subtree updatesnanbield

meta-arm: 79c52afe74..9a4ae38e84:
  Emekcan Aras (1):
        arm-bsp/optee: Improve PIN counter handling robustness

  Harsimran Singh Tungal (2):
        corstone1000:arm-bsp/tftf: Fix tftf tests on mps3
        arm-bsp/tf-a-tests: fix corstone1000

  Ross Burton (2):
        arm-bsp/documentation: upgrade Sphinx slightly
        CI: use https: to fetch meta-virtualization

meta-openembedded: 2da6e1b0e4..da9063bdfb:
  Changqing Li (2):
        postgresql: upgrade 15.4 -> 15.5
        redis: upgrade 6.2.13 -> 6.2.14

  Khem Raj (1):
        webkitgtk3: upgrade 2.42.0 -> 2.42.1

  Meenali Gupta (1):
        nginx: upgrade 1.25.2 -> 1.25.3

  Mingli Yu (1):
        mariadb: Upgrade to 10.11.6

  Wang Mingyu (5):
        strongswan: upgrade 5.9.12 -> 5.9.13
        webkitgtk3: upgrade 2.42.1 -> 2.42.2
        webkitgtk3: upgrade 2.42.2 -> 2.42.3
        webkitgtk3: upgrade 2.42.3 -> 2.42.4
        libssh: upgrade 0.10.5 -> 0.10.6

  Yi Zhao (1):
        samba: upgrade 4.18.8 -> 4.18.9

poky: 61a59d00a0..1a5c00f00c:
  Alassane Yattara (1):
        bitbake: toaster/toastergui: Bug-fix verify given layer path only if import/add local layer

  Alexander Kanavin (2):
        glibc-y2038-tests: do not run tests using 32 bit time APIs
        icon-naming-utils: take tarball from debian

  Alexander Sverdlin (1):
        linux-firmware: upgrade 20231030 -> 20231211

  Anuj Mittal (2):
        base-passwd: upgrade 3.6.2 -> 3.6.3
        glib-2.0: upgrade 2.78.1 -> 2.78.3

  Baruch Siach (1):
        contributor-guide: fix lore URL

  Benjamin Bara (1):
        glibc: stable 2.38 branch updates

  Bruce Ashfield (8):
        linux-yocto/6.1: update to v6.1.69
        linux-yocto/6.1: update to v6.1.70
        linux-yocto/6.1: update CVE exclusions
        linux-yocto/6.1: update to v6.1.72
        linux-yocto/6.1: update CVE exclusions
        linux-yocto/6.1: security/cfg: add configs to harden protection
        linux-yocto/6.1: update to v6.1.73
        linux-yocto/6.1: update CVE exclusions

  Chen Qi (2):
        sudo: upgrade from 1.9.15p2 to 1.9.15p5
        multilib_global.bbclass: fix parsing error with no kernel module split

  Clay Chang (1):
        devtool: deploy: provide max_process to strip_execs

  Enguerrand de Ribaucourt (1):
        manuals: document VSCode extension

  Ilya A. Kriveshko (1):
        dev-manual: update license manifest path

  Jason Andryuk (3):
        linux-firmware: Package iwlwifi .pnvm files
        linux-firmware: Change bnx2 packaging
        linux-firmware: Create bnx2x subpackage

  Jeremy A. Puhlman (1):
        create-spdx-2.2: combine spdx can try to write before dir creation

  Joao Marcos Costa (1):
        documentation.conf: fix do_menuconfig description

  Jonathan GUILLOT (1):
        udev-extraconf: fix unmount directories containing octal-escaped chars

  Jose Quaresma (2):
        go: update 1.20.10 -> 1.20.11
        go: update 1.20.11 -> 1.20.12

  Joshua Watt (2):
        rpcbind: Specify state directory under /run
        classes-global/sstate: Fix variable typo

  Julien Stephan (1):
        externalsrc: fix task dependency for do_populate_lic

  Jörg Sommer (1):
        documentation: Add UBOOT_BINARY, extend UBOOT_CONFIG

  Kai Kang (1):
        xserver-xorg: 21.1.9 -> 21.1.11

  Khem Raj (2):
        tiff: Backport fixes for CVE-2023-6277
        tcl: Fix prepending to run-ptest script

  Lee Chee Yang (5):
        curl: Fix CVE-2023-46219
        qemu: 8.1.2 -> 8.1.4
        migration-guide: add release notes for 4.3.2
        migration-guide: add release notes for 4.0.16
        migration-guide: add release notes for 4.3.3

  Markus Volk (1):
        libadwaita: update 1.4.0 -> 1.4.2

  Massimiliano Minella (1):
        zstd: fix LICENSE statement

  Maxin B. John (1):
        ref-manual: classes: remove insserv bbclass

  Michael Opdenacker (3):
        contributor-guide: use "apt" instead of "aptitude"
        release-notes-4.3: fix spacing
        migration-guides: fix release notes for 4.3.3

  Ming Liu (2):
        grub: fs/fat: Don't error when mtime is 0
        qemu.bbclass: fix a python TypeError

  Mingli Yu (1):
        python3-license-expression: Fix the ptest failure

  Peter Kjellerstedt (1):
        devtool: modify: Handle recipes with a menuconfig task correctly

  Peter Marko (4):
        dtc: preserve version also from shallow git clones
        sqlite3: upgrade 3.43.1 -> 3.43.2
        sqlite: drop obsolete CVE ignore
        zlib: ignore CVE-2023-6992

  Richard Purdie (9):
        pseudo: Update to pull in syncfs probe fix
        sstate: Fix dir ownership issues in SSTATE_DIR
        curl: Disable two intermittently failing tests
        lib/prservice: Improve lock handling robustness
        oeqa/selftest/prservice: Improve test robustness
        curl: Disable test 1091 due to intermittent failures
        allarch: Fix allarch corner case
        reproducible: Fix race with externalsrc/devtool over lockfile
        pseudo: Update to pull in gcc14 fix and missing statvfs64 intercept

  Robert Berger (1):
        uninative-tarball.xz - reproducibility fix

  Robert Joslyn (1):
        gtk: Set CVE_PRODUCT

  Robert Yang (2):
        nfs-utils: Upgrade 2.6.3 -> 2.6.4
        nfs-utils: Update Upstream-Status

  Rodrigo M. Duarte (1):
        linux-firmware: Fix the linux-firmware-bcm4373 FILES variable

  Ross Burton (4):
        avahi: update URL for new project location
        libssh2: backport fix for CVE-2023-48795
        cve_check: handle CVE_STATUS being set to the empty string
        cve_check: cleanup logging

  Saul Wold (1):
        package.py: OEHasPackage: Add MLPREFIX to packagename

  Simone Weiß (5):
        dev-manual: start.rst: Update use of Download page
        dev-manual: start.rst: Update use of Download page
        glibc: Set status for CVE-2023-5156 & CVE-2023-0687
        dev-manual: gen-tapdevs need iptables installed
        gcc: Update status of CVE-2023-4039

  Soumya Sambu (1):
        ncurses: Fix - tty is hung after reset

  Steve Sakoman (2):
        poky.conf: bump version for 4.3.3 release
        build-appliance-image: Update to nanbield head revision

  Trevor Gamblin (1):
        scripts/runqemu: fix regex escape sequences

  Wang Mingyu (9):
        xwayland: upgrade 23.2.2 -> 23.2.3
        libatomic-ops: upgrade 7.8.0 -> 7.8.2
        libva-utils: upgrade 2.20.0 -> 2.20.1
        kea: upgrade 2.4.0 -> 2.4.1
        gstreamer1.0: upgrade 1.22.7 -> 1.22.8
        aspell: upgrade 0.60.8 -> 0.60.8.1
        at-spi2-core: upgrade 2.50.0 -> 2.50.1
        cpio: upgrade 2.14 -> 2.15
        gstreamer: upgrade 1.22.8 -> 1.22.9

  William Lyu (1):
        elfutils: Update license information

  Xiangyu Chen (2):
        shadow: Fix for CVE-2023-4641
        sudo: upgrade 1.9.14p3 -> 1.9.15p2

  Yang Xu (1):
        rootfs.py: check depmodwrapper execution result

  Yogita Urade (2):
        tiff: fix CVE-2023-6228
        tiff: fix CVE-2023-52355 and CVE-2023-52356

  Zahir Hussain (1):
        cmake: Unset CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES

  baruch@tkos.co.il (1):
        overlayfs: add missing closing parenthesis in selftest

Change-Id: I613697694d0eb51ae9451f7e869b69d6c1ba1fd3
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

1 files changed, 147 insertions, 0 deletions

diff --git a/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch b/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
new file mode 100644
index 0000000000..1fabfe928e
--- /dev/null
+++ b/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
@@ -0,0 +1,147 @@
+From 25dbe2ce166a13322b7536ff2f738786ea2e61e7 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password).  Each of those 2 password prompts
+uses agetpass() to get the password.  If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+-  malloc(3) or readpassphrase(3) failure.
+
+   These are going to be difficult to trigger.  Maybe getting the system
+   to the limits of memory utilization at that exact point, so that the
+   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+   About readpassphrase(3), ENFILE and EINTR seem the only plausible
+   ones, and EINTR probably requires privilege or being the same user;
+   but I wouldn't discard ENFILE so easily, if a process starts opening
+   files.
+
+-  The password is longer than PASS_MAX.
+
+   The is plausible with physical access.  However, at that point, a
+   keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable.  Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> -  brk / sbrk
+> -  mmap MAP_ANONYMOUS
+> -  mmap /dev/zero
+> -  mmap some other file
+> -  shm_open
+> -  shmget
+>
+> Most of these return only pages of zeros to a process.  Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process.  It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> -  /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> -  ptrace (requires ptrace privileges, mediated by YAMA)
+> -  causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack.  Those copies won't get zeroed
+by explicit_bzero(3).  However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3).  But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible.  Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit.  Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All.  Bug introduced in shadow 19990709.  That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+
+CVE: CVE-2023-4641
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904]
+
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index 5983f787..2d8869ef 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -896,6 +896,7 @@ static void change_passwd (struct group *gr)
+ 		strzero (cp);
+ 		cp = getpass (_("Re-enter new password: "));
+ 		if (NULL == cp) {
++			memzero (pass, sizeof pass);
+ 			exit (1);
+ 		}
+ 
+-- 
+2.34.1
+