97 files changed, 1937 insertions, 319 deletions
diff --git a/meta-openembedded/meta-networking/recipes-support/ntp/ntp/ntpdate b/meta-openembedded/meta-networking/recipes-support/ntp/ntp/ntpdate index 17b64d1335..be3bacfcd1 100755 --- a/meta-openembedded/meta-networking/recipes-support/ntp/ntp/ntpdate +++ b/meta-openembedded/meta-networking/recipes-support/ntp/ntp/ntpdate @@ -52,3 +52,8 @@ if [ -x /usr/bin/lockfile-create ] ; then fi ) & + +# wait for all subprocesses to finish +# this is required when using systemd service as ntpd will start before ntpdate finishes +# and results in a bind error (port 123) +wait diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb index f82107dbee..646f0387ad 100644 --- a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb +++ b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb @@ -17,6 +17,9 @@ UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" SRC_URI[md5sum] = "7643f135b49aee49df7d83c1f434dc4e" SRC_URI[sha256sum] = "b9d295988b34e39964ac475b619c3585d667b36c350cf1adec19e5e3c843ba11" +# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn. +CVE_CHECK_WHITELIST += "CVE-2020-7224 CVE-2020-27569" + SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service" SYSTEMD_AUTO_ENABLE = "disable" diff --git a/meta-openembedded/meta-oe/recipes-benchmark/sysbench/sysbench/0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch b/meta-openembedded/meta-oe/recipes-benchmark/sysbench/sysbench/0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch new file mode 100644 index 0000000000..d628e81b56 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-benchmark/sysbench/sysbench/0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch 
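Review bot: The bare `wait` added at the end of the ntpdate script makes every caller block until the backgrounded `( ... ) &` subshell exits, not only the systemd service the comment describes, and the wait has no upper bound. The part of the subshell that runs the time sync is outside this hunk, so whether it has a timeout of its own is not visible here; if it does not, a stalled sync now stalls the caller and ntpd is never started. Consider bounding the start in the service unit (for example with `TimeoutStartSec=`) and extending the comment to say so, e.g. `# NOTE: this blocks the caller until the sync subshell exits; the unit must bound the start time`.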
@@ -0,0 +1,40 @@
+From c1ebf893e32a0a77e820484d48a903523fef7c1b Mon Sep 17 00:00:00 2001
+From: Vasily Tarasov <tarasov@vasily.name>
+Date: Fri, 10 Jun 2016 14:33:48 -0400
+Subject: [PATCH] Adding volatile modifier to tmp variable in memory test
+
+Issue explanation:
+
+./sysbench/sysbench --test=memory --num-threads=16 \
+ --memory-block-size=268435456 \
+ --memory-total-size=137438953472 \
+ --memory-oper=read \
+ --memory-access-mode=seq \
+ --memory-scope=local run
+
+Without this commit the time to run the above command is 0.0004 seconds.
+With this commit the time is greater than 3 seconds. Essentially,
+without the volatile modifier, the compiler optimizes read access so
+that no real access happens.
+
+Upstream-Status: Backport [part of v1.0.0 https://github.com/akopytov/sysbench/commit/8753cb93be4c0b81a20b704ced91e7a422da52b1]
+
+(cherry picked from commit 8753cb93be4c0b81a20b704ced91e7a422da52b1)
+Signed-off-by: massimo toscanelli <massimo.toscanelli@leica-geosystems.com>
+---
+ sysbench/tests/memory/sb_memory.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sysbench/tests/memory/sb_memory.c b/sysbench/tests/memory/sb_memory.c
+index 2e8998f..7d22bb9 100644
+--- a/sysbench/tests/memory/sb_memory.c
++++ b/sysbench/tests/memory/sb_memory.c
+@@ -244,7 +244,7 @@ sb_request_t memory_get_request(int tid)
+ int memory_execute_request(sb_request_t *sb_req, int thread_id)
+ {
+ sb_mem_request_t *mem_req = &sb_req->u.mem_request;
+- int tmp = 0;
++ volatile int tmp = 0;
+ int idx;
+ int *buf, *end;
+ log_msg_t msg;
diff --git a/meta-openembedded/meta-oe/recipes-benchmark/sysbench/sysbench_0.4.12.bb b/meta-openembedded/meta-oe/recipes-benchmark/sysbench/sysbench_0.4.12.bb
index 708c71f4ff..d1725dddd6 100644
--- a/meta-openembedded/meta-oe/recipes-benchmark/sysbench/sysbench_0.4.12.bb
+++ b/meta-openembedded/meta-oe/recipes-benchmark/sysbench/sysbench_0.4.12.bb
@@ -8,7 +8,9 @@ inherit autotools # The project has moved from Sourceforge to Launchpad, to Github. Use the source tarball from # Launchpad until the next release is available from Github. -SRC_URI = "https://launchpad.net/ubuntu/+archive/primary/+files/${BPN}_${PV}.orig.tar.gz" +SRC_URI = "https://launchpad.net/ubuntu/+archive/primary/+files/${BPN}_${PV}.orig.tar.gz \ + file://0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch \ + " SRC_URI[md5sum] = "3a6d54fdd3fe002328e4458206392b9d" SRC_URI[sha256sum] = "83fa7464193e012c91254e595a89894d8e35b4a38324b52a5974777e3823ea9e" diff --git a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb-native_10.5.9.bb b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb-native_10.5.11.bb index 73b2a0980d..73b2a0980d 100644 --- a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb-native_10.5.9.bb +++ b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb-native_10.5.11.bb diff --git a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb.inc index 9833b28857..5787ae4bd7 100644 --- a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb.inc +++ b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb.inc @@ -11,9 +11,7 @@ SRC_URI = "https://downloads.mariadb.org/interstitial/${BP}/source/${BP}.tar.gz file://install_db \ file://mysql-systemd-start \ file://configure.cmake-fix-valgrind.patch \ - file://fix-a-building-failure.patch \ file://support-files-CMakeLists.txt-fix-do_populate_sysroot.patch \ - file://sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \ file://0001-disable-ucontext-on-musl.patch \ file://c11_atomics.patch \ file://clang_version_header_conflict.patch \ 
@@ -22,10 +20,12 @@ SRC_URI = "https://downloads.mariadb.org/interstitial/${BP}/source/${BP}.tar.gz file://0001-innobase-Define-__NR_futex-if-it-does-not-exist.patch \ file://0001-aio_linux-Check-if-syscall-exists-before-using-it.patch \ file://sys_futex.patch \ + file://ssize_t.patch \ + file://mm_malloc.patch \ " SRC_URI_append_libc-musl = " file://ppc-remove-glibc-dep.patch" -SRC_URI[sha256sum] = "40ab19aeb8de141fdc188cf2251213c9e7351bee4d0cd29db704fae68d1068cf" +SRC_URI[sha256sum] = "761053605fe30ce393f324852117990350840a93b3e6305ef4d2f8c8305cc47a" UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/releases" @@ -36,15 +36,15 @@ BINCONFIG_GLOB = "mysql_config" inherit cmake gettext binconfig update-rc.d useradd systemd multilib_script MULTILIB_SCRIPTS = "${PN}-server:${bindir}/mariadbd-safe \ - ${PN}-server:${bindir}/mariadb-install-db" + ${PN}-setupdb:${bindir}/mariadb-install-db" INITSCRIPT_PACKAGES = "${PN}-server ${PN}-setupdb" INITSCRIPT_NAME_${PN}-server = "mysqld" INITSCRIPT_PARAMS_${PN}-server ?= "start 45 5 . stop 45 0 6 1 ." -USERADD_PACKAGES = "${PN}-server" -USERADD_PARAM_${PN}-server = "--system --home-dir /var/mysql -g mysql --shell /bin/false mysql" -GROUPADD_PARAM_${PN}-server = "--system mysql" +USERADD_PACKAGES = "${PN}-setupdb" +USERADD_PARAM_${PN}-setupdb = "--system --home-dir /var/mysql -g mysql --shell /bin/false mysql" +GROUPADD_PARAM_${PN}-setupdb = "--system mysql" INITSCRIPT_NAME_${PN}-setupdb = "install_db" INITSCRIPT_PARAMS_${PN}-setupdb ?= "defaults 44 44" 
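Review bot: The `mysql` user and group are now created only by `${PN}-setupdb` (`USERADD_PACKAGES = "${PN}-setupdb"`), while the `@@ -56,16 +56,18 @@` hunk of the same file drops `PACKAGECONFIG[setupdb]`, whose fourth field was what pulled `${PN}-setupdb` in as a runtime dependency by default. Unless `${PN}-server` has an RDEPENDS on `${PN}-setupdb` somewhere outside these hunks, an image that installs only the server would have no `mysql` account for the daemon and its data directory. If that dependency is not already present, add it explicitly, e.g. `RDEPENDS_${PN}-server += "${PN}-setupdb"`, and note next to `USERADD_PACKAGES` that the server relies on the account created there.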
@@ -56,16 +56,18 @@ SYSTEMD_AUTO_ENABLE_${PN}-server ?= "disable" SYSTEMD_SERVICE_${PN}-setupdb = "install_db.service" SYSTEMD_AUTO_ENABLE_${PN}-setupdb ?= "enable" ALLOW_EMPTY_${PN}-setupdb ?= "1" -FILES_${PN}-setupdb = "${sysconfdir}/init.d/install_db" - -EXTRA_OEMAKE = "'GEN_LEX_HASH=${STAGING_BINDIR_NATIVE}/gen_lex_hash'" - -PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} setupdb" +FILES_${PN}-setupdb = "${sysconfdir}/init.d/install_db \ + ${bindir}/mariadb-install-db \ + ${bindir}/my_print_defaults \ + ${bindir}/mysql_install_db \ + ${bindir}/mysql-systemd-start \ + " + +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" PACKAGECONFIG_class-native = "" PACKAGECONFIG[pam] = ",-DWITHOUT_AUTH_PAM=TRUE,libpam" PACKAGECONFIG[valgrind] = "-DWITH_VALGRIND=TRUE,-DWITH_VALGRIND=FALSE,valgrind" PACKAGECONFIG[krb5] = ", ,krb5" -PACKAGECONFIG[setupdb] = ", ,,${PN}-setupdb" PACKAGECONFIG[zstd] = "-DWITH_ROCKSDB_ZSTD=ON,-DWITH_ROCKSDB_ZSTD=OFF,zstd" # MariaDB doesn't link properly with gold @@ -93,6 +95,8 @@ EXTRA_OECMAKE = "-DWITH_EMBEDDED_SERVER=ON \ -DCAT_EXECUTABLE=`which cat` \ -DCMAKE_AR:FILEPATH=${AR}" +EXTRA_OECMAKE_prepend_class-target = "-DCMAKE_CROSSCOMPILING_EMULATOR=${WORKDIR}/qemuwrapper " + # With Ninja it fails with: # make: *** No rule to make target `install'. Stop. OECMAKE_GENERATOR = "Unix Makefiles" 
@@ -115,12 +119,18 @@ do_generate_toolchain_file_append_class-native () { sed -i "/set( CMAKE_SYSTEM_PROCESSOR/d" ${WORKDIR}/toolchain.cmake } -do_compile_prepend_class-target () { - # These need to be in-tree or make will think they need to be built, - # and since we're cross-compiling that is disabled - cp ${STAGING_BINDIR_NATIVE}/comp_err ${S}/extra - cp ${STAGING_BINDIR_NATIVE}/comp_sql ${S}/scripts +do_configure_prepend_class-target () { + # Write out a qemu wrapper that will be used by cmake + # so that it can run target helper binaries through that. + qemu_binary="${@qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST'), [d.expand('${STAGING_DIR_HOST}${libdir}'),d.expand('${STAGING_DIR_HOST}${base_libdir}')])}" + cat > ${WORKDIR}/qemuwrapper << EOF +#!/bin/sh +$qemu_binary "\$@" +EOF + chmod +x ${WORKDIR}/qemuwrapper +} +do_compile_prepend_class-target () { if [ "${@bb.utils.contains('PACKAGECONFIG', 'krb5', 'yes', 'no', d)}" = "no" ]; then if ! [ -e ${B}/include/openssl/kssl.h ] ; then mkdir -p ${B}/include/openssl @@ -130,11 +140,6 @@ do_compile_prepend_class-target () { echo "#endif" >>${B}/include/openssl/kssl.h fi fi - # workaround to handle out-of-source build from source package - yacc_files="sql_yacc.hh sql_yacc.cc sql_yacc_ora.hh sql_yacc_ora.cc" - for yacc_file in ${yacc_files}; do - cp ${S}/sql/${yacc_file} ${B}/sql/${yacc_file} - done } SYSROOT_PREPROCESS_FUNCS += "mariadb_sysroot_preprocess" 
@@ -184,10 +189,10 @@ do_install() { fi } -PACKAGES = "${PN}-dbg ${PN} \ +PACKAGES = "${PN}-dbg ${PN}-setupdb ${PN} \ libmysqlclient-r libmysqlclient-r-dev libmysqlclient-r-staticdev \ libmysqlclient libmysqlclient-dev libmysqlclient-staticdev \ - libmysqld libmysqld-dev ${PN}-client ${PN}-server ${PN}-setupdb ${PN}-leftovers" + libmysqld libmysqld-dev ${PN}-client ${PN}-server ${PN}-leftovers" CONFFILES_${PN}-server += "${sysconfdir}/my.cnf ${sysconfdir}/my.cnf.d/server.cnf" CONFFILES_${PN}-client += "${sysconfdir}/my.cnf.d/mysql-clients.cnf" CONFFILES_libmysqlclient += "${sysconfdir}/my.cnf.d/client.cnf" @@ -290,7 +295,6 @@ FILES_${PN}-server = "\ ${bindir}/mysql_convert_table_format \ ${bindir}/mariadb-convert-table-format \ ${bindir}/mysql_install_db \ - ${bindir}/mariadb-install-db \ ${bindir}/mysql_secure_installation \ ${bindir}/mariadb-secure-installation \ ${bindir}/mysql_setpermission \ diff --git a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch deleted file mode 100644 index 9149ee21f2..0000000000 --- a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 1b2b6a61c9f82157cd2e0c3744f6c07e07aeb0bd Mon Sep 17 00:00:00 2001 -From: Mingli Yu <mingli.yu@windriver.com> -Date: Mon, 4 Mar 2019 01:11:30 -0800 -Subject: [PATCH] fix a building failure - -Upstream-Status: Inappropriate [configuration] - -building failed since native does not generate import_executables.cmake -In fact, our building system will export the needed commands - -Signed-off-by: Roy Li <rongqing.li@windriver.com> -Signed-off-by: Mingli Yu <mingli.yu@windriver.com> ---- - CMakeLists.txt | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index fc30750..4f9110e 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -347,11 +347,6 @@ CHECK_PCRE() - - CHECK_SYSTEMD() - --IF(CMAKE_CROSSCOMPILING) -- SET(IMPORT_EXECUTABLES "IMPORTFILE-NOTFOUND" CACHE FILEPATH "Path to import_executables.cmake from a native build") -- INCLUDE(${IMPORT_EXECUTABLES}) --ENDIF() -- - # - # Setup maintainer mode options. Platform checks are - # not run with the warning options as to not perturb fragile checks --- -2.17.1 - diff --git a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/mm_malloc.patch b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/mm_malloc.patch new file mode 100644 index 0000000000..347fcd8516 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/mm_malloc.patch @@ -0,0 +1,11 @@ +--- a/storage/rocksdb/rocksdb/port/jemalloc_helper.h ++++ b/storage/rocksdb/rocksdb/port/jemalloc_helper.h +@@ -5,7 +5,7 @@ + + #pragma once + +-#if defined(__clang__) ++#if defined(__clang__) && defined(__GLIBC__) + // glibc's `posix_memalign()` declaration specifies `throw()` while clang's + // declaration does not. There is a hack in clang to make its re-declaration + // compatible with glibc's if they are declared consecutively. That hack breaks 
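Review bot: mm_malloc.patch is added with no header at all: it has no description, no `Upstream-Status:` and no `Signed-off-by:`, so a later reviewer cannot tell where the change to `jemalloc_helper.h` came from or whether it was sent upstream. ssize_t.patch in the same commit carries both tags and is the form to follow, for example `Upstream-Status: Pending` preceded by a one-line reason for restricting the block to `defined(__GLIBC__)`. The same gap is in 40-linux-5.13-support.patch, which has neither tag and whose `Origin:` names the VirtualBox trunk browser without a changeset, so the backport cannot be compared against a specific upstream revision.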
diff --git a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/ppc-remove-glibc-dep.patch b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/ppc-remove-glibc-dep.patch index 1ca86bcca2..d6e53c29e1 100644 --- a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/ppc-remove-glibc-dep.patch +++ b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/ppc-remove-glibc-dep.patch @@ -36,7 +36,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> + __builtin_ppc_get_timebase(); #elif defined __GNUC__ && (defined __arm__ || defined __aarch64__) /* Mainly, prevent the compiler from optimizing away delay loops */ - __asm__ __volatile__ ("":::"memory"); + #ifdef _aarch64_ --- a/storage/tokudb/PerconaFT/portability/toku_time.h +++ b/storage/tokudb/PerconaFT/portability/toku_time.h @@ -124,7 +124,7 @@ static inline tokutime_t toku_time_now(v diff --git a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch deleted file mode 100644 index 4cb0443392..0000000000 --- a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From cfce1491827e5a581878b5e166bf4d30e6d90e07 Mon Sep 17 00:00:00 2001 -From: Mingli Yu <mingli.yu@windriver.com> -Date: Thu, 23 Jul 2020 00:08:16 -0700 -Subject: [PATCH] sql/CMakeLists.txt: fix gen_lex_hash not found - -Fix the below do_compile issue in cross-compiling env. -| make[2]: *** No rule to make target '/build/tmp/work/aarch64-poky-linux/mariadb/10.3.13-r0/mariadb-10.3.13/sql/gen_lex_hash', needed by 'sql/lex_hash.h'. Stop. -| make[2]: *** No rule to make target '/build/tmp/work/aarch64-poky-linux/mariadb/10.3.13-r0/mariadb-10.3.13/sql/gen_lex_token', needed by 'sql/lex_token.h'. Stop. - -Upstream-Status: Inappropriate [oe build specific] - -Signed-off-by: Mingli Yu <mingli.yu@windriver.com> ---- - sql/CMakeLists.txt | 30 ++++++++++++++++++++---------- - 1 file changed, 20 insertions(+), 10 deletions(-) - -diff --git a/sql/CMakeLists.txt b/sql/CMakeLists.txt -index 0dc3caa..616017b 100644 ---- a/sql/CMakeLists.txt -+++ b/sql/CMakeLists.txt -@@ -52,11 +52,16 @@ ${CMAKE_BINARY_DIR}/sql - ${CMAKE_SOURCE_DIR}/tpool - ) - --ADD_CUSTOM_COMMAND( -- OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lex_token.h -- COMMAND gen_lex_token > lex_token.h -- DEPENDS gen_lex_token --) -+IF(NOT CMAKE_CROSSCOMPILING) -+ ADD_CUSTOM_COMMAND( -+ OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lex_token.h -+ COMMAND gen_lex_token > lex_token.h -+ DEPENDS gen_lex_token) -+ELSE() -+ ADD_CUSTOM_COMMAND( -+ OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lex_token.h -+ COMMAND gen_lex_token > lex_token.h) -+ENDIF() - - ADD_CUSTOM_COMMAND( - OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/sql_yacc_ora.yy -@@ -345,11 +350,16 @@ IF(NOT CMAKE_CROSSCOMPILING) - ADD_EXECUTABLE(gen_lex_hash gen_lex_hash.cc) - ENDIF() - --ADD_CUSTOM_COMMAND( -- OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lex_hash.h -- COMMAND gen_lex_hash > lex_hash.h -- DEPENDS gen_lex_hash --) -+IF(NOT CMAKE_CROSSCOMPILING) -+ ADD_CUSTOM_COMMAND( -+ OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lex_hash.h -+ COMMAND gen_lex_hash > lex_hash.h -+ DEPENDS gen_lex_hash) 
-+ELSE() -+ ADD_CUSTOM_COMMAND( -+ OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lex_hash.h -+ COMMAND gen_lex_hash > lex_hash.h) -+ENDIF() - - MYSQL_ADD_EXECUTABLE(mariadb-tzinfo-to-sql tztime.cc COMPONENT Server) - SET_TARGET_PROPERTIES(mariadb-tzinfo-to-sql PROPERTIES COMPILE_FLAGS "-DTZINFO2SQL") --- -2.17.1 - diff --git a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/ssize_t.patch b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/ssize_t.patch new file mode 100644 index 0000000000..4e499d4137 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb/ssize_t.patch @@ -0,0 +1,15 @@ +ssize_t comes from sys/types.h therefore include it + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- a/wsrep-lib/include/wsrep/gtid.hpp ++++ b/wsrep-lib/include/wsrep/gtid.hpp +@@ -25,7 +25,7 @@ + #include "compiler.hpp" + + #include <iosfwd> +- ++#include <sys/types.h> + /** + * Minimum number of bytes guaratneed to store GTID string representation, + * terminating '\0' not included (36 + 1 + 20). diff --git a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb_10.5.9.bb b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb_10.5.11.bb index e6743fe97a..57d7736ea3 100644 --- a/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb_10.5.9.bb +++ b/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb_10.5.11.bb @@ -1,8 +1,8 @@ require mariadb.inc -EXTRA_OECMAKE += "-DSTACK_DIRECTION=-1" +inherit qemu -DEPENDS += "mariadb-native bison-native libpcre2 curl openssl ncurses zlib libaio libedit libevent libxml2" +DEPENDS += "qemu-native bison-native boost libpcre2 curl openssl ncurses zlib libaio libedit libevent libxml2" PROVIDES += "mysql5 libmysqlclient" diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch new file mode 100644 index 0000000000..a5e5a1ba55 --- /dev/null 
+++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
@@ -0,0 +1,35 @@
+From f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Mon, 3 May 2021 08:32:31 +0300
+Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
+
+An integer overflow bug in Redis version 6.0 or newer could be exploited using
+the STRALGO LCS command to corrupt the heap and potentially result with remote
+code execution.
+
+CVE: CVE-2021-29477
+Upstream-Status: Backport
+[https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
+
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+
+---
+ src/t_string.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/t_string.c b/src/t_string.c
+index 9228c5ed0..db6f7042e 100644
+--- a/src/t_string.c
++++ b/src/t_string.c
+@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
+ /* Setup an uint32_t array to store at LCS[i,j] the length of the
+ * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
+ * we index it as LCS[j+(blen+1)*j] */
+- uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
++ uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
+ #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
+
+ /* Start building the LCS table. */
+--
+2.32.0
+
diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29478.patch b/meta-openembedded/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29478.patch
new file mode 100644
index 0000000000..ebbf6e1b94
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29478.patch
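Review bot: On targets where `size_t` is 32 bits, the cast added in `zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t))` does not widen the multiplication, so the product can still wrap and the table can be allocated smaller than the `LCS(A,B)` indexing assumes. The same holds for `intsetBlobLen` in fix-CVE-2021-29478.patch, where `(size_t)intrev32ifbe(is->length)*intrev32ifbe(is->encoding)` is likewise evaluated in `size_t`. Since this layer is also built for 32-bit machines, the backport should either add an explicit bound before the allocation, e.g. compute the size as `uint64_t` and reject the request when it exceeds `SIZE_MAX`, or the recipe should move to an upstream release that carries such a check. stralgoLCS continues outside the hunk, so how `alen` and `blen` are limited earlier is not visible here.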
@@ -0,0 +1,42 @@
+From 29900d4e6bccdf3691bedf0ea9a5d84863fa3592 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Mon, 3 May 2021 08:27:22 +0300
+Subject: [PATCH] Fix integer overflow in intset (CVE-2021-29478)
+
+An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
+potentially result with remote code execution.
+
+The vulnerability involves changing the default set-max-intset-entries
+configuration value, creating a large set key that consists of integer values
+and using the COPY command to duplicate it.
+
+The integer overflow bug exists in all versions of Redis starting with 2.6,
+where it could result with a corrupted RDB or DUMP payload, but not exploited
+through COPY (which did not exist before 6.2).
+
+CVE: CVE-2021-29478
+Upstream-Status: Backport
+[https://github.com/redis/redis/commit/29900d4e6bccdf3691bedf0ea9a5d84863fa3592]
+
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+
+---
+ src/intset.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/intset.c b/src/intset.c
+index 1a64ecae8..9ba13898d 100644
+--- a/src/intset.c
++++ b/src/intset.c
+@@ -281,7 +281,7 @@ uint32_t intsetLen(const intset *is) {
+
+/* Return intset blob size in bytes. */
+ size_t intsetBlobLen(intset *is) {
+- return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
++ return sizeof(intset)+(size_t)intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
+ }
+
+/* Validate the integrity of the data structure.
+--
+2.32.0
+
diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.2.bb b/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.2.bb
index 65b525709e..a36c190af3 100644
--- a/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.2.bb
+++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.2.bb
@@ -16,6 +16,8 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0001-src-Do-not-reset-FINAL_LIBS.patch \ file://GNU_SOURCE.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ + file://fix-CVE-2021-29477.patch \ + file://fix-CVE-2021-29478.patch \ " SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535" diff --git a/meta-openembedded/meta-oe/recipes-support/libiio/files/0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch b/meta-openembedded/meta-oe/recipes-support/libiio/files/0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch new file mode 100644 index 0000000000..5566aa0ffd --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/libiio/files/0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch 
@@ -0,0 +1,37 @@ +From 3a26f0536706fa7c241c9de986799ae440c68c8a Mon Sep 17 00:00:00 2001 +From: Julien Malik <julien.malik@unseenlabs.fr> +Date: Mon, 27 Jul 2020 14:34:44 +0200 +Subject: [PATCH] python: Do not verify whether libiio is installed when + cross-compiling + +This should fix #561 + +Upstream-Status: Backport + +Signed-off-by: Julien Malik <julien.malik@paraiso.me> +Signed-off-by: Sam Van Den Berge <sam.van.den.berge@gmail.com> +--- + bindings/python/setup.py.cmakein | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/bindings/python/setup.py.cmakein b/bindings/python/setup.py.cmakein +index cd14e2e..96d58a8 100644 +--- a/bindings/python/setup.py.cmakein ++++ b/bindings/python/setup.py.cmakein +@@ -54,6 +54,13 @@ class InstallWrapper(install): + install.run(self) + + def _check_libiio_installed(self): ++ cross_compiling = ("${CMAKE_CROSSCOMPILING}" == "TRUE") ++ if cross_compiling: ++ # When cross-compiling, we generally cannot dlopen ++ # the libiio shared lib from the build platform. ++ # Simply skip this check in that case. ++ return ++ + from platform import system as _system + from ctypes import CDLL as _cdll + from ctypes.util import find_library +-- +2.25.1 + diff --git a/meta-openembedded/meta-oe/recipes-support/libiio/libiio_git.bb b/meta-openembedded/meta-oe/recipes-support/libiio/libiio_git.bb index 00c016db44..d7e4cc60a9 100644 --- a/meta-openembedded/meta-oe/recipes-support/libiio/libiio_git.bb +++ b/meta-openembedded/meta-oe/recipes-support/libiio/libiio_git.bb @@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING.txt;md5=7c13b3376cea0ce68d2d2da0a1b3a72c" SRCREV = "565bf68eccfdbbf22cf5cb6d792e23de564665c7" PV = "0.21+git${SRCPV}" -SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https" +SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https \ + file://0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch \ +" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" S = "${WORKDIR}/git" 
diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb index 9c4c03df99..97193aff5c 100644 --- a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb +++ b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb @@ -282,3 +282,6 @@ FILES_${PN}-dev = "\ RDEPENDS_${PN}-smime = "perl" BBCLASSEXTEND = "native nativesdk" + +# CVE-2006-5201 affects only Sun Solaris +CVE_CHECK_WHITELIST += "CVE-2006-5201" diff --git a/meta-openembedded/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/40-linux-5.13-support.patch b/meta-openembedded/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/40-linux-5.13-support.patch new file mode 100644 index 0000000000..e95e240492 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/40-linux-5.13-support.patch 
@@ -0,0 +1,276 @@ +Subject: Fix build errors with linux 5.13 +Origin: upstream, https://www.virtualbox.org/browser/vbox/trunk +Bug: https://bugs.launchpad.net/bugs/1929193 + +diff -urpN virtualbox-6.1.22-dfsg.orig/src/VBox/Additions/linux/drm/vbox_drv.h virtualbox-6.1.22-dfsg/src/VBox/Additions/linux/drm/vbox_drv.h +--- virtualbox-6.1.22-dfsg.orig/src/VBox/Additions/linux/drm/vbox_drv.h 2021-04-28 16:24:47.000000000 +0000 ++++ virtualbox-6.1.22-dfsg/src/VBox/Additions/linux/drm/vbox_drv.h 2021-06-23 10:08:44.431714404 +0000 +@@ -46,20 +41,20 @@ + * Evaluates to true if the linux kernel version is equal or higher to the + * one specfied. */ + #define RTLNX_VER_MIN(a_Major, a_Minor, a_Patch) \ +- (LINUX_VERSION_CODE >= KERNEL_VERSION(a_Major, a_Minor, a_Patch)) ++ (LINUX_VERSION_CODE >= KERNEL_VERSION(a_Major, a_Minor, a_Patch)) + + /** @def RTLNX_VER_MAX + * Evaluates to true if the linux kernel version is less to the one specfied + * (exclusive). */ + #define RTLNX_VER_MAX(a_Major, a_Minor, a_Patch) \ +- (LINUX_VERSION_CODE < KERNEL_VERSION(a_Major, a_Minor, a_Patch)) ++ (LINUX_VERSION_CODE < KERNEL_VERSION(a_Major, a_Minor, a_Patch)) + + /** @def RTLNX_VER_RANGE + * Evaluates to true if the linux kernel version is equal or higher to the given + * minimum version and less (but not equal) to the maximum version (exclusive). 
*/ + #define RTLNX_VER_RANGE(a_MajorMin, a_MinorMin, a_PatchMin, a_MajorMax, a_MinorMax, a_PatchMax) \ +- ( LINUX_VERSION_CODE >= KERNEL_VERSION(a_MajorMin, a_MinorMin, a_PatchMin) \ +- && LINUX_VERSION_CODE < KERNEL_VERSION(a_MajorMax, a_MinorMax, a_PatchMax) ) ++ ( LINUX_VERSION_CODE >= KERNEL_VERSION(a_MajorMin, a_MinorMin, a_PatchMin) \ ++ && LINUX_VERSION_CODE < KERNEL_VERSION(a_MajorMax, a_MinorMax, a_PatchMax) ) + + + /** @def RTLNX_RHEL_MIN +@@ -70,7 +65,7 @@ + */ + #if defined(RHEL_MAJOR) && defined(RHEL_MINOR) + # define RTLNX_RHEL_MIN(a_iMajor, a_iMinor) \ +- ((RHEL_MAJOR) > (a_iMajor) || ((RHEL_MAJOR) == (a_iMajor) && (RHEL_MINOR) >= (a_iMinor))) ++ ((RHEL_MAJOR) > (a_iMajor) || ((RHEL_MAJOR) == (a_iMajor) && (RHEL_MINOR) >= (a_iMinor))) + #else + # define RTLNX_RHEL_MIN(a_iMajor, a_iMinor) (0) + #endif +@@ -83,7 +78,7 @@ + */ + #if defined(RHEL_MAJOR) && defined(RHEL_MINOR) + # define RTLNX_RHEL_MAX(a_iMajor, a_iMinor) \ +- ((RHEL_MAJOR) < (a_iMajor) || ((RHEL_MAJOR) == (a_iMajor) && (RHEL_MINOR) < (a_iMinor))) ++ ((RHEL_MAJOR) < (a_iMajor) || ((RHEL_MAJOR) == (a_iMajor) && (RHEL_MINOR) < (a_iMinor))) + #else + # define RTLNX_RHEL_MAX(a_iMajor, a_iMinor) (0) + #endif +@@ -95,7 +90,7 @@ + */ + #if defined(RHEL_MAJOR) && defined(RHEL_MINOR) + # define RTLNX_RHEL_RANGE(a_iMajorMin, a_iMinorMin, a_iMajorMax, a_iMinorMax) \ +- (RTLNX_RHEL_MIN(a_iMajorMin, a_iMinorMin) && RTLNX_RHEL_MAX(a_iMajorMax, a_iMinorMax)) ++ (RTLNX_RHEL_MIN(a_iMajorMin, a_iMinorMin) && RTLNX_RHEL_MAX(a_iMajorMax, a_iMinorMax)) + #else + # define RTLNX_RHEL_RANGE(a_iMajorMin, a_iMinorMin, a_iMajorMax, a_iMinorMax) (0) + #endif +@@ -173,7 +168,9 @@ + #include <drm/ttm/ttm_bo_api.h> + #include <drm/ttm/ttm_bo_driver.h> + #include <drm/ttm/ttm_placement.h> ++#if RTLNX_VER_MAX(5,13,0) + #include <drm/ttm/ttm_memory.h> ++#endif + #if RTLNX_VER_MAX(5,12,0) + # include <drm/ttm/ttm_module.h> + #endif +@@ -222,7 +219,7 @@ static inline void drm_gem_object_put(st + 
VBVA_ADAPTER_INFORMATION_SIZE) + #define GUEST_HEAP_SIZE VBVA_ADAPTER_INFORMATION_SIZE + #define GUEST_HEAP_USABLE_SIZE (VBVA_ADAPTER_INFORMATION_SIZE - \ +- sizeof(HGSMIHOSTFLAGS)) ++ sizeof(struct hgsmi_host_flags)) + #define HOST_FLAGS_OFFSET GUEST_HEAP_USABLE_SIZE + + /** How frequently we refresh if the guest is not providing dirty rectangles. */ +@@ -232,7 +229,7 @@ static inline void drm_gem_object_put(st + static inline void *devm_kcalloc(struct device *dev, size_t n, size_t size, + gfp_t flags) + { +- return devm_kzalloc(dev, n * size, flags); ++ return devm_kzalloc(dev, n * size, flags); + } + #endif + +@@ -244,7 +241,7 @@ struct vbox_private { + u8 __iomem *guest_heap; + u8 __iomem *vbva_buffers; + struct gen_pool *guest_pool; +- struct VBVABUFFERCONTEXT *vbva_info; ++ struct vbva_buf_context *vbva_info; + bool any_pitch; + u32 num_crtcs; + /** Amount of available VRAM, including space used for buffers. */ +@@ -252,7 +249,7 @@ struct vbox_private { + /** Amount of available VRAM, not including space used for buffers. */ + u32 available_vram_size; + /** Array of structures for receiving mode hints. 
*/ +- VBVAMODEHINT *last_mode_hints; ++ struct vbva_modehint *last_mode_hints; + + struct vbox_fbdev *fbdev; + +@@ -263,7 +260,11 @@ struct vbox_private { + struct drm_global_reference mem_global_ref; + struct ttm_bo_global_ref bo_global_ref; + #endif ++#if RTLNX_VER_MIN(5,13,0) ++ struct ttm_device bdev; ++#else + struct ttm_bo_device bdev; ++#endif + bool mm_initialised; + } ttm; + +diff -urpN virtualbox-6.1.22-dfsg.orig/src/VBox/Additions/linux/drm/vbox_ttm.c virtualbox-6.1.22-dfsg/src/VBox/Additions/linux/drm/vbox_ttm.c +--- virtualbox-6.1.22-dfsg.orig/src/VBox/Additions/linux/drm/vbox_ttm.c 2021-04-28 16:24:47.000000000 +0000 ++++ virtualbox-6.1.22-dfsg/src/VBox/Additions/linux/drm/vbox_ttm.c 2021-06-23 10:08:07.164057918 +0000 +@@ -48,7 +43,11 @@ + #endif + + ++#if RTLNX_VER_MIN(5,13,0) ++static inline struct vbox_private *vbox_bdev(struct ttm_device *bd) ++#else + static inline struct vbox_private *vbox_bdev(struct ttm_bo_device *bd) ++#endif + { + return container_of(bd, struct vbox_private, ttm.bdev); + } +@@ -188,7 +187,7 @@ static int vbox_ttm_io_mem_reserve(struc + mem->bus.size = mem->num_pages << PAGE_SHIFT; + mem->bus.base = 0; + mem->bus.is_iomem = false; +- if (!(man->flags & TTM_MEMTYPE_FLAG_MAPPABLE)) ++ if (!(man->flags & TTM_MEMTYPE_FLAG_MAPPABLE)) + return -EINVAL; + switch (mem->mem_type) { + case TTM_PL_SYSTEM: +@@ -205,8 +204,13 @@ static int vbox_ttm_io_mem_reserve(struc + return 0; + } + #else ++# if RTLNX_VER_MAX(5,13,0) + static int vbox_ttm_io_mem_reserve(struct ttm_bo_device *bdev, + struct ttm_resource *mem) ++# else /* > 5.13.0 */ ++static int vbox_ttm_io_mem_reserve(struct ttm_device *bdev, ++ struct ttm_resource *mem) ++# endif /* > 5.13.0 */ + { + struct vbox_private *vbox = vbox_bdev(bdev); + mem->bus.addr = NULL; +@@ -241,7 +245,12 @@ static int vbox_ttm_io_mem_reserve(struc + + + +-#if RTLNX_VER_MIN(5,10,0) ++#if RTLNX_VER_MIN(5,13,0) ++static void vbox_ttm_io_mem_free(struct ttm_device *bdev, ++ struct ttm_resource *mem) ++{ 
++} ++#elif RTLNX_VER_MIN(5,10,0) + static void vbox_ttm_io_mem_free(struct ttm_bo_device *bdev, + struct ttm_resource *mem) + { +@@ -253,7 +262,13 @@ static void vbox_ttm_io_mem_free(struct + } + #endif + +-#if RTLNX_VER_MIN(5,10,0) ++#if RTLNX_VER_MIN(5,13,0) ++static void vbox_ttm_tt_destroy(struct ttm_device *bdev, struct ttm_tt *tt) ++{ ++ ttm_tt_fini(tt); ++ kfree(tt); ++} ++#elif RTLNX_VER_MIN(5,10,0) + static void vbox_ttm_tt_destroy(struct ttm_bo_device *bdev, struct ttm_tt *tt) + { + ttm_tt_fini(tt); +@@ -333,7 +348,11 @@ static int vbox_bo_move(struct ttm_buffe + } + #endif + ++#if RTLNX_VER_MIN(5,13,0) ++static struct ttm_device_funcs vbox_bo_driver = { ++#else /* < 5.13.0 */ + static struct ttm_bo_driver vbox_bo_driver = { ++#endif /* < 5.13.0 */ + .ttm_tt_create = vbox_ttm_tt_create, + #if RTLNX_VER_MIN(5,10,0) + .ttm_tt_destroy = vbox_ttm_tt_destroy, +@@ -370,14 +389,22 @@ int vbox_mm_init(struct vbox_private *vb + { + int ret; + struct drm_device *dev = vbox->dev; ++#if RTLNX_VER_MIN(5,13,0) ++ struct ttm_device *bdev = &vbox->ttm.bdev; ++#else + struct ttm_bo_device *bdev = &vbox->ttm.bdev; ++#endif + + #if RTLNX_VER_MAX(5,0,0) && !RTLNX_RHEL_MAJ_PREREQ(7,7) && !RTLNX_RHEL_MAJ_PREREQ(8,1) + ret = vbox_ttm_global_init(vbox); + if (ret) + return ret; + #endif ++#if RTLNX_VER_MIN(5,13,0) ++ ret = ttm_device_init(&vbox->ttm.bdev, ++#else + ret = ttm_bo_device_init(&vbox->ttm.bdev, ++#endif + #if RTLNX_VER_MAX(5,0,0) && !RTLNX_RHEL_MAJ_PREREQ(7,7) && !RTLNX_RHEL_MAJ_PREREQ(8,1) + vbox->ttm.bo_global_ref.ref.object, + #endif +@@ -429,7 +456,11 @@ int vbox_mm_init(struct vbox_private *vb + return 0; + + err_device_release: ++#if RTLNX_VER_MIN(5,13,0) ++ ttm_device_fini(&vbox->ttm.bdev); ++#else + ttm_bo_device_release(&vbox->ttm.bdev); ++#endif + #if RTLNX_VER_MAX(5,0,0) && !RTLNX_RHEL_MAJ_PREREQ(7,7) && !RTLNX_RHEL_MAJ_PREREQ(8,1) + err_ttm_global_release: + vbox_ttm_global_release(vbox); +@@ -446,7 +477,11 @@ void vbox_mm_fini(struct vbox_private *v + 
#else + arch_phys_wc_del(vbox->fb_mtrr); + #endif ++#if RTLNX_VER_MIN(5,13,0) ++ ttm_device_fini(&vbox->ttm.bdev); ++#else + ttm_bo_device_release(&vbox->ttm.bdev); ++#endif + #if RTLNX_VER_MAX(5,0,0) && !RTLNX_RHEL_MAJ_PREREQ(7,7) && !RTLNX_RHEL_MAJ_PREREQ(8,1) + vbox_ttm_global_release(vbox); + #endif +@@ -528,7 +563,9 @@ int vbox_bo_create(struct drm_device *de + { + struct vbox_private *vbox = dev->dev_private; + struct vbox_bo *vboxbo; ++#if RTLNX_VER_MAX(5,13,0) + size_t acc_size; ++#endif + int ret; + + vboxbo = kzalloc(sizeof(*vboxbo), GFP_KERNEL); +@@ -551,16 +588,20 @@ int vbox_bo_create(struct drm_device *de + + vbox_ttm_placement(vboxbo, VBOX_MEM_TYPE_VRAM | VBOX_MEM_TYPE_SYSTEM); + ++#if RTLNX_VER_MAX(5,13,0) + acc_size = ttm_bo_dma_acc_size(&vbox->ttm.bdev, size, + sizeof(struct vbox_bo)); ++#endif + + ret = ttm_bo_init(&vbox->ttm.bdev, &vboxbo->bo, size, + ttm_bo_type_device, &vboxbo->placement, + #if RTLNX_VER_MAX(4,17,0) && !RTLNX_RHEL_MAJ_PREREQ(7,6) && !RTLNX_SUSE_MAJ_PREREQ(15,1) && !RTLNX_SUSE_MAJ_PREREQ(12,5) + align >> PAGE_SHIFT, false, NULL, acc_size, +-#else ++#elif RTLNX_VER_MAX(5,13,0) /* < 5.13.0 */ + align >> PAGE_SHIFT, false, acc_size, +-#endif ++#else /* > 5.13.0 */ ++ align >> PAGE_SHIFT, false, ++#endif /* > 5.13.0 */ + #if RTLNX_VER_MIN(3,18,0) || RTLNX_RHEL_MAJ_PREREQ(7,2) + NULL, NULL, vbox_bo_ttm_destroy); + #else diff --git a/meta-openembedded/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/kernel-5.10.patch b/meta-openembedded/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/kernel-5.10.patch deleted file mode 100644 index a6b0a04545..0000000000 --- a/meta-openembedded/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/kernel-5.10.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -Origin: https://www.mail-archive.com/pld-cvs-commit@lists.pld-linux.org/msg461494.html -From 80bfab5ec8575703ef26b442a3af2d030793ebde Mon Sep 17 00:00:00 2001 -From: =?utf8?q?Jan=20R=C4=99korajski?= <baggins@pld-linux.org> -Date: Thu, 24 Dec 2020 23:03:55 +0100 -Subject: [PATCH] - DECLCALLBACK generates incorrect code on ix86, remove it - ---- - kernel-5.10.patch | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel-5.10.patch b/kernel-5.10.patch -index b28d6e0..729235d 100644 ---- a/src/VBox/Runtime/r0drv/linux/memobj-r0drv-linux.c -+++ b/src/VBox/Runtime/r0drv/linux/memobj-r0drv-linux.c -@@ -536,7 +536,7 @@ typedef const LNXAPPLYPGRANGE *PCLNXAPPLYPGRANGE; - * @param uAddr The address to apply the new protection to. - * @param pvUser The opaque user data. - */ --static DECLCALLBACK(int) rtR0MemObjLinuxApplyPageRange(pte_t *pPte, unsigned long uAddr, void *pvUser) -+static int rtR0MemObjLinuxApplyPageRange(pte_t *pPte, unsigned long uAddr, void *pvUser) - { - PCLNXAPPLYPGRANGE pArgs = (PCLNXAPPLYPGRANGE)pvUser; - PRTR0MEMOBJLNX pMemLnx = pArgs->pMemLnx; diff --git a/meta-openembedded/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.18.bb b/meta-openembedded/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.22.bb index 1def1a3115..19b8f8f46e 100644 --- a/meta-openembedded/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.18.bb +++ b/meta-openembedded/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.22.bb 
@@ -13,11 +13,11 @@ VBOX_NAME = "VirtualBox-${PV}" SRC_URI = "http://download.virtualbox.org/virtualbox/${PV}/${VBOX_NAME}.tar.bz2 \ file://Makefile.utils \ - file://kernel-5.10.patch \ + file://40-linux-5.13-support.patch \ file://add__divmoddi4.patch \ " -SRC_URI[md5sum] = "c61001386eb3822ab8f06d688a82e84b" -SRC_URI[sha256sum] = "108d42b9b391b7a332a33df1662cf7b0e9d9a80f3079d16288d8b9487f427d40" +SRC_URI[md5sum] = "abb1a20021e5915fe38c666e8c11cf80" +SRC_URI[sha256sum] = "99816d2a15205d49362a31e8ffeb8262d2fa0678c751dfd0a7c43b2faca8be49" S ?= "${WORKDIR}/vbox_module" S_task-patch = "${WORKDIR}/${VBOX_NAME}" diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_3.2.4.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_3.2.5.bb index 52504885e5..5890c85419 100644 --- a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_3.2.4.bb +++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_3.2.5.bb @@ -1,7 +1,7 @@ require python-django.inc inherit setuptools3 -SRC_URI[sha256sum] = "66c9d8db8cc6fe938a28b7887c1596e42d522e27618562517cc8929eb7e7f296" +SRC_URI[sha256sum] = "3da05fea54fdec2315b54a563d5b59f3b4e2b1e69c3a5841dda35019c01855cd" RDEPENDS_${PN} += "\ ${PYTHON_PN}-sqlparse \ diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-pillow/0001-Limit-sprintf-modes-to-10-characters.patch b/meta-openembedded/meta-python/recipes-devtools/python/python3-pillow/0001-Limit-sprintf-modes-to-10-characters.patch new file mode 100644 index 0000000000..a1dd0d29ff --- /dev/null +++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-pillow/0001-Limit-sprintf-modes-to-10-characters.patch 
@@ -0,0 +1,49 @@ +From 5f4504bb03f4edeeef8c2633dc5ba03a4c2a8a97 Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Tue, 15 Jun 2021 15:14:26 +1000 +Subject: [PATCH 1/1] Limit sprintf modes to 10 characters + +Needed to make CVE-2021-34552 fix apply cleanly. + +commit 5f4504bb03f4edeeef8c2633dc5ba03a4c2a8a97 (unmodified) + +Upstream-Status: Backport +Signed-off-by: Joe Slater <joe.slater@windriver.com> + +--- + src/libImaging/Convert.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/src/libImaging/Convert.c b/src/libImaging/Convert.c +index 8c7be36a2..1fa74a13b 100644 +--- a/src/libImaging/Convert.c ++++ b/src/libImaging/Convert.c +@@ -1594,9 +1594,8 @@ convert( + #ifdef notdef + return (Imaging)ImagingError_ValueError("conversion not supported"); + #else +- static char buf[256]; +- /* FIXME: may overflow if mode is too large */ +- sprintf(buf, "conversion from %s to %s not supported", imIn->mode, mode); ++ static char buf[100]; ++ sprintf(buf, "conversion from %.10s to %.10s not supported", imIn->mode, mode); + return (Imaging)ImagingError_ValueError(buf); + #endif + } +@@ -1645,11 +1644,10 @@ ImagingConvertTransparent(Imaging imIn, const char *mode, int r, int g, int b) { + } + #else + { +- static char buf[256]; +- /* FIXME: may overflow if mode is too large */ ++ static char buf[100]; + sprintf( + buf, +- "conversion from %s to %s not supported in convert_transparent", ++ "conversion from %.10s to %.10s not supported in convert_transparent", + imIn->mode, + mode); + return (Imaging)ImagingError_ValueError(buf); +-- +2.29.2 + diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-pillow/0001-Use-snprintf-instead-of-sprintf.patch b/meta-openembedded/meta-python/recipes-devtools/python/python3-pillow/0001-Use-snprintf-instead-of-sprintf.patch new file mode 100644 index 0000000000..fc0337f137 --- /dev/null 
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-pillow/0001-Use-snprintf-instead-of-sprintf.patch @@ -0,0 +1,43 @@ +From 518ee3722a99d7f7d890db82a20bd81c1c0327fb Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Wed, 30 Jun 2021 23:47:10 +1000 +Subject: [PATCH 1/1] Use snprintf instead of sprintf + +Fix CVE-2021-34552. + +commit 518ee3722a99d7f7d890db82a20bd81c1c0327fb (unmodified) + +Upstream-Status: Backport +Signed-off-by: Joe Slater <joe.slater@windriver.com> + +--- + src/libImaging/Convert.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/libImaging/Convert.c b/src/libImaging/Convert.c +index 1fa74a13b..9012cfcd7 100644 +--- a/src/libImaging/Convert.c ++++ b/src/libImaging/Convert.c +@@ -1595,7 +1595,7 @@ convert( + return (Imaging)ImagingError_ValueError("conversion not supported"); + #else + static char buf[100]; +- sprintf(buf, "conversion from %.10s to %.10s not supported", imIn->mode, mode); ++ snprintf(buf, 100, "conversion from %.10s to %.10s not supported", imIn->mode, mode); + return (Imaging)ImagingError_ValueError(buf); + #endif + } +@@ -1645,8 +1645,9 @@ ImagingConvertTransparent(Imaging imIn, const char *mode, int r, int g, int b) { + #else + { + static char buf[100]; +- sprintf( ++ snprintf( + buf, ++ 100, + "conversion from %.10s to %.10s not supported in convert_transparent", + imIn->mode, + mode); +-- +2.29.2 + diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb index 3241230d13..40745bb763 100644 --- a/meta-openembedded/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb +++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb 
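Review bot: The header of this backport says "Fix CVE-2021-34552." only in free text, and neither the file name nor the header carries the `CVE:` tag that the apache2 and nginx patches in this commit use. The cve-check class recognises a patched CVE from the patch file name or from a `CVE: CVE-…` line, so this fix will probably still be reported as unpatched for python3-pillow. Adding `CVE: CVE-2021-34552` next to `Upstream-Status: Backport` would record it.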
@@ -8,6 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=0337b116233da4616ae9fdb130bf6f1a" SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=8.2.x \ file://0001-support-cross-compiling.patch \ file://0001-explicitly-set-compile-options.patch \ + file://0001-Limit-sprintf-modes-to-10-characters.patch \ + file://0001-Use-snprintf-instead-of-sprintf.patch \ " SRCREV ?= "e0e353c0ef7516979a9aedce3792596649ce4433" diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-urllib3_1.26.4.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-urllib3_1.26.5.bb index 0a31fb1e2d..f2fb33c6dd 100644 --- a/meta-openembedded/meta-python/recipes-devtools/python/python3-urllib3_1.26.4.bb +++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-urllib3_1.26.5.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/shazow/urllib3" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c2823cb995439c984fd62a973d79815c" -SRC_URI[sha256sum] = "e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937" +SRC_URI[sha256sum] = "a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098" inherit pypi setuptools3 diff --git a/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch new file mode 100644 index 0000000000..4eb6b85b1a --- /dev/null +++ b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch 
@@ -0,0 +1,45 @@ +From 8c162db8b65b2193e622b780e8c6516d4265f68b Mon Sep 17 00:00:00 2001 +From: Yann Ylavic <ylavic@apache.org> +Date: Mon, 11 May 2015 15:48:58 +0000 +Subject: [PATCH] mod_proxy_http: follow up to r1656259. The proxy connection + may be NULL during prefetch, don't try to dereference it! Still + origin->keepalive will be set according to p_conn->close by the caller + (proxy_http_handler). + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1678771 13f79535-47bb-0310-9956-ffa450edef68 + +Upstream-Status: Backport +CVE: CVE-2020-35504 + +Reference to upstream patch: +https://bugzilla.redhat.com/show_bug.cgi?id=1966738 +https://github.com/apache/httpd/commit/8c162db8b65b2193e622b780e8c6516d4265f68b + +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + modules/proxy/mod_proxy_http.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c +index ec1e042..5f507d5 100644 +--- a/modules/proxy/mod_proxy_http.c ++++ b/modules/proxy/mod_proxy_http.c +@@ -570,7 +570,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req, + apr_off_t bytes; + int force10, rv; + apr_read_type_e block; +- conn_rec *origin = p_conn->connection; + + if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) { + if (req->expecting_100) { +@@ -630,7 +629,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req, + "chunked body with Content-Length (C-L ignored)", + c->client_ip, c->remote_host ? c->remote_host: ""); + req->old_cl_val = NULL; +- origin->keepalive = AP_CONN_CLOSE; + p_conn->close = 1; + } + +-- +2.7.4 + diff --git a/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch new file mode 100644 index 0000000000..001ca9252d --- /dev/null +++ b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch 
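Review bot: The `CVE:` tag in this patch header reads `CVE-2020-35504`, but the file is added as CVE-2020-13950.patch and is listed under that name in the apache2 recipe. The mod_proxy_http NULL-dereference described in the subject fits the file name rather than the tag, so the tag looks like a copy-and-paste slip. CVE tooling that reads the tag would credit apache2 with a fix for the wrong identifier, so the line should read `CVE: CVE-2020-13950`.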
@@ -0,0 +1,49 @@ +From 3b6431eb9c9dba603385f70a2131ab4a01bf0d3b Mon Sep 17 00:00:00 2001 +From: Yann Ylavic <ylavic@apache.org> +Date: Mon, 18 Jan 2021 17:39:12 +0000 +Subject: [PATCH] Merge r1885659 from trunk: + +mod_auth_digest: Fast validation of the nonce's base64 to fail early if + the format can't match anyway. + +Submitted by: ylavic +Reviewed by: ylavic, covener, jailletc36 + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1885666 13f79535-47bb-0310-9956-ffa450edef68 + +Upstream-Status: Backport +CVE: CVE-2020-35452 + +Reference to upstream patch: +https://security-tracker.debian.org/tracker/CVE-2020-35452 +https://github.com/apache/httpd/commit/3b6431eb9c9dba603385f70a2131ab4a01bf0d3b + +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + modules/aaa/mod_auth_digest.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c +index b760941..0825b1b 100644 +--- a/modules/aaa/mod_auth_digest.c ++++ b/modules/aaa/mod_auth_digest.c +@@ -1422,9 +1422,14 @@ static int check_nonce(request_rec *r, digest_header_rec *resp, + time_rec nonce_time; + char tmp, hash[NONCE_HASH_LEN+1]; + +- if (strlen(resp->nonce) != NONCE_LEN) { ++ /* Since the time part of the nonce is a base64 encoding of an ++ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise. ++ */ ++ if (strlen(resp->nonce) != NONCE_LEN ++ || resp->nonce[NONCE_TIME_LEN - 1] != '=') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775) +- "invalid nonce %s received - length is not %d", ++ "invalid nonce '%s' received - length is not %d " ++ "or time encoding is incorrect", + resp->nonce, NONCE_LEN); + note_digest_auth_failure(r, conf, resp, 1); + return HTTP_UNAUTHORIZED; +-- +2.7.4 + 
diff --git a/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch new file mode 100644 index 0000000000..d3aea9e122 --- /dev/null +++ b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch @@ -0,0 +1,39 @@ +From 67bd9bfe6c38831e14fe7122f1d84391472498f8 Mon Sep 17 00:00:00 2001 +From: Yann Ylavic <ylavic@apache.org> +Date: Mon, 1 Mar 2021 20:07:08 +0000 +Subject: [PATCH] mod_session: save one apr_strtok() in + session_identity_decode(). + +When the encoding is invalid (missing '='), no need to parse further. + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887050 13f79535-47bb-0310-9956-ffa450edef68 + +Upstream-Status: Backport +CVE: CVE-2021-26690 + +Reference to upstream patch: +https://security-tracker.debian.org/tracker/CVE-2021-26690 +https://github.com/apache/httpd/commit/67bd9bfe6c38831e14fe7122f1d84391472498f8 + +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + modules/session/mod_session.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c +index ebd05b0..af70f6b 100644 +--- a/modules/session/mod_session.c ++++ b/modules/session/mod_session.c +@@ -404,8 +404,8 @@ static apr_status_t session_identity_decode(request_rec * r, session_rec * z) + char *plast = NULL; + const char *psep = "="; + char *key = apr_strtok(pair, psep, &plast); +- char *val = apr_strtok(NULL, psep, &plast); + if (key && *key) { ++ char *val = apr_strtok(NULL, sep, &plast); + if (!val || !*val) { + apr_table_unset(z->entries, key); + } +-- +2.7.4 + diff --git a/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch new file mode 100644 index 0000000000..f9cf868d01 --- /dev/null 
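Review bot: The added call `apr_strtok(NULL, sep, &plast)` passes `sep`, while the call it replaces passed `psep`, and the patch description mentions only saving one apr_strtok(). `sep` is declared outside the hunk, so its value cannot be checked here. Presumably the rest of the pair is meant to be taken as the value without splitting on '=' again. Since this changes how session values are parsed, the header should say so, for example `Note: the value is now tokenised with the pair separator, matching the upstream commit.`, after confirming against the referenced upstream commit.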
+++ b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch @@ -0,0 +1,35 @@ +From 7e09dd714fc62c08c5b0319ed7b9702594faf49b Mon Sep 17 00:00:00 2001 +From: Yann Ylavic <ylavic@apache.org> +Date: Mon, 1 Mar 2021 20:13:54 +0000 +Subject: [PATCH] mod_session: account for the '&' in identity_concat(). + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68 + +Upstream-Status: Backport +CVE: CVE-2021-26691 + +Reference to upstream patch: +https://bugzilla.redhat.com/show_bug.cgi?id=1966732 +https://github.com/apache/httpd/commit/7e09dd714fc62c08c5b0319ed7b9702594faf49b + +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + modules/session/mod_session.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c +index 7ee477c..ebd05b0 100644 +--- a/modules/session/mod_session.c ++++ b/modules/session/mod_session.c +@@ -317,7 +317,7 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z, + static int identity_count(void *v, const char *key, const char *val) + { + int *count = v; +- *count += strlen(key) * 3 + strlen(val) * 3 + 1; ++ *count += strlen(key) * 3 + strlen(val) * 3 + 2; + return 1; + } + +-- +2.7.4 + diff --git a/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch new file mode 100644 index 0000000000..7f74c85e33 --- /dev/null +++ b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch 
@@ -0,0 +1,66 @@ +From 6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3 Mon Sep 17 00:00:00 2001 +From: Eric Covener <covener@apache.org> +Date: Wed, 21 Apr 2021 01:02:11 +0000 +Subject: [PATCH] legacy default slash-matching behavior w/ 'MergeSlashes OFF' + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889036 13f79535-47bb-0310-9956-ffa450edef68 + +Upstream-Status: Backport +CVE: CVE-2021-30641 + +Reference to upstream patch: +https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-30641 +https://github.com/apache/httpd/commit/6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3 + +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + server/request.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/server/request.c b/server/request.c +index d5c558a..18625af 100644 +--- a/server/request.c ++++ b/server/request.c +@@ -1419,7 +1419,20 @@ AP_DECLARE(int) ap_location_walk(request_rec *r) + + cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r); + cached = (cache->cached != NULL); +- entry_uri = r->uri; ++ ++ /* ++ * When merge_slashes is set to AP_CORE_CONFIG_OFF the slashes in r->uri ++ * have not been merged. But for Location walks we always go with merged ++ * slashes no matter what merge_slashes is set to. 
++ */ ++ if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) { ++ entry_uri = r->uri; ++ } ++ else { ++ char *uri = apr_pstrdup(r->pool, r->uri); ++ ap_no2slash(uri); ++ entry_uri = uri; ++ } + + /* If we have an cache->cached location that matches r->uri, + * and the vhost's list of locations hasn't changed, we can skip +@@ -1486,7 +1499,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r) + pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t)); + } + +- if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) { ++ if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) { + continue; + } + +@@ -1496,7 +1509,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r) + apr_table_setn(r->subprocess_env, + ((const char **)entry_core->refs->elts)[i], + apr_pstrndup(r->pool, +- entry_uri + pmatch[i].rm_so, ++ r->uri + pmatch[i].rm_so, + pmatch[i].rm_eo - pmatch[i].rm_so)); + } + } +-- +2.7.4 + diff --git a/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb index 197cb83e64..4fc1f16317 100644 --- a/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb +++ b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb @@ -15,6 +15,11 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \ file://0007-apache2-allow-to-disable-selinux-support.patch \ file://apache-configure_perlbin.patch \ file://0001-support-apxs.in-force-destdir-to-be-empty-string.patch \ + file://CVE-2020-13950.patch \ + file://CVE-2020-35452.patch \ + file://CVE-2021-26690.patch \ + file://CVE-2021-26691.patch \ + file://CVE-2021-30641.patch \ " SRC_URI_append_class-target = " \ diff --git a/meta-openembedded/meta-webserver/recipes-httpd/hiawatha/hiawatha_10.11.bb b/meta-openembedded/meta-webserver/recipes-httpd/hiawatha/hiawatha_10.11.bb index 89910841f6..f0be75f5d3 100644 --- a/meta-openembedded/meta-webserver/recipes-httpd/hiawatha/hiawatha_10.11.bb 
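Review bot: The comment added above the `entry_uri` assignment says Location walks always use merged slashes, but the two later hunks of this patch switch `ap_regexec()` and the capture extraction from `entry_uri` to `r->uri`. The comment itself describes `r->uri` as unmerged when merge_slashes is OFF, so regex sections are matched against the path as received while plain sections see the merged copy. The comment should state that, for example by appending `Regex sections are matched against r->uri as received.` Anyone relying on a regex section to restrict a path with MergeSlashes OFF would presumably need patterns that tolerate repeated slashes. ap_location_walk begins and ends outside these hunks.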
+++ b/meta-openembedded/meta-webserver/recipes-httpd/hiawatha/hiawatha_10.11.bb @@ -6,7 +6,7 @@ DEPENDS = "libxml2 libxslt virtual/crypt" SECTION = "net" -SRC_URI = "http://hiawatha-webserver.org/files/${BP}.tar.gz \ +SRC_URI = "http://hiawatha-webserver.org/files/hiawatha-10/${BP}.tar.gz \ file://hiawatha-init \ file://hiawatha.service " diff --git a/meta-openembedded/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch b/meta-openembedded/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch new file mode 100644 index 0000000000..a708033775 --- /dev/null +++ b/meta-openembedded/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch @@ -0,0 +1,46 @@ +From 7199ebc203f74fd9e44595474de6bdc41740c5cf Mon Sep 17 00:00:00 2001 +From: Maxim Dounin <mdounin@mdounin.ru> +Date: Tue, 25 May 2021 15:17:36 +0300 +Subject: [PATCH] Resolver: fixed off-by-one write in ngx_resolver_copy(). + +Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH. + +Upstream-Status: Backport +CVE: CVE-2021-23017 + +Reference to upstream patch: +https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf + +Signed-off-by: Catalin Enache <catalin.enache@windriver.com> +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + src/core/ngx_resolver.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c +index 79390701..63b26193 100644 +--- a/src/core/ngx_resolver.c ++++ b/src/core/ngx_resolver.c +@@ -4008,15 +4008,15 @@ done: + n = *src++; + + } else { ++ if (dst != name->data) { ++ *dst++ = '.'; ++ } ++ + ngx_strlow(dst, src, n); + dst += n; + src += n; + + n = *src++; +- +- if (n != 0) { +- *dst++ = '.'; +- } + } + + if (n == 0) { +-- +2.17.1 + diff --git a/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx.inc index de080a2b01..a4583ed8f8 100644 
--- a/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx.inc @@ -22,6 +22,7 @@ SRC_URI = " \ file://nginx-volatile.conf \ file://nginx.service \ file://nginx-fix-pidfile.patch \ + file://CVE-2021-23017.patch \ " inherit siteinfo update-rc.d useradd systemd diff --git a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-blinka_6.2.2.bb b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-blinka_6.2.2.bb index 7d3120f76d..dc9e6802b3 100644 --- a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-blinka_6.2.2.bb +++ b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-blinka_6.2.2.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/adafruit/Adafruit_Blinka" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=660e614bc7efb0697cc793d8a22a55c2" -SRC_URI = "git://github.com/adafruit/Adafruit_Blinka.git" +SRC_URI = "git://github.com/adafruit/Adafruit_Blinka.git;branch=main" SRCREV = "dc688f354fe779c9267c208b99f310af87e79272" S = "${WORKDIR}/git" diff --git a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-busdevice_5.0.5.bb b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-busdevice_5.0.5.bb index c14d6f3d65..7c1a26742e 100644 --- a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-busdevice_5.0.5.bb +++ b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-busdevice_5.0.5.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/adafruit/Adafruit_CircuitPython_BusDevice" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=6ec69d6e9e6c85adfb7799d7f8cf044e" -SRC_URI = "git://github.com/adafruit/Adafruit_CircuitPython_BusDevice.git" +SRC_URI = "git://github.com/adafruit/Adafruit_CircuitPython_BusDevice.git;branch=main" SRCREV = "1bfe8005293205e2f7b2cc498ab5a946f1133b40" S = "${WORKDIR}/git" 
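Review bot: The rewritten SRC_URI in python3-adafruit-blinka still fetches over `git://`, which is neither encrypted nor authenticated, so only the pinned SRCREV protects the checkout. Since the line is being edited to add the branch anyway, the fetcher's protocol parameter could be set too: `SRC_URI = "git://github.com/adafruit/Adafruit_Blinka.git;protocol=https;branch=main"`. The same applies to the other Adafruit recipe hunks in this commit (busdevice, motor, motorkit, pca9685, register, platformdetect, pureio).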
diff --git a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-motor_3.2.6.bb b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-motor_3.2.6.bb index e05e2ab5e1..b0475e6efd 100644 --- a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-motor_3.2.6.bb +++ b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-motor_3.2.6.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/adafruit/Adafruit_CircuitPython_Motor" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=b72678307cc7c10910b5ef460216af07" -SRC_URI = "git://github.com/adafruit/Adafruit_CircuitPython_Motor.git" +SRC_URI = "git://github.com/adafruit/Adafruit_CircuitPython_Motor.git;branch=main" SRCREV = "2251bfc0501d0acfb96c0a43f4f2b4c6a10ca14e" S = "${WORKDIR}/git" diff --git a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-motorkit_1.6.1.bb b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-motorkit_1.6.1.bb index f35d48cf26..12a63f3a59 100644 --- a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-motorkit_1.6.1.bb +++ b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-motorkit_1.6.1.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/adafruit/Adafruit_CircuitPython_MotorKit" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=6ad4a8854b39ad474755ef1aea813bac" -SRC_URI = "git://github.com/adafruit/Adafruit_CircuitPython_MotorKit.git" +SRC_URI = "git://github.com/adafruit/Adafruit_CircuitPython_MotorKit.git;branch=main" SRCREV = "8c1462b4129b21f6db156d1517abb017bb74b982" S = "${WORKDIR}/git" diff --git a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-pca9685_3.3.4.bb b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-pca9685_3.3.4.bb index 0b65c81ea1..a46b13044c 100644 --- a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-pca9685_3.3.4.bb 
+++ b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-pca9685_3.3.4.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/adafruit/Adafruit_CircuitPython_PCA9685" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=e7eb6b599fb0cfb06485c64cd4242f62" -SRC_URI = "git://github.com/adafruit/Adafruit_CircuitPython_PCA9685.git" +SRC_URI = "git://github.com/adafruit/Adafruit_CircuitPython_PCA9685.git;branch=main" SRCREV = "2780c4102f4c23fbab252aa1198b61ba7e2d1b2c" S = "${WORKDIR}/git" diff --git a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-register_1.9.4.bb b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-register_1.9.4.bb index f1af80bea7..7d0377b49d 100644 --- a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-register_1.9.4.bb +++ b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-circuitpython-register_1.9.4.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/adafruit/Adafruit_CircuitPython_Register" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=6ec69d6e9e6c85adfb7799d7f8cf044e" -SRC_URI = "git://github.com/adafruit/Adafruit_CircuitPython_Register.git" +SRC_URI = "git://github.com/adafruit/Adafruit_CircuitPython_Register.git;branch=main" S = "${WORKDIR}/git" SRCREV = "5fee6e0c3878110844bc51e16063eeae7d94c457" diff --git a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-platformdetect_3.1.1.bb b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-platformdetect_3.1.1.bb index 4454d247d7..0574c532a5 100644 --- a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-platformdetect_3.1.1.bb +++ b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-platformdetect_3.1.1.bb 
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/adafruit/Adafruit_Python_PlatformDetect" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=fccd531dce4b989c05173925f0bbb76c" -SRC_URI = "git://github.com/adafruit/Adafruit_Python_PlatformDetect.git" +SRC_URI = "git://github.com/adafruit/Adafruit_Python_PlatformDetect.git;branch=main" SRCREV = "e0fe1b012898fa824944d6805ca74be0fa027968" S = "${WORKDIR}/git" diff --git a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-pureio_1.1.8.bb b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-pureio_1.1.8.bb index 82415f9548..a59e6f5738 100644 --- a/meta-raspberrypi/recipes-devtools/python/python3-adafruit-pureio_1.1.8.bb +++ b/meta-raspberrypi/recipes-devtools/python/python3-adafruit-pureio_1.1.8.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/adafruit/Adafruit_Python_PureIO" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=2a21fcca821a506d4c36f7bbecc0d009" -SRC_URI = "git://github.com/adafruit/Adafruit_Python_PureIO.git" +SRC_URI = "git://github.com/adafruit/Adafruit_Python_PureIO.git;branch=main" SRCREV = "f4d0973da05b8b21905ff6bab69cdb652128f342" S = "${WORKDIR}/git" diff --git a/poky/bitbake/lib/bb/data_smart.py b/poky/bitbake/lib/bb/data_smart.py index 2328c334ac..b4ed62a4e5 100644 --- a/poky/bitbake/lib/bb/data_smart.py +++ b/poky/bitbake/lib/bb/data_smart.py @@ -28,7 +28,7 @@ logger = logging.getLogger("BitBake.Data") __setvar_keyword__ = ["_append", "_prepend", "_remove"] __setvar_regexp__ = re.compile(r'(?P<base>.*?)(?P<keyword>_append|_prepend|_remove)(_(?P<add>[^A-Z]*))?$') -__expand_var_regexp__ = re.compile(r"\${[a-zA-Z0-9\-_+./~]+?}") +__expand_var_regexp__ = re.compile(r"\${[a-zA-Z0-9\-_+./~:]+?}") __expand_python_regexp__ = re.compile(r"\${@.+?}") __whitespace_split__ = re.compile(r'(\s)') __override_regexp__ = re.compile(r'[a-z0-9]+') 
@@ -481,6 +481,7 @@ class DataSmart(MutableMapping): def setVar(self, var, value, **loginfo): #print("var=" + str(var) + " val=" + str(value)) + var = var.replace(":", "_") self.expand_cache = {} parsing=False if 'parsing' in loginfo: @@ -589,6 +590,8 @@ class DataSmart(MutableMapping): """ Rename the variable key to newkey """ + key = key.replace(":", "_") + newkey = newkey.replace(":", "_") if key == newkey: bb.warn("Calling renameVar with equivalent keys (%s) is invalid" % key) return @@ -637,6 +640,7 @@ class DataSmart(MutableMapping): self.setVar(var + "_prepend", value, ignore=True, parsing=True) def delVar(self, var, **loginfo): + var = var.replace(":", "_") self.expand_cache = {} loginfo['detail'] = "" @@ -664,6 +668,7 @@ class DataSmart(MutableMapping): override = None def setVarFlag(self, var, flag, value, **loginfo): + var = var.replace(":", "_") self.expand_cache = {} if 'op' not in loginfo: @@ -687,6 +692,7 @@ class DataSmart(MutableMapping): self.dict["__exportlist"]["_content"].add(var) def getVarFlag(self, var, flag, expand=True, noweakdefault=False, parsing=False, retparser=False): + var = var.replace(":", "_") if flag == "_content": cachename = var else: @@ -814,6 +820,7 @@ class DataSmart(MutableMapping): return value def delVarFlag(self, var, flag, **loginfo): + var = var.replace(":", "_") self.expand_cache = {} local_var, _ = self._findVar(var) @@ -831,6 +838,7 @@ class DataSmart(MutableMapping): del self.dict[var][flag] def appendVarFlag(self, var, flag, value, **loginfo): + var = var.replace(":", "_") loginfo['op'] = 'append' loginfo['flag'] = flag self.varhistory.record(**loginfo) @@ -838,6 +846,7 @@ class DataSmart(MutableMapping): self.setVarFlag(var, flag, newvalue, ignore=True) def prependVarFlag(self, var, flag, value, **loginfo): + var = var.replace(":", "_") loginfo['op'] = 'prepend' loginfo['flag'] = flag self.varhistory.record(**loginfo) 
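Review bot: `var = var.replace(":", "_")` is pasted into setVar here with no comment saying why. It is repeated in renameVar, delVar and the VarFlag/VarFlags accessors in the following hunks, and in DataNode.eval and ExportFuncsNode.eval in ast.py. One helper with a docstring would keep the rule in a single place, e.g. `def _normalise_name(var): return var.replace(":", "_")`, called as `var = _normalise_name(var)`. The docstring should mention that two names differing only in `:` versus `_` now refer to the same variable, since that aliasing is silent. The method bodies continue outside these hunks.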
@@ -845,6 +854,7 @@ class DataSmart(MutableMapping): self.setVarFlag(var, flag, newvalue, ignore=True) def setVarFlags(self, var, flags, **loginfo): + var = var.replace(":", "_") self.expand_cache = {} infer_caller_details(loginfo) if not var in self.dict: @@ -859,6 +869,7 @@ class DataSmart(MutableMapping): self.dict[var][i] = flags[i] def getVarFlags(self, var, expand = False, internalflags=False): + var = var.replace(":", "_") local_var, _ = self._findVar(var) flags = {} @@ -875,6 +886,7 @@ class DataSmart(MutableMapping): def delVarFlags(self, var, **loginfo): + var = var.replace(":", "_") self.expand_cache = {} if not var in self.dict: self._makeShadowCopy(var) diff --git a/poky/bitbake/lib/bb/parse/ast.py b/poky/bitbake/lib/bb/parse/ast.py index 50a88f7da7..db2bdc35ec 100644 --- a/poky/bitbake/lib/bb/parse/ast.py +++ b/poky/bitbake/lib/bb/parse/ast.py @@ -97,6 +97,7 @@ class DataNode(AstNode): def eval(self, data): groupd = self.groupd key = groupd["var"] + key = key.replace(":", "_") loginfo = { 'variable': key, 'file': self.filename, @@ -207,6 +208,7 @@ class ExportFuncsNode(AstNode): def eval(self, data): for func in self.n: + func = func.replace(":", "_") calledfunc = self.classname + "_" + func if data.getVar(func, False) and not data.getVarFlag(func, 'export_func', False): diff --git a/poky/bitbake/lib/bb/parse/parse_py/BBHandler.py b/poky/bitbake/lib/bb/parse/parse_py/BBHandler.py index f8988b8631..152ef6ab72 100644 --- a/poky/bitbake/lib/bb/parse/parse_py/BBHandler.py +++ b/poky/bitbake/lib/bb/parse/parse_py/BBHandler.py 
@@ -22,7 +22,7 @@ from .ConfHandler import include, init # For compatibility bb.deprecate_import(__name__, "bb.parse", ["vars_from_file"]) -__func_start_regexp__ = re.compile(r"(((?P<py>python(?=(\s|\()))|(?P<fr>fakeroot(?=\s)))\s*)*(?P<func>[\w\.\-\+\{\}\$]+)?\s*\(\s*\)\s*{$" ) +__func_start_regexp__ = re.compile(r"(((?P<py>python(?=(\s|\()))|(?P<fr>fakeroot(?=\s)))\s*)*(?P<func>[\w\.\-\+\{\}\$:]+)?\s*\(\s*\)\s*{$" ) __inherit_regexp__ = re.compile(r"inherit\s+(.+)" ) __export_func_regexp__ = re.compile(r"EXPORT_FUNCTIONS\s+(.+)" ) __addtask_regexp__ = re.compile(r"addtask\s+(?P<func>\w+)\s*((before\s*(?P<before>((.*(?=after))|(.*))))|(after\s*(?P<after>((.*(?=before))|(.*)))))*") diff --git a/poky/bitbake/lib/bb/parse/parse_py/ConfHandler.py b/poky/bitbake/lib/bb/parse/parse_py/ConfHandler.py index f171c5c932..0834fe3f9b 100644 --- a/poky/bitbake/lib/bb/parse/parse_py/ConfHandler.py +++ b/poky/bitbake/lib/bb/parse/parse_py/ConfHandler.py @@ -20,7 +20,7 @@ from bb.parse import ParseError, resolve_file, ast, logger, handle __config_regexp__ = re.compile( r""" ^ (?P<exp>export\s+)? - (?P<var>[a-zA-Z0-9\-_+.${}/~]+?) + (?P<var>[a-zA-Z0-9\-_+.${}/~:]+?) (\[(?P<flag>[a-zA-Z0-9\-_+.]+)\])? \s* ( diff --git a/poky/bitbake/lib/bb/tests/codeparser.py b/poky/bitbake/lib/bb/tests/codeparser.py index 826a2d2f6d..f485204791 100644 --- a/poky/bitbake/lib/bb/tests/codeparser.py +++ b/poky/bitbake/lib/bb/tests/codeparser.py @@ -111,9 +111,9 @@ ${D}${libdir}/pkgconfig/*.pc self.assertExecs(set(["sed"])) def test_parameter_expansion_modifiers(self): - # - and + are also valid modifiers for parameter expansion, but are + # -,+ and : are also valid modifiers for parameter expansion, but are # valid characters in bitbake variable names, so are not included here - for i in ('=', ':-', ':=', '?', ':?', ':+', '#', '%', '##', '%%'): + for i in ('=', '?', '#', '%', '##', '%%'): name = "foo%sbar" % i self.parseExpression("${%s}" % name) self.assertNotIn(name, self.references) 
diff --git a/poky/documentation/conf.py b/poky/documentation/conf.py index a764ea4dea..ab8d3b94d1 100644 --- a/poky/documentation/conf.py +++ b/poky/documentation/conf.py @@ -16,7 +16,7 @@ import os import sys import datetime -current_version = "3.3.1" +current_version = "3.3.2" # String used in sidebar version = 'Version: ' + current_version diff --git a/poky/documentation/poky.yaml b/poky/documentation/poky.yaml index a273de3295..bf211e310a 100644 --- a/poky/documentation/poky.yaml +++ b/poky/documentation/poky.yaml @@ -1,12 +1,12 @@ -DISTRO : "3.3.1" +DISTRO : "3.3.2" DISTRO_NAME_NO_CAP : "hardknott" DISTRO_NAME : "Hardknott" DISTRO_NAME_NO_CAP_MINUS_ONE : "gatesgarth" DISTRO_NAME_NO_CAP_LTS : "gatesgarth" -YOCTO_DOC_VERSION : "3.3.1" +YOCTO_DOC_VERSION : "3.3.2" YOCTO_DOC_VERSION_MINUS_ONE : "3.2.4" -DISTRO_REL_TAG : "yocto-3.3.1" -POKYVERSION : "25.0.1" +DISTRO_REL_TAG : "yocto-3.3.2" +POKYVERSION : "25.0.2" YOCTO_POKY : "poky-&DISTRO_NAME_NO_CAP;-&POKYVERSION;" YOCTO_DL_URL : "https://downloads.yoctoproject.org" YOCTO_AB_URL : "https://autobuilder.yoctoproject.org" diff --git a/poky/documentation/releases.rst b/poky/documentation/releases.rst index daf8912799..08f9491300 100644 --- a/poky/documentation/releases.rst +++ b/poky/documentation/releases.rst @@ -10,6 +10,7 @@ - :yocto_docs:`3.3 Documentation </3.3>` - :yocto_docs:`3.3.1 Documentation </3.3.1>` +- :yocto_docs:`3.3.2 Documentation </3.3.2>` ******************************* @@ -33,6 +34,9 @@ - :yocto_docs:`3.1.4 Documentation </3.1.4>` - :yocto_docs:`3.1.5 Documentation </3.1.5>` - :yocto_docs:`3.1.6 Documentation </3.1.6>` +- :yocto_docs:`3.1.7 Documentation </3.1.7>` +- :yocto_docs:`3.1.8 Documentation </3.1.8>` +- :yocto_docs:`3.1.9 Documentation </3.1.9>` ========================== Previous Release Manuals diff --git a/poky/meta-poky/conf/distro/poky.conf b/poky/meta-poky/conf/distro/poky.conf index dac8f4d155..4a08f2875d 100644 --- a/poky/meta-poky/conf/distro/poky.conf 
+++ b/poky/meta-poky/conf/distro/poky.conf
@@ -1,6 +1,6 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "3.3.1"
+DISTRO_VERSION = "3.3.2"
 DISTRO_CODENAME = "hardknott"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"
diff --git a/poky/meta/classes/kernel-yocto.bbclass b/poky/meta/classes/kernel-yocto.bbclass
index 30f07de4ca..d38b60f519 100644
--- a/poky/meta/classes/kernel-yocto.bbclass
+++ b/poky/meta/classes/kernel-yocto.bbclass
@@ -614,7 +614,31 @@ do_validate_branches() { # if SRCREV is AUTOREV it shows up as AUTOINC there's nothing to # check and we can exit early if [ "${machine_srcrev}" = "AUTOINC" ]; then + linux_yocto_dev='${@oe.utils.conditional("PREFERRED_PROVIDER_virtual/kernel", "linux-yocto-dev", "1", "", d)}' + if [ -n "$linux_yocto_dev" ]; then + git checkout -q -f ${machine_branch} + ver=$(grep "^VERSION =" ${S}/Makefile | sed s/.*=\ *//) + patchlevel=$(grep "^PATCHLEVEL =" ${S}/Makefile | sed s/.*=\ *//) + sublevel=$(grep "^SUBLEVEL =" ${S}/Makefile | sed s/.*=\ *//) + kver="$ver.$patchlevel" + bbnote "dev kernel: performing version -> branch -> SRCREV validation" + bbnote "dev kernel: recipe version ${LINUX_VERSION}, src version: $kver" + echo "${LINUX_VERSION}" | grep -q $kver + if [ $? -ne 0 ]; then + version="$(echo ${LINUX_VERSION} | sed 's/\+.*$//g')" + versioned_branch="v$version/$machine_branch" + + machine_branch=$versioned_branch + force_srcrev="$(git rev-parse $machine_branch 2> /dev/null)" + if [ $? -ne 0 ]; then + bbfatal "kernel version mismatch detected, and no valid branch $machine_branch detected" + fi + + bbnote "dev kernel: adjusting branch to $machine_branch, srcrev to: $force_srcrev" + fi + else bbnote "SRCREV validation is not required for AUTOREV" + fi elif [ "${machine_srcrev}" = "" ]; then if [ "${SRCREV}" != "AUTOINC" ] && [ "${SRCREV}" != "INVALID" ]; then # SRCREV_machine_<MACHINE> was not set. This means that a custom recipe diff --git a/poky/meta/classes/sstate.bbclass b/poky/meta/classes/sstate.bbclass index 3ab6328f91..2b5d94dd1f 100644 --- a/poky/meta/classes/sstate.bbclass +++ b/poky/meta/classes/sstate.bbclass @@ -483,7 +483,7 @@ def sstate_clean_cachefiles(d): ss = sstate_state_fromvars(ld, task) sstate_clean_cachefile(ss, ld) -def sstate_clean_manifest(manifest, d, prefix=None): +def sstate_clean_manifest(manifest, d, canrace=False, prefix=None): import oe.path mfile = open(manifest) 
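Review bot: The version comparison `echo "${LINUX_VERSION}" | grep -q $kver` in the new AUTOINC branch is an unanchored regex match with an unquoted pattern, so the `.` in `$kver` matches any character and a source version of `5.1` would be accepted for a recipe version of `5.10` or `5.13` (constructed values). At minimum this should be a literal match, `echo "${LINUX_VERSION}" | grep -qF -- "$kver"`, and an anchored comparison against the leading major.minor of `${LINUX_VERSION}` would also rule out the prefix case. The three `grep ... | sed s/.*=\ *//` pipelines, `git checkout -q -f ${machine_branch}` and `git rev-parse $machine_branch` leave their expansions unquoted as well, which is worth tidying while the block is new. `do_validate_branches` starts and ends outside the hunk.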
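Review bot: Inserting `canrace=False` ahead of `prefix` in `def sstate_clean_manifest(manifest, d, canrace=False, prefix=None):` changes what a third positional argument means, so any caller outside this commit that still passes the prefix positionally, as `staging.bbclass` did with `sstate_clean_manifest(depdir + "/" + lnk, d, workdir)`, would silently get `canrace=workdir` and `prefix=None`. Keeping the old order, `def sstate_clean_manifest(manifest, d, prefix=None, canrace=False):`, preserves existing calls. In the next hunk of this file the test `len(os.listdir(entry)) == 0 and not canrace` could check `not canrace` first so the directory is not listed when it will not be removed. The function body continues outside this hunk.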
@@ -501,7 +501,9 @@ def sstate_clean_manifest(manifest, d, prefix=None): if entry.endswith("/"): if os.path.islink(entry[:-1]): os.remove(entry[:-1]) - elif os.path.exists(entry) and len(os.listdir(entry)) == 0: + elif os.path.exists(entry) and len(os.listdir(entry)) == 0 and not canrace: + # Removing directories whilst builds are in progress exposes a race. Only + # do it in contexts where it is safe to do so. os.rmdir(entry[:-1]) else: os.remove(entry) @@ -539,7 +541,7 @@ def sstate_clean(ss, d): for lock in ss['lockfiles']: locks.append(bb.utils.lockfile(lock)) - sstate_clean_manifest(manifest, d) + sstate_clean_manifest(manifest, d, canrace=True) for lock in locks: bb.utils.unlockfile(lock) diff --git a/poky/meta/classes/staging.bbclass b/poky/meta/classes/staging.bbclass index 806a85773a..32a615c743 100644 --- a/poky/meta/classes/staging.bbclass +++ b/poky/meta/classes/staging.bbclass @@ -409,7 +409,7 @@ python extend_recipe_sysroot() { if os.path.islink(f) and not os.path.exists(f): bb.note("%s no longer exists, removing from sysroot" % f) lnk = os.readlink(f.replace(".complete", "")) - sstate_clean_manifest(depdir + "/" + lnk, d, workdir) + sstate_clean_manifest(depdir + "/" + lnk, d, canrace=True, prefix=workdir) os.unlink(f) os.unlink(f.replace(".complete", "")) @@ -454,7 +454,7 @@ python extend_recipe_sysroot() { fl = depdir + "/" + l bb.note("Task %s no longer depends on %s, removing from sysroot" % (mytaskname, l)) lnk = os.readlink(fl) - sstate_clean_manifest(depdir + "/" + lnk, d, workdir) + sstate_clean_manifest(depdir + "/" + lnk, d, canrace=True, prefix=workdir) os.unlink(fl) os.unlink(fl + ".complete") 
@@ -475,7 +475,7 @@ python extend_recipe_sysroot() { continue else: bb.note("%s exists in sysroot, but is stale (%s vs. %s), removing." % (c, lnk, c + "." + taskhash)) - sstate_clean_manifest(depdir + "/" + lnk, d, workdir) + sstate_clean_manifest(depdir + "/" + lnk, d, canrace=True, prefix=workdir) os.unlink(depdir + "/" + c) if os.path.lexists(depdir + "/" + c + ".complete"): os.unlink(depdir + "/" + c + ".complete") diff --git a/poky/meta/lib/oeqa/selftest/cases/archiver.py b/poky/meta/lib/oeqa/selftest/cases/archiver.py index ddd08ecf84..0194ae9f69 100644 --- a/poky/meta/lib/oeqa/selftest/cases/archiver.py +++ b/poky/meta/lib/oeqa/selftest/cases/archiver.py @@ -35,11 +35,11 @@ class Archiver(OESelftestTestCase): src_path = os.path.join(bb_vars['DEPLOY_DIR_SRC'], bb_vars['TARGET_SYS']) # Check that include_recipe was included - included_present = len(glob.glob(src_path + '/%s-*' % include_recipe)) + included_present = len(glob.glob(src_path + '/%s-*/*' % include_recipe)) self.assertTrue(included_present, 'Recipe %s was not included.' % include_recipe) # Check that exclude_recipe was excluded - excluded_present = len(glob.glob(src_path + '/%s-*' % exclude_recipe)) + excluded_present = len(glob.glob(src_path + '/%s-*/*' % exclude_recipe)) self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % exclude_recipe) def test_archiver_filters_by_type(self): 
@@ -67,11 +67,11 @@ class Archiver(OESelftestTestCase): src_path_native = os.path.join(bb_vars['DEPLOY_DIR_SRC'], bb_vars['BUILD_SYS']) # Check that target_recipe was included - included_present = len(glob.glob(src_path_target + '/%s-*' % target_recipe)) + included_present = len(glob.glob(src_path_target + '/%s-*/*' % target_recipe)) self.assertTrue(included_present, 'Recipe %s was not included.' % target_recipe) # Check that native_recipe was excluded - excluded_present = len(glob.glob(src_path_native + '/%s-*' % native_recipe)) + excluded_present = len(glob.glob(src_path_native + '/%s-*/*' % native_recipe)) self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % native_recipe) def test_archiver_filters_by_type_and_name(self): 
@@ -104,17 +104,17 @@ class Archiver(OESelftestTestCase): src_path_native = os.path.join(bb_vars['DEPLOY_DIR_SRC'], bb_vars['BUILD_SYS']) # Check that target_recipe[0] and native_recipes[1] were included - included_present = len(glob.glob(src_path_target + '/%s-*' % target_recipes[0])) + included_present = len(glob.glob(src_path_target + '/%s-*/*' % target_recipes[0])) self.assertTrue(included_present, 'Recipe %s was not included.' % target_recipes[0]) - included_present = len(glob.glob(src_path_native + '/%s-*' % native_recipes[1])) + included_present = len(glob.glob(src_path_native + '/%s-*/*' % native_recipes[1])) self.assertTrue(included_present, 'Recipe %s was not included.' % native_recipes[1]) # Check that native_recipes[0] and target_recipes[1] were excluded - excluded_present = len(glob.glob(src_path_native + '/%s-*' % native_recipes[0])) + excluded_present = len(glob.glob(src_path_native + '/%s-*/*' % native_recipes[0])) self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % native_recipes[0]) - excluded_present = len(glob.glob(src_path_target + '/%s-*' % target_recipes[1])) + excluded_present = len(glob.glob(src_path_target + '/%s-*/*' % target_recipes[1])) self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % target_recipes[1]) diff --git a/poky/meta/lib/oeqa/selftest/cases/oelib/utils.py b/poky/meta/lib/oeqa/selftest/cases/oelib/utils.py index a7214beb4c..bbf67bf9c9 100644 --- a/poky/meta/lib/oeqa/selftest/cases/oelib/utils.py +++ b/poky/meta/lib/oeqa/selftest/cases/oelib/utils.py @@ -64,7 +64,7 @@ class TestMultiprocessLaunch(TestCase): import bb def testfunction(item, d): - if item == "2" or item == "1": + if item == "2": raise KeyError("Invalid number %s" % item) return "Found %s" % item 
@@ -99,5 +99,4 @@ class TestMultiprocessLaunch(TestCase): # Assert the function prints exceptions with captured_output() as (out, err): self.assertRaises(bb.BBHandledException, multiprocess_launch, testfunction, ["1", "2", "3", "4", "5", "6"], d, extraargs=(d,)) - self.assertIn("KeyError: 'Invalid number 1'", out.getvalue()) self.assertIn("KeyError: 'Invalid number 2'", out.getvalue()) diff --git a/poky/meta/lib/oeqa/selftest/cases/runcmd.py b/poky/meta/lib/oeqa/selftest/cases/runcmd.py index fa6113d7fa..e9612389fe 100644 --- a/poky/meta/lib/oeqa/selftest/cases/runcmd.py +++ b/poky/meta/lib/oeqa/selftest/cases/runcmd.py @@ -27,8 +27,8 @@ class RunCmdTests(OESelftestTestCase): # The delta is intentionally smaller than the timeout, to detect cases where # we incorrectly apply the timeout more than once. - TIMEOUT = 5 - DELTA = 3 + TIMEOUT = 10 + DELTA = 8 def test_result_okay(self): result = runCmd("true") diff --git a/poky/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/poky/meta/recipes-connectivity/openssh/openssh/sshd_check_keys index 1931dc7153..ef117de897 100644 --- a/poky/meta/recipes-connectivity/openssh/openssh/sshd_check_keys +++ b/poky/meta/recipes-connectivity/openssh/openssh/sshd_check_keys @@ -6,6 +6,7 @@ generate_key() { local DIR="$(dirname "$FILE")" mkdir -p "$DIR" + rm -f ${FILE}.tmp ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE # Atomically rename file public key diff --git a/poky/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/poky/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch deleted file mode 100644 index 67c9f189cc..0000000000 --- a/poky/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch +++ /dev/null 
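Review bot: The added `rm -f ${FILE}.tmp` in `sshd_check_keys` leaves the expansion unquoted, while the other uses of the path in `generate_key` are quoted (`"$(dirname "$FILE")"`, `"${FILE}.tmp"`), so a key path containing whitespace or glob characters would make `rm` act on different names than the one `ssh-keygen` then writes. `rm -f "${FILE}.tmp"` fixes that. If the stale file comes from an interrupted earlier run, a matching `"${FILE}.tmp.pub"` may be left over too; it is worth confirming whether it needs the same cleanup. `generate_key` continues outside the hunk.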
@@ -1,58 +0,0 @@ -From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001 -From: Samuel Sapalski <samuel.sapalski@nokia.com> -Date: Wed, 3 Mar 2021 16:31:22 +0100 -Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt - -On certain corrupt gzip files, huft_build will set the error bit on -the result pointer. If afterwards abort_unzip is called huft_free -might run into a segmentation fault or an invalid pointer to -free(p). - -In order to mitigate this, we check in huft_free if the error bit -is set and clear it before the linked list is freed. - -Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com> -Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com> -Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> - -Upstream-Status: Backport -CVE: CVE-2021-28831 -Signed-off-by: Chen Qi <Qi.Chen@windriver.com> ---- - archival/libarchive/decompress_gunzip.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c -index eb3b64930..e93cd5005 100644 ---- a/archival/libarchive/decompress_gunzip.c -+++ b/archival/libarchive/decompress_gunzip.c -@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = { - * each table. - * t: table to free - */ -+#define BAD_HUFT(p) ((uintptr_t)(p) & 1) -+#define ERR_RET ((huft_t*)(uintptr_t)1) - static void huft_free(huft_t *p) - { - huft_t *q; - -+ /* -+ * If 'p' has the error bit set we have to clear it, otherwise we might run -+ * into a segmentation fault or an invalid pointer to free(p) -+ */ -+ if (BAD_HUFT(p)) { -+ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET)); -+ } -+ - /* Go through linked list, freeing from the malloced (t[-1]) address. 
*/ - while (p) { - q = (--p)->v.t; -@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current - * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table - * is given: "fixed inflate" decoder feeds us such data. - */ --#define BAD_HUFT(p) ((uintptr_t)(p) & 1) --#define ERR_RET ((huft_t*)(uintptr_t)1) - static huft_t* huft_build(const unsigned *b, const unsigned n, - const unsigned s, const struct cp_ext *cp_ext, - unsigned *m) diff --git a/poky/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch b/poky/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch new file mode 100644 index 0000000000..4a1960dff2 --- /dev/null +++ b/poky/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch 
@@ -0,0 +1,81 @@ +From ceb378209f953ea745ed93a8645567196380ce3c Mon Sep 17 00:00:00 2001 +From: Andrej Valek <andrej.valek@siemens.com> +Date: Thu, 24 Jun 2021 19:13:22 +0200 +Subject: [PATCH] mktemp: add tmpdir option + +Make mktemp more compatible with coreutils. +- add "--tmpdir" option +- add long variants for "d,q,u" options + +Upstream-Status: Submitted [http://lists.busybox.net/pipermail/busybox/2021-June/088932.html] + +Signed-off-by: Andrej Valek <andrej.valek@siemens.com> +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + coreutils/mktemp.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/coreutils/mktemp.c b/coreutils/mktemp.c +index 5393320a5..05c6d98c6 100644 +--- a/coreutils/mktemp.c ++++ b/coreutils/mktemp.c +@@ -39,16 +39,17 @@ + //kbuild:lib-$(CONFIG_MKTEMP) += mktemp.o + + //usage:#define mktemp_trivial_usage +-//usage: "[-dt] [-p DIR] [TEMPLATE]" ++//usage: "[-dt] [-p DIR, --tmpdir[=DIR]] [TEMPLATE]" + //usage:#define mktemp_full_usage "\n\n" + //usage: "Create a temporary file with name based on TEMPLATE and print its name.\n" + //usage: "TEMPLATE must end with XXXXXX (e.g. [/dir/]nameXXXXXX).\n" + //usage: "Without TEMPLATE, -t tmp.XXXXXX is assumed.\n" +-//usage: "\n -d Make directory, not file" +-//usage: "\n -q Fail silently on errors" +-//usage: "\n -t Prepend base directory name to TEMPLATE" +-//usage: "\n -p DIR Use DIR as a base directory (implies -t)" +-//usage: "\n -u Do not create anything; print a name" ++//usage: "\n -d Make directory, not file" ++//usage: "\n -q Fail silently on errors" ++//usage: "\n -t Prepend base directory name to TEMPLATE" ++//usage: "\n -p DIR, --tmpdir[=DIR] Use DIR as a base directory (implies -t)" ++//usage: "\n For --tmpdir is a optional one." 
++//usage: "\n -u Do not create anything; print a name" + //usage: "\n" + //usage: "\nBase directory is: -p DIR, else $TMPDIR, else /tmp" + //usage: +@@ -72,13 +73,22 @@ int mktemp_main(int argc UNUSED_PARAM, char **argv) + OPT_t = 1 << 2, + OPT_p = 1 << 3, + OPT_u = 1 << 4, ++ OPT_td = 1 << 5, + }; + + path = getenv("TMPDIR"); + if (!path || path[0] == '\0') + path = "/tmp"; + +- opts = getopt32(argv, "^" "dqtp:u" "\0" "?1"/*1 arg max*/, &path); ++ opts = getopt32long(argv, "^" ++ "dqtp:u\0" ++ "?1" /* 1 arg max */, ++ "directory\0" No_argument "d" ++ "quiet\0" No_argument "q" ++ "dry-run\0" No_argument "u" ++ "tmpdir\0" Optional_argument "\xff" ++ , &path, &path ++ ); + + chp = argv[optind]; + if (!chp) { +@@ -95,7 +105,7 @@ int mktemp_main(int argc UNUSED_PARAM, char **argv) + goto error; + } + #endif +- if (opts & (OPT_t|OPT_p)) ++ if (opts & (OPT_t|OPT_p|OPT_td)) + chp = concat_path_file(path, chp); + + if (opts & OPT_u) { +-- +2.11.0 + diff --git a/poky/meta/recipes-core/busybox/busybox_1.33.0.bb b/poky/meta/recipes-core/busybox/busybox_1.33.1.bb index b2a30ba16f..4002d6a5c6 100644 --- a/poky/meta/recipes-core/busybox/busybox_1.33.0.bb +++ b/poky/meta/recipes-core/busybox/busybox_1.33.1.bb @@ -37,6 +37,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ ${@["", "file://mdev.cfg"][(d.getVar('VIRTUAL-RUNTIME_dev_manager') == 'busybox-mdev')]} \ file://syslog.cfg \ file://unicode.cfg \ + file://rev.cfg \ + file://pgrep.cfg \ file://rcS \ file://rcK \ file://makefile-libbb-race.patch \ 
@@ -44,11 +46,9 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://0001-testsuite-use-www.example.org-for-wget-test-cases.patch \ file://0001-du-l-works-fix-to-use-145-instead-of-144.patch \ file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \ - file://rev.cfg \ - file://pgrep.cfg \ - file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \ file://0001-gen_build_files-Use-C-locale-when-calling-sed-on-glo.patch \ + file://0001-mktemp-add-tmpdir-option.patch \ " SRC_URI_append_libc-musl = " file://musl.cfg " -SRC_URI[tarball.sha256sum] = "d568681c91a85edc6710770cebc1e80e042ad74d305b5c2e6d57a5f3de3b8fbd" +SRC_URI[tarball.sha256sum] = "12cec6bd2b16d8a9446dd16130f2b92982f1819f6e1c5f5887b6db03f5660d28" diff --git a/poky/meta/recipes-core/glibc/glibc-testsuite_2.33.bb b/poky/meta/recipes-core/glibc/glibc-testsuite_2.33.bb index d887aeff79..659d3132fa 100644 --- a/poky/meta/recipes-core/glibc/glibc-testsuite_2.33.bb +++ b/poky/meta/recipes-core/glibc/glibc-testsuite_2.33.bb @@ -61,3 +61,4 @@ addtask do_check after do_compile inherit nopackages deltask do_stash_locale deltask do_install +deltask do_populate_sysroot diff --git a/poky/meta/recipes-devtools/binutils/binutils-2.36.inc b/poky/meta/recipes-devtools/binutils/binutils-2.36.inc index 2968291889..9d770db5a8 100644 --- a/poky/meta/recipes-devtools/binutils/binutils-2.36.inc +++ b/poky/meta/recipes-devtools/binutils/binutils-2.36.inc @@ -41,5 +41,8 @@ SRC_URI = "\ file://0014-Fix-rpath-in-libtool-when-sysroot-is-enabled.patch \ file://0015-sync-with-OE-libtool-changes.patch \ file://0016-Check-for-clang-before-checking-gcc-version.patch \ + file://0001-CVE-2021-20197.patch \ + file://0002-CVE-2021-20197.patch \ + file://0003-CVE-2021-20197.patch \ " S = "${WORKDIR}/git" 
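Review bot: This hunk drops `0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch`, the backport tagged `CVE: CVE-2021-28831`, together with the move to 1.33.1, but nothing in the recipe or the visible change records that the new tarball already contains the fix. Presumably 1.33.1 carries it upstream; that should be confirmed against `huft_free` in `archival/libarchive/decompress_gunzip.c` of the new source and stated in the commit message so the removal is auditable. The replacement `0001-mktemp-add-tmpdir-option.patch` is marked `Upstream-Status: Submitted`, so it will need re-checking on the next version bump.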
diff --git a/poky/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-20197.patch b/poky/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-20197.patch
new file mode 100644
index 0000000000..2b4eaba26d
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-20197.patch
@@ -0,0 +1,201 @@ +From 8e03235147a9e774d3ba084e93c2da1aa94d1cec Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar <siddhesh@gotplt.org> +Date: Mon, 22 Feb 2021 20:45:50 +0530 +Subject: [PATCH] binutils: Avoid renaming over existing files + +Renaming over existing files needs additional care to restore +permissions and ownership, which may not always succeed. +Additionally, other properties of the file such as extended attributes +may be lost, making the operation flaky. + +For predictable results, resort to rename() only if the file does not +exist, otherwise copy the file contents into the existing file. This +ensures that no additional tricks are needed to retain file +properties. + +This also allows dropping of the redundant set_times on the tmpfile in +objcopy/strip since now we no longer rename over existing files. + +binutils/ + + * ar.c (write_archive): Adjust call to SMART_RENAME. + * arsup.c (ar_save): Likewise. + * objcopy (strip_main): Don't set times on temporary file and + adjust call to SMART_RENAME. + (copy_main): Likewise. + * rename.c [!S_ISLNK]: Remove definitions. + (try_preserve_permissions): Remove function. + (smart_rename): Replace PRESERVE_DATES argument with + TARGET_STAT. Use rename system call only if TO does not exist. + * bucomm.h (smart_rename): Adjust declaration. 
+ +(cherry picked from commit 3685de750e6a091663a0abe42528cad29e960e35) + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8e03235147a9e774d3ba084e93c2da1aa94d1cec] +CVE: CVE-2021-20197 +Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> +--- + binutils/ar.c | 2 +- + binutils/arsup.c | 2 +- + binutils/bucomm.h | 3 ++- + binutils/objcopy.c | 8 ++----- + binutils/rename.c | 55 +++++++++------------------------------------- + 6 files changed, 29 insertions(+), 54 deletions(-) + +diff --git a/binutils/ar.c b/binutils/ar.c +index 45a34e3a6cf..3a91708b51c 100644 +--- a/binutils/ar.c ++++ b/binutils/ar.c +@@ -1308,7 +1308,7 @@ write_archive (bfd *iarch) + /* We don't care if this fails; we might be creating the archive. */ + bfd_close (iarch); + +- if (smart_rename (new_name, old_name, 0) != 0) ++ if (smart_rename (new_name, old_name, NULL) != 0) + xexit (1); + free (old_name); + free (new_name); +diff --git a/binutils/arsup.c b/binutils/arsup.c +index 5403a0c5d74..0a1f63f6456 100644 +--- a/binutils/arsup.c ++++ b/binutils/arsup.c +@@ -351,7 +351,7 @@ ar_save (void) + + bfd_close (obfd); + +- smart_rename (ofilename, real_name, 0); ++ smart_rename (ofilename, real_name, NULL); + obfd = 0; + free (ofilename); + } +diff --git a/binutils/bucomm.h b/binutils/bucomm.h +index 91f6a5b228f..aa7e33d8cd1 100644 +--- a/binutils/bucomm.h ++++ b/binutils/bucomm.h +@@ -71,7 +71,8 @@ extern void print_version (const char *); + /* In rename.c. */ + extern void set_times (const char *, const struct stat *); + +-extern int smart_rename (const char *, const char *, int); ++extern int smart_rename (const char *, const char *, struct stat *); ++ + + /* In libiberty. 
*/ + void *xmalloc (size_t); +diff --git a/binutils/objcopy.c b/binutils/objcopy.c +index eab3b6db585..07a872b5a80 100644 +--- a/binutils/objcopy.c ++++ b/binutils/objcopy.c +@@ -4861,12 +4861,10 @@ strip_main (int argc, char *argv[]) + output_target, NULL); + if (status == 0) + { +- if (preserve_dates) +- set_times (tmpname, &statbuf); + if (output_file != tmpname) + status = (smart_rename (tmpname, + output_file ? output_file : argv[i], +- preserve_dates) != 0); ++ preserve_dates ? &statbuf : NULL) != 0); + if (status == 0) + status = hold_status; + } +@@ -5931,11 +5929,9 @@ copy_main (int argc, char *argv[]) + output_target, input_arch); + if (status == 0) + { +- if (preserve_dates) +- set_times (tmpname, &statbuf); + if (tmpname != output_filename) + status = (smart_rename (tmpname, input_filename, +- preserve_dates) != 0); ++ preserve_dates ? &statbuf : NULL) != 0); + } + else + unlink_if_ordinary (tmpname); +diff --git a/binutils/rename.c b/binutils/rename.c +index 65ad5bf52c4..f471b45fd3f 100644 +--- a/binutils/rename.c ++++ b/binutils/rename.c +@@ -122,20 +122,13 @@ set_times (const char *destination, const struct stat *statbuf) + non_fatal (_("%s: cannot set time: %s"), destination, strerror (errno)); + } + +-#ifndef S_ISLNK +-#ifdef S_IFLNK +-#define S_ISLNK(m) (((m) & S_IFMT) == S_IFLNK) +-#else +-#define S_ISLNK(m) 0 +-#define lstat stat +-#endif +-#endif +- +-/* Rename FROM to TO, copying if TO is a link. +- Return 0 if ok, -1 if error. */ ++/* Rename FROM to TO, copying if TO exists. TARGET_STAT has the file status ++ that, if non-NULL, is used to fix up timestamps after rename. Return 0 if ++ ok, -1 if error. 
*/ + + int +-smart_rename (const char *from, const char *to, int preserve_dates ATTRIBUTE_UNUSED) ++smart_rename (const char *from, const char *to, ++ struct stat *target_stat ATTRIBUTE_UNUSED) + { + bfd_boolean exists; + struct stat s; +@@ -158,38 +151,10 @@ smart_rename (const char *from, const char *to, int preserve_dates ATTRIBUTE_UNU + unlink (from); + } + #else +- /* Use rename only if TO is not a symbolic link and has +- only one hard link, and we have permission to write to it. */ +- if (! exists +- || (!S_ISLNK (s.st_mode) +- && S_ISREG (s.st_mode) +- && (s.st_mode & S_IWUSR) +- && s.st_nlink == 1) +- ) ++ /* Avoid a full copy and use rename if TO does not exist. */ ++ if (!exists) + { +- ret = rename (from, to); +- if (ret == 0) +- { +- if (exists) +- { +- /* Try to preserve the permission bits and ownership of +- TO. First get the mode right except for the setuid +- bit. Then change the ownership. Then fix the setuid +- bit. We do the chmod before the chown because if the +- chown succeeds, and we are a normal user, we won't be +- able to do the chmod afterward. We don't bother to +- fix the setuid bit first because that might introduce +- a fleeting security problem, and because the chown +- will clear the setuid bit anyhow. We only fix the +- setuid bit if the chown succeeds, because we don't +- want to introduce an unexpected setuid file owned by +- the user running objcopy. */ +- chmod (to, s.st_mode & 0777); +- if (chown (to, s.st_uid, s.st_gid) >= 0) +- chmod (to, s.st_mode & 07777); +- } +- } +- else ++ if ((ret = rename (from, to)) != 0) + { + /* We have to clean up here. 
*/ + non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno)); +@@ -202,8 +167,8 @@ smart_rename (const char *from, const char *to, int preserve_dates ATTRIBUTE_UNU + if (ret != 0) + non_fatal (_("unable to copy file '%s'; reason: %s"), to, strerror (errno)); + +- if (preserve_dates) +- set_times (to, &s); ++ if (target_stat != NULL) ++ set_times (to, target_stat); + unlink (from); + } + #endif /* _WIN32 && !__CYGWIN32__ */ +-- +2.31.1 + diff --git a/poky/meta/recipes-devtools/binutils/binutils/0002-CVE-2021-20197.patch b/poky/meta/recipes-devtools/binutils/binutils/0002-CVE-2021-20197.patch new file mode 100644 index 0000000000..3771f571eb --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0002-CVE-2021-20197.patch 
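Review bot: With `set_times (tmpname, &statbuf)` removed from `strip_main` and `copy_main`, timestamps are restored only by `if (target_stat != NULL) set_times (to, target_stat);`, which in the rewritten `smart_rename` sits in the copy path; the `if (!exists)` path shown here only calls `rename (from, to)`. As far as the embedded hunks show, `-p`/`--preserve-dates` would therefore stop taking effect when the output file does not exist yet, though the lines between the two `rename.c` hunks are not visible and patches 0002 and 0003 of the series may change this. It is worth checking on the final patched tree and, if it holds, calling `set_times (to, target_stat)` after a successful rename as well. Separately, the patch header says `6 files changed` while only five files are listed and patched, which suggests a hunk (likely the ChangeLog) was stripped by hand; a line in the header noting that would help the next rebase.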
@@ -0,0 +1,170 @@ +From d3edaa91d4cf7202ec14342410194841e2f67f12 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Fri, 26 Feb 2021 11:30:32 +1030 +Subject: [PATCH] Reinstate various pieces backed out from smart_rename changes + +In the interests of a stable release various last minute smart_rename +patches were backed out of the 2.36 branch. The main reason to +reinstate some of those backed out changes here is to make necessary +followup fixes to commit 8e03235147a9 simple cherry-picks from +mainline. A secondary reason is that ar -M support isn't fixed for +pr26945 without this patch. + + PR 26945 + * ar.c: Don't include libbfd.h. + (write_archive): Replace xmalloc+strcpy with xstrdup. + * arsup.c (temp_name, real_ofd): New static variables. + (ar_open): Use make_tempname and bfd_fdopenw. + (ar_save): Adjust to suit ar_open changes. + * objcopy.c: Don't include libbfd.h. + * rename.c: Rename and reorder variables. + +(cherry picked from commit 95b91a043aeaeb546d2fea556d84a2de1e917770) + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d3edaa91d4cf7202ec14342410194841e2f67f12] +CVE: CVE-2021-20197 +Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> +--- + binutils/ar.c | 4 +--- + binutils/arsup.c | 37 +++++++++++++++++++++++++------------ + binutils/objcopy.c | 1 - + binutils/rename.c | 6 +++--- + 5 files changed, 42 insertions(+), 19 deletions(-) + +diff --git a/binutils/ar.c b/binutils/ar.c +index 3a91708b51c..44df48c5c67 100644 +--- a/binutils/ar.c ++++ b/binutils/ar.c +@@ -25,7 +25,6 @@ + + #include "sysdep.h" + #include "bfd.h" +-#include "libbfd.h" + #include "libiberty.h" + #include "progress.h" + #include "getopt.h" +@@ -1255,8 +1254,7 @@ write_archive (bfd *iarch) + bfd *contents_head = iarch->archive_next; + int ofd = -1; + +- old_name = (char *) xmalloc (strlen (bfd_get_filename (iarch)) + 1); +- strcpy (old_name, bfd_get_filename (iarch)); ++ old_name = xstrdup (bfd_get_filename (iarch)); + 
new_name = make_tempname (old_name, &ofd); + + if (new_name == NULL) +diff --git a/binutils/arsup.c b/binutils/arsup.c +index 0a1f63f6456..f7ce8f0bc82 100644 +--- a/binutils/arsup.c ++++ b/binutils/arsup.c +@@ -42,6 +42,8 @@ extern int deterministic; + + static bfd *obfd; + static char *real_name; ++static char *temp_name; ++static int real_ofd; + static FILE *outfile; + + static void +@@ -149,27 +151,24 @@ maybequit (void) + void + ar_open (char *name, int t) + { +- char *tname; +- const char *bname = lbasename (name); +- real_name = name; ++ real_name = xstrdup (name); ++ temp_name = make_tempname (real_name, &real_ofd); + +- /* Prepend tmp- to the beginning, to avoid file-name clashes after +- truncation on filesystems with limited namespaces (DOS). */ +- if (asprintf (&tname, "%.*stmp-%s", (int) (bname - name), name, bname) == -1) ++ if (temp_name == NULL) + { +- fprintf (stderr, _("%s: Can't allocate memory for temp name (%s)\n"), ++ fprintf (stderr, _("%s: Can't open temporary file (%s)\n"), + program_name, strerror(errno)); + maybequit (); + return; + } + +- obfd = bfd_openw (tname, NULL); ++ obfd = bfd_fdopenw (temp_name, NULL, real_ofd); + + if (!obfd) + { + fprintf (stderr, + _("%s: Can't open output archive %s\n"), +- program_name, tname); ++ program_name, temp_name); + + maybequit (); + } +@@ -344,16 +343,30 @@ ar_save (void) + } + else + { +- char *ofilename = xstrdup (bfd_get_filename (obfd)); ++ struct stat target_stat; + + if (deterministic > 0) + obfd->flags |= BFD_DETERMINISTIC_OUTPUT; + + bfd_close (obfd); + +- smart_rename (ofilename, real_name, NULL); ++ if (stat (real_name, &target_stat) != 0) ++ { ++ /* The temp file created in ar_open has mode 0600 as per mkstemp. ++ Create the real empty output file here so smart_rename will ++ update the mode according to the process umask. 
*/ ++ obfd = bfd_openw (real_name, NULL); ++ if (obfd != NULL) ++ { ++ bfd_set_format (obfd, bfd_archive); ++ bfd_close (obfd); ++ } ++ } ++ ++ smart_rename (temp_name, real_name, NULL); + obfd = 0; +- free (ofilename); ++ free (temp_name); ++ free (real_name); + } + } + +diff --git a/binutils/objcopy.c b/binutils/objcopy.c +index 07a872b5a80..73aa8bc2514 100644 +--- a/binutils/objcopy.c ++++ b/binutils/objcopy.c +@@ -20,7 +20,6 @@ + + #include "sysdep.h" + #include "bfd.h" +-#include "libbfd.h" + #include "progress.h" + #include "getopt.h" + #include "libiberty.h" +diff --git a/binutils/rename.c b/binutils/rename.c +index f471b45fd3f..2ff092ee22b 100644 +--- a/binutils/rename.c ++++ b/binutils/rename.c +@@ -130,11 +130,11 @@ int + smart_rename (const char *from, const char *to, + struct stat *target_stat ATTRIBUTE_UNUSED) + { +- bfd_boolean exists; +- struct stat s; + int ret = 0; ++ struct stat to_stat; ++ bfd_boolean exists; + +- exists = lstat (to, &s) == 0; ++ exists = lstat (to, &to_stat) == 0; + + #if defined (_WIN32) && !defined (__CYGWIN32__) + /* Win32, unlike unix, will not erase `to' in `rename(from, to)' but +-- +2.31.1 + diff --git a/poky/meta/recipes-devtools/binutils/binutils/0003-CVE-2021-20197.patch b/poky/meta/recipes-devtools/binutils/binutils/0003-CVE-2021-20197.patch new file mode 100644 index 0000000000..082b28b29c --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0003-CVE-2021-20197.patch 
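Review bot: In the `ar_open` part of this backport, the `if (!obfd)` branch after `bfd_fdopenw (temp_name, NULL, real_ofd)` reports the error and calls `maybequit ()` but leaves the temporary file that `make_tempname` just created on disk next to the archive. Adding `unlink (temp_name);` in that branch would remove it; whether `bfd_fdopenw` closes `real_ofd` on failure is not visible here and should be confirmed. In `ar_save`, `free (temp_name); free (real_name);` leave the two file-scope pointers dangling, so I would follow them with `temp_name = NULL;` and `real_name = NULL;`. Both functions continue outside the lines shown in the patch.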
@@ -0,0 +1,171 @@ +From 8b69e61d4be276bb862698aaafddc3e779d23c8f Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Tue, 23 Feb 2021 09:37:39 +1030 +Subject: [PATCH] PR27456, lstat in rename.c on MinGW + + PR 27456 + * rename.c: Tidy throughout. + (smart_rename): Always copy. Remove windows specific code. + +(cherry picked from commit cca8873dd5a6015d5557ea44bc1ea9c252435a29) + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8b69e61d4be276bb862698aaafddc3e779d23c8f] +CVE: CVE-2021-20197 +Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> +--- + binutils/rename.c | 111 ++++++++++++++------------------------------- + 2 files changed, 40 insertions(+), 76 deletions(-) + +diff --git a/binutils/rename.c b/binutils/rename.c +index 2ff092ee22b..72a9323d72c 100644 +--- a/binutils/rename.c ++++ b/binutils/rename.c +@@ -24,14 +24,9 @@ + + #ifdef HAVE_GOOD_UTIME_H + #include <utime.h> +-#else /* ! HAVE_GOOD_UTIME_H */ +-#ifdef HAVE_UTIMES ++#elif defined HAVE_UTIMES + #include <sys/time.h> +-#endif /* HAVE_UTIMES */ +-#endif /* ! HAVE_GOOD_UTIME_H */ +- +-#if ! defined (_WIN32) || defined (__CYGWIN32__) +-static int simple_copy (const char *, const char *); ++#endif + + /* The number of bytes to copy at once. */ + #define COPY_BUF 8192 +@@ -82,7 +77,6 @@ simple_copy (const char *from, const char *to) + } + return 0; + } +-#endif /* __CYGWIN32__ or not _WIN32 */ + + /* Set the times of the file DESTINATION to be the same as those in + STATBUF. */ +@@ -91,87 +85,52 @@ void + set_times (const char *destination, const struct stat *statbuf) + { + int result; +- +- { + #ifdef HAVE_GOOD_UTIME_H +- struct utimbuf tb; +- +- tb.actime = statbuf->st_atime; +- tb.modtime = statbuf->st_mtime; +- result = utime (destination, &tb); +-#else /* ! 
HAVE_GOOD_UTIME_H */ +-#ifndef HAVE_UTIMES +- long tb[2]; +- +- tb[0] = statbuf->st_atime; +- tb[1] = statbuf->st_mtime; +- result = utime (destination, tb); +-#else /* HAVE_UTIMES */ +- struct timeval tv[2]; +- +- tv[0].tv_sec = statbuf->st_atime; +- tv[0].tv_usec = 0; +- tv[1].tv_sec = statbuf->st_mtime; +- tv[1].tv_usec = 0; +- result = utimes (destination, tv); +-#endif /* HAVE_UTIMES */ +-#endif /* ! HAVE_GOOD_UTIME_H */ +- } ++ struct utimbuf tb; ++ ++ tb.actime = statbuf->st_atime; ++ tb.modtime = statbuf->st_mtime; ++ result = utime (destination, &tb); ++#elif defined HAVE_UTIMES ++ struct timeval tv[2]; ++ ++ tv[0].tv_sec = statbuf->st_atime; ++ tv[0].tv_usec = 0; ++ tv[1].tv_sec = statbuf->st_mtime; ++ tv[1].tv_usec = 0; ++ result = utimes (destination, tv); ++#else ++ long tb[2]; ++ ++ tb[0] = statbuf->st_atime; ++ tb[1] = statbuf->st_mtime; ++ result = utime (destination, tb); ++#endif + + if (result != 0) + non_fatal (_("%s: cannot set time: %s"), destination, strerror (errno)); + } + +-/* Rename FROM to TO, copying if TO exists. TARGET_STAT has the file status +- that, if non-NULL, is used to fix up timestamps after rename. Return 0 if +- ok, -1 if error. */ ++/* Copy FROM to TO. TARGET_STAT has the file status that, if non-NULL, ++ is used to fix up timestamps. Return 0 if ok, -1 if error. ++ At one time this function renamed files, but file permissions are ++ tricky to update given the number of different schemes used by ++ various systems. So now we just copy. */ + + int + smart_rename (const char *from, const char *to, +- struct stat *target_stat ATTRIBUTE_UNUSED) ++ struct stat *target_stat) + { +- int ret = 0; +- struct stat to_stat; +- bfd_boolean exists; +- +- exists = lstat (to, &to_stat) == 0; +- +-#if defined (_WIN32) && !defined (__CYGWIN32__) +- /* Win32, unlike unix, will not erase `to' in `rename(from, to)' but +- fail instead. Also, chown is not present. 
*/ +- +- if (exists) +- remove (to); ++ int ret; + +- ret = rename (from, to); ++ ret = simple_copy (from, to); + if (ret != 0) +- { +- /* We have to clean up here. */ +- non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno)); +- unlink (from); +- } +-#else +- /* Avoid a full copy and use rename if TO does not exist. */ +- if (!exists) +- { +- if ((ret = rename (from, to)) != 0) +- { +- /* We have to clean up here. */ +- non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno)); +- unlink (from); +- } +- } +- else +- { +- ret = simple_copy (from, to); +- if (ret != 0) +- non_fatal (_("unable to copy file '%s'; reason: %s"), to, strerror (errno)); ++ non_fatal (_("unable to copy file '%s'; reason: %s"), ++ to, strerror (errno)); + +- if (target_stat != NULL) +- set_times (to, target_stat); +- unlink (from); +- } +-#endif /* _WIN32 && !__CYGWIN32__ */ ++ if (target_stat != NULL) ++ set_times (to, target_stat); ++ unlink (from); + + return ret; + } +-- +2.31.1 + diff --git a/poky/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c b/poky/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c index af7af524eb..9eb5ca807a 100644 --- a/poky/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c +++ b/poky/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c @@ -9,6 +9,7 @@ #include <argp.h> #include <stdio.h> +#include <stdlib.h> #include <dwarf.h> #include <elfutils/libdw.h> @@ -83,13 +84,15 @@ process_cu (Dwarf_Die *cu_die) int main (int argc, char **argv) { - char* args[3]; + char* args[5]; int res = 0; Dwfl *dwfl; Dwarf_Addr bias; - if (argc != 2) + if (argc != 2) { fprintf(stderr, "Usage %s <file>", argv[0]); + exit(EXIT_FAILURE); + } // Pretend "dwarfsrcfiles -e <file>" was given, so we can use standard // dwfl argp parser to open the file for us and get our Dwfl. Useful 
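Review bot: In the rewritten `smart_rename`, `set_times (to, target_stat)` still runs when `simple_copy` has failed, so a target that may be only partly written gets the original timestamps and can look untouched to tools that compare modification times. Guarding the call as `if (ret == 0 && target_stat != NULL)` limits the timestamp fix-up to successful copies. `unlink (from)` on the failure path also discards the only complete copy of the output, which is presumably intended as cleanup but deserves a sentence in the function comment. Most of `simple_copy` lies outside the hunk, so how much of `to` is written before a failure is inferred.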
@@ -98,8 +101,12 @@ main (int argc, char **argv) args[0] = argv[0]; args[1] = "-e"; args[2] = argv[1]; + // We don't want to follow debug linked files due to the way OE processes + // files, could race against changes in the linked binary (e.g. objcopy on it) + args[3] = "--debuginfo-path"; + args[4] = "/not/exist"; - argp_parse (dwfl_standard_argp (), 3, args, 0, NULL, &dwfl); + argp_parse (dwfl_standard_argp (), 5, args, 0, NULL, &dwfl); Dwarf_Die *cu = NULL; while ((cu = dwfl_nextcu (dwfl, cu, &bias)) != NULL) diff --git a/poky/meta/recipes-devtools/go/go-1.16.3.inc b/poky/meta/recipes-devtools/go/go-1.16.5.inc index ebd25a5eaa..bd928e44f8 100644 --- a/poky/meta/recipes-devtools/go/go-1.16.3.inc +++ b/poky/meta/recipes-devtools/go/go-1.16.5.inc @@ -1,7 +1,7 @@ require go-common.inc GO_BASEVERSION = "1.16" -PV = "1.16.3" +PV = "1.16.5" FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:" LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" @@ -17,4 +17,4 @@ SRC_URI += "\ file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \ " -SRC_URI[main.sha256sum] = "b298d29de9236ca47a023e382313bcc2d2eed31dfa706b60a04103ce83a71a25" +SRC_URI[main.sha256sum] = "7bfa7e5908c7cc9e75da5ddf3066d7cbcf3fd9fa51945851325eebc17f50ba80" diff --git a/poky/meta/recipes-devtools/go/go-binary-native_1.16.3.bb b/poky/meta/recipes-devtools/go/go-binary-native_1.16.5.bb index d01a2bd8f1..b3e2b6a60e 100644 --- a/poky/meta/recipes-devtools/go/go-binary-native_1.16.3.bb +++ b/poky/meta/recipes-devtools/go/go-binary-native_1.16.5.bb 
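Review bot: The argument count is now hard-coded twice, as `char* args[5]` in the previous hunk and as the literal `5` passed to `argp_parse` here, so the next option added has to update both or the parser is given a count that does not match the array. Passing `sizeof (args) / sizeof (args[0])` instead of `5` keeps the two in step. The `"/not/exist"` value also relies on that path never existing on the build host, and the comment above it could say so, e.g. `// "/not/exist" is a deliberately missing directory, so no separate debuginfo is looked up`. `main` continues outside the hunk.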
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" PROVIDES = "go-native" SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}" -SRC_URI[go_linux_amd64.sha256sum] = "951a3c7c6ce4e56ad883f97d9db74d3d6d80d5fec77455c6ada6c1f7ac4776d2" -SRC_URI[go_linux_arm64.sha256sum] = "566b1d6f17d2bc4ad5f81486f0df44f3088c3ed47a3bec4099d8ed9939e90d5d" +SRC_URI[go_linux_amd64.sha256sum] = "b12c23023b68de22f74c0524f10b753e7b08b1504cb7e417eccebdd3fae49061" +SRC_URI[go_linux_arm64.sha256sum] = "d5446b46ef6f36fdffa852f73dfbbe78c1ddf010b99fa4964944b9ae8b4d6799" UPSTREAM_CHECK_URI = "https://golang.org/dl/" UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux" diff --git a/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.3.bb b/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.5.bb index 7ac9449e47..7ac9449e47 100644 --- a/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.3.bb +++ b/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.5.bb diff --git a/poky/meta/recipes-devtools/go/go-cross_1.16.3.bb b/poky/meta/recipes-devtools/go/go-cross_1.16.5.bb index 80b5a03f6c..80b5a03f6c 100644 --- a/poky/meta/recipes-devtools/go/go-cross_1.16.3.bb +++ b/poky/meta/recipes-devtools/go/go-cross_1.16.5.bb diff --git a/poky/meta/recipes-devtools/go/go-crosssdk_1.16.3.bb b/poky/meta/recipes-devtools/go/go-crosssdk_1.16.5.bb index 1857c8a577..1857c8a577 100644 --- a/poky/meta/recipes-devtools/go/go-crosssdk_1.16.3.bb +++ b/poky/meta/recipes-devtools/go/go-crosssdk_1.16.5.bb diff --git a/poky/meta/recipes-devtools/go/go-native_1.16.3.bb b/poky/meta/recipes-devtools/go/go-native_1.16.5.bb index f14892cdb0..f14892cdb0 100644 --- a/poky/meta/recipes-devtools/go/go-native_1.16.3.bb +++ b/poky/meta/recipes-devtools/go/go-native_1.16.5.bb diff --git a/poky/meta/recipes-devtools/go/go-runtime_1.16.3.bb b/poky/meta/recipes-devtools/go/go-runtime_1.16.5.bb index 63464a1501..63464a1501 100644 
--- a/poky/meta/recipes-devtools/go/go-runtime_1.16.3.bb +++ b/poky/meta/recipes-devtools/go/go-runtime_1.16.5.bb diff --git a/poky/meta/recipes-devtools/go/go_1.16.3.bb b/poky/meta/recipes-devtools/go/go_1.16.5.bb index 4e9e0ebec8..4e9e0ebec8 100644 --- a/poky/meta/recipes-devtools/go/go_1.16.3.bb +++ b/poky/meta/recipes-devtools/go/go_1.16.5.bb diff --git a/poky/meta/recipes-devtools/perl/perl_5.32.1.bb b/poky/meta/recipes-devtools/perl/perl_5.32.1.bb index b28040c7fb..f8893af3e2 100644 --- a/poky/meta/recipes-devtools/perl/perl_5.32.1.bb +++ b/poky/meta/recipes-devtools/perl/perl_5.32.1.bb @@ -62,6 +62,8 @@ do_configure_class-target() { -Dsoname=libperl.so.5 \ -Dvendorprefix=${prefix} \ -Darchlibexp=${STAGING_LIBDIR}/perl5/${PV}/${TARGET_ARCH}-linux \ + -Dlibpth='${libdir} ${base_libdir}' \ + -Dglibpth='${libdir} ${base_libdir}' \ ${PACKAGECONFIG_CONFARGS} #perl.c uses an ARCHLIB_EXP define to generate compile-time code that diff --git a/poky/meta/recipes-extended/perl/libconvert-asn1-perl/CVE-2013-7488.patch b/poky/meta/recipes-extended/perl/libconvert-asn1-perl/CVE-2013-7488.patch new file mode 100644 index 0000000000..d0aca65393 --- /dev/null +++ b/poky/meta/recipes-extended/perl/libconvert-asn1-perl/CVE-2013-7488.patch 
@@ -0,0 +1,35 @@ +From 8070c6a4931801b6550c79c5766dfd3a99976036 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Thu, 8 Jul 2021 14:48:36 +0800 +Subject: [PATCH] Merge pull request #15 from danaj/danaj/unsafe-decoding + +Upstream-Status: Backport[https://github.com/gbarr/perl-Convert-ASN1/commit/108e784417db7893f348c381c837537c3bd39373] +CVE: CVE-2013-7488 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + lib/Convert/ASN1/_decode.pm | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/Convert/ASN1/_decode.pm b/lib/Convert/ASN1/_decode.pm +index cd173f9..495e1bf 100644 +--- a/lib/Convert/ASN1/_decode.pm ++++ b/lib/Convert/ASN1/_decode.pm +@@ -683,12 +683,14 @@ sub _scan_indef { + $pos += 2; + next; + } ++ return if $pos >= $end; + + my $tag = substr($_[0], $pos++, 1); + + if((unpack("C",$tag) & 0x1f) == 0x1f) { + my $b; + do { ++ return if $pos >= $end; + $tag .= substr($_[0],$pos++,1); + $b = ord substr($tag,-1); + } while($b & 0x80); +-- +2.17.1 + diff --git a/poky/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb b/poky/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb index 409a8f3896..8ec96860ad 100644 --- a/poky/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb +++ b/poky/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb @@ -5,7 +5,8 @@ DESCRIPTION = "Convert::ASN1 is a perl library for encoding/decoding data using LICENSE = "Artistic-1.0 | GPL-1.0+" LIC_FILES_CHKSUM = "file://README.md;beginline=91;endline=97;md5=ceff7fd286eb6d8e8e0d3d23e096a63f" -SRC_URI = "http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/Convert-ASN1-${PV}.tar.gz" +SRC_URI = "http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/Convert-ASN1-${PV}.tar.gz \ + file://CVE-2013-7488.patch" SRC_URI[md5sum] = "68723e96be0b258a9e20480276e8a62c" SRC_URI[sha256sum] = "74a4a78ae0c5e973100ac0a8f203a110f76fb047b79dae4fc1fd7d6814d3d58a" 
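Review bot: The patch header does not say what the two added `return if $pos >= $end;` checks in `_scan_indef` protect against, and its `Upstream-Status:` line is written `Backport[https://…]` without the space that the other backports in this commit use. I would write it as `Upstream-Status: Backport [https://github.com/gbarr/perl-Convert-ASN1/commit/108e784417db7893f348c381c837537c3bd39373]` and add one sentence of description, for example that scanning stops when the tag bytes would run past the end of the buffer. Both checks use a bare `return`, so callers of `_scan_indef` have to treat an undefined result as a decode failure; those callers are outside the hunk and should be confirmed. No test for truncated input is visible in the patch.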
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch new file mode 100644 index 0000000000..4c9cb0ebb2 --- /dev/null +++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch @@ -0,0 +1,46 @@ +From 836f93de99b35050d78d61d3654f7c5655184144 Mon Sep 17 00:00:00 2001 +From: Fabrice Fontaine <fontaine.fabrice@gmail.com> +Date: Fri, 19 Apr 2019 10:19:50 +0200 +Subject: [PATCH] hw/xwayland/Makefile.am: fix build without glx + +Commit d8ec33fe0542141aed1d9016d2ecaf52da944b4b added libglxvnd.la to +Xwayland_LDFLAGS but GLX can be disabled through --disable-glx. +In this case, build fails on: + +make[3]: *** No rule to make target '../../glx/libglxvnd.la', needed by 'Xwayland'. Stop. +make[3]: *** Waiting for unfinished jobs.... + +Fixes: + - http://autobuild.buildroot.org/results/397f8098c57fc6c88aa12dc8d35ebb1b933d52ef + +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/836f93de99b35050d78d61d3654f7c5655184144] +Signed-off-by: Wadim Egorov <w.egorov@phytec.de> +--- + hw/xwayland/Makefile.am | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/hw/xwayland/Makefile.am b/hw/xwayland/Makefile.am +index bc1cb8506..502879e2a 100644 +--- a/hw/xwayland/Makefile.am ++++ b/hw/xwayland/Makefile.am +@@ -21,10 +21,14 @@ Xwayland_SOURCES = \ + $(top_srcdir)/Xi/stubs.c \ + $(top_srcdir)/mi/miinitext.c + ++if GLX ++GLXVND_LIB = $(top_builddir)/glx/libglxvnd.la ++endif ++ + Xwayland_LDADD = \ + $(glamor_lib) \ + $(XWAYLAND_LIBS) \ +- $(top_builddir)/glx/libglxvnd.la \ ++ $(GLXVND_LIB) \ + $(XWAYLAND_SYS_LIBS) \ + $(top_builddir)/Xext/libXvidmode.la \ + $(XSERVER_SYS_LIBS) +-- +2.25.1 + 
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb index 755a762a73..e0551fa999 100644 --- a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb +++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb @@ -8,6 +8,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \ file://0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch \ file://CVE-2021-3472.patch \ + file://0001-hw-xwayland-Makefile.am-fix-build-without-glx.patch \ " SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99" diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb index ed6e78175a..26091fba70 100644 --- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb +++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb @@ -229,6 +229,7 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \ ${PN}-sd8887 ${PN}-sd8897 ${PN}-sd8997 ${PN}-usb8997 \ ${PN}-ti-connectivity-license ${PN}-wlcommon ${PN}-wl12xx ${PN}-wl18xx \ ${PN}-vt6656-license ${PN}-vt6656 \ + ${PN}-rs9113 ${PN}-rs9116 \ ${PN}-rtl-license ${PN}-rtl8188 ${PN}-rtl8192cu ${PN}-rtl8192ce ${PN}-rtl8192su ${PN}-rtl8723 ${PN}-rtl8821 \ ${PN}-rtl8168 \ ${PN}-cypress-license \ 
@@ -529,6 +530,16 @@ RDEPENDS_${PN}-nvidia-gpu += "${PN}-nvidia-license" RDEPENDS_${PN}-nvidia-tegra += "${PN}-nvidia-license" RDEPENDS_${PN}-nvidia-tegra-k1 += "${PN}-nvidia-license" +# For RSI RS911x WiFi +LICENSE_${PN}-rs9113 = "WHENCE" +LICENSE_${PN}-rs9116 = "WHENCE" + +FILES_${PN}-rs9113 = " ${nonarch_base_libdir}/firmware/rsi/rs9113*.rps " +FILES_${PN}-rs9116 = " ${nonarch_base_libdir}/firmware/rsi/rs9116*.rps " + +RDEPENDS_${PN}-rs9113 += "${PN}-whence-license" +RDEPENDS_${PN}-rs9116 += "${PN}-whence-license" + # For rtl LICENSE_${PN}-rtl8188 = "Firmware-rtlwifi_firmware" LICENSE_${PN}-rtl8192cu = "Firmware-rtlwifi_firmware" diff --git a/poky/meta/recipes-kernel/linux/kernel-devsrc.bb b/poky/meta/recipes-kernel/linux/kernel-devsrc.bb index 84e99233e6..92076ac8b0 100644 --- a/poky/meta/recipes-kernel/linux/kernel-devsrc.bb +++ b/poky/meta/recipes-kernel/linux/kernel-devsrc.bb @@ -112,6 +112,9 @@ do_install() { if [ "${ARCH}" = "arm64" ]; then cp -a --parents arch/arm64/kernel/vdso/vdso.lds $kerneldir/build/ fi + if [ "${ARCH}" = "powerpc" ]; then + cp -a --parents arch/powerpc/kernel/vdso32/vdso32.lds $kerneldir/build 2>/dev/null || : + fi cp -a include $kerneldir/build/include @@ -163,6 +166,14 @@ do_install() { cp -a --parents arch/arm64/kernel/vdso/gen_vdso_offsets.sh $kerneldir/build/ cp -a --parents arch/arm64/kernel/module.lds $kerneldir/build/ 2>/dev/null || : + + # 5.13+ needs these tools + cp -a --parents arch/arm64/tools/gen-cpucaps.awk $kerneldir/build/ 2>/dev/null || : + cp -a --parents arch/arm64/tools/cpucaps $kerneldir/build/ 2>/dev/null || : + + if [ -e $kerneldir/build/arch/arm64/tools/gen-cpucaps.awk ]; then + sed -i -e "s,#!.*awk.*,#!${USRBINPATH}/env awk," $kerneldir/build/arch/arm64/tools/gen-cpucaps.awk + fi fi if [ "${ARCH}" = "powerpc" ]; then 
@@ -170,6 +181,7 @@ do_install() { cp -a --parents arch/${ARCH}/kernel/syscalls/syscall.tbl $kerneldir/build/ 2>/dev/null || : cp -a --parents arch/${ARCH}/kernel/syscalls/syscalltbl.sh $kerneldir/build/ 2>/dev/null || : cp -a --parents arch/${ARCH}/kernel/syscalls/syscallhdr.sh $kerneldir/build/ 2>/dev/null || : + cp -a --parents arch/${ARCH}/kernel/vdso32/* $kerneldir/build/ 2>/dev/null || : fi # include the machine specific headers for ARM variants, if available. @@ -273,7 +285,11 @@ do_install() { sed -i 's/ifneq "$(LD)" ".*-linux-.*ld.bfd.*$/ifneq "$(LD)" "ld"/' "$kerneldir/build/include/config/auto.conf.cmd" sed -i 's/ifneq "$(AR)" ".*-linux-.*ar.*$/ifneq "$(AR)" "ar"/' "$kerneldir/build/include/config/auto.conf.cmd" sed -i 's/ifneq "$(OBJCOPY)" ".*-linux-.*objcopy.*$/ifneq "$(OBJCOPY)" "objcopy"/' "$kerneldir/build/include/config/auto.conf.cmd" - sed -i 's/ifneq "$(NM)" ".*-linux-.*nm.*$/ifneq "$(NM)" "nm"/' "$kerneldir/build/include/config/auto.conf.cmd" + if [ "${ARCH}" = "powerpc" ]; then + sed -i 's/ifneq "$(NM)" ".*-linux-.*nm.*$/ifneq "$(NM)" "nm --synthetic"/' "$kerneldir/build/include/config/auto.conf.cmd" + else + sed -i 's/ifneq "$(NM)" ".*-linux-.*nm.*$/ifneq "$(NM)" "nm"/' "$kerneldir/build/include/config/auto.conf.cmd" + fi sed -i 's/ifneq "$(HOSTCXX)" ".*$/ifneq "$(HOSTCXX)" "g++"/' "$kerneldir/build/include/config/auto.conf.cmd" sed -i 's/ifneq "$(HOSTCC)" ".*$/ifneq "$(HOSTCC)" "gcc"/' "$kerneldir/build/include/config/auto.conf.cmd" sed -i 's/ifneq "$(CC_VERSION_TEXT)".*\(gcc.*\)"/ifneq "$(CC_VERSION_TEXT)" "\1"/' "$kerneldir/build/include/config/auto.conf.cmd" @@ -307,3 +323,7 @@ RDEPENDS_${PN} += "openssl-dev util-linux" RDEPENDS_${PN} += "${@bb.utils.contains('ARCH', 'x86', 'elfutils', '', d)}" # 5.8+ needs gcc-plugins libmpc-dev RDEPENDS_${PN} += "gcc-plugins libmpc-dev" +# 5.13+ needs awk for arm64 +RDEPENDS_${PN}_append_aarch64 = " gawk" +# 5.13+ needs grep for powerpc +RDEPENDS_${PN}_append_powerpc = " grep" 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb index f511f233b6..e0d8280128 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "4a59bc57b2be77da9394b10eb37067da7d63b7a4" -SRCREV_meta ?= "b969f83647833d21d8826c4667492f58895213c3" +SRCREV_machine ?= "42032770803ba26765376967cef09945f48abe04" +SRCREV_meta ?= "82899c6a7119b9668be9ae508159f5ac96554cc2" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.10.46" +LINUX_VERSION ?= "5.10.47" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb index 3e97058f68..7a4267531f 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "f3ac47f313e4ce608b3567c006f61d1d8b820ae2" -SRCREV_meta ?= "78949176d073f5cf04c9e0c4be699e39528f2880" +SRCREV_machine ?= "c86c4081f4764f57bbb26df8a9202c01799c3771" +SRCREV_meta ?= "c5e5dc4e13bd4882a8ed96b8026e6fd268b68f8a" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.4.128" +LINUX_VERSION ?= "5.4.129" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb index f5ade2992c..6b71573a39 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb @@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.10.46" +LINUX_VERSION ?= "5.10.47" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine_qemuarm ?= "dd1f9602f3e4e9dc177421ba12ce073ad2099a58" -SRCREV_machine ?= "139fe7d68413054f850e206ab749f97a968867a8" -SRCREV_meta ?= "b969f83647833d21d8826c4667492f58895213c3" +SRCREV_machine_qemuarm ?= "eaad1adbc817d996edf44fdd520da4810e57e66d" +SRCREV_machine ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" +SRCREV_meta ?= "82899c6a7119b9668be9ae508159f5ac96554cc2" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb index 2eb5ebdbbd..5d487ac23f 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb @@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.4.128" +LINUX_VERSION ?= "5.4.129" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" 
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine_qemuarm ?= "987d6fd6c916297cde5cc7e988c28ef1e458f1cf" -SRCREV_machine ?= "befa5fba9b9f972f68acc891f2ca143d6b3e4011" -SRCREV_meta ?= "78949176d073f5cf04c9e0c4be699e39528f2880" +SRCREV_machine_qemuarm ?= "ca636d1a2ccbb2626c4eacbdb0da2c30654b108c" +SRCREV_machine ?= "d46f8ecb3f81bdba8131b90dc90174ecb36a1b78" +SRCREV_meta ?= "c5e5dc4e13bd4882a8ed96b8026e6fd268b68f8a" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb index dd4aef7f89..0315808989 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb 
@@ -13,17 +13,17 @@ KBRANCH_qemux86 ?= "v5.10/standard/base" KBRANCH_qemux86-64 ?= "v5.10/standard/base" KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64" -SRCREV_machine_qemuarm ?= "17e89ca08f67fdcbaf0a3ae4c429602f76463923" -SRCREV_machine_qemuarm64 ?= "139fe7d68413054f850e206ab749f97a968867a8" -SRCREV_machine_qemumips ?= "bdcaaee7b7ce0e865670a2cee55b1974eb67357b" -SRCREV_machine_qemuppc ?= "139fe7d68413054f850e206ab749f97a968867a8" -SRCREV_machine_qemuriscv64 ?= "139fe7d68413054f850e206ab749f97a968867a8" -SRCREV_machine_qemuriscv32 ?= "139fe7d68413054f850e206ab749f97a968867a8" -SRCREV_machine_qemux86 ?= "139fe7d68413054f850e206ab749f97a968867a8" -SRCREV_machine_qemux86-64 ?= "139fe7d68413054f850e206ab749f97a968867a8" -SRCREV_machine_qemumips64 ?= "2f11a726a60ad9e8a48de6bc2101a993b461e8d1" -SRCREV_machine ?= "139fe7d68413054f850e206ab749f97a968867a8" -SRCREV_meta ?= "b969f83647833d21d8826c4667492f58895213c3" +SRCREV_machine_qemuarm ?= "8950bba5dc5b6139af3711cf82b6c35ea3ef873f" +SRCREV_machine_qemuarm64 ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" +SRCREV_machine_qemumips ?= "271e6f3b206246da2937788d83c3b4e57cb33da0" +SRCREV_machine_qemuppc ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" +SRCREV_machine_qemuriscv64 ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" +SRCREV_machine_qemuriscv32 ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" +SRCREV_machine_qemux86 ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" +SRCREV_machine_qemux86-64 ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" +SRCREV_machine_qemumips64 ?= "1112c8f8594df02dd6f2bd1cf13848536ca3f536" +SRCREV_machine ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" +SRCREV_meta ?= "82899c6a7119b9668be9ae508159f5ac96554cc2" # remap qemuarm to qemuarma15 for the 5.8 kernel # KMACHINE_qemuarm ?= "qemuarma15" 
@@ -32,7 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "5.10.46" +LINUX_VERSION ?= "5.10.47" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb index 5a7e9f0a35..94605b3942 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb 
@@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base" KBRANCH_qemux86-64 ?= "v5.4/standard/base" KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64" -SRCREV_machine_qemuarm ?= "69874edb0838e4d26002a8d30e14a5e1b355e397" -SRCREV_machine_qemuarm64 ?= "befa5fba9b9f972f68acc891f2ca143d6b3e4011" -SRCREV_machine_qemumips ?= "1bfafb3ce048d4a30aca35e847168855980f5dbc" -SRCREV_machine_qemuppc ?= "befa5fba9b9f972f68acc891f2ca143d6b3e4011" -SRCREV_machine_qemuriscv64 ?= "befa5fba9b9f972f68acc891f2ca143d6b3e4011" -SRCREV_machine_qemux86 ?= "befa5fba9b9f972f68acc891f2ca143d6b3e4011" -SRCREV_machine_qemux86-64 ?= "befa5fba9b9f972f68acc891f2ca143d6b3e4011" -SRCREV_machine_qemumips64 ?= "2a0ea1bced3f4b8ebebb19debc19b7930a4924a8" -SRCREV_machine ?= "befa5fba9b9f972f68acc891f2ca143d6b3e4011" -SRCREV_meta ?= "78949176d073f5cf04c9e0c4be699e39528f2880" +SRCREV_machine_qemuarm ?= "dfb964733268c1e6f932900a384a793a0ca8de34" +SRCREV_machine_qemuarm64 ?= "7d3eac73a6edc8fdcd701bbb0aa8c21030eb2027" +SRCREV_machine_qemumips ?= "a40b68f2f4be601dfe020940ad29ac894cc31298" +SRCREV_machine_qemuppc ?= "a3258c8b1690ecfa620eae9552a75cec9224ecd4" +SRCREV_machine_qemuriscv64 ?= "e211c039dcd85ad2d4c1f1a70909d0eefef49778" +SRCREV_machine_qemux86 ?= "e211c039dcd85ad2d4c1f1a70909d0eefef49778" +SRCREV_machine_qemux86-64 ?= "e211c039dcd85ad2d4c1f1a70909d0eefef49778" +SRCREV_machine_qemumips64 ?= "dded4f6e58cd90c7333b5257c9327e5e30f78e26" +SRCREV_machine ?= "e211c039dcd85ad2d4c1f1a70909d0eefef49778" +SRCREV_meta ?= "c5e5dc4e13bd4882a8ed96b8026e6fd268b68f8a" # remap qemuarm to qemuarma15 for the 5.4 kernel # KMACHINE_qemuarm ?= "qemuarma15" 
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" -LINUX_VERSION ?= "5.4.128" +LINUX_VERSION ?= "5.4.129" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/poky/meta/recipes-sato/rxvt-unicode/rxvt-unicode/rxvt-unicode-fix-CVE-2021-33477.patch b/poky/meta/recipes-sato/rxvt-unicode/rxvt-unicode/rxvt-unicode-fix-CVE-2021-33477.patch new file mode 100644 index 0000000000..6c3590c311 --- /dev/null +++ b/poky/meta/recipes-sato/rxvt-unicode/rxvt-unicode/rxvt-unicode-fix-CVE-2021-33477.patch @@ -0,0 +1,33 @@ +Backport patch to fix CVE-2021-33477. + +CVE: CVE-2021-33477 + +Upstream-Status: Backport [http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583] + +Signed-off-by: Kai Kang <kai.kang@windriver.com> +--- + src/command.C | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/command.C b/src/command.C +index 7b79f51..2f7de60 100644 +--- a/src/command.C ++++ b/src/command.C +@@ -2725,7 +2725,7 @@ rxvt_term::process_escape_seq () + /* kidnapped escape sequence: Should be 8.3.48 */ + case C1_ESA: /* ESC G */ + // used by original rxvt for rob nations own graphics mode +- if (cmd_getc () == 'Q') ++ if (cmd_getc () == 'Q' && option (Opt_insecure)) + tt_printf ("\033G0\012"); /* query graphics - no graphics */ + break; + +@@ -2944,7 +2944,7 @@ rxvt_term::process_csi_seq () + break; + + case CSI_CUB: /* 8.3.18: (1) CURSOR LEFT */ +- case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */ ++ case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */ + #ifdef ISO6429 + arg[0] = -arg[0]; + #else /* emulate common DEC VTs */ 
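Review bot: The header of rxvt-unicode-fix-CVE-2021-33477.patch says only "Backport patch to fix CVE-2021-33477" and never states what the flaw is or why the fix is a gate on `option (Opt_insecure)`. From its first inner hunk in `process_escape_seq`, the ESC G Q query makes the terminal answer with `tt_printf ("\033G0\012")`, a reply that ends in a line feed and presumably reaches the child as if it had been typed. After the patch that reply is sent only when the insecure option is set. I would add one sentence to the header, for example `The ESC G 'Q' graphics query is answered with a string ending in a newline; answer it only when the insecure option is enabled.` The second inner hunk, on the `case CSI_HPB:` line, appears to change whitespace only and is not part of the fix, which is worth stating in the header too.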
diff --git a/poky/meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.22.bb b/poky/meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.22.bb index 283e8d7751..dee549cc78 100644 --- a/poky/meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.22.bb +++ b/poky/meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.22.bb @@ -4,7 +4,9 @@ LICENSE = "GPLv3" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \ file://src/main.C;beginline=1;endline=31;md5=d3600d7ee1062667fcd1193fbe6485f6" -SRC_URI += "file://0001-libev-remove-deprecated-throw-specification.patch" +SRC_URI += "file://0001-libev-remove-deprecated-throw-specification.patch \ + file://rxvt-unicode-fix-CVE-2021-33477.patch \ + " SRC_URI[sha256sum] = "e94628e9bcfa0adb1115d83649f898d6edb4baced44f5d5b769c2eeb8b95addd" diff --git a/poky/meta/recipes-support/boost/boost-build-native_4.3.0.bb b/poky/meta/recipes-support/boost/boost-build-native_4.3.0.bb index 19e991e65f..00f3a86dd6 100644 --- a/poky/meta/recipes-support/boost/boost-build-native_4.3.0.bb +++ b/poky/meta/recipes-support/boost/boost-build-native_4.3.0.bb @@ -20,7 +20,7 @@ do_compile() { } do_install() { - ./b2 install --prefix=${prefix} staging-prefix=${D}${prefix} + HOME=/var/run ./b2 install --prefix=${prefix} staging-prefix=${D}${prefix} } # The build is either release mode (pre-stripped) or debug (-O0). diff --git a/poky/meta/recipes-support/curl/curl/CVE-2021-22897.patch b/poky/meta/recipes-support/curl/curl/CVE-2021-22897.patch new file mode 100644 index 0000000000..fcd11b7674 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2021-22897.patch 
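Review bot: `HOME=/var/run ./b2 install ...` in do_install of boost-build-native_4.3.0.bb has no comment saying why HOME is overridden, and it points at a host directory outside the build tree. b2 presumably consults HOME for user configuration, so the intent looks like keeping the build user's home out of the install step. If so, a directory the recipe owns makes that explicit and does not depend on what the host keeps under /var/run, e.g. `HOME=${WORKDIR} ./b2 install --prefix=${prefix} staging-prefix=${D}${prefix}`. Either way, add a line above it such as `# b2 looks in $HOME for configuration; point it away from the build user's home`. The body of do_compile is not visible in the hunk, so whether it needs the same override cannot be judged from here.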
@@ -0,0 +1,72 @@ +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 23 Apr 2021 10:54:10 +0200 +Subject: [PATCH] schannel: don't use static to store selected ciphers + +CVE-2021-22897 + +Bug: https://curl.se/docs/CVE-2021-22897.html + +Upstream-Status: Backport +[https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511] + +CVE: CVE-2021-22897 + +Signed-off-by: Daniel Stenberg <daniel@haxx.se> +Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> +--- + lib/vtls/schannel.c | 9 +++++---- + lib/vtls/schannel.h | 3 +++ + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index 8c25ac5dd5a5..dba7072273a9 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -328,12 +328,12 @@ get_alg_id_by_name(char *name) + } + + static CURLcode +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers) ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, ++ int *algIds) + { + char *startCur = ciphers; + int algCount = 0; +- static ALG_ID algIds[45]; /*There are 45 listed in the MS headers*/ +- while(startCur && (0 != *startCur) && (algCount < 45)) { ++ while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS)) { + long alg = strtol(startCur, 0, 0); + if(!alg) + alg = get_alg_id_by_name(startCur); +@@ -593,7 +593,8 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, + } + + if(SSL_CONN_CONFIG(cipher_list)) { +- result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list)); ++ result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list), ++ BACKEND->algIds); + if(CURLE_OK != result) { + failf(data, "Unable to set ciphers to passed via SSL_CONN_CONFIG"); + return result; +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h +index 2952caa1a5a1..77853aa30f96 100644 +--- a/lib/vtls/schannel.h ++++ b/lib/vtls/schannel.h +@@ -71,6 +71,8 
@@ CURLcode Curl_verify_certificate(struct Curl_easy *data, + #endif + #endif + ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers */ ++ + struct Curl_schannel_cred { + CredHandle cred_handle; + TimeStamp time_stamp; +@@ -102,6 +104,7 @@ struct ssl_backend_data { + #ifdef HAS_MANUAL_VERIFY_API + bool use_manual_cred_validation; /* true if manual cred validation is used */ + #endif ++ ALG_ID algIds[NUMOF_CIPHERS]; + }; + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */ + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2021-22898.patch b/poky/meta/recipes-support/curl/curl/CVE-2021-22898.patch new file mode 100644 index 0000000000..1a9cd7289e --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2021-22898.patch @@ -0,0 +1,32 @@ +From 39ce47f219b09c380b81f89fe54ac586c8db6bde Mon Sep 17 00:00:00 2001 +From: Harry Sintonen <sintonen@iki.fi> +Date: Fri, 7 May 2021 13:09:57 +0200 +Subject: [PATCH] telnet: check sscanf() for correct number of matches + +CVE-2021-22898 + +Bug: https://curl.se/docs/CVE-2021-22898.html + +Upstream-Status: Backport [https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde] + +CVE: CVE-2021-22898 + +Signed-off-by: Harry Sintonen <sintonen@iki.fi> +Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> +--- + lib/telnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index 26e0658ba9cc..fdd137fb0c04 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -922,7 +922,7 @@ static void suboption(struct Curl_easy *data) + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) { ++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { + msnprintf((char *)&temp[len], sizeof(temp) - len, + "%c%s%c%s", CURL_NEW_ENV_VAR, varname, + CURL_NEW_ENV_VALUE, varval); 
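Review bot: In the schannel.c change carried by CVE-2021-22897.patch, `set_ssl_ciphers` now takes `int *algIds`, while the array it receives is declared `ALG_ID algIds[NUMOF_CIPHERS]` in `struct ssl_backend_data`. The call passing `BACKEND->algIds` therefore hands an `ALG_ID *` to an `int *` parameter; declaring the parameter as `ALG_ID *algIds` would match the removed `static ALG_ID algIds[45]`. Because the patch mirrors the upstream commit named in its header, this is better picked up from upstream than edited locally. Separately, Schannel is the Windows TLS backend, so this code is presumably not compiled for the targets this recipe builds. If that holds, the header should say the patch is carried for CVE tracking only, or the CVE could be covered by a commented `CVE_CHECK_WHITELIST` entry instead.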
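Review bot: The `== 2` check added to `sscanf` in CVE-2021-22898.patch rejects entries that do not parse into both fields, but the size guard just above still uses `tmplen = (strlen(v->data) + 1)` while each conversion is capped at 127 characters. For an entry whose name or value exceeds that cap, fewer bytes are formatted into `temp` than `tmplen` accounts for. If the code after the hunk advances `len` by `tmplen` (not visible here), part of `temp` would be sent without ever having been written. I would advance `len` by the count `msnprintf` returns rather than by `tmplen`, or take a later upstream fix for this function if one exists. `suboption()` starts and ends outside the hunk.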
diff --git a/poky/meta/recipes-support/curl/curl_7.75.0.bb b/poky/meta/recipes-support/curl/curl_7.75.0.bb index f7a8202bc9..42be2eb0b5 100644 --- a/poky/meta/recipes-support/curl/curl_7.75.0.bb +++ b/poky/meta/recipes-support/curl/curl_7.75.0.bb @@ -15,6 +15,8 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://0002-transfer-strip-credentials-from-the-auto-referer-hea.patch \ file://vtls-fix-addsessionid.patch \ file://vtls-fix-warning.patch \ + file://CVE-2021-22898.patch \ + file://CVE-2021-22897.patch \ " SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026" diff --git a/poky/scripts/lib/devtool/deploy.py b/poky/scripts/lib/devtool/deploy.py index e5af2c95ae..833322571f 100644 --- a/poky/scripts/lib/devtool/deploy.py +++ b/poky/scripts/lib/devtool/deploy.py @@ -168,7 +168,7 @@ def deploy(args, config, basepath, workspace): if args.strip and not args.dry_run: # Fakeroot copy to new destination srcdir = recipe_outdir - recipe_outdir = os.path.join(rd.getVar('WORKDIR'), 'deploy-target-stripped') + recipe_outdir = os.path.join(rd.getVar('WORKDIR'), 'devtool-deploy-target-stripped') if os.path.isdir(recipe_outdir): bb.utils.remove(recipe_outdir, True) exec_fakeroot(rd, "cp -af %s %s" % (os.path.join(srcdir, '.'), recipe_outdir), shell=True) diff --git a/poky/scripts/runqemu b/poky/scripts/runqemu index edd17d09c4..c985f4e75a 100755 --- a/poky/scripts/runqemu +++ b/poky/scripts/runqemu 
@@ -232,9 +232,12 @@ class BaseConfig(object): def release_taplock(self): if self.taplock_descriptor: logger.debug("Releasing lockfile for tap device '%s'" % self.tap) - fcntl.flock(self.taplock_descriptor, fcntl.LOCK_UN) + # We pass the fd to the qemu process and if we unlock here, it would unlock for + # that too. Therefore don't unlock, just close + # fcntl.flock(self.taplock_descriptor, fcntl.LOCK_UN) self.taplock_descriptor.close() - os.remove(self.taplock) + # Removing the file is a potential race, don't do that either + # os.remove(self.taplock) self.taplock_descriptor = None def check_free_port(self, host, port, lockdir): @@ -272,17 +275,23 @@ class BaseConfig(object): def release_portlock(self, lockfile=None): if lockfile != None: - logger.debug("Releasing lockfile '%s'" % lockfile) - fcntl.flock(self.portlocks[lockfile], fcntl.LOCK_UN) - self.portlocks[lockfile].close() - os.remove(lockfile) - del self.portlocks[lockfile] + logger.debug("Releasing lockfile '%s'" % lockfile) + # We pass the fd to the qemu process and if we unlock here, it would unlock for + # that too. Therefore don't unlock, just close + # fcntl.flock(self.portlocks[lockfile], fcntl.LOCK_UN) + self.portlocks[lockfile].close() + # Removing the file is a potential race, don't do that either + # os.remove(lockfile) + del self.portlocks[lockfile] elif len(self.portlocks): for lockfile, descriptor in self.portlocks.items(): logger.debug("Releasing lockfile '%s'" % lockfile) - fcntl.flock(descriptor, fcntl.LOCK_UN) + # We pass the fd to the qemu process and if we unlock here, it would unlock for + # that too. Therefore don't unlock, just close + # fcntl.flock(descriptor, fcntl.LOCK_UN) descriptor.close() - os.remove(lockfile) + # Removing the file is a potential race, don't do that either + # os.remove(lockfile) self.portlocks = {} def get(self, key): |
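Review bot: The commented-out calls left in `release_taplock` (`# fcntl.flock(self.taplock_descriptor, fcntl.LOCK_UN)` and `# os.remove(self.taplock)`) should be deleted, keeping only the explanation; the same applies to both branches of `release_portlock` in the next hunk. Dead code beside a live `close()` invites someone to re-enable the unlock later. A single comment would do, e.g. `# Close only: qemu inherits this fd, so LOCK_UN here would release its lock too; the file stays because unlinking it races with another runqemu.` Since the lock files are no longer removed, they now accumulate in the lock directory, which deserves a mention in the commit message or the docstring. The debug text `Releasing lockfile` is also no longer accurate, because per the new comments the lock stays held for as long as qemu keeps the descriptor open.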