == NULL) + { +- fprintf (stderr, _("%s: Can't allocate memory for temp name (%s)\n"), ++ fprintf (stderr, _("%s: Can't open temporary file (%s)\n"), + program_name, strerror(errno)); + maybequit (); + return; + } + +- obfd = bfd_openw (tname, NULL); ++ obfd = bfd_fdopenw (temp_name, NULL, real_ofd); + + if (!obfd) + { + fprintf (stderr, + _("%s: Can't open output archive %s\n"), +- program_name, tname); ++ program_name, temp_name); + + maybequit (); + } +@@ -344,16 +343,30 @@ ar_save (void) + } + else + { +- char *ofilename = xstrdup (bfd_get_filename (obfd)); ++ struct stat target_stat; + + if (deterministic > 0) + obfd->flags |= BFD_DETERMINISTIC_OUTPUT; + + bfd_close (obfd); + +- smart_rename (ofilename, real_name, 0); ++ if (stat (real_name, &target_stat) != 0) ++ { ++ /* The temp file created in ar_open has mode 0600 as per mkstemp. ++ Create the real empty output file here so smart_rename will ++ update the mode according to the process umask. 
*/ ++ obfd = bfd_openw (real_name, NULL); ++ if (obfd != NULL) ++ { ++ bfd_set_format (obfd, bfd_archive); ++ bfd_close (obfd); ++ } ++ } ++ ++ smart_rename (temp_name, real_name, NULL); + obfd = 0; +- free (ofilename); ++ free (temp_name); ++ free (real_name); + } + } + +diff --git a/binutils/bucomm.c b/binutils/bucomm.c +index 9e6a02843e6..53244201f89 100644 +--- a/binutils/bucomm.c ++++ b/binutils/bucomm.c +@@ -532,7 +532,7 @@ template_in_dir (const char *path) + as FILENAME. */ + + char * +-make_tempname (const char *filename) ++make_tempname (const char *filename, int *ofd) + { + char *tmpname = template_in_dir (filename); + int fd; +@@ -550,7 +550,7 @@ make_tempname (const char *filename) + free (tmpname); + return NULL; + } +- close (fd); ++ *ofd = fd; + return tmpname; + } + +diff --git a/binutils/bucomm.h b/binutils/bucomm.h +index d8318343f78..2b164e0af68 100644 +--- a/binutils/bucomm.h ++++ b/binutils/bucomm.h +@@ -51,7 +51,7 @@ int display_info (void); + + void print_arelt_descr (FILE *, bfd *, bfd_boolean, bfd_boolean); + +-char *make_tempname (const char *); ++char *make_tempname (const char *, int *); + char *make_tempdir (const char *); + + bfd_vma parse_vma (const char *, const char *); +@@ -71,7 +71,8 @@ extern void print_version (const char *); + /* In rename.c. */ + extern void set_times (const char *, const struct stat *); + +-extern int smart_rename (const char *, const char *, int); ++extern int smart_rename (const char *, const char *, struct stat *); ++ + + /* In libiberty. */ + void *xmalloc (size_t); +diff --git a/binutils/objcopy.c b/binutils/objcopy.c +index 212e25144e6..5ccbd926610 100644 +--- a/binutils/objcopy.c ++++ b/binutils/objcopy.c +@@ -3682,7 +3682,7 @@ set_long_section_mode (bfd *output_bfd, bfd *input_bfd, enum long_section_name_h + /* The top-level control. 
*/ + + static void +-copy_file (const char *input_filename, const char *output_filename, ++copy_file (const char *input_filename, const char *output_filename, int ofd, + const char *input_target, const char *output_target, + const bfd_arch_info_type *input_arch) + { +@@ -3757,9 +3757,14 @@ copy_file (const char *input_filename, const char *output_filename, + else + force_output_target = TRUE; + +- obfd = bfd_openw (output_filename, output_target); ++ if (ofd >= 0) ++ obfd = bfd_fdopenw (output_filename, output_target, ofd); ++ else ++ obfd = bfd_openw (output_filename, output_target); ++ + if (obfd == NULL) + { ++ close (ofd); + bfd_nonfatal_message (output_filename, NULL, NULL, NULL); + status = 1; + return; +@@ -3787,13 +3792,19 @@ copy_file (const char *input_filename, const char *output_filename, + if (output_target == NULL) + output_target = bfd_get_target (ibfd); + +- obfd = bfd_openw (output_filename, output_target); ++ if (ofd >= 0) ++ obfd = bfd_fdopenw (output_filename, output_target, ofd); ++ else ++ obfd = bfd_openw (output_filename, output_target); ++ + if (obfd == NULL) + { ++ close (ofd); + bfd_nonfatal_message (output_filename, NULL, NULL, NULL); + status = 1; + return; + } ++ + /* This is a no-op on non-Coff targets. 
*/ + set_long_section_mode (obfd, ibfd, long_section_names); + +@@ -4746,6 +4757,7 @@ strip_main (int argc, char *argv[]) + int hold_status = status; + struct stat statbuf; + char *tmpname; ++ int tmpfd = -1; + + if (get_file_size (argv[i]) < 1) + { +@@ -4760,7 +4772,7 @@ strip_main (int argc, char *argv[]) + + if (output_file == NULL + || filename_cmp (argv[i], output_file) == 0) +- tmpname = make_tempname (argv[i]); ++ tmpname = make_tempname (argv[i], &tmpfd); + else + tmpname = output_file; + +@@ -4773,15 +4785,13 @@ strip_main (int argc, char *argv[]) + } + + status = 0; +- copy_file (argv[i], tmpname, input_target, output_target, NULL); ++ copy_file (argv[i], tmpname, tmpfd, input_target, output_target, NULL); + if (status == 0) + { +- if (preserve_dates) +- set_times (tmpname, &statbuf); + if (output_file != tmpname) + status = (smart_rename (tmpname, + output_file ? output_file : argv[i], +- preserve_dates) != 0); ++ preserve_dates ? &statbuf : NULL) != 0); + if (status == 0) + status = hold_status; + } +@@ -4993,7 +5003,7 @@ copy_main (int argc, char *argv[]) + bfd_boolean formats_info = FALSE; + bfd_boolean use_globalize = FALSE; + bfd_boolean use_keep_global = FALSE; +- int c; ++ int c, tmpfd = -1; + struct stat statbuf; + const bfd_arch_info_type *input_arch = NULL; + +@@ -5839,7 +5849,7 @@ copy_main (int argc, char *argv[]) + are the same, then create a temp and rename the result into the input. 
*/ + if (output_filename == NULL + || filename_cmp (input_filename, output_filename) == 0) +- tmpname = make_tempname (input_filename); ++ tmpname = make_tempname (input_filename, &tmpfd); + else + tmpname = output_filename; + +@@ -5847,14 +5857,13 @@ copy_main (int argc, char *argv[]) + fatal (_("warning: could not create temporary file whilst copying '%s', (error: %s)"), + input_filename, strerror (errno)); + +- copy_file (input_filename, tmpname, input_target, output_target, input_arch); ++ copy_file (input_filename, tmpname, tmpfd, input_target, output_target, ++ input_arch); + if (status == 0) + { +- if (preserve_dates) +- set_times (tmpname, &statbuf); + if (tmpname != output_filename) + status = (smart_rename (tmpname, input_filename, +- preserve_dates) != 0); ++ preserve_dates ? &statbuf : NULL) != 0); + } + else + unlink_if_ordinary (tmpname); +diff --git a/binutils/rename.c b/binutils/rename.c +index bf3b68d0462..07d44d0f314 100644 +--- a/binutils/rename.c ++++ b/binutils/rename.c +@@ -24,14 +24,9 @@ + + #ifdef HAVE_GOOD_UTIME_H + #include <utime.h> +-#else /* ! HAVE_GOOD_UTIME_H */ +-#ifdef HAVE_UTIMES ++#elif defined HAVE_UTIMES + #include <sys/time.h> +-#endif /* HAVE_UTIMES */ +-#endif /* ! HAVE_GOOD_UTIME_H */ +- +-#if ! defined (_WIN32) || defined (__CYGWIN32__) +-static int simple_copy (const char *, const char *); ++#endif + + /* The number of bytes to copy at once. */ + #define COPY_BUF 8192 +@@ -82,7 +77,6 @@ simple_copy (const char *from, const char *to) + } + return 0; + } +-#endif /* __CYGWIN32__ or not _WIN32 */ + + /* Set the times of the file DESTINATION to be the same as those in + STATBUF. */ +@@ -91,122 +85,52 @@ void + set_times (const char *destination, const struct stat *statbuf) + { + int result; +- +- { + #ifdef HAVE_GOOD_UTIME_H +- struct utimbuf tb; +- +- tb.actime = statbuf->st_atime; +- tb.modtime = statbuf->st_mtime; +- result = utime (destination, &tb); +-#else /* ! 
HAVE_GOOD_UTIME_H */ +-#ifndef HAVE_UTIMES +- long tb[2]; +- +- tb[0] = statbuf->st_atime; +- tb[1] = statbuf->st_mtime; +- result = utime (destination, tb); +-#else /* HAVE_UTIMES */ +- struct timeval tv[2]; +- +- tv[0].tv_sec = statbuf->st_atime; +- tv[0].tv_usec = 0; +- tv[1].tv_sec = statbuf->st_mtime; +- tv[1].tv_usec = 0; +- result = utimes (destination, tv); +-#endif /* HAVE_UTIMES */ +-#endif /* ! HAVE_GOOD_UTIME_H */ +- } ++ struct utimbuf tb; ++ ++ tb.actime = statbuf->st_atime; ++ tb.modtime = statbuf->st_mtime; ++ result = utime (destination, &tb); ++#elif defined HAVE_UTIMES ++ struct timeval tv[2]; ++ ++ tv[0].tv_sec = statbuf->st_atime; ++ tv[0].tv_usec = 0; ++ tv[1].tv_sec = statbuf->st_mtime; ++ tv[1].tv_usec = 0; ++ result = utimes (destination, tv); ++#else ++ long tb[2]; ++ ++ tb[0] = statbuf->st_atime; ++ tb[1] = statbuf->st_mtime; ++ result = utime (destination, tb); ++#endif + + if (result != 0) + non_fatal (_("%s: cannot set time: %s"), destination, strerror (errno)); + } + +-#ifndef S_ISLNK +-#ifdef S_IFLNK +-#define S_ISLNK(m) (((m) & S_IFMT) == S_IFLNK) +-#else +-#define S_ISLNK(m) 0 +-#define lstat stat +-#endif +-#endif +- +-/* Rename FROM to TO, copying if TO is a link. +- Return 0 if ok, -1 if error. */ ++/* Copy FROM to TO. TARGET_STAT has the file status that, if non-NULL, ++ is used to fix up timestamps. Return 0 if ok, -1 if error. ++ At one time this function renamed files, but file permissions are ++ tricky to update given the number of different schemes used by ++ various systems. So now we just copy. */ + + int +-smart_rename (const char *from, const char *to, int preserve_dates ATTRIBUTE_UNUSED) ++smart_rename (const char *from, const char *to, ++ struct stat *target_stat) + { +- bfd_boolean exists; +- struct stat s; +- int ret = 0; +- +- exists = lstat (to, &s) == 0; +- +-#if defined (_WIN32) && !defined (__CYGWIN32__) +- /* Win32, unlike unix, will not erase `to' in `rename(from, to)' but +- fail instead. 
Also, chown is not present. */ ++ int ret; + +- if (exists) +- remove (to); +- +- ret = rename (from, to); ++ ret = simple_copy (from, to); + if (ret != 0) +- { +- /* We have to clean up here. */ +- non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno)); +- unlink (from); +- } +-#else +- /* Use rename only if TO is not a symbolic link and has +- only one hard link, and we have permission to write to it. */ +- if (! exists +- || (!S_ISLNK (s.st_mode) +- && S_ISREG (s.st_mode) +- && (s.st_mode & S_IWUSR) +- && s.st_nlink == 1) +- ) +- { +- ret = rename (from, to); +- if (ret == 0) +- { +- if (exists) +- { +- /* Try to preserve the permission bits and ownership of +- TO. First get the mode right except for the setuid +- bit. Then change the ownership. Then fix the setuid +- bit. We do the chmod before the chown because if the +- chown succeeds, and we are a normal user, we won't be +- able to do the chmod afterward. We don't bother to +- fix the setuid bit first because that might introduce +- a fleeting security problem, and because the chown +- will clear the setuid bit anyhow. We only fix the +- setuid bit if the chown succeeds, because we don't +- want to introduce an unexpected setuid file owned by +- the user running objcopy. */ +- chmod (to, s.st_mode & 0777); +- if (chown (to, s.st_uid, s.st_gid) >= 0) +- chmod (to, s.st_mode & 07777); +- } +- } +- else +- { +- /* We have to clean up here. */ +- non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno)); +- unlink (from); +- } +- } +- else +- { +- ret = simple_copy (from, to); +- if (ret != 0) +- non_fatal (_("unable to copy file '%s'; reason: %s"), to, strerror (errno)); ++ non_fatal (_("unable to copy file '%s'; reason: %s"), ++ to, strerror (errno)); + +- if (preserve_dates) +- set_times (to, &s); +- unlink (from); +- } +-#endif /* _WIN32 && !__CYGWIN32__ */ ++ if (target_stat != NULL) ++ set_times (to, target_stat); ++ unlink (from); + + return ret; + } +-- +2.17.1 + 
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch new file mode 100644 index 0000000000..1502d03f43 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch 
@@ -0,0 +1,83 @@ +From 647cebce12a6b0a26960220caff96ff38978cf24 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 26 Nov 2020 17:08:33 +0000 +Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt + DWARF debug sections. + + PR 26946 + * dwarf2.c (read_section): Check for debug sections with excessive + sizes. + + +Upstream-Status: Backport [ +https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=647cebce12a6b0a26960220caff96ff38978cf24 +] +CVE: CVE-2021-3487 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + bfd/dwarf2.c | 25 +++++++++++++++++++------ + 1 files changed, 25 insertions(+), 6 deletions(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 977bf43a6a1..8bbfc81d3e7 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -531,22 +531,24 @@ read_section (bfd * abfd, + bfd_byte ** section_buffer, + bfd_size_type * section_size) + { +- asection *msec; + const char *section_name = sec->uncompressed_name; + bfd_byte *contents = *section_buffer; +- bfd_size_type amt; + + /* The section may have already been read. */ + if (contents == NULL) + { ++ bfd_size_type amt; ++ asection *msec; ++ ufile_ptr filesize; ++ + msec = bfd_get_section_by_name (abfd, section_name); +- if (! msec) ++ if (msec == NULL) + { + section_name = sec->compressed_name; + if (section_name != NULL) + msec = bfd_get_section_by_name (abfd, section_name); + } +- if (! msec) ++ if (msec == NULL) + { + _bfd_error_handler (_("DWARF error: can't find %s section."), + sec->uncompressed_name); +@@ -554,12 +556,23 @@ read_section (bfd * abfd, + return FALSE; + } + +- *section_size = msec->rawsize ? msec->rawsize : msec->size; ++ amt = bfd_get_section_limit_octets (abfd, msec); ++ filesize = bfd_get_file_size (abfd); ++ if (amt >= filesize) ++ { ++ /* PR 26946 */ ++ _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! 
(0x%lx vs 0x%lx)"), ++ section_name, (long) amt, (long) filesize); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } ++ *section_size = amt; + /* Paranoia - alloc one extra so that we can make sure a string + section is NUL terminated. */ +- amt = *section_size + 1; ++ amt += 1; + if (amt == 0) + { ++ /* Paranoia - this should never happen. */ + bfd_set_error (bfd_error_no_memory); + return FALSE; + } +-- +2.27.0 + diff --git a/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb b/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb index 0a007bb2cd..ce242c3593 100644 --- a/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb +++ b/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb @@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" SECTION = "devel" DEPENDS += "expect-native" +RDEPENDS_${PN} = "expect" inherit autotools diff --git a/poky/meta/recipes-devtools/git/files/CVE-2021-21300.patch b/poky/meta/recipes-devtools/git/files/CVE-2021-21300.patch new file mode 100644 index 0000000000..9206f711cf --- /dev/null +++ b/poky/meta/recipes-devtools/git/files/CVE-2021-21300.patch 
@@ -0,0 +1,305 @@ +From 0e9cef2414f0df3fa5b9b56ff9072aa122bef29c Mon Sep 17 00:00:00 2001 +From: Minjae Kim <flowrgom@gmail.com> +Date: Sat, 27 Mar 2021 15:18:46 +0900 +Subject: [PATCH] checkout: fix bug that makes checkout follow symlinks in + leading path + +Before checking out a file, we have to confirm that all of its leading +components are real existing directories. And to reduce the number of +lstat() calls in this process, we cache the last leading path known to +contain only directories. However, when a path collision occurs (e.g. +when checking out case-sensitive files in case-insensitive file +systems), a cached path might have its file type changed on disk, +leaving the cache on an invalid state. Normally, this doesn't bring +any bad consequences as we usually check out files in index order, and +therefore, by the time the cached path becomes outdated, we no longer +need it anyway (because all files in that directory would have already +been written). + +But, there are some users of the checkout machinery that do not always +follow the index order. In particular: checkout-index writes the paths +in the same order that they appear on the CLI (or stdin); and the +delayed checkout feature -- used when a long-running filter process +replies with "status=delayed" -- postpones the checkout of some entries, +thus modifying the checkout order. + +When we have to check out an out-of-order entry and the lstat() cache is +invalid (due to a previous path collision), checkout_entry() may end up +using the invalid data and thrusting that the leading components are +real directories when, in reality, they are not. In the best case +scenario, where the directory was replaced by a regular file, the user +will get an error: "fatal: unable to create file 'foo/bar': Not a +directory". But if the directory was replaced by a symlink, checkout +could actually end up following the symlink and writing the file at a +wrong place, even outside the repository. 
Since delayed checkout is +affected by this bug, it could be used by an attacker to write +arbitrary files during the clone of a maliciously crafted repository. + +Some candidate solutions considered were to disable the lstat() cache +during unordered checkouts or sort the entries before passing them to +the checkout machinery. But both ideas include some performance penalty +and they don't future-proof the code against new unordered use cases. + +Instead, we now manually reset the lstat cache whenever we successfully +remove a directory. Note: We are not even checking whether the directory +was the same as the lstat cache points to because we might face a +scenario where the paths refer to the same location but differ due to +case folding, precomposed UTF-8 issues, or the presence of `..` +components in the path. Two regression tests, with case-collisions and +utf8-collisions, are also added for both checkout-index and delayed +checkout. + +Note: to make the previously mentioned clone attack unfeasible, it would +be sufficient to reset the lstat cache only after the remove_subtree() +call inside checkout_entry(). This is the place where we would remove a +directory whose path collides with the path of another entry that we are +currently trying to check out (possibly a symlink). However, in the +interest of a thorough fix that does not leave Git open to +similar-but-not-identical attack vectors, we decided to intercept +all `rmdir()` calls in one fell swoop. + +This addresses CVE-2021-21300. 
+ +Co-authored-by: Johannes Schindelin <johannes.schindelin@gmx.de> +Signed-off-by: Matheus Tavares <matheus.bernardino@usp.br> + +Upstream-Status: Acepted [https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592] +CVE: CVE-2021-21300 +Signed-off-by: Minjae Kim <flowergom@gmail.com> +--- + cache.h | 1 + + compat/mingw.c | 2 ++ + git-compat-util.h | 5 +++++ + symlinks.c | 25 +++++++++++++++++++++ + t/t0021-conversion.sh | 39 ++++++++++++++++++++++++++++++++ + t/t0021/rot13-filter.pl | 21 ++++++++++++++--- + t/t2006-checkout-index-basic.sh | 40 +++++++++++++++++++++++++++++++++ + 7 files changed, 130 insertions(+), 3 deletions(-) + +diff --git a/cache.h b/cache.h +index 04cabaa..dda373f 100644 +--- a/cache.h ++++ b/cache.h +@@ -1675,6 +1675,7 @@ int has_symlink_leading_path(const char *name, int len); + int threaded_has_symlink_leading_path(struct cache_def *, const char *, int); + int check_leading_path(const char *name, int len); + int has_dirs_only_path(const char *name, int len, int prefix_len); ++extern void invalidate_lstat_cache(void); + void schedule_dir_for_removal(const char *name, int len); + void remove_scheduled_dirs(void); + +diff --git a/compat/mingw.c b/compat/mingw.c +index bd24d91..cea9c72 100644 +--- a/compat/mingw.c ++++ b/compat/mingw.c +@@ -340,6 +340,8 @@ int mingw_rmdir(const char *pathname) + ask_yes_no_if_possible("Deletion of directory '%s' failed. 
" + "Should I try again?", pathname)) + ret = _wrmdir(wpathname); ++ if (!ret) ++ invalidate_lstat_cache(); + return ret; + } + +diff --git a/git-compat-util.h b/git-compat-util.h +index d0dd9c0..a1ecfd3 100644 +--- a/git-compat-util.h ++++ b/git-compat-util.h +@@ -365,6 +365,11 @@ static inline int noop_core_config(const char *var, const char *value, void *cb) + #define platform_core_config noop_core_config + #endif + ++int lstat_cache_aware_rmdir(const char *path); ++#if !defined(__MINGW32__) && !defined(_MSC_VER) ++#define rmdir lstat_cache_aware_rmdir ++#endif ++ + #ifndef has_dos_drive_prefix + static inline int git_has_dos_drive_prefix(const char *path) + { +diff --git a/symlinks.c b/symlinks.c +index 69d458a..ae3c665 100644 +--- a/symlinks.c ++++ b/symlinks.c +@@ -267,6 +267,13 @@ int has_dirs_only_path(const char *name, int len, int prefix_len) + */ + static int threaded_has_dirs_only_path(struct cache_def *cache, const char *name, int len, int prefix_len) + { ++ /* ++ * Note: this function is used by the checkout machinery, which also ++ * takes care to properly reset the cache when it performs an operation ++ * that would leave the cache outdated. If this function starts caching ++ * anything else besides FL_DIR, remember to also invalidate the cache ++ * when creating or deleting paths that might be in the cache. 
++ */ + return lstat_cache(cache, name, len, + FL_DIR|FL_FULLPATH, prefix_len) & + FL_DIR; +@@ -321,3 +328,21 @@ void remove_scheduled_dirs(void) + { + do_remove_scheduled_dirs(0); + } ++ ++ ++void invalidate_lstat_cache(void) ++{ ++ reset_lstat_cache(&default_cache); ++} ++ ++#undef rmdir ++int lstat_cache_aware_rmdir(const char *path) ++{ ++ /* Any change in this function must be made also in `mingw_rmdir()` */ ++ int ret = rmdir(path); ++ ++ if (!ret) ++ invalidate_lstat_cache(); ++ ++ return ret; ++} +diff --git a/t/t0021-conversion.sh b/t/t0021-conversion.sh +index c954c70..6a1d5f6 100755 +--- a/t/t0021-conversion.sh ++++ b/t/t0021-conversion.sh +@@ -820,4 +820,43 @@ test_expect_success PERL 'invalid file in delayed checkout' ' + grep "error: external filter .* signaled that .unfiltered. is now available although it has not been delayed earlier" git-stderr.log + ' + ++for mode in 'case' 'utf-8' ++do ++ case "$mode" in ++ case) dir='A' symlink='a' mode_prereq='CASE_INSENSITIVE_FS' ;; ++ utf-8) ++ dir=$(printf "\141\314\210") symlink=$(printf "\303\244") ++ mode_prereq='UTF8_NFD_TO_NFC' ;; ++ esac ++ ++ test_expect_success PERL,SYMLINKS,$mode_prereq \ ++ "delayed checkout with $mode-collision don't write to the wrong place" ' ++ test_config_global filter.delay.process \ ++ "\"$TEST_ROOT/rot13-filter.pl\" --always-delay delayed.log clean smudge delay" && ++ test_config_global filter.delay.required true && ++ git init $mode-collision && ++ ( ++ cd $mode-collision && ++ mkdir target-dir && ++ empty_oid=$(printf "" | git hash-object -w --stdin) && ++ symlink_oid=$(printf "%s" "$PWD/target-dir" | git hash-object -w --stdin) && ++ attr_oid=$(echo "$dir/z filter=delay" | git hash-object -w --stdin) && ++ cat >objs <<-EOF && ++ 100644 blob $empty_oid $dir/x ++ 100644 blob $empty_oid $dir/y ++ 100644 blob $empty_oid $dir/z ++ 120000 blob $symlink_oid $symlink ++ 100644 blob $attr_oid .gitattributes ++ EOF ++ git update-index --index-info <objs && ++ git commit -m "test 
commit" ++ ) && ++ git clone $mode-collision $mode-collision-cloned && ++ # Make sure z was really delayed ++ grep "IN: smudge $dir/z .* \\[DELAYED\\]" $mode-collision-cloned/delayed.log && ++ # Should not create $dir/z at $symlink/z ++ test_path_is_missing $mode-collision/target-dir/z ++ ' ++done ++ + test_done +diff --git a/t/t0021/rot13-filter.pl b/t/t0021/rot13-filter.pl +index 4701072..007f2d7 100644 +--- a/t/t0021/rot13-filter.pl ++++ b/t/t0021/rot13-filter.pl +@@ -2,9 +2,15 @@ + # Example implementation for the Git filter protocol version 2 + # See Documentation/gitattributes.txt, section "Filter Protocol" + # +-# The first argument defines a debug log file that the script write to. +-# All remaining arguments define a list of supported protocol +-# capabilities ("clean", "smudge", etc). ++# Usage: rot13-filter.pl [--always-delay] <log path> <capabilities> ++# ++# Log path defines a debug log file that the script writes to. The ++# subsequent arguments define a list of supported protocol capabilities ++# ("clean", "smudge", etc). ++# ++# When --always-delay is given all pathnames with the "can-delay" flag ++# that don't appear on the list bellow are delayed with a count of 1 ++# (see more below). 
+ # + # This implementation supports special test cases: + # (1) If data with the pathname "clean-write-fail.r" is processed with +@@ -53,6 +59,13 @@ sub gitperllib { + use Git::Packet; + + my $MAX_PACKET_CONTENT_SIZE = 65516; ++ ++my $always_delay = 0; ++if ( $ARGV[0] eq '--always-delay' ) { ++ $always_delay = 1; ++ shift @ARGV; ++} ++ + my $log_file = shift @ARGV; + my @capabilities = @ARGV; + +@@ -134,6 +147,8 @@ sub rot13 { + if ( $buffer eq "can-delay=1" ) { + if ( exists $DELAY{$pathname} and $DELAY{$pathname}{"requested"} == 0 ) { + $DELAY{$pathname}{"requested"} = 1; ++ } elsif ( !exists $DELAY{$pathname} and $always_delay ) { ++ $DELAY{$pathname} = { "requested" => 1, "count" => 1 }; + } + } else { + die "Unknown message '$buffer'"; +diff --git a/t/t2006-checkout-index-basic.sh b/t/t2006-checkout-index-basic.sh +index 57cbdfe..f223a02 100755 +--- a/t/t2006-checkout-index-basic.sh ++++ b/t/t2006-checkout-index-basic.sh +@@ -21,4 +21,44 @@ test_expect_success 'checkout-index -h in broken repository' ' + test_i18ngrep "[Uu]sage" broken/usage + ' + ++for mode in 'case' 'utf-8' ++do ++ case "$mode" in ++ case) dir='A' symlink='a' mode_prereq='CASE_INSENSITIVE_FS' ;; ++ utf-8) ++ dir=$(printf "\141\314\210") symlink=$(printf "\303\244") ++ mode_prereq='UTF8_NFD_TO_NFC' ;; ++ esac ++ ++ test_expect_success SYMLINKS,$mode_prereq \ ++ "checkout-index with $mode-collision don't write to the wrong place" ' ++ git init $mode-collision && ++ ( ++ cd $mode-collision && ++ mkdir target-dir && ++ empty_obj_hex=$(git hash-object -w --stdin </dev/null) && ++ symlink_hex=$(printf "%s" "$PWD/target-dir" | git hash-object -w --stdin) && ++ cat >objs <<-EOF && ++ 100644 blob ${empty_obj_hex} ${dir}/x ++ 100644 blob ${empty_obj_hex} ${dir}/y ++ 100644 blob ${empty_obj_hex} ${dir}/z ++ 120000 blob ${symlink_hex} ${symlink} ++ EOF ++ git update-index --index-info <objs && ++ # Note: the order is important here to exercise the ++ # case where the file at ${dir} has its type changed 
by ++ # the time Git tries to check out ${dir}/z. ++ # ++ # Also, we use core.precomposeUnicode=false because we ++ # want Git to treat the UTF-8 paths transparently on ++ # Mac OS, matching what is in the index. ++ # ++ git -c core.precomposeUnicode=false checkout-index -f \ ++ ${dir}/x ${dir}/y ${symlink} ${dir}/z && ++ # Should not create ${dir}/z at ${symlink}/z ++ test_path_is_missing target-dir/z ++ ) ++ ' ++done ++ + test_done +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/git/git.inc b/poky/meta/recipes-devtools/git/git.inc index ae463061d8..738a429875 100644 --- a/poky/meta/recipes-devtools/git/git.inc +++ b/poky/meta/recipes-devtools/git/git.inc @@ -8,7 +8,9 @@ DEPENDS = "openssl curl zlib expat" PROVIDES_append_class-native = " git-replacement-native" SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ - ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages" + ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \ + file://CVE-2021-21300.patch \ +" S = "${WORKDIR}/git-${PV}" diff --git a/poky/meta/recipes-devtools/go/go_1.14.bb b/poky/meta/recipes-devtools/go/go_1.14.bb index bc90a1329e..c17527998b 100644 --- a/poky/meta/recipes-devtools/go/go_1.14.bb +++ b/poky/meta/recipes-devtools/go/go_1.14.bb 
@@ -3,11 +3,11 @@ require go-target.inc export GOBUILDMODE="" export CGO_ENABLED_riscv64 = "" -# Add pie to GOBUILDMODE to satisfy "textrel" QA checking, but mips/riscv -# doesn't support -buildmode=pie, so skip the QA checking for mips/riscv and its -# variants. +# Add pie to GOBUILDMODE to satisfy "textrel" QA checking, but +# windows/mips/riscv doesn't support -buildmode=pie, so skip the QA checking +# for windows/mips/riscv and their variants. python() { - if 'mips' in d.getVar('TARGET_ARCH',True) or 'riscv' in d.getVar('TARGET_ARCH',True): + if 'mips' in d.getVar('TARGET_ARCH',True) or 'riscv' in d.getVar('TARGET_ARCH',True) or 'windows' in d.getVar('TARGET_GOOS', True): d.appendVar('INSANE_SKIP_%s' % d.getVar('PN',True), " textrel") else: d.setVar('GOBUILDMODE', 'pie') diff --git a/poky/meta/recipes-devtools/jquery/jquery_3.5.0.bb b/poky/meta/recipes-devtools/jquery/jquery_3.5.0.bb index 35ce14e152..efffe05fd2 100644 --- a/poky/meta/recipes-devtools/jquery/jquery_3.5.0.bb +++ b/poky/meta/recipes-devtools/jquery/jquery_3.5.0.bb @@ -17,6 +17,11 @@ SRC_URI[map.sha256sum] = "3149351c8cbc3fb230bbf6188617c7ffda77d9e14333f4f5f0aa1a UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js" +# https://github.com/jquery/jquery/issues/3927 +# There are ways jquery can expose security issues but any issues are in the apps exposing them +# and there is little we can directly do +CVE_CHECK_WHITELIST += "CVE-2007-2379" + inherit allarch do_install() { diff --git a/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc b/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc index 8e17b56d46..e9225e140c 100644 --- a/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc +++ b/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc 
@@ -21,6 +21,8 @@ SRC_URI = "${GNU_MIRROR}/libtool/libtool-${PV}.tar.gz \ file://unwind-opt-parsing.patch \ file://0001-libtool-Fix-support-for-NIOS2-processor.patch \ file://0001-libtool-Check-for-static-libs-for-internal-compiler-.patch \ + file://0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch \ + file://0001-Makefile.am-make-sure-autoheader-run-before-automake.patch \ " SRC_URI[md5sum] = "addf44b646ddb4e3919805aa88fa7c5e" diff --git a/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch b/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch new file mode 100644 index 0000000000..2e9908725e --- /dev/null +++ b/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch 
@@ -0,0 +1,35 @@ +From dfbbbd359e43e0a55fbea06f2647279ad8761cb9 Mon Sep 17 00:00:00 2001 +From: Mingli Yu <mingli.yu@windriver.com> +Date: Wed, 24 Mar 2021 03:04:13 +0000 +Subject: [PATCH] Makefile.am: make sure autoheader run before autoconf + +autoheader will update ../libtool-2.4.6/libltdl/config-h.in which +autoconf needs, so there comes a race sometimes as below: + | configure.ac:45: error: required file 'config-h.in' not found + | touch '../libtool-2.4.6/libltdl/config-h.in' + +So make sure autoheader run before autoconf to avoid this race. + +Upstream-Status: Submitted [libtool-patches@gnu.org maillist] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 4142c90..fe1a9fc 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -365,7 +365,7 @@ lt_configure_deps = $(lt_aclocal_m4) $(lt_aclocal_m4_deps) + $(lt_aclocal_m4): $(lt_aclocal_m4_deps) + $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(ACLOCAL) -I ../m4 + +-$(lt_configure): $(lt_configure_deps) ++$(lt_configure): $(lt_configure_deps) $(lt_config_h_in) + $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(AUTOCONF) + + $(lt_config_h_in): $(lt_configure_deps) +-- +2.29.2 + diff --git a/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch b/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch new file mode 100644 index 0000000000..87f8492346 --- /dev/null +++ b/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch 
@@ -0,0 +1,35 @@ +From e82c06584f02e3e4487aa73aa05981e2a35dc6d1 Mon Sep 17 00:00:00 2001 +From: Mingli Yu <mingli.yu@windriver.com> +Date: Tue, 13 Apr 2021 07:17:29 +0000 +Subject: [PATCH] Makefile.am: make sure autoheader run before automake + +When use automake to generate Makefile.in from Makefile.am, there +comes below race: + | configure.ac:45: error: required file 'config-h.in' not found + +It is because the file config-h.in in updating process by autoheader, +so make automake run after autoheader to avoid the above race. + +Upstream-Status: Submitted [libtool-patches@gnu.org maillist] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 2752ecc..29950db 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -328,7 +328,7 @@ EXTRA_DIST += $(lt_aclocal_m4) \ + $(lt_obsolete_m4) \ + $(stamp_mk) + +-$(lt_Makefile_in): $(lt_Makefile_am) $(lt_aclocal_m4) ++$(lt_Makefile_in): $(lt_Makefile_am) $(lt_aclocal_m4) $(lt_config_h_in) + $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(AUTOMAKE) Makefile + + # Don't let unused scripts leak into the libltdl Makefile +-- +2.29.2 + diff --git a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb index 17bd02c27c..4eab133128 100644 --- a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb +++ b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb @@ -6,7 +6,7 @@ SRC_URI = "git://git.yoctoproject.org/pseudo;branch=oe-core \ file://fallback-group \ " -SRCREV = "60e25a36558f1f07dcce1a044fe976b475bec42b" +SRCREV = "ee24ebec9e5a11dd5208c9be2870f35eab3b9e20" S = "${WORKDIR}/git" PV = "1.9.0+git${SRCPV}" diff --git a/poky/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb b/poky/meta/recipes-devtools/python/python3-jinja2_2.11.3.bb index 89538d2f27..dbdf563f87 100644 --- a/poky/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb 
+++ b/poky/meta/recipes-devtools/python/python3-jinja2_2.11.3.bb @@ -1,12 +1,15 @@ DESCRIPTION = "Python Jinja2: A small but fast and easy to use stand-alone template engine written in pure python." +HOMEPAGE = "https://pypi.org/project/Jinja/" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462" -SRC_URI[sha256sum] = "89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c651b3bb0" +SRC_URI[sha256sum] = "a6d58433de0ae800347cab1fa3043cebbabe8baa9d29e668f1c768cb87a333c6" PYPI_PACKAGE = "Jinja2" +CVE_PRODUCT = "jinja2 jinja" + CLEANBROKEN = "1" inherit pypi setuptools3 diff --git a/poky/meta/recipes-devtools/python/python3-pygobject_3.34.0.bb b/poky/meta/recipes-devtools/python/python3-pygobject_3.34.0.bb index 6babf0cae8..29825492b9 100644 --- a/poky/meta/recipes-devtools/python/python3-pygobject_3.34.0.bb +++ b/poky/meta/recipes-devtools/python/python3-pygobject_3.34.0.bb @@ -1,4 +1,6 @@ SUMMARY = "Python GObject bindings" +HOMEPAGE = "https://gitlab.gnome.org/GNOME/pygobject" +DESCRIPTION = "PyGObject is a Python package which provides bindings for GObject based libraries such as GTK, GStreamer, WebKitGTK, GLib, GIO and many more." SECTION = "devel/python" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7" diff --git a/poky/meta/recipes-devtools/python/python3-scons_3.1.2.bb b/poky/meta/recipes-devtools/python/python3-scons_3.1.2.bb index ce117a92d4..12122131a5 100644 --- a/poky/meta/recipes-devtools/python/python3-scons_3.1.2.bb +++ b/poky/meta/recipes-devtools/python/python3-scons_3.1.2.bb @@ -1,4 +1,5 @@ SUMMARY = "Software Construction tool (make/autotools replacement)" +HOMEPAGE = "https://github.com/SCons/scons" SECTION = "devel/python" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE-python3-scons-${PV};md5=e14e1b33428df24a40a782ae142785d0" 
diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc index a1a418374f..8f927bdf54 100644 --- a/poky/meta/recipes-devtools/qemu/qemu.inc +++ b/poky/meta/recipes-devtools/qemu/qemu.inc @@ -53,12 +53,25 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2019-20175.patch \ file://CVE-2020-24352.patch \ file://CVE-2020-25723.patch \ + file://CVE-2021-20203.patch \ + file://CVE-2021-3392.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a" SRC_URI[sha256sum] = "d3481d4108ce211a053ef15be69af1bdd9dde1510fda80d92be0f6c3e98768f0" +# Applies against virglrender < 0.6.0 and not qemu itself +CVE_CHECK_WHITELIST += "CVE-2017-5957" + +# The VNC server can expose host files uder some circumstances. We don't +# enable it by default. +CVE_CHECK_WHITELIST += "CVE-2007-0998" + +# 'The issues identified by this CVE were determined to not constitute a vulnerability.' +# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 +CVE_CHECK_WHITELIST += "CVE-2018-18438" + COMPATIBLE_HOST_mipsarchn32 = "null" COMPATIBLE_HOST_mipsarchn64 = "null" diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch new file mode 100644 index 0000000000..31440af0bd --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch 
@@ -0,0 +1,74 @@ +From: Prasad J Pandit <pjp@fedoraproject.org> + +While activating device in vmxnet3_acticate_device(), it does not +validate guest supplied configuration values against predefined +minimum - maximum limits. This may lead to integer overflow or +OOB access issues. Add checks to avoid it. + +Fixes: CVE-2021-20203 +Buglink: https://bugs.launchpad.net/qemu/+bug/1913873 +Reported-by: Gaoning Pan <pgn@zju.edu.cn> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> + +Upstream-Status: Acepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html] +CVE: CVE-2021-20203 +Signed-off-by: Minjae Kim <flowergom@gmail.com> +--- + hw/net/vmxnet3.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index eff299f629..4a910ca971 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s) + vmxnet3_setup_rx_filtering(s); + /* Cache fields from shared memory */ + s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); ++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); + VMW_CFPRN("MTU is %u", s->mtu); + + s->max_rx_frags = +@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* Read rings memory locations for TX queues */ + pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); + size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); ++ if (size > VMXNET3_TX_RING_MAX_SIZE) { ++ size = VMXNET3_TX_RING_MAX_SIZE; ++ } + + vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, + sizeof(struct Vmxnet3_TxDesc), false); +@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* TXC ring */ + pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); + size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); ++ if (size > VMXNET3_TC_RING_MAX_SIZE) { ++ size = VMXNET3_TC_RING_MAX_SIZE; ++ } + 
vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, + sizeof(struct Vmxnet3_TxCompDesc), true); + VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring); +@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* RX rings */ + pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); + size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); ++ if (size > VMXNET3_RX_RING_MAX_SIZE) { ++ size = VMXNET3_RX_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, + sizeof(struct Vmxnet3_RxDesc), false); + VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d", +@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* RXC ring */ + pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); + size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); ++ if (size > VMXNET3_RC_RING_MAX_SIZE) { ++ size = VMXNET3_RC_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, + sizeof(struct Vmxnet3_RxCompDesc), true); + VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size); +-- +2.29.2 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch new file mode 100644 index 0000000000..45b8a4f1dd --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch 
@@ -0,0 +1,92 @@ +From 3791642c8d60029adf9b00bcb4e34d7d8a1aea4d Mon Sep 17 00:00:00 2001 +From: Michael Tokarev <mjt@tls.msk.ru> +Date: Mon, 19 Apr 2021 15:42:47 +0200 +Subject: [PATCH] mptsas: Remove unused MPTSASState 'pending' field + (CVE-2021-3392) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +While processing SCSI i/o requests in mptsas_process_scsi_io_request(), +the Megaraid emulator appends new MPTSASRequest object 'req' to +the 's->pending' queue. In case of an error, this same object gets +dequeued in mptsas_free_request() only if SCSIRequest object +'req->sreq' is initialised. This may lead to a use-after-free issue. + +Since s->pending is actually not used, simply remove it from +MPTSASState. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr> +Message-id: 20210419134247.1467982-1-f4bug@amsat.org +Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru> +Suggested-by: Paolo Bonzini <pbonzini@redhat.com> +Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr> +BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392) +Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device") +[PMD: Reworded description, added more tags] +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Peter Maydell <peter.maydell@linaro.org> + +Upstream-Status: Backport [ https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d ] +CVE: CVE-2021-3392 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/scsi/mptsas.c | 6 ------ + hw/scsi/mptsas.h | 1 - + 2 files changed, 7 deletions(-) + +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c +index 7416e78..db3219e 100644 +--- a/hw/scsi/mptsas.c ++++ 
b/hw/scsi/mptsas.c +@@ -251,13 +251,10 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) + + static void mptsas_free_request(MPTSASRequest *req) + { +- MPTSASState *s = req->dev; +- + if (req->sreq != NULL) { + req->sreq->hba_private = NULL; + scsi_req_unref(req->sreq); + req->sreq = NULL; +- QTAILQ_REMOVE(&s->pending, req, next); + } + qemu_sglist_destroy(&req->qsg); + g_free(req); +@@ -303,7 +300,6 @@ static int mptsas_process_scsi_io_request(MPTSASState *s, + } + + req = g_new0(MPTSASRequest, 1); +- QTAILQ_INSERT_TAIL(&s->pending, req, next); + req->scsi_io = *scsi_io; + req->dev = s; + +@@ -1319,8 +1315,6 @@ static void mptsas_scsi_realize(PCIDevice *dev, Error **errp) + + s->request_bh = qemu_bh_new(mptsas_fetch_requests, s); + +- QTAILQ_INIT(&s->pending); +- + scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, NULL); + } + +diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h +index b85ac1a..c046497 100644 +--- a/hw/scsi/mptsas.h ++++ b/hw/scsi/mptsas.h +@@ -79,7 +79,6 @@ struct MPTSASState { + uint16_t reply_frame_size; + + SCSIBus bus; +- QTAILQ_HEAD(, MPTSASRequest) pending; + }; + + void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req); +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts b/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts index f84a7e18c8..95dccb9cae 100755 --- a/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts +++ b/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts @@ -72,12 +72,12 @@ exec_postinst_scriptlets() { else echo "ERROR: postinst $i failed." [ "$POSTINST_LOGGING" = "1" ] && eval echo "ERROR: postinst $i failed." $append_log - remove_pi_dir=0 + remove_rcsd_link=0 fi done } -remove_pi_dir=1 +remove_rcsd_link=1 if $pm_installed; then case $pm in "ipk") 
@@ -92,9 +92,7 @@ else exec_postinst_scriptlets fi -# since all postinstalls executed successfully, remove the postinstalls directory -# and the rcS.d link -if [ $remove_pi_dir = 1 ]; then - rm -rf $pi_dir +# since all postinstalls executed successfully, remove the rcS.d link +if [ $remove_rcsd_link = 1 ]; then remove_rcsd_link fi diff --git a/poky/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch b/poky/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch new file mode 100644 index 0000000000..5bebde2a86 --- /dev/null +++ b/poky/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch 
@@ -0,0 +1,117 @@ +Upstream-Status: Backport [ https://subversion.apache.org/security/CVE-2020-17525-advisory.txt ] +CVE: CVE-2020-17525 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + + Remote unauthenticated denial-of-service in Subversion mod_authz_svn. + +Summary: +======== + + Subversion's mod_authz_svn module will crash if the server is using + in-repository authz rules with the AuthzSVNReposRelativeAccessFile + option and a client sends a request for a non-existing repository URL. + + This can lead to disruption for users of the service. + +Known vulnerable: +================= + + mod_dav_svn+mod_authz_svn servers 1.9.0 through 1.10.6 (inclusive). + mod_dav_svn+mod_authz_svn servers 1.11.0 through 1.14.0 (inclusive). + +Known fixed: +============ + + mod_dav_svn+mod_authz_svn servers 1.14.1 + mod_dav_svn+mod_authz_svn servers 1.10.7 + +Details: +======== + + A null-pointer-dereference has been found in mod_authz_svn that results in + a remote unauthenticated Denial-of-Service in some server configurations. + + The vulnerability can be triggered by an unauthenticated user if the + Apache HTTPD server is configured to use an in-repository authz file, + with configuration directives such as: + + AuthzSVNAccessFile "^/authz" + AuthzSVNReposRelativeAccessFile "^/authz" + + The problem originates when sending a GET request to a non-existent + repository. The mod_authz_svn module will attempt to find authz rules + at a path within the requested SVN repository. Upon constructing this + path, the function svn_repos_find_root_path will return a NULL pointer + since the requested repository does not exist on-disk. + A check for this legitimate NULL pointer condition is missing, which + results in a segmentation fault when the NULL pointer is used. 
+ + The in-repository authz feature was first introduced in Subversion 1.8: + https://subversion.apache.org/docs/release-notes/1.8.html#in-repo-authz + + The missing NULL check was first introduced during refactoring of the + authz code during development work leading up to Subversion 1.9. + Subversion 1.8 servers are unaffected. + +Severity: +========= + + CVSSv3 Base Score: 7.5 (High) + + CVSSv3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + Exploitation results in denial of service by crashing the HTTPD worker + handling the request. The impact of this differs depending on how the + Apache HTTPD server is configured, including the choice of MPM (Multi- + Processing-Module). If the worker shares its memory address space with + the main thread, as is the case with e.g. the Event MPM, the entire + HTTPD server process will terminate. If the pre-fork MPM is used, the + worker will terminate but the HTTPD server will stay up, and service + availability will depend on how frequently the attacker is able to + send malicious requests which target the vulnerability. + +Recommendations: +================ + + We recommend all users to upgrade to a known fixed release of the + Subversion mod_dav_svn server. + + Users who are unable to upgrade may apply the included patches. + + As a workaround, the use of in-repository authz rules files with + the AuthzSVNReposRelativeAccessFile can be avoided by switching + to an alternative configuration which fetches an authz rules file + from the server's filesystem, rather than from an SVN repository. 
+ +References: +=========== + + CVE-2020-17525 (Subversion) + +Reported by: +============ + + Thomas Åkesson, simonsoft.se + +Patches: +======== + + Patch for Subversion 1.10, 1.14: + +[[[ +Index: subversion/libsvn_repos/config_file.c +=================================================================== +--- a/subversion/libsvn_repos/config_file.c (revision 1883994) ++++ b/subversion/libsvn_repos/config_file.c (working copy) +@@ -237,6 +237,10 @@ get_repos_config(svn_stream_t **stream, + { + /* Search for a repository in the full path. */ + repos_root_dirent = svn_repos_find_root_path(dirent, scratch_pool); ++ if (repos_root_dirent == NULL) ++ return svn_error_trace(handle_missing_file(stream, checksum, access, ++ url, must_exist, ++ svn_node_none)); + + /* Attempt to open a repository at repos_root_dirent. */ + SVN_ERR(svn_repos_open3(&access->repos, repos_root_dirent, NULL, +]]] diff --git a/poky/meta/recipes-devtools/subversion/subversion_1.13.0.bb b/poky/meta/recipes-devtools/subversion/subversion_1.13.0.bb index 37b8ca3602..34c0dbe5b8 100644 --- a/poky/meta/recipes-devtools/subversion/subversion_1.13.0.bb +++ b/poky/meta/recipes-devtools/subversion/subversion_1.13.0.bb @@ -12,6 +12,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://disable_macos.patch \ file://0001-Fix-libtool-name-in-configure.ac.patch \ file://serfmacro.patch \ + file://CVE-2020-17525.patch \ " SRC_URI[md5sum] = "3004b4dae18bf45a0b6ea4ef8820064d" diff --git a/poky/meta/recipes-devtools/swig/swig/determinism.patch b/poky/meta/recipes-devtools/swig/swig/determinism.patch new file mode 100644 index 0000000000..8ffb4bce8e --- /dev/null +++ b/poky/meta/recipes-devtools/swig/swig/determinism.patch 
@@ -0,0 +1,19 @@ +Remove the compiler commandline/platform from the compiled binary as this +breaks reproducibilty. + +Upstream-Status: Inappropriate [OE reproducibiity fix upstream unlikely to take] +RP 2021/3/1 + + +Index: swig-3.0.12/Source/Modules/main.cxx +=================================================================== +--- swig-3.0.12.orig/Source/Modules/main.cxx ++++ swig-3.0.12/Source/Modules/main.cxx +@@ -636,7 +636,6 @@ void SWIG_getoptions(int argc, char *arg + } + } else if (strcmp(argv[i], "-version") == 0) { + fprintf(stdout, "\nSWIG Version %s\n", Swig_package_version()); +- fprintf(stdout, "\nCompiled with %s [%s]\n", SWIG_CXX, SWIG_PLATFORM); + fprintf(stdout, "\nConfigured options: %cpcre\n", + #ifdef HAVE_PCRE + '+' diff --git a/poky/meta/recipes-devtools/swig/swig_3.0.12.bb b/poky/meta/recipes-devtools/swig/swig_3.0.12.bb index 45026c9700..090aaa8112 100644 --- a/poky/meta/recipes-devtools/swig/swig_3.0.12.bb +++ b/poky/meta/recipes-devtools/swig/swig_3.0.12.bb @@ -6,6 +6,7 @@ SRC_URI += "file://0001-Use-proc-self-exe-for-swig-swiglib-on-non-Win32-plat.pat file://swig-3.0.12-Coverity-fix-issue-reported-for-SWIG_Python_FixMetho.patch \ file://Python-Fix-new-GCC8-warnings-in-generated-code.patch \ file://0001-Fix-generated-code-for-constant-expressions-containi.patch \ + file://determinism.patch \ " SRC_URI[md5sum] = "82133dfa7bba75ff9ad98a7046be687c" SRC_URI[sha256sum] = "7cf9f447ae7ed1c51722efc45e7f14418d15d7a1e143ac9f09a668999f4fc94d" diff --git a/poky/meta/recipes-devtools/syslinux/syslinux/determinism.patch b/poky/meta/recipes-devtools/syslinux/syslinux/determinism.patch new file mode 100644 index 0000000000..2fb8c64df3 --- /dev/null +++ b/poky/meta/recipes-devtools/syslinux/syslinux/determinism.patch 
@@ -0,0 +1,22 @@ +In order to build deterministic binaries, we need to sort the wildcard expansion +so the libraries are linked in the same order each time. This fixes reproducibility +issues within syslinux builds. + +Upstream-Status: Pending +RP 2021/3/1 + +Index: syslinux-6.04-pre2/mk/lib.mk +=================================================================== +--- syslinux-6.04-pre2.orig/mk/lib.mk ++++ syslinux-6.04-pre2/mk/lib.mk +@@ -130,8 +130,8 @@ LIBENTRY_OBJS = \ + exit.o + + LIBGCC_OBJS = \ +- $(patsubst $(com32)/lib/%.c,%.o,$(wildcard $(com32)/lib/$(ARCH)/libgcc/*.c)) \ +- $(patsubst $(com32)/lib/%.S,%.o,$(wildcard $(com32)/lib/$(ARCH)/libgcc/*.S)) ++ $(sort $(patsubst $(com32)/lib/%.c,%.o,$(wildcard $(com32)/lib/$(ARCH)/libgcc/*.c))) \ ++ $(sort $(patsubst $(com32)/lib/%.S,%.o,$(wildcard $(com32)/lib/$(ARCH)/libgcc/*.S))) + + LIBCONSOLE_OBJS = \ + \ diff --git a/poky/meta/recipes-devtools/syslinux/syslinux_6.04-pre2.bb b/poky/meta/recipes-devtools/syslinux/syslinux_6.04-pre2.bb index 4ac46ed57f..a5618327bf 100644 --- a/poky/meta/recipes-devtools/syslinux/syslinux_6.04-pre2.bb +++ b/poky/meta/recipes-devtools/syslinux/syslinux_6.04-pre2.bb @@ -23,11 +23,16 @@ SRC_URI = "https://www.zytor.com/pub/syslinux/Testing/6.04/syslinux-${PV}.tar.xz file://0009-linux-syslinux-implement-install_bootblock.patch \ file://0010-Workaround-multiple-definition-of-symbol-errors.patch \ file://0001-install-don-t-install-obsolete-file-com32.ld.patch \ + file://determinism.patch \ " SRC_URI[md5sum] = "2b31c78f087f99179feb357da312d7ec" SRC_URI[sha256sum] = "4441a5d593f85bb6e8d578cf6653fb4ec30f9e8f4a2315a3d8f2d0a8b3fadf94" +# remove at next version upgrade or when output changes +PR = "r1" +HASHEQUIV_HASH_VERSION .= ".1" + UPSTREAM_CHECK_URI = "https://www.zytor.com/pub/syslinux/" UPSTREAM_CHECK_REGEX = "syslinux-(?P<pver>.+)\.tar" UPSTREAM_VERSION_UNKNOWN = "1" 
diff --git a/poky/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch b/poky/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch index 7985308e41..0c399ef52c 100644 --- a/poky/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch +++ b/poky/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch @@ -19,6 +19,11 @@ Upstream-Status: Pending Signed-off-by: Dave Lerner <dave.lerner@windriver.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com> Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> + +Increase time limit to 90 s. +(double of the expected time of drd/tests/std_list on qemuarm64) + +Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com> --- tests/vg_regtest.in | 75 +++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 55 insertions(+), 20 deletions(-) @@ -66,7 +71,7 @@ index a441f42..cb05b52 100755 # Since most of the program time is spent in system() calls, need this to # propagate a Ctrl-C enabling us to quit. -sub mysystem($) -+# Enforce 30 seconds limit for the test. ++# Enforce 90 seconds limit for the test. +# This resume execution of the remaining tests if valgrind hangs. +sub mysystem($) { @@ -76,7 +81,7 @@ index a441f42..cb05b52 100755 + my $exit_code=0; + eval { + local $SIG{'ALRM'} = sub { die "timed out\n" }; -+ alarm(30); ++ alarm(90); + $exit_code = system($_[0]); + alarm (0); + ($exit_code == 2) and die "SIGINT\n"; # 2 is SIGINT |
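Review bot: in the run-postinsts hunk at `@@ -92,9 +92,7 @@`, the new test `[ $remove_rcsd_link = 1 ]` expands the flag unquoted, so an empty or unset value makes `[` print an error instead of cleanly evaluating false; write `[ "$remove_rcsd_link" = 1 ]`. The flag also has the same name as the function called on the next line, which the shell allows but which is easy to misread, so a distinct flag name would help. With `rm -rf $pi_dir` removed, the rewritten comment should also say that the postinstalls directory is intentionally left in place.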
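Review bot: the new subversion CVE-2020-17525.patch labels its embedded diff "Patch for Subversion 1.10, 1.14", while the SRC_URI hunk adds it to subversion_1.13.0.bb. The advisory text lists 1.11.0 through 1.14.0 as vulnerable, so 1.13.0 does need the fix, but the header should state that the `get_repos_config` hunk in subversion/libsvn_repos/config_file.c was checked to apply to 1.13.0 without fuzz. The header points at the advisory only; if the fix was taken from an upstream revision, naming it in Upstream-Status would make the backport easier to audit.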
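Review bot: the header of the new swig determinism.patch misspells "reproducibility" twice ("reproducibilty" in the description and "reproducibiity" inside the Upstream-Status bracket) and carries only "RP 2021/3/1" with no Signed-off-by line. Please fix the spelling and add a Signed-off-by so the patch header matches the other patches in this commit. The one-line removal of the "Compiled with" output in `SWIG_getoptions` itself looks fine.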
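Review bot: in the syslinux_6.04-pre2.bb hunk, the comment above `PR = "r1"` and `HASHEQUIV_HASH_VERSION .= ".1"` says when to remove the two lines but not why they were added. If the intent is to force a rebuild because determinism.patch changes the link order of LIBGCC_OBJS, say so in the comment so that the next person upgrading the recipe can judge whether the bump is still needed.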
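Review bot: in the valgrind 0005 patch, the timeout value now appears in two places that must be kept in sync, the comment "Enforce 90 seconds limit for the test." and the call `alarm(90);` in `mysystem`. The value is derived from one test on one machine (double the expected time of drd/tests/std_list on qemuarm64), so it would be easier to tune if it were a single named variable near the top of vg_regtest.in, with the comment referring to that variable. While this line is being touched, the adjacent comment "This resume execution of the remaining tests" should read "This resumes execution".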