Diffstat (limited to 'poky/meta/recipes-connectivity')
32 files changed, 733 insertions, 1836 deletions
diff --git a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb index 7b0f490768..4c830cc058 100644 --- a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -25,6 +25,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \ file://0001-Fix-opening-etc-resolv.conf-error.patch \ file://handle-hup.patch \ file://local-ping.patch \ + file://invalid-service.patch \ " GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/" diff --git a/poky/meta/recipes-connectivity/avahi/files/invalid-service.patch b/poky/meta/recipes-connectivity/avahi/files/invalid-service.patch new file mode 100644 index 0000000000..8f188aff2c --- /dev/null +++ b/poky/meta/recipes-connectivity/avahi/files/invalid-service.patch 
@@ -0,0 +1,29 @@
+From 46490e95151d415cd22f02565e530eb5efcef680 Mon Sep 17 00:00:00 2001
+From: Asger Hautop Drewsen <asger@princh.com>
+Date: Mon, 9 Aug 2021 14:25:08 +0200
+Subject: [PATCH] Fix avahi-browse: Invalid service type
+
+Invalid service types will stop the browse from completing, or
+in simple terms "my washing machine stops me from printing".
+
+Upstream-Status: Submitted [https://github.com/lathiat/avahi/pull/472]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ avahi-core/browse-service.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c
+index 63e0275a..ac3d2ecb 100644
+--- a/avahi-core/browse-service.c
++++ b/avahi-core/browse-service.c
+@@ -103,7 +103,9 @@ AvahiSServiceBrowser *avahi_s_service_browser_prepare(
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(server, AVAHI_PROTO_VALID(protocol), AVAHI_ERR_INVALID_PROTOCOL);
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(server, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(server, AVAHI_FLAGS_VALID(flags, AVAHI_LOOKUP_USE_WIDE_AREA|AVAHI_LOOKUP_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+- AVAHI_CHECK_VALIDITY_RETURN_NULL(server, avahi_is_valid_service_type_generic(service_type), AVAHI_ERR_INVALID_SERVICE_TYPE);
++
++ if (!avahi_is_valid_service_type_generic(service_type))
++ service_type = "_invalid._tcp";
+
+ if (!domain)
+ domain = server->domain_name;
diff --git a/poky/meta/recipes-connectivity/bind/bind_9.18.17.bb b/poky/meta/recipes-connectivity/bind/bind_9.18.18.bb
index 9e7973ecbf..e74e685fe8 100644
--- a/poky/meta/recipes-connectivity/bind/bind_9.18.17.bb
+++ b/poky/meta/recipes-connectivity/bind/bind_9.18.18.bb
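Review bot: The substitution of `"_invalid._tcp"` in `avahi_s_service_browser_prepare()` is silent and applies to every caller of this function, so a caller that passes a malformed service type no longer gets `AVAHI_ERR_INVALID_SERVICE_TYPE` back and instead receives a browser for a placeholder type. The patch header marks the change as `Upstream-Status: Submitted`, so as far as this page shows the behaviour change has not been accepted upstream and should be re-checked on the next avahi update. At minimum the new branch needs a comment stating why the error is suppressed, for example `/* A malformed type seen on the network must not abort the whole browse; browse a placeholder type instead. */`, and a warning-level log line when the substitution happens would make the condition visible to operators. The function body continues outside the hunk.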
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \ file://0001-avoid-start-failure-with-bind-user.patch \ " -SRC_URI[sha256sum] = "bde1c5017b81d1d79c69eb8f537f2e5032fd3623acdd5ee830d4f74bc2483458" +SRC_URI[sha256sum] = "d735cdc127a6c5709bde475b5bf16fa2133f36fdba202f7c3c37d134e5192160" UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" # follow the ESV versions divisible by 2 diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5.inc b/poky/meta/recipes-connectivity/bluez5/bluez5.inc index d2ee2b4f12..e10158a6e5 100644 --- a/poky/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/poky/meta/recipes-connectivity/bluez5/bluez5.inc @@ -55,7 +55,6 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \ file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ file://0001-test-gatt-Fix-hung-issue.patch \ file://0004-src-shared-util.c-include-linux-limits.h.patch \ - file://fix-check-ell-path.patch \ " S = "${WORKDIR}/bluez-${PV}" diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5/fix-check-ell-path.patch b/poky/meta/recipes-connectivity/bluez5/bluez5/fix-check-ell-path.patch deleted file mode 100644 index 7afa63962d..0000000000 --- a/poky/meta/recipes-connectivity/bluez5/bluez5/fix-check-ell-path.patch +++ /dev/null 
@@ -1,39 +0,0 @@
-Upstream-Status: Submitted [https://marc.info/?l=linux-bluetooth&m=168818474411163&w=2]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
-
-From linux-bluetooth Sat Jul 01 04:12:52 2023
-From: Rudi Heitbaum <rudi () heitbaum ! com>
-Date: Sat, 01 Jul 2023 04:12:52 +0000
-To: linux-bluetooth
-Subject: [PATCH] configure: Fix check ell path for cross compiling
-Message-Id: <20230701041252.139338-1-rudi () heitbaum ! com>
-X-MARC-Message: https://marc.info/?l=linux-bluetooth&m=168818474411163
-
-Use of AC_CHECK_FILE prevents cross compilation.
-Instead use test to support cross compiling.
-
-Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com>
----
- configure.ac | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index eff297960..bc7edfcd3 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -298,9 +298,10 @@ if (test "${enable_external_ell}" = "yes"); then
- AC_SUBST(ELL_LIBS)
- fi
- if (test "${enable_external_ell}" != "yes"); then
-- AC_CHECK_FILE(${srcdir}/ell/ell.h, dummy=yes,
-- AC_CHECK_FILE(${srcdir}/../ell/ell/ell.h, dummy=yes,
-- AC_MSG_ERROR(ELL source is required or use --enable-external-ell)))
-+ if (test ! -f ${srcdir}/ell/ell.h) &&
-+ (test ! -f ${srcdir}/../ell/ell/ell.h); then
-+ AC_MSG_ERROR(ELL source is required or use --enable-external-ell)
-+ fi
- fi
- AM_CONDITIONAL(EXTERNAL_ELL, test "${enable_external_ell}" = "yes" ||
- (test "${enable_btpclient}" != "yes" &&
---
-2.34.1
diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5_5.68.bb b/poky/meta/recipes-connectivity/bluez5/bluez5_5.69.bb
index 7c7ad75ed8..4673000f60 100644
--- a/poky/meta/recipes-connectivity/bluez5/bluez5_5.68.bb
+++ b/poky/meta/recipes-connectivity/bluez5/bluez5_5.69.bb
@@ -1,6 +1,6 @@ require bluez5.inc -SRC_URI[sha256sum] = "fc505e6445cb579a55cacee6821fe70d633921522043d322b696de0a175ff933" +SRC_URI[sha256sum] = "bc5a35ddc7c72d0d3999a0d7b2175c8b7d57ab670774f8b5b4900ff38a2627fc" CVE_STATUS[CVE-2020-24490] = "cpe-incorrect: This issue has kernel fixes rather than bluez fixes" diff --git a/poky/meta/recipes-connectivity/connman/connman-conf/main.conf b/poky/meta/recipes-connectivity/connman/connman-conf/main.conf index a394e8f25b..3c9dd396f6 100644 --- a/poky/meta/recipes-connectivity/connman/connman-conf/main.conf +++ b/poky/meta/recipes-connectivity/connman/connman-conf/main.conf @@ -1,2 +1,2 @@ [General] -NetworkInterfaceBlacklist = eth0 +NetworkInterfaceBlacklist = eth,en diff --git a/poky/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch b/poky/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch deleted file mode 100644 index 8e2f47a1d5..0000000000 --- a/poky/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch +++ /dev/null 
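Review bot: `NetworkInterfaceBlacklist = eth,en` in main.conf is matched by connman as a list of interface-name prefixes, so it now excludes every interface whose name begins with `eth` or `en` instead of the single `eth0` it replaced, and the file has no comment saying this is intended. If this configuration is meant only for targets whose wired interface is set up outside connman, record that in the file, e.g. `# Prefix match: leave all wired interfaces (eth*, en*) to the boot-time network setup`. On an image that depends on connman for wired networking, this setting would leave those interfaces unmanaged.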
@@ -1,63 +0,0 @@
-From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
-From: Daniel Wagner <wagi@monom.org>
-Date: Tue, 11 Apr 2023 08:12:56 +0200
-Subject: [PATCH] gdhcp: Verify and sanitize packet length first
-
-Avoid overwriting the read packet length after the initial test. Thus
-move all the length checks which depends on the total length first
-and do not use the total lenght from the IP packet afterwards.
-
-Fixes CVE-2023-28488
-
-Reported by Polina Smirnova <moe.hwr@gmail.com>
-
-CVE: CVE-2023-28488
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
----
- gdhcp/client.c | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/gdhcp/client.c b/gdhcp/client.c
-index 7efa7e45..82017692 100644
---- a/gdhcp/client.c
-+++ b/gdhcp/client.c
-@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
- static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
- struct sockaddr_in *dst_addr)
- {
-- int bytes;
- struct ip_udp_dhcp_packet packet;
- uint16_t check;
-+ int bytes, tot_len;
-
- memset(&packet, 0, sizeof(packet));
-
-@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
- if (bytes < 0)
- return -1;
-
-- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
-- return -1;
--
-- if (bytes < ntohs(packet.ip.tot_len))
-+ tot_len = ntohs(packet.ip.tot_len);
-+ if (bytes > tot_len) {
-+ /* ignore any extra garbage bytes */
-+ bytes = tot_len;
-+ } else if (bytes < tot_len) {
- /* packet is bigger than sizeof(packet), we did partial read */
- return -1;
-+ }
-
-- /* ignore any extra garbage bytes */
-- bytes = ntohs(packet.ip.tot_len);
-+ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
-+ return -1;
-
- if (!sanity_check(&packet, bytes))
- return -1;
---
-2.34.1
-
diff --git a/poky/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch b/poky/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch index 83343fdda5..9e5ac8da15 100644 --- a/poky/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch +++ b/poky/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch @@ -1,4 +1,4 @@ -From 5f373f373f5baccc282dce257b7b16c8bb4a82c4 Mon Sep 17 00:00:00 2001 +From af55a6a414d32c12f9ef3cab778385a361e1ad6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Eivind=20N=C3=A6ss?= <eivnaes@yahoo.com> Date: Sat, 25 Mar 2023 20:51:52 +0000 Subject: [PATCH] vpn: Adding support for latest pppd 2.5.0 release @@ -11,82 +11,12 @@ Adding a libppp-compat.h file to mask for any differences in the version. Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a48864a2e5d2a725dfc6eef567108bc13b43857f] 
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> + --- - configure.ac | 42 ++++++++----- scripts/libppp-compat.h | 127 ++++++++++++++++++++++++++++++++++++++++ - scripts/libppp-plugin.c | 15 +++-- - 3 files changed, 161 insertions(+), 23 deletions(-) + 1 file changed, 127 insertions(+) create mode 100644 scripts/libppp-compat.h -diff --git a/configure.ac b/configure.ac -index a573cef..f34bb38 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -135,14 +135,6 @@ AC_ARG_ENABLE(l2tp, - AC_HELP_STRING([--enable-l2tp], [enable l2tp support]), - [enable_l2tp=${enableval}], [enable_l2tp="no"]) - if (test "${enable_l2tp}" != "no"); then -- if (test -z "${path_pppd}"); then -- AC_PATH_PROG(PPPD, [pppd], [/usr/sbin/pppd], $PATH:/sbin:/usr/sbin) -- else -- PPPD="${path_pppd}" -- AC_SUBST(PPPD) -- fi -- AC_CHECK_HEADERS(pppd/pppd.h, dummy=yes, -- AC_MSG_ERROR(ppp header files are required)) - if (test -z "${path_l2tp}"); then - AC_PATH_PROG(L2TP, [xl2tpd], [/usr/sbin/xl2tpd], $PATH:/sbin:/usr/sbin) - else -@@ -160,6 +152,18 @@ AC_ARG_ENABLE(pptp, - AC_HELP_STRING([--enable-pptp], [enable pptp support]), - [enable_pptp=${enableval}], [enable_pptp="no"]) - if (test "${enable_pptp}" != "no"); then -+ if (test -z "${path_pptp}"); then -+ AC_PATH_PROG(PPTP, [pptp], [/usr/sbin/pptp], $PATH:/sbin:/usr/sbin) -+ else -+ PPTP="${path_pptp}" -+ AC_SUBST(PPTP) -+ fi -+fi -+AM_CONDITIONAL(PPTP, test "${enable_pptp}" != "no") -+AM_CONDITIONAL(PPTP_BUILTIN, test "${enable_pptp}" = "builtin") -+ -+if (test "${enable_pptp}" != "no" || test "${enable_l2tp}" != "no"); then -+ - if (test -z "${path_pppd}"); then - AC_PATH_PROG(PPPD, [pppd], [/usr/sbin/pppd], $PATH:/sbin:/usr/sbin) - else -@@ -168,15 +172,23 @@ if (test "${enable_pptp}" != "no"); then - fi - AC_CHECK_HEADERS(pppd/pppd.h, dummy=yes, - AC_MSG_ERROR(ppp header files are required)) -- if (test -z "${path_pptp}"); then -- AC_PATH_PROG(PPTP, [pptp], [/usr/sbin/pptp], $PATH:/sbin:/usr/sbin) -- else -- PPTP="${path_pptp}" -- 
AC_SUBST(PPTP) -+ AC_CHECK_HEADERS([pppd/chap.h pppd/chap-new.h pppd/chap_ms.h]) -+ -+ PKG_CHECK_EXISTS([pppd], -+ [AS_VAR_SET([pppd_pkgconfig_support],[yes])]) -+ -+ PPPD_VERSION=2.4.9 -+ if test x"$pppd_pkgconfig_support" = xyes; then -+ PPPD_VERSION=`$PKG_CONFIG --modversion pppd` - fi -+ -+ AC_DEFINE_UNQUOTED([PPP_VERSION(x,y,z)], -+ [((x & 0xFF) << 16 | (y & 0xFF) << 8 | (z & 0xFF) << 0)], -+ [Macro to help determine the particular version of pppd]) -+ PPP_VERSION=$(echo $PPPD_VERSION | sed -e "s/\./\,/g") -+ AC_DEFINE_UNQUOTED(WITH_PPP_VERSION, PPP_VERSION($PPP_VERSION), -+ [The real version of pppd represented as an int]) - fi --AM_CONDITIONAL(PPTP, test "${enable_pptp}" != "no") --AM_CONDITIONAL(PPTP_BUILTIN, test "${enable_pptp}" = "builtin") - - AC_CHECK_HEADERS(resolv.h, dummy=yes, - AC_MSG_ERROR(resolver header files are required)) diff --git a/scripts/libppp-compat.h b/scripts/libppp-compat.h new file mode 100644 index 0000000..eee1d09 
@@ -220,55 +150,3 @@ index 0000000..eee1d09 + +#endif /* #if WITH_PPP_VERSION < PPP_VERSION(2,5,0) */ +#endif /* #if__LIBPPP_COMPAT_H__ */ -diff --git a/scripts/libppp-plugin.c b/scripts/libppp-plugin.c -index 0dd8b47..61641b5 100644 ---- a/scripts/libppp-plugin.c -+++ b/scripts/libppp-plugin.c -@@ -29,14 +29,13 @@ - #include <sys/types.h> - #include <sys/stat.h> - #include <fcntl.h> --#include <pppd/pppd.h> --#include <pppd/fsm.h> --#include <pppd/ipcp.h> - #include <netinet/in.h> - #include <arpa/inet.h> - - #include <dbus/dbus.h> - -+#include "libppp-compat.h" -+ - #define INET_ADDRES_LEN (INET_ADDRSTRLEN + 5) - #define INET_DNS_LEN (2*INET_ADDRSTRLEN + 9) - -@@ -47,7 +46,7 @@ static char *path; - static DBusConnection *connection; - static int prev_phase; - --char pppd_version[] = VERSION; -+char pppd_version[] = PPPD_VERSION; - - int plugin_init(void); - -@@ -170,7 +169,7 @@ static void ppp_up(void *data, int arg) - DBUS_TYPE_STRING_AS_STRING DBUS_TYPE_STRING_AS_STRING - DBUS_DICT_ENTRY_END_CHAR_AS_STRING, &dict); - -- append(&dict, "INTERNAL_IFNAME", ifname); -+ append(&dict, "INTERNAL_IFNAME", ppp_ifname()); - - inet_ntop(AF_INET, &ipcp_gotoptions[0].ouraddr, buf, INET_ADDRSTRLEN); - append(&dict, "INTERNAL_IP4_ADDRESS", buf); -@@ -309,9 +308,9 @@ int plugin_init(void) - chap_check_hook = ppp_have_secret; - pap_check_hook = ppp_have_secret; - -- add_notifier(&ip_up_notifier, ppp_up, NULL); -- add_notifier(&phasechange, ppp_phase_change, NULL); -- add_notifier(&exitnotify, ppp_exit, connection); -+ ppp_add_notify(NF_IP_UP, ppp_up, NULL); -+ ppp_add_notify(NF_PHASE_CHANGE, ppp_phase_change, NULL); -+ ppp_add_notify(NF_EXIT, ppp_exit, connection); - - return 0; - } diff --git a/poky/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch b/poky/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch index 9dca21a02f..aefdd3aa06 100644 
--- a/poky/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch +++ b/poky/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch @@ -18,14 +18,6 @@ diff --git a/gweb/gresolv.c b/gweb/gresolv.c index 954e7cf..2a9bc51 100644 --- a/gweb/gresolv.c +++ b/gweb/gresolv.c -@@ -36,6 +36,7 @@ - #include <arpa/inet.h> - #include <arpa/nameser.h> - #include <net/if.h> -+#include <ctype.h> - - #include "gresolv.h" - @@ -878,8 +879,6 @@ GResolv *g_resolv_new(int index) resolv->index = index; resolv->nameserver_list = NULL; diff --git a/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch deleted file mode 100644 index 182c5ca29c..0000000000 --- a/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch +++ /dev/null 
@@ -1,37 +0,0 @@
-From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
-From: Nathan Crandall <ncrandall@tesla.com>
-Date: Tue, 12 Jul 2022 08:56:34 +0200
-Subject: gweb: Fix OOB write in received_data()
-
-There is a mismatch of handling binary vs. C-string data with memchr
-and strlen, resulting in pos, count, and bytes_read to become out of
-sync and result in a heap overflow. Instead, do not treat the buffer
-as an ASCII C-string. We calculate the count based on the return value
-of memchr, instead of strlen.
-
-Fixes: CVE-2022-32292
-
-CVE: CVE-2022-32292
-
-Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- gweb/gweb.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/gweb/gweb.c b/gweb/gweb.c
-index 12fcb1d8..13c6c5f2 100644
---- a/gweb/gweb.c
-+++ b/gweb/gweb.c
-@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
- }
-
- *pos = '\0';
-- count = strlen((char *) ptr);
-+ count = pos - ptr;
- if (count > 0 && ptr[count - 1] == '\r') {
- ptr[--count] = '\0';
- bytes_read--;
---
-cgit
-
diff --git a/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch b/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch
deleted file mode 100644
index b280203594..0000000000
--- a/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch
+++ /dev/null
@@ -1,141 +0,0 @@ -From 72343929836de80727a27d6744c869dff045757c Mon Sep 17 00:00:00 2001 -From: Daniel Wagner <wagi@monom.org> -Date: Tue, 5 Jul 2022 08:32:12 +0200 -Subject: wispr: Add reference counter to portal context - -Track the connman_wispr_portal_context live time via a -refcounter. This only adds the infrastructure to do proper reference -counting. - -Fixes: CVE-2022-32293 -CVE: CVE-2022-32293 -Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=416bfaff988882c553c672e5bfc2d4f648d29e8a] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - src/wispr.c | 52 ++++++++++++++++++++++++++++++++++++++++++---------- - 1 file changed, 42 insertions(+), 10 deletions(-) - -diff --git a/src/wispr.c b/src/wispr.c -index a07896ca..bde7e63b 100644 ---- a/src/wispr.c -+++ b/src/wispr.c -@@ -56,6 +56,7 @@ struct wispr_route { - }; - - struct connman_wispr_portal_context { -+ int refcount; - struct connman_service *service; - enum connman_ipconfig_type type; - struct connman_wispr_portal *wispr_portal; -@@ -97,6 +98,11 @@ static char *online_check_ipv4_url = NULL; - static char *online_check_ipv6_url = NULL; - static bool enable_online_to_ready_transition = false; - -+#define wispr_portal_context_ref(wp_context) \ -+ wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__) -+#define wispr_portal_context_unref(wp_context) \ -+ wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__) -+ - static void connman_wispr_message_init(struct connman_wispr_message *msg) - { - DBG(""); -@@ -162,9 +168,6 @@ static void free_connman_wispr_portal_context( - { - DBG("context %p", wp_context); - -- if (!wp_context) -- return; -- - if (wp_context->wispr_portal) { - if (wp_context->wispr_portal->ipv4_context == wp_context) - wp_context->wispr_portal->ipv4_context = NULL; -@@ -201,9 +204,38 @@ static void free_connman_wispr_portal_context( - g_free(wp_context); - } - -+static struct connman_wispr_portal_context * 
-+wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context, -+ const char *file, int line, const char *caller) -+{ -+ DBG("%p ref %d by %s:%d:%s()", wp_context, -+ wp_context->refcount + 1, file, line, caller); -+ -+ __sync_fetch_and_add(&wp_context->refcount, 1); -+ -+ return wp_context; -+} -+ -+static void wispr_portal_context_unref_debug( -+ struct connman_wispr_portal_context *wp_context, -+ const char *file, int line, const char *caller) -+{ -+ if (!wp_context) -+ return; -+ -+ DBG("%p ref %d by %s:%d:%s()", wp_context, -+ wp_context->refcount - 1, file, line, caller); -+ -+ if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1) -+ return; -+ -+ free_connman_wispr_portal_context(wp_context); -+} -+ - static struct connman_wispr_portal_context *create_wispr_portal_context(void) - { -- return g_try_new0(struct connman_wispr_portal_context, 1); -+ return wispr_portal_context_ref( -+ g_new0(struct connman_wispr_portal_context, 1)); - } - - static void free_connman_wispr_portal(gpointer data) -@@ -215,8 +247,8 @@ static void free_connman_wispr_portal(gpointer data) - if (!wispr_portal) - return; - -- free_connman_wispr_portal_context(wispr_portal->ipv4_context); -- free_connman_wispr_portal_context(wispr_portal->ipv6_context); -+ wispr_portal_context_unref(wispr_portal->ipv4_context); -+ wispr_portal_context_unref(wispr_portal->ipv6_context); - - g_free(wispr_portal); - } -@@ -452,7 +484,7 @@ static void portal_manage_status(GWebResult *result, - connman_info("Client-Timezone: %s", str); - - if (!enable_online_to_ready_transition) -- free_connman_wispr_portal_context(wp_context); -+ wispr_portal_context_unref(wp_context); - - __connman_service_ipconfig_indicate_state(service, - CONNMAN_SERVICE_STATE_ONLINE, type); -@@ -616,7 +648,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service, - return; - } - -- free_connman_wispr_portal_context(wp_context); -+ wispr_portal_context_unref(wp_context); - return; - } - -@@ 
-952,7 +984,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context) - - if (wp_context->token == 0) { - err = -EINVAL; -- free_connman_wispr_portal_context(wp_context); -+ wispr_portal_context_unref(wp_context); - } - } else if (wp_context->timeout == 0) { - wp_context->timeout = g_idle_add(no_proxy_callback, wp_context); -@@ -1001,7 +1033,7 @@ int __connman_wispr_start(struct connman_service *service, - - /* If there is already an existing context, we wipe it */ - if (wp_context) -- free_connman_wispr_portal_context(wp_context); -+ wispr_portal_context_unref(wp_context); - - wp_context = create_wispr_portal_context(); - if (!wp_context) --- -cgit - diff --git a/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch b/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch deleted file mode 100644 index 56f8fc82de..0000000000 --- a/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch +++ /dev/null 
@@ -1,174 +0,0 @@ -From 416bfaff988882c553c672e5bfc2d4f648d29e8a Mon Sep 17 00:00:00 2001 -From: Daniel Wagner <wagi@monom.org> -Date: Tue, 5 Jul 2022 09:11:09 +0200 -Subject: wispr: Update portal context references - -Maintain proper portal context references to avoid UAF. - -Fixes: CVE-2022-32293 -CVE: CVE-2022-32293 -Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - src/wispr.c | 34 ++++++++++++++++++++++------------ - 1 file changed, 22 insertions(+), 12 deletions(-) - -diff --git a/src/wispr.c b/src/wispr.c -index bde7e63b..84bed33f 100644 ---- a/src/wispr.c -+++ b/src/wispr.c -@@ -105,8 +105,6 @@ static bool enable_online_to_ready_transition = false; - - static void connman_wispr_message_init(struct connman_wispr_message *msg) - { -- DBG(""); -- - msg->has_error = false; - msg->current_element = NULL; - -@@ -166,8 +164,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context) - static void free_connman_wispr_portal_context( - struct connman_wispr_portal_context *wp_context) - { -- DBG("context %p", wp_context); -- - if (wp_context->wispr_portal) { - if (wp_context->wispr_portal->ipv4_context == wp_context) - wp_context->wispr_portal->ipv4_context = NULL; -@@ -483,9 +479,6 @@ static void portal_manage_status(GWebResult *result, - &str)) - connman_info("Client-Timezone: %s", str); - -- if (!enable_online_to_ready_transition) -- wispr_portal_context_unref(wp_context); -- - __connman_service_ipconfig_indicate_state(service, - CONNMAN_SERVICE_STATE_ONLINE, type); - -@@ -546,14 +539,17 @@ static void wispr_portal_request_portal( - { - DBG(""); - -+ wispr_portal_context_ref(wp_context); - wp_context->request_id = g_web_request_get(wp_context->web, - wp_context->status_url, - wispr_portal_web_result, - wispr_route_request, - wp_context); - -- if (wp_context->request_id == 0) -+ if 
(wp_context->request_id == 0) { - wispr_portal_error(wp_context); -+ wispr_portal_context_unref(wp_context); -+ } - } - - static bool wispr_input(const guint8 **data, gsize *length, -@@ -618,13 +614,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service, - return; - - if (!authentication_done) { -- wispr_portal_error(wp_context); - free_wispr_routes(wp_context); -+ wispr_portal_error(wp_context); -+ wispr_portal_context_unref(wp_context); - return; - } - - /* Restarting the test */ - __connman_service_wispr_start(service, wp_context->type); -+ wispr_portal_context_unref(wp_context); - } - - static void wispr_portal_request_wispr_login(struct connman_service *service, -@@ -700,11 +698,13 @@ static bool wispr_manage_message(GWebResult *result, - - wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN; - -+ wispr_portal_context_ref(wp_context); - if (__connman_agent_request_login_input(wp_context->service, - wispr_portal_request_wispr_login, -- wp_context) != -EINPROGRESS) -+ wp_context) != -EINPROGRESS) { - wispr_portal_error(wp_context); -- else -+ wispr_portal_context_unref(wp_context); -+ } else - return true; - - break; -@@ -753,6 +753,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) - if (length > 0) { - g_web_parser_feed_data(wp_context->wispr_parser, - chunk, length); -+ wispr_portal_context_unref(wp_context); - return true; - } - -@@ -770,6 +771,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) - - switch (status) { - case 000: -+ wispr_portal_context_ref(wp_context); - __connman_agent_request_browser(wp_context->service, - wispr_portal_browser_reply_cb, - wp_context->status_url, wp_context); -@@ -781,11 +783,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) - if (g_web_result_get_header(result, "X-ConnMan-Status", - &str)) { - portal_manage_status(result, wp_context); -+ wispr_portal_context_unref(wp_context); - return false; -- } else -+ } 
else { -+ wispr_portal_context_ref(wp_context); - __connman_agent_request_browser(wp_context->service, - wispr_portal_browser_reply_cb, - wp_context->redirect_url, wp_context); -+ } - - break; - case 300: -@@ -798,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) - !g_web_result_get_header(result, "Location", - &redirect)) { - -+ wispr_portal_context_ref(wp_context); - __connman_agent_request_browser(wp_context->service, - wispr_portal_browser_reply_cb, - wp_context->status_url, wp_context); -@@ -808,6 +814,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) - - wp_context->redirect_url = g_strdup(redirect); - -+ wispr_portal_context_ref(wp_context); - wp_context->request_id = g_web_request_get(wp_context->web, - redirect, wispr_portal_web_result, - wispr_route_request, wp_context); -@@ -820,6 +827,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) - - break; - case 505: -+ wispr_portal_context_ref(wp_context); - __connman_agent_request_browser(wp_context->service, - wispr_portal_browser_reply_cb, - wp_context->status_url, wp_context); -@@ -832,6 +840,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) - wp_context->request_id = 0; - done: - wp_context->wispr_msg.message_type = -1; -+ wispr_portal_context_unref(wp_context); - return false; - } - -@@ -890,6 +899,7 @@ static void proxy_callback(const char *proxy, void *user_data) - xml_wispr_parser_callback, wp_context); - - wispr_portal_request_portal(wp_context); -+ wispr_portal_context_unref(wp_context); - } - - static gboolean no_proxy_callback(gpointer user_data) --- -cgit - diff --git a/poky/meta/recipes-connectivity/connman/connman_1.41.bb b/poky/meta/recipes-connectivity/connman/connman_1.42.bb index d8ac1f5cde..c2fcd617ae 100644 --- a/poky/meta/recipes-connectivity/connman/connman_1.41.bb +++ b/poky/meta/recipes-connectivity/connman/connman_1.42.bb 
@@ -5,16 +5,12 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \ file://connman \ file://no-version-scripts.patch \ - file://CVE-2022-32293_p1.patch \ - file://CVE-2022-32293_p2.patch \ - file://CVE-2022-32292.patch \ - file://0001-gdhcp-Verify-and-sanitize-packet-length-first.patch \ file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \ " SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch" -SRC_URI[sha256sum] = "79fb40f4fdd5530c45aa8e592fb16ba23d3674f3a98cf10b89a6576f198de589" +SRC_URI[sha256sum] = "a3e6bae46fc081ef2e9dae3caa4f7649de892c3de622c20283ac0ca81423c2aa" RRECOMMENDS:${PN} = "connman-conf" RCONFLICTS:${PN} = "networkmanager" diff --git a/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.1.bb b/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.2.bb index de007a6e6c..0966edd1b8 100644 --- a/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.1.bb +++ b/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.2.bb @@ -15,9 +15,10 @@ SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=ma file://dhcpcd.service \ file://dhcpcd@.service \ file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \ + file://0001-privsep-fix-strlcpy-overflow-in-psp_ifname-239.patch \ " -SRCREV = "5d9bf80c26b4b7dc9d8aa175d96d5a24e75b4d48" +SRCREV = "d2fbde99cf2d0072016af9dfe6a77032a5a9fc30" S = "${WORKDIR}/git" inherit pkgconfig autotools-brokensep systemd useradd diff --git a/poky/meta/recipes-connectivity/dhcpcd/files/0001-privsep-fix-strlcpy-overflow-in-psp_ifname-239.patch b/poky/meta/recipes-connectivity/dhcpcd/files/0001-privsep-fix-strlcpy-overflow-in-psp_ifname-239.patch new file mode 100644 index 0000000000..d4fb1737a6 --- /dev/null +++ b/poky/meta/recipes-connectivity/dhcpcd/files/0001-privsep-fix-strlcpy-overflow-in-psp_ifname-239.patch 
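Review bot: Nothing visible on this page records that the connman 1.42 tarball already contains the four fixes removed from `SRC_URI` in connman_1.42.bb: `CVE-2022-32293_p1.patch`, `CVE-2022-32293_p2.patch`, `CVE-2022-32292.patch` and `0001-gdhcp-Verify-and-sanitize-packet-length-first.patch` (tagged CVE-2023-28488). All four deleted patches were marked `Upstream-Status: Backport`, which suggests they are part of the new release, but that is an inference and should be confirmed against the 1.42 source, for instance by checking that `received_data()` in gweb/gweb.c computes `count = pos - ptr;`. Stating the result in the commit message would let later reviewers and CVE tooling see why the patches were dropped.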
@@ -0,0 +1,33 @@
+From 1bd8fc7d4b34f752a32709d277a897e5ad202d97 Mon Sep 17 00:00:00 2001
+From: Tobias Heider <tobhe@users.noreply.github.com>
+Date: Tue, 15 Aug 2023 18:06:48 +0200
+Subject: [PATCH] privsep: fix strlcpy overflow in psp_ifname (#239)
+
+When running our Ubuntu tests with libc6 and strlcpy overflow checks
+enabled we found that the wrong size is passed to strlcpy resulting
+in a crash because of an overflow.
+
+Upstream-Status: Backport
+[https://github.com/NetworkConfiguration/dhcpcd/commit/1bd8fc7d4b34f752a32709d277a897e5ad202d97]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/privsep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/privsep.c b/src/privsep.c
+index b11c0351..cfe54742 100644
+--- a/src/privsep.c
++++ b/src/privsep.c
+@@ -1200,7 +1200,7 @@ ps_newprocess(struct dhcpcd_ctx *ctx, struct ps_id *psid)
+ #endif
+
+ if (!(ctx->options & DHCPCD_MANAGER))
+- strlcpy(psp->psp_ifname, ctx->ifv[0], sizeof(psp->psp_name));
++ strlcpy(psp->psp_ifname, ctx->ifv[0], sizeof(psp->psp_ifname));
+ TAILQ_INSERT_TAIL(&ctx->ps_processes, psp, next);
+ return psp;
+ }
+--
+2.25.1
+
diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
new file mode 100644
index 0000000000..70bd98897d
--- /dev/null
+++ b/poky/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
@@ -0,0 +1,279 @@ +From 703418fe9d2e3b1e8d594df5788d8001a8116265 Mon Sep 17 00:00:00 2001 +From: Jeffrey Bencteux <jeffbencteux@gmail.com> +Date: Fri, 30 Jun 2023 19:02:45 +0200 +Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check + set*id() return values + +Several setuid(), setgid(), seteuid() and setguid() return values +were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially +leading to potential security issues. + +CVE: CVE-2023-40303 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6] +Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com> +Signed-off-by: Simon Josefsson <simon@josefsson.org> +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + ftpd/ftpd.c | 10 +++++++--- + src/rcp.c | 39 +++++++++++++++++++++++++++++++++------ + src/rlogin.c | 11 +++++++++-- + src/rsh.c | 25 +++++++++++++++++++++---- + src/rshd.c | 20 +++++++++++++++++--- + src/uucpd.c | 15 +++++++++++++-- + 6 files changed, 100 insertions(+), 20 deletions(-) + +diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c +index 92b2cca5..28dd523f 100644 +--- a/ftpd/ftpd.c ++++ b/ftpd/ftpd.c +@@ -862,7 +862,9 @@ end_login (struct credentials *pcred) + char *remotehost = pcred->remotehost; + int atype = pcred->auth_type; + +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++ _exit (EXIT_FAILURE); ++ + if (pcred->logged_in) + { + logwtmp_keep_open (ttyline, "", ""); +@@ -1151,7 +1153,8 @@ getdatasock (const char *mode) + + if (data >= 0) + return fdopen (data, mode); +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++ _exit (EXIT_FAILURE); + s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0); + if (s < 0) + goto bad; +@@ -1978,7 +1981,8 @@ passive (int epsv, int af) + else /* !AF_INET6 */ + ((struct sockaddr_in *) &pasv_addr)->sin_port = 0; + +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++ _exit (EXIT_FAILURE); + if (bind (pdata, (struct sockaddr *) &pasv_addr, pasv_addrlen) 
< 0) + { + if (seteuid ((uid_t) cred.uid)) +diff --git a/src/rcp.c b/src/rcp.c +index 75adb253..cdcf8500 100644 +--- a/src/rcp.c ++++ b/src/rcp.c +@@ -345,14 +345,23 @@ main (int argc, char *argv[]) + if (from_option) + { /* Follow "protocol", send data. */ + response (); +- setuid (userid); ++ ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + source (argc, argv); + exit (errs); + } + + if (to_option) + { /* Receive data. */ +- setuid (userid); ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + sink (argc, argv); + exit (errs); + } +@@ -537,7 +546,11 @@ toremote (char *targ, int argc, char *argv[]) + if (response () < 0) + exit (EXIT_FAILURE); + free (bp); +- setuid (userid); ++ ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } + } + source (1, argv + i); + close (rem); +@@ -630,7 +643,12 @@ tolocal (int argc, char *argv[]) + ++errs; + continue; + } +- seteuid (userid); ++ ++ if (seteuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ + #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT + sslen = sizeof (ss); + (void) getpeername (rem, (struct sockaddr *) &ss, &sslen); +@@ -643,7 +661,12 @@ tolocal (int argc, char *argv[]) + #endif + vect[0] = target; + sink (1, vect); +- seteuid (effuid); ++ ++ if (seteuid (effuid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ + close (rem); + rem = -1; + #ifdef SHISHI +@@ -1441,7 +1464,11 @@ susystem (char *s, int userid) + return (127); + + case 0: +- setuid (userid); ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + execl (PATH_BSHELL, "sh", "-c", s, NULL); + _exit (127); + } +diff --git a/src/rlogin.c b/src/rlogin.c +index 
aa6426fb..c543de0c 100644 +--- a/src/rlogin.c ++++ b/src/rlogin.c +@@ -647,8 +647,15 @@ try_connect: + /* Now change to the real user ID. We have to be set-user-ID root + to get the privileged port that rcmd () uses. We now want, however, + to run as the real user who invoked us. */ +- seteuid (uid); +- setuid (uid); ++ if (seteuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ ++ if (setuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } + + doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */ + +diff --git a/src/rsh.c b/src/rsh.c +index 2d622ca4..6f60667d 100644 +--- a/src/rsh.c ++++ b/src/rsh.c +@@ -276,8 +276,17 @@ main (int argc, char **argv) + { + if (asrsh) + *argv = (char *) "rlogin"; +- seteuid (getuid ()); +- setuid (getuid ()); ++ ++ if (seteuid (getuid ()) == -1) ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } ++ ++ if (setuid (getuid ()) == -1) ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } ++ + execv (PATH_RLOGIN, argv); + error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN); + } +@@ -541,8 +550,16 @@ try_connect: + error (0, errno, "setsockopt DEBUG (ignored)"); + } + +- seteuid (uid); +- setuid (uid); ++ if (seteuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } ++ ++ if (setuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } ++ + #ifdef HAVE_SIGACTION + sigemptyset (&sigs); + sigaddset (&sigs, SIGINT); +diff --git a/src/rshd.c b/src/rshd.c +index d1c0d0cd..707790e7 100644 +--- a/src/rshd.c ++++ b/src/rshd.c +@@ -1847,8 +1847,18 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + pwd->pw_shell = PATH_BSHELL; + + /* Set the gid, then uid to become the user specified by "locuser" */ +- setegid ((gid_t) pwd->pw_gid); +- setgid ((gid_t) pwd->pw_gid); ++ if (setegid ((gid_t) pwd->pw_gid) == -1) ++ { ++ rshd_error ("Cannot drop 
privileges (setegid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } ++ ++ if (setgid ((gid_t) pwd->pw_gid) == -1) ++ { ++ rshd_error ("Cannot drop privileges (setgid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } ++ + #ifdef HAVE_INITGROUPS + initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */ + #endif +@@ -1870,7 +1880,11 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + } + #endif /* WITH_PAM */ + +- setuid ((uid_t) pwd->pw_uid); ++ if (setuid ((uid_t) pwd->pw_uid) == -1) ++ { ++ rshd_error ("Cannot drop privileges (setuid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + /* We'll execute the client's command in the home directory + * of locuser. Note, that the chdir must be executed after +diff --git a/src/uucpd.c b/src/uucpd.c +index 107589e1..29cfce35 100644 +--- a/src/uucpd.c ++++ b/src/uucpd.c +@@ -252,7 +252,12 @@ doit (struct sockaddr *sap, socklen_t salen) + snprintf (Username, sizeof (Username), "USER=%s", user); + snprintf (Logname, sizeof (Logname), "LOGNAME=%s", user); + dologin (pw, sap, salen); +- setgid (pw->pw_gid); ++ ++ if (setgid (pw->pw_gid) == -1) ++ { ++ fprintf (stderr, "setgid() failed"); ++ return; ++ } + #ifdef HAVE_INITGROUPS + initgroups (pw->pw_name, pw->pw_gid); + #endif +@@ -261,7 +266,13 @@ doit (struct sockaddr *sap, socklen_t salen) + fprintf (stderr, "Login incorrect."); + return; + } +- setuid (pw->pw_uid); ++ ++ if (setuid (pw->pw_uid) == -1) ++ { ++ fprintf (stderr, "setuid() failed"); ++ return; ++ } ++ + execl (uucico_location, "uucico", NULL); + perror ("uucico server: execl"); + } diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch new file mode 100644 index 0000000000..1b972aac29 --- /dev/null +++ b/poky/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch 
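Review bot: The `initgroups ()` calls in `src/rshd.c` and `src/uucpd.c` sit between the newly checked `setgid ()` and `setuid ()` calls and are still unchecked, so a failed `initgroups ()` would leave the process with its original supplementary groups while the uid drop goes ahead. The pattern used in the rest of the patch would close that gap, for example `if (initgroups (pw->pw_name, pw->pw_gid) == -1) return;` in uucpd's `doit`, and the `rshd_error (...)` plus `exit (EXIT_FAILURE)` form in rshd. This file is a backport, so the change belongs upstream first; `uucpd` is in the recipe's default PACKAGECONFIG while rshd is disabled, so the uucpd path is the one that ships. The enclosing functions start and end outside the inner hunks.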
@@ -0,0 +1,253 @@ +From 70fe022f9dac760eaece0228cad17e3d29a57fb8 Mon Sep 17 00:00:00 2001 +From: Simon Josefsson <simon@josefsson.org> +Date: Mon, 31 Jul 2023 13:59:05 +0200 +Subject: [PATCH] CVE-2023-40303: Indent changes in previous commit. + +CVE: CVE-2023-40303 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/rcp.c | 42 ++++++++++++++++++++++++------------------ + src/rlogin.c | 12 ++++++------ + src/rsh.c | 24 ++++++++++++------------ + src/rshd.c | 24 ++++++++++++------------ + src/uucpd.c | 16 ++++++++-------- + 5 files changed, 62 insertions(+), 56 deletions(-) + +diff --git a/src/rcp.c b/src/rcp.c +index cdcf8500..652f22e6 100644 +--- a/src/rcp.c ++++ b/src/rcp.c +@@ -347,9 +347,10 @@ main (int argc, char *argv[]) + response (); + + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + + source (argc, argv); + exit (errs); +@@ -358,9 +359,10 @@ main (int argc, char *argv[]) + if (to_option) + { /* Receive data. 
*/ + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + + sink (argc, argv); + exit (errs); +@@ -548,9 +550,10 @@ toremote (char *targ, int argc, char *argv[]) + free (bp); + + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + } + source (1, argv + i); + close (rem); +@@ -645,9 +648,10 @@ tolocal (int argc, char *argv[]) + } + + if (seteuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (seteuid() failed)"); ++ } + + #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT + sslen = sizeof (ss); +@@ -663,9 +667,10 @@ tolocal (int argc, char *argv[]) + sink (1, vect); + + if (seteuid (effuid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (seteuid() failed)"); ++ } + + close (rem); + rem = -1; +@@ -1465,9 +1470,10 @@ susystem (char *s, int userid) + + case 0: + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + + execl (PATH_BSHELL, "sh", "-c", s, NULL); + _exit (127); +diff --git a/src/rlogin.c b/src/rlogin.c +index c543de0c..4360202f 100644 +--- a/src/rlogin.c ++++ b/src/rlogin.c +@@ -648,14 +648,14 @@ try_connect: + to get the privileged port that rcmd () uses. We now want, however, + to run as the real user who invoked us. 
*/ + if (seteuid (uid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } + + if (setuid (uid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } + + doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */ + +diff --git a/src/rsh.c b/src/rsh.c +index 6f60667d..179b47cd 100644 +--- a/src/rsh.c ++++ b/src/rsh.c +@@ -278,14 +278,14 @@ main (int argc, char **argv) + *argv = (char *) "rlogin"; + + if (seteuid (getuid ()) == -1) +- { +- error (EXIT_FAILURE, errno, "seteuid() failed"); +- } ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } + + if (setuid (getuid ()) == -1) +- { +- error (EXIT_FAILURE, errno, "setuid() failed"); +- } ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } + + execv (PATH_RLOGIN, argv); + error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN); +@@ -551,14 +551,14 @@ try_connect: + } + + if (seteuid (uid) == -1) +- { +- error (EXIT_FAILURE, errno, "seteuid() failed"); +- } ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } + + if (setuid (uid) == -1) +- { +- error (EXIT_FAILURE, errno, "setuid() failed"); +- } ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } + + #ifdef HAVE_SIGACTION + sigemptyset (&sigs); +diff --git a/src/rshd.c b/src/rshd.c +index 707790e7..3a153a18 100644 +--- a/src/rshd.c ++++ b/src/rshd.c +@@ -1848,16 +1848,16 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + + /* Set the gid, then uid to become the user specified by "locuser" */ + if (setegid ((gid_t) pwd->pw_gid) == -1) +- { +- rshd_error ("Cannot drop privileges (setegid() failed)\n"); +- exit (EXIT_FAILURE); +- } ++ { ++ rshd_error ("Cannot drop privileges (setegid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + if (setgid ((gid_t) 
pwd->pw_gid) == -1) +- { +- rshd_error ("Cannot drop privileges (setgid() failed)\n"); +- exit (EXIT_FAILURE); +- } ++ { ++ rshd_error ("Cannot drop privileges (setgid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + #ifdef HAVE_INITGROUPS + initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */ +@@ -1881,10 +1881,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + #endif /* WITH_PAM */ + + if (setuid ((uid_t) pwd->pw_uid) == -1) +- { +- rshd_error ("Cannot drop privileges (setuid() failed)\n"); +- exit (EXIT_FAILURE); +- } ++ { ++ rshd_error ("Cannot drop privileges (setuid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + /* We'll execute the client's command in the home directory + * of locuser. Note, that the chdir must be executed after +diff --git a/src/uucpd.c b/src/uucpd.c +index 29cfce35..fde7b9c9 100644 +--- a/src/uucpd.c ++++ b/src/uucpd.c +@@ -254,10 +254,10 @@ doit (struct sockaddr *sap, socklen_t salen) + dologin (pw, sap, salen); + + if (setgid (pw->pw_gid) == -1) +- { +- fprintf (stderr, "setgid() failed"); +- return; +- } ++ { ++ fprintf (stderr, "setgid() failed"); ++ return; ++ } + #ifdef HAVE_INITGROUPS + initgroups (pw->pw_name, pw->pw_gid); + #endif +@@ -268,10 +268,10 @@ doit (struct sockaddr *sap, socklen_t salen) + } + + if (setuid (pw->pw_uid) == -1) +- { +- fprintf (stderr, "setuid() failed"); +- return; +- } ++ { ++ fprintf (stderr, "setuid() failed"); ++ return; ++ } + + execl (uucico_location, "uucico", NULL); + perror ("uucico server: execl"); diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch deleted file mode 100644 index 603d2baf9d..0000000000 --- a/poky/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From c7c27ba763c613f83c1561e56448b49315c271c5 Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Wed, 6 Mar 2019 09:36:11 -0500 -Subject: [PATCH] Upstream: - http://www.mail-archive.com/bug-inetutils@gnu.org/msg02103.html - -Upstream-Status: Pending - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> - ---- - ping/ping_common.h | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/ping/ping_common.h b/ping/ping_common.h -index 65e3e60..3e84db0 100644 ---- a/ping/ping_common.h -+++ b/ping/ping_common.h -@@ -18,10 +18,14 @@ - You should have received a copy of the GNU General Public License - along with this program. If not, see `http://www.gnu.org/licenses/'. */ - -+#include <config.h> -+ - #include <netinet/in_systm.h> - #include <netinet/in.h> - #include <netinet/ip.h> -+#ifdef HAVE_IPV6 - #include <netinet/icmp6.h> -+#endif - #include <icmp.h> - #include <error.h> - #include <progname.h> -@@ -63,7 +67,12 @@ struct ping_stat - want to follow the traditional behaviour of ping. */ - #define DEFAULT_PING_COUNT 0 - -+#ifdef HAVE_IPV6 - #define PING_HEADER_LEN (USE_IPV6 ? sizeof (struct icmp6_hdr) : ICMP_MINLEN) -+#else -+#define PING_HEADER_LEN (ICMP_MINLEN) -+#endif -+ - #define PING_TIMING(s) ((s) >= sizeof (struct timeval)) - #define PING_DATALEN (64 - PING_HEADER_LEN) /* default data length */ - -@@ -78,13 +87,20 @@ struct ping_stat - - #define PING_MIN_USER_INTERVAL (200000/PING_PRECISION) - -+#ifdef HAVE_IPV6 - /* FIXME: Adjust IPv6 case for options and their consumption. */ - #define _PING_BUFLEN(p, u) ((u)? 
((p)->ping_datalen + sizeof (struct icmp6_hdr)) : \ - (MAXIPLEN + (p)->ping_datalen + ICMP_TSLEN)) - -+#else -+#define _PING_BUFLEN(p, u) (MAXIPLEN + (p)->ping_datalen + ICMP_TSLEN) -+#endif -+ -+#ifdef HAVE_IPV6 - typedef int (*ping_efp6) (int code, void *closure, struct sockaddr_in6 * dest, - struct sockaddr_in6 * from, struct icmp6_hdr * icmp, - int datalen); -+#endif - - typedef int (*ping_efp) (int code, - void *closure, -@@ -93,13 +109,17 @@ typedef int (*ping_efp) (int code, - struct ip * ip, icmphdr_t * icmp, int datalen); - - union event { -+#ifdef HAVE_IPV6 - ping_efp6 handler6; -+#endif - ping_efp handler; - }; - - union ping_address { - struct sockaddr_in ping_sockaddr; -+#ifdef HAVE_IPV6 - struct sockaddr_in6 ping_sockaddr6; -+#endif - }; - - typedef struct ping_data PING; diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch deleted file mode 100644 index 2974bd4f94..0000000000 --- a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch +++ /dev/null @@ -1,27 +0,0 @@ -From f7f785c21306010b2367572250b2822df5bc7728 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <vapier at gentoo.org> -Date: Thu, 18 Nov 2010 16:59:14 -0500 -Subject: [PATCH] printf-parse: pull in features.h for __GLIBC__ - -Upstream-Status: Pending - -Signed-off-by: Mike Frysinger <vapier at gentoo.org> - ---- - lib/printf-parse.h | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/lib/printf-parse.h b/lib/printf-parse.h -index e7d0f82..d7b4534 100644 ---- a/lib/printf-parse.h -+++ b/lib/printf-parse.h -@@ -28,6 +28,9 @@ - - #include "printf-args.h" - -+#ifdef HAVE_FEATURES_H -+# include <features.h> /* for __GLIBC__ */ -+#endif - - /* Flags */ - #define FLAG_GROUP 1 /* ' flag */ 
diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch deleted file mode 100644 index 1ef7e21073..0000000000 --- a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 9089c6eafbf5903174dce87b68476e35db80beb9 Mon Sep 17 00:00:00 2001 -From: Martin Jansa <martin.jansa@gmail.com> -Date: Wed, 6 Mar 2019 09:36:11 -0500 -Subject: [PATCH] inetutils: Import version 1.9.4 - -Upstream-Status: Pending - ---- - lib/wchar.in.h | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/lib/wchar.in.h b/lib/wchar.in.h -index cdda680..043866a 100644 ---- a/lib/wchar.in.h -+++ b/lib/wchar.in.h -@@ -77,6 +77,9 @@ - /* The include_next requires a split double-inclusion guard. */ - #if @HAVE_WCHAR_H@ - # @INCLUDE_NEXT@ @NEXT_WCHAR_H@ -+#else -+# include <stddef.h> -+# define MB_CUR_MAX 1 - #endif - - #undef _GL_ALREADY_INCLUDING_WCHAR_H diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch deleted file mode 100644 index 460ddf9830..0000000000 --- a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 101130f422dd5c01a1459645d7b2a5b8d19720ab Mon Sep 17 00:00:00 2001 -From: Martin Jansa <martin.jansa@gmail.com> -Date: Wed, 6 Mar 2019 09:36:11 -0500 -Subject: [PATCH] inetutils: define PATH_PROCNET_DEV if not already defined -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -this prevents the following compilation error : -system/linux.c:401:15: error: 'PATH_PROCNET_DEV' undeclared (first use in this function) - -this patch comes from : - http://repository.timesys.com/buildsources/i/inetutils/inetutils-1.9/ - -Upstream-Status: Inappropriate [not author] - -Signed-of-by: Eric Bénard <eric@eukrea.com> - ---- - ifconfig/system/linux.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/ifconfig/system/linux.c b/ifconfig/system/linux.c -index e453b46..4268ca9 100644 ---- a/ifconfig/system/linux.c -+++ b/ifconfig/system/linux.c -@@ -53,6 +53,10 @@ - #include "../ifconfig.h" - - -+#ifndef PATH_PROCNET_DEV -+ #define PATH_PROCNET_DEV "/proc/net/dev" -+#endif -+ - /* ARPHRD stuff. */ - - static void diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch deleted file mode 100644 index 2343c03cb4..0000000000 --- a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From cc66e842e037fba9f06761f942abe5c4856492b8 Mon Sep 17 00:00:00 2001 -From: Kai Kang <kai.kang@windriver.com> -Date: Wed, 6 Mar 2019 09:36:11 -0500 -Subject: [PATCH] inetutils: Import version 1.9.4 - -Only check security/pam_appl.h which is provided by package libpam when pam is -enabled. - -Upstream-Status: Pending - -Signed-off-by: Kai Kang <kai.kang@windriver.com> - ---- - configure.ac | 15 ++++++++++++++- - 1 file changed, 14 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index 5e16c3a..18510a8 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -182,6 +182,19 @@ AC_SUBST(LIBUTIL) - - # See if we have libpam.a. Investigate PAM versus Linux-PAM. - if test "$with_pam" = yes ; then -+ AC_CHECK_HEADERS([security/pam_appl.h], [], [], [ -+#include <sys/types.h> -+#ifdef HAVE_NETINET_IN_SYSTM_H -+# include <netinet/in_systm.h> -+#endif -+#include <netinet/in.h> -+#ifdef HAVE_NETINET_IP_H -+# include <netinet/ip.h> -+#endif -+#ifdef HAVE_SYS_PARAM_H -+# include <sys/param.h> -+#endif -+]) - AC_CHECK_LIB(dl, dlopen, LIBDL=-ldl) - AC_CHECK_LIB(pam, pam_authenticate, LIBPAM=-lpam) - if test "$ac_cv_lib_pam_pam_authenticate" = yes ; then -@@ -617,7 +630,7 @@ AC_HEADER_DIRENT - AC_CHECK_HEADERS([arpa/nameser.h arpa/tftp.h fcntl.h features.h \ - glob.h memory.h netinet/ether.h netinet/in_systm.h \ - netinet/ip.h netinet/ip_icmp.h netinet/ip_var.h \ -- security/pam_appl.h shadow.h \ -+ shadow.h \ - stropts.h sys/tty.h \ - sys/utsname.h sys/ptyvar.h sys/msgbuf.h sys/filio.h \ - sys/ioctl_compat.h sys/cdefs.h sys/stream.h sys/mkdev.h \ diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb b/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb index bcc3a0258e..957f1feac6 100644 --- a/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb +++ b/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb 
@@ -13,23 +13,19 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0c7051aef9219dc7237f206c5c4179a7" SRC_URI[sha256sum] = "1789d6b1b1a57dfe2a7ab7b533ee9f5dfd9cbf5b59bb1bb3c2612ed08d0f68b2" SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \ - file://inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch \ - file://inetutils-1.8-0003-wchar.patch \ - file://rexec.xinetd.inetutils \ + file://rexec.xinetd.inetutils \ file://rlogin.xinetd.inetutils \ file://rsh.xinetd.inetutils \ file://telnet.xinetd.inetutils \ file://tftpd.xinetd.inetutils \ - file://inetutils-1.9-PATH_PROCNET_DEV.patch \ - file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \ -" + file://0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch \ + file://0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch \ + " inherit autotools gettext update-alternatives texinfo acpaths = "-I ./m4" -SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', '', 'file://fix-disable-ipv6.patch', d)}" - PACKAGECONFIG ??= "ftp uucpd \ ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6 ping6', '', d)} \ 
@@ -41,21 +37,33 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6 gl_cv_socket_ipv6=no," PACKAGECONFIG[ping6] = "--enable-ping6,--disable-ping6," EXTRA_OECONF = "--with-ncurses-include-dir=${STAGING_INCDIR} \ - inetutils_cv_path_login=${base_bindir}/login \ --with-libreadline-prefix=${STAGING_LIBDIR} \ --enable-rpath=no \ -" + --with-path-login=${base_bindir}/login \ + --with-path-cp=${base_bindir}/cp \ + --with-path-uucico=${libexecdir}/uuico \ + --with-path-procnet-dev=/proc/net/dev \ + " + +EXTRA_OECONF:append:libc-musl = " --with-path-utmpx=/dev/null/utmpx --with-path-wtmpx=/dev/null/wtmpx" # These are horrible for security, disable them EXTRA_OECONF:append = " --disable-rsh --disable-rshd --disable-rcp \ --disable-rlogin --disable-rlogind --disable-rexec --disable-rexecd" +# The configure script guesses many paths in cross builds, check for this happening +do_configure_cross_check() { + if grep "may be incorrect because of cross-compilation" ${B}/config.log; then + bberror Default path values used, these must be set explicitly + fi +} +do_configure[postfuncs] += "do_configure_cross_check" + +# The --with-path options are not actually options, so this check needs to be silenced +ERROR_QA:remove = "unknown-configure-option" + do_configure:prepend () { export HELP2MAN='true' - cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${S}/build-aux/config.rpath - install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.guess ${S} - install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.sub ${S} - rm -f ${S}/glob/configure* } do_install:append () { diff --git a/poky/meta/recipes-connectivity/kea/files/0001-kea-fix-reproducible-build-failure.patch b/poky/meta/recipes-connectivity/kea/files/0001-kea-fix-reproducible-build-failure.patch new file mode 100644 index 0000000000..8a5bd00302 --- /dev/null +++ b/poky/meta/recipes-connectivity/kea/files/0001-kea-fix-reproducible-build-failure.patch 
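Review bot: `--with-path-uucico=${libexecdir}/uuico` looks like a misspelling of `uucico`. uucpd presumably hands this configured path to its `execl ()` call, so with `uucpd` in the default PACKAGECONFIG the daemon would accept a login and then fail to start the program; I would change the line to `--with-path-uucico=${libexecdir}/uucico \`. Removing `unknown-configure-option` from ERROR_QA for the whole recipe also means a mistyped flag among the `--disable-rsh ... --disable-rexecd` hardening options would no longer be raised as an error, so a comment next to that line saying which options need the exemption would help the next editor.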
@@ -0,0 +1,62 @@ +From f9bcfed5a1d44d9211c5f6eba403a9898c8c9057 Mon Sep 17 00:00:00 2001 +From: Sudip Mukherjee <sudipm.mukherjee@gmail.com> +Date: Tue, 8 Aug 2023 19:03:13 +0100 +Subject: [PATCH] kea: fix reproducible build failure + +New version of Kea has started using path of build-dir instead of +src-dir which results in reproducible builds failure. +Use src-dir as is used in v2.2.0 + +Upstream-Status: Pending +https://gitlab.isc.org/isc-projects/kea/-/issues/3007 + +Upstream has confirmed the patch will not be accepted but discussions +with upstream is still going on, we might have a proper solution later. + +Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com> +--- + src/bin/admin/kea-admin.in | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/bin/admin/kea-admin.in b/src/bin/admin/kea-admin.in +index 034a0ee..8ab11ab 100644 +--- a/src/bin/admin/kea-admin.in ++++ b/src/bin/admin/kea-admin.in +@@ -51,14 +51,14 @@ dump_qry="" + if test -f "@datarootdir@/@PACKAGE_NAME@/scripts/admin-utils.sh"; then + . "@datarootdir@/@PACKAGE_NAME@/scripts/admin-utils.sh" + else +- . "@abs_top_builddir@/src/bin/admin/admin-utils.sh" ++ . "@abs_top_srcdir@/src/bin/admin/admin-utils.sh" + fi + + # Find the installed kea-lfc if available. Fallback to sources otherwise. + if test -x "@sbindir@/kea-lfc"; then + kea_lfc="@sbindir@/kea-lfc" + else +- kea_lfc="@abs_top_builddir@/src/bin/lfc/kea-lfc" ++ kea_lfc="@abs_top_srcdir@/src/bin/lfc/kea-lfc" + fi + + # Prints out usage version. +@@ -355,7 +355,7 @@ mysql_upgrade() { + # Check if there are any files in it + num_files=$(find "${upgrade_scripts_dir}" -name 'upgrade*.sh' -type f | wc -l) + if [ "$num_files" -eq 0 ]; then +- upgrade_scripts_dir=@abs_top_builddir@/src/share/database/scripts/mysql ++ upgrade_scripts_dir=@abs_top_srcdir@/src/share/database/scripts/mysql + + # Check if the scripts directory exists at all. + if [ ! 
-d ${upgrade_scripts_dir} ]; then +@@ -405,7 +405,7 @@ pgsql_upgrade() { + # Check if there are any files in it + num_files=$(find "${upgrade_scripts_dir}" -name 'upgrade*.sh' -type f | wc -l) + if [ "$num_files" -eq 0 ]; then +- upgrade_scripts_dir=@abs_top_builddir@/src/share/database/scripts/pgsql ++ upgrade_scripts_dir=@abs_top_srcdir@/src/share/database/scripts/pgsql + + # Check if the scripts directory exists at all. + if [ ! -d ${upgrade_scripts_dir} ]; then +-- +2.39.2 + diff --git a/poky/meta/recipes-connectivity/kea/kea_2.2.0.bb b/poky/meta/recipes-connectivity/kea/kea_2.4.0.bb index 2c2e5a74dd..316468754e 100644 --- a/poky/meta/recipes-connectivity/kea/kea_2.2.0.bb +++ b/poky/meta/recipes-connectivity/kea/kea_2.4.0.bb @@ -3,7 +3,7 @@ DESCRIPTION = "Kea is the next generation of DHCP software developed by ISC. It HOMEPAGE = "http://kea.isc.org" SECTION = "connectivity" LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://COPYING;md5=97ce14bdd2733f5b84ab5e29380d057d" +LIC_FILES_CHKSUM = "file://COPYING;md5=ea061fa0188838072c4248c1318ec131" DEPENDS = "boost log4cplus openssl" @@ -17,8 +17,9 @@ SRC_URI = "http://ftp.isc.org/isc/kea/${PV}/${BP}.tar.gz \ file://fix-multilib-conflict.patch \ file://fix_pid_keactrl.patch \ file://0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch \ + file://0001-kea-fix-reproducible-build-failure.patch \ " -SRC_URI[sha256sum] = "da7d90ca62a772602dac6e77e507319038422895ad68eeb142f1487d67d531d2" +SRC_URI[sha256sum] = "3a33cd08dc3319ff544e6bbf2c0429042106f4051ebe115dc1bb2625c95003f7" inherit autotools systemd update-rc.d upstream-version-is-even diff --git a/poky/meta/recipes-connectivity/neard/neard_0.18.bb b/poky/meta/recipes-connectivity/neard/neard_0.19.bb index 362a7615b6..a98f436b98 100644 --- a/poky/meta/recipes-connectivity/neard/neard_0.18.bb +++ b/poky/meta/recipes-connectivity/neard/neard_0.19.bb 
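Review bot: The `kea_lfc` fallback now points at `@abs_top_srcdir@/src/bin/lfc/kea-lfc`, but kea-lfc appears to be a build product and the recipe inherits `autotools`, so when the build directory is separate from the source directory that path would not exist. On the target none of the four fallbacks is meaningful, and the installed script still carries an absolute build-host path that it would source or execute if the installed copy were missing. For the packaged script it would be cleaner to fail in the `else` branches, e.g. `echo "admin-utils.sh not found" >&2; exit 1`, which also removes the path from the output. The header says `Upstream-Status: Pending` while the description says upstream will not accept the patch; `Denied` or `Inappropriate [reason]` would describe it more accurately.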
@@ -15,7 +15,7 @@ SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=https;bra file://0001-Add-header-dependency-to-nciattach.o.patch \ " -SRCREV = "c781008d3786e03173f0a0f5dfcc0545c787d7fc" +SRCREV = "a1dc8a75cba999728e154a0f811ab9dd50c809f7" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.3.bb b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.3.bb index e703395cc4..35cf6af6d4 100644 --- a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.3.bb +++ b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.3.bb @@ -84,6 +84,7 @@ CONFFILES:${PN}-client += "${localstatedir}/lib/nfs/etab \ ${sysconfdir}/nfsmount.conf" FILES:${PN}-client = "${sbindir}/*statd \ + ${libdir}/libnfsidmap.so.* \ ${sbindir}/rpc.idmapd ${sbindir}/sm-notify \ ${sbindir}/showmount ${sbindir}/nfsstat \ ${localstatedir}/lib/nfs \ diff --git a/poky/meta/recipes-connectivity/openssh/openssh/0001-openssh-regress-Makefile-print-logs-if-test-fails.patch b/poky/meta/recipes-connectivity/openssh/openssh/0001-openssh-regress-Makefile-print-logs-if-test-fails.patch new file mode 100644 index 0000000000..baa68dc6ff --- /dev/null +++ b/poky/meta/recipes-connectivity/openssh/openssh/0001-openssh-regress-Makefile-print-logs-if-test-fails.patch 
@@ -0,0 +1,34 @@
+From 554f7baed050f89ffc2a7192d3071e8c5420f6d3 Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+Date: Fri, 25 Aug 2023 10:35:28 +0000
+Subject: [PATCH] openssh regress/Makefile: print logs if test fails
+
+Some tests are failing in CI runs and reproduction has failed. Print
+the captured sshd and ssh client logs if test fails. This should
+help to fix the root causes.
+
+Reference: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
+
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+---
+ regress/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/437]
+
+diff --git a/regress/Makefile b/regress/Makefile
+index d80bf59..a972dff 100644
+--- a/regress/Makefile
++++ b/regress/Makefile
+@@ -229,7 +229,7 @@ t-exec: ${LTESTS:=.sh}
+ done; \
+ if [ "x$${skip}" = "xno" ]; then \
+ echo "run test $${TEST}" ... 1>&2; \
+- (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
++ (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || (echo return value: $$?; echo capturing logs; cat *.log; exit 1); \
+ else \
+ echo skip test $${TEST} 1>&2; \
+ fi; \
+--
+2.34.1
+
diff --git a/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch b/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch
deleted file mode 100644
index 4c8aa085f3..0000000000
--- a/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch
+++ /dev/null
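Review bot: In the replacement line the `exit 1` runs inside a `( ... )` subshell, so it ends only that subshell; unlike the original `|| exit $$?` it does not leave the `for` loop. Unless make's shell runs with `-e`, the remaining tests carry on and the recipe's status comes from the last test rather than the failed one, so a failing regress run could report success, and the real exit code is replaced by 1 in any case. A brace group keeps the old behaviour while still printing the logs: `|| { rc=$$?; echo return value: $$rc; echo capturing logs; cat *.log; exit $$rc; }; \`. The `t-exec` recipe begins and ends outside the hunk, so whether the loop's status is checked elsewhere is not visible here.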
@@ -1,994 +0,0 @@ -From 7280401bdd77ca54be6867a154cc01e0d72612e0 Mon Sep 17 00:00:00 2001 -From: Damien Miller <djm@mindrot.org> -Date: Fri, 24 Mar 2023 13:56:25 +1100 -Subject: [PATCH] remove support for old libcrypto - -OpenSSH now requires LibreSSL 3.1.0 or greater or -OpenSSL 1.1.1 or greater - -with/ok dtucker@ - -Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7280401bdd77ca54be6867a154cc01e0d72612e0] -Comment: Hunks are refreshed. -Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com> - ---- - .github/workflows/c-cpp.yml | 7 - - INSTALL | 8 +- - cipher-aes.c | 2 +- - configure.ac | 96 ++--- - openbsd-compat/libressl-api-compat.c | 556 +-------------------------- - openbsd-compat/openssl-compat.h | 151 +------- - 6 files changed, 40 insertions(+), 780 deletions(-) - -diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml -index 3d9aa22dba5..d299a32468d 100644 ---- a/.github/workflows/c-cpp.yml -+++ b/.github/workflows/c-cpp.yml -@@ -47,9 +47,6 @@ jobs: - - { target: ubuntu-20.04, config: tcmalloc } - - { target: ubuntu-20.04, config: musl } - - { target: ubuntu-latest, config: libressl-master } -- - { target: ubuntu-latest, config: libressl-2.2.9 } -- - { target: ubuntu-latest, config: libressl-2.8.3 } -- - { target: ubuntu-latest, config: libressl-3.0.2 } - - { target: ubuntu-latest, config: libressl-3.2.6 } - - { target: ubuntu-latest, config: libressl-3.3.6 } - - { target: ubuntu-latest, config: libressl-3.4.3 } -@@ -58,10 +55,6 @@ jobs: - - { target: ubuntu-latest, config: libressl-3.7.0 } - - { target: ubuntu-latest, config: openssl-master } - - { target: ubuntu-latest, config: openssl-noec } -- - { target: ubuntu-latest, config: openssl-1.0.1 } -- - { target: ubuntu-latest, config: openssl-1.0.1u } -- - { target: ubuntu-latest, config: openssl-1.0.2u } -- - { target: ubuntu-latest, config: openssl-1.1.0h } - - { target: ubuntu-latest, config: openssl-1.1.1 } - - { target: ubuntu-latest, config: openssl-1.1.1k } - 
- { target: ubuntu-latest, config: openssl-1.1.1n } -diff --git a/INSTALL b/INSTALL -index 68b15e13190..f99d1e2a809 100644 ---- a/INSTALL -+++ b/INSTALL -@@ -21,12 +21,8 @@ https://zlib.net/ - - libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto - is supported but severely restricts the available ciphers and algorithms. -- - LibreSSL (https://www.libressl.org/) -- - OpenSSL (https://www.openssl.org) with any of the following versions: -- - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1 -- --Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to --1.1.0g can't be used. -+ - LibreSSL (https://www.libressl.org/) 3.1.0 or greater -+ - OpenSSL (https://www.openssl.org) 1.1.1 or greater - - LibreSSL/OpenSSL should be compiled as a position-independent library - (i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC" -diff --git a/cipher-aes.c b/cipher-aes.c -index 8b101727284..87c763353d8 100644 ---- a/cipher-aes.c -+++ b/cipher-aes.c -@@ -69,7 +69,7 @@ ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, - - static int - ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, -- LIBCRYPTO_EVP_INL_TYPE len) -+ size_t len) - { - struct ssh_rijndael_ctx *c; - u_char buf[RIJNDAEL_BLOCKSIZE]; -diff --git a/configure.ac b/configure.ac -index 22fee70f604..1c0ccdf19c5 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -2802,42 +2802,40 @@ if test "x$openssl" = "xyes" ; then - #include <openssl/crypto.h> - #define DATA "conftest.ssllibver" - ]], [[ -- FILE *fd; -- int rc; -+ FILE *f; - -- fd = fopen(DATA,"w"); -- if(fd == NULL) -+ if ((f = fopen(DATA, "w")) == NULL) - exit(1); --#ifndef OPENSSL_VERSION --# define OPENSSL_VERSION SSLEAY_VERSION --#endif --#ifndef HAVE_OPENSSL_VERSION --# define OpenSSL_version SSLeay_version --#endif --#ifndef HAVE_OPENSSL_VERSION_NUM --# define OpenSSL_version_num SSLeay --#endif -- if ((rc = fprintf(fd, "%08lx (%s)\n", -+ if (fprintf(f, "%08lx (%s)", - 
(unsigned long)OpenSSL_version_num(), -- OpenSSL_version(OPENSSL_VERSION))) < 0) -+ OpenSSL_version(OPENSSL_VERSION)) < 0) -+ exit(1); -+#ifdef LIBRESSL_VERSION_NUMBER -+ if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0) -+ exit(1); -+#endif -+ if (fputc('\n', f) == EOF || fclose(f) == EOF) - exit(1); -- - exit(0); - ]])], - [ -- ssl_library_ver=`cat conftest.ssllibver` -+ sslver=`cat conftest.ssllibver` -+ ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'` - # Check version is supported. -- case "$ssl_library_ver" in -- 10000*|0*) -- AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")]) -- ;; -- 100*) ;; # 1.0.x -- 101000[[0123456]]*) -- # https://github.com/openssl/openssl/pull/4613 -- AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")]) -+ case "$sslver" in -+ 100*|10100*) # 1.0.x, 1.1.0x -+ AC_MSG_ERROR([OpenSSL >= 1.1.1 required (have "$ssl_showver")]) - ;; - 101*) ;; # 1.1.x -- 200*) ;; # LibreSSL -+ 200*) # LibreSSL -+ lver=`echo "$sslver" | sed 's/.*libressl-//'` -+ case "$lver" in -+ 2*|300*) # 2.x, 3.0.0 -+ AC_MSG_ERROR([LibreSSL >= 3.1.0 required (have "$ssl_showver")]) -+ ;; -+ *) ;; # Assume all other versions are good. 
-+ esac -+ ;; - 300*) - # OpenSSL 3; we use the 1.1x API - CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L" -@@ -2847,10 +2845,10 @@ if test "x$openssl" = "xyes" ; then - CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L" - ;; - *) -- AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")]) -+ AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_showver")]) - ;; - esac -- AC_MSG_RESULT([$ssl_library_ver]) -+ AC_MSG_RESULT([$ssl_showver]) - ], - [ - AC_MSG_RESULT([not found]) -@@ -2863,7 +2861,7 @@ if test "x$openssl" = "xyes" ; then - - case "$host" in - x86_64-*) -- case "$ssl_library_ver" in -+ case "$sslver" in - 3000004*) - AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)]) - ;; -@@ -2879,9 +2877,6 @@ if test "x$openssl" = "xyes" ; then - #include <openssl/opensslv.h> - #include <openssl/crypto.h> - ]], [[ --#ifndef HAVE_OPENSSL_VERSION_NUM --# define OpenSSL_version_num SSLeay --#endif - exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 
0 : 1); - ]])], - [ -@@ -2955,44 +2950,13 @@ if test "x$openssl" = "xyes" ; then - ) - ) - -- # LibreSSL/OpenSSL 1.1x API -+ # LibreSSL/OpenSSL API differences - AC_CHECK_FUNCS([ \ -- OPENSSL_init_crypto \ -- DH_get0_key \ -- DH_get0_pqg \ -- DH_set0_key \ -- DH_set_length \ -- DH_set0_pqg \ -- DSA_get0_key \ -- DSA_get0_pqg \ -- DSA_set0_key \ -- DSA_set0_pqg \ -- DSA_SIG_get0 \ -- DSA_SIG_set0 \ -- ECDSA_SIG_get0 \ -- ECDSA_SIG_set0 \ - EVP_CIPHER_CTX_iv \ - EVP_CIPHER_CTX_iv_noconst \ - EVP_CIPHER_CTX_get_iv \ - EVP_CIPHER_CTX_get_updated_iv \ - EVP_CIPHER_CTX_set_iv \ -- RSA_get0_crt_params \ -- RSA_get0_factors \ -- RSA_get0_key \ -- RSA_set0_crt_params \ -- RSA_set0_factors \ -- RSA_set0_key \ -- RSA_meth_free \ -- RSA_meth_dup \ -- RSA_meth_set1_name \ -- RSA_meth_get_finish \ -- RSA_meth_set_priv_enc \ -- RSA_meth_set_priv_dec \ -- RSA_meth_set_finish \ -- EVP_PKEY_get0_RSA \ -- EVP_MD_CTX_new \ -- EVP_MD_CTX_free \ -- EVP_chacha20 \ - ]) - - if test "x$openssl_engine" = "xyes" ; then -@@ -3050,8 +3014,8 @@ if test "x$openssl" = "xyes" ; then - ] - ) - -- # Check for SHA256, SHA384 and SHA512 support in OpenSSL -- AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512]) -+ # Check for various EVP support in OpenSSL -+ AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_chacha20]) - - # Check complete ECC support in OpenSSL - AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) -diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c -index 498180dc894..59be17397c5 100644 ---- a/openbsd-compat/libressl-api-compat.c -+++ b/openbsd-compat/libressl-api-compat.c -@@ -1,129 +1,5 @@ --/* $OpenBSD: dsa_lib.c,v 1.29 2018/04/14 07:09:21 tb Exp $ */ --/* $OpenBSD: rsa_lib.c,v 1.37 2018/04/14 07:09:21 tb Exp $ */ --/* $OpenBSD: evp_lib.c,v 1.17 2018/09/12 06:35:38 djm Exp $ */ --/* $OpenBSD: dh_lib.c,v 1.32 2018/05/02 15:48:38 tb Exp $ */ --/* $OpenBSD: p_lib.c,v 1.24 2018/05/30 15:40:50 tb Exp $ */ --/* $OpenBSD: digest.c,v 1.30 
2018/04/14 07:09:21 tb Exp $ */ --/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) -- * All rights reserved. -- * -- * This package is an SSL implementation written -- * by Eric Young (eay@cryptsoft.com). -- * The implementation was written so as to conform with Netscapes SSL. -- * -- * This library is free for commercial and non-commercial use as long as -- * the following conditions are aheared to. The following conditions -- * apply to all code found in this distribution, be it the RC4, RSA, -- * lhash, DES, etc., code; not just the SSL code. The SSL documentation -- * included with this distribution is covered by the same copyright terms -- * except that the holder is Tim Hudson (tjh@cryptsoft.com). -- * -- * Copyright remains Eric Young's, and as such any Copyright notices in -- * the code are not to be removed. -- * If this package is used in a product, Eric Young should be given attribution -- * as the author of the parts of the library used. -- * This can be in the form of a textual message at program startup or -- * in documentation (online or textual) provided with the package. -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions -- * are met: -- * 1. Redistributions of source code must retain the copyright -- * notice, this list of conditions and the following disclaimer. -- * 2. Redistributions in binary form must reproduce the above copyright -- * notice, this list of conditions and the following disclaimer in the -- * documentation and/or other materials provided with the distribution. -- * 3. All advertising materials mentioning features or use of this software -- * must display the following acknowledgement: -- * "This product includes cryptographic software written by -- * Eric Young (eay@cryptsoft.com)" -- * The word 'cryptographic' can be left out if the rouines from the library -- * being used are not cryptographic related :-). -- * 4. 
If you include any Windows specific code (or a derivative thereof) from -- * the apps directory (application code) you must include an acknowledgement: -- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -- * -- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -- * SUCH DAMAGE. -- * -- * The licence and distribution terms for any publically available version or -- * derivative of this code cannot be changed. i.e. this code cannot simply be -- * copied and put under another distribution licence -- * [including the GNU Public Licence.] -- */ -- --/* $OpenBSD: dsa_asn1.c,v 1.22 2018/06/14 17:03:19 jsing Exp $ */ --/* $OpenBSD: ecs_asn1.c,v 1.9 2018/03/17 15:24:44 tb Exp $ */ --/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */ --/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -- * project 2000. -- */ --/* ==================================================================== -- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions -- * are met: -- * -- * 1. 
Redistributions of source code must retain the above copyright -- * notice, this list of conditions and the following disclaimer. -- * -- * 2. Redistributions in binary form must reproduce the above copyright -- * notice, this list of conditions and the following disclaimer in -- * the documentation and/or other materials provided with the -- * distribution. -- * -- * 3. All advertising materials mentioning features or use of this -- * software must display the following acknowledgment: -- * "This product includes software developed by the OpenSSL Project -- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -- * -- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -- * endorse or promote products derived from this software without -- * prior written permission. For written permission, please contact -- * licensing@OpenSSL.org. -- * -- * 5. Products derived from this software may not be called "OpenSSL" -- * nor may "OpenSSL" appear in their names without prior written -- * permission of the OpenSSL Project. -- * -- * 6. Redistributions of any form whatsoever must retain the following -- * acknowledgment: -- * "This product includes software developed by the OpenSSL Project -- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -- * -- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -- * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -- * OF THE POSSIBILITY OF SUCH DAMAGE. -- * ==================================================================== -- * -- * This product includes cryptographic software written by Eric Young -- * (eay@cryptsoft.com). This product includes software written by Tim -- * Hudson (tjh@cryptsoft.com). -- * -- */ -- --/* $OpenBSD: rsa_meth.c,v 1.2 2018/09/12 06:35:38 djm Exp $ */ - /* -- * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> -+ * Copyright (c) 2018 Damien Miller <djm@mindrot.org> - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above -@@ -147,192 +23,7 @@ - #include <stdlib.h> - #include <string.h> - --#include <openssl/err.h> --#include <openssl/bn.h> --#include <openssl/dsa.h> --#include <openssl/rsa.h> - #include <openssl/evp.h> --#ifdef OPENSSL_HAS_ECC --#include <openssl/ecdsa.h> --#endif --#include <openssl/dh.h> -- --#ifndef HAVE_DSA_GET0_PQG --void --DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) --{ -- if (p != NULL) -- *p = d->p; -- if (q != NULL) -- *q = d->q; -- if (g != NULL) -- *g = d->g; --} --#endif /* HAVE_DSA_GET0_PQG */ -- --#ifndef HAVE_DSA_SET0_PQG --int --DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) --{ -- if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) || -- (d->g == NULL && g == NULL)) -- return 0; -- -- if (p != NULL) { -- BN_free(d->p); -- d->p = p; -- } -- if (q != NULL) { 
-- BN_free(d->q); -- d->q = q; -- } -- if (g != NULL) { -- BN_free(d->g); -- d->g = g; -- } -- -- return 1; --} --#endif /* HAVE_DSA_SET0_PQG */ -- --#ifndef HAVE_DSA_GET0_KEY --void --DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) --{ -- if (pub_key != NULL) -- *pub_key = d->pub_key; -- if (priv_key != NULL) -- *priv_key = d->priv_key; --} --#endif /* HAVE_DSA_GET0_KEY */ -- --#ifndef HAVE_DSA_SET0_KEY --int --DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) --{ -- if (d->pub_key == NULL && pub_key == NULL) -- return 0; -- -- if (pub_key != NULL) { -- BN_free(d->pub_key); -- d->pub_key = pub_key; -- } -- if (priv_key != NULL) { -- BN_free(d->priv_key); -- d->priv_key = priv_key; -- } -- -- return 1; --} --#endif /* HAVE_DSA_SET0_KEY */ -- --#ifndef HAVE_RSA_GET0_KEY --void --RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) --{ -- if (n != NULL) -- *n = r->n; -- if (e != NULL) -- *e = r->e; -- if (d != NULL) -- *d = r->d; --} --#endif /* HAVE_RSA_GET0_KEY */ -- --#ifndef HAVE_RSA_SET0_KEY --int --RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) --{ -- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) -- return 0; -- -- if (n != NULL) { -- BN_free(r->n); -- r->n = n; -- } -- if (e != NULL) { -- BN_free(r->e); -- r->e = e; -- } -- if (d != NULL) { -- BN_free(r->d); -- r->d = d; -- } -- -- return 1; --} --#endif /* HAVE_RSA_SET0_KEY */ -- --#ifndef HAVE_RSA_GET0_CRT_PARAMS --void --RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, -- const BIGNUM **iqmp) --{ -- if (dmp1 != NULL) -- *dmp1 = r->dmp1; -- if (dmq1 != NULL) -- *dmq1 = r->dmq1; -- if (iqmp != NULL) -- *iqmp = r->iqmp; --} --#endif /* HAVE_RSA_GET0_CRT_PARAMS */ -- --#ifndef HAVE_RSA_SET0_CRT_PARAMS --int --RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) --{ -- if ((r->dmp1 == NULL && dmp1 == NULL) || -- (r->dmq1 == NULL && dmq1 == NULL) || -- (r->iqmp == NULL && iqmp == 
NULL)) -- return 0; -- -- if (dmp1 != NULL) { -- BN_free(r->dmp1); -- r->dmp1 = dmp1; -- } -- if (dmq1 != NULL) { -- BN_free(r->dmq1); -- r->dmq1 = dmq1; -- } -- if (iqmp != NULL) { -- BN_free(r->iqmp); -- r->iqmp = iqmp; -- } -- -- return 1; --} --#endif /* HAVE_RSA_SET0_CRT_PARAMS */ -- --#ifndef HAVE_RSA_GET0_FACTORS --void --RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) --{ -- if (p != NULL) -- *p = r->p; -- if (q != NULL) -- *q = r->q; --} --#endif /* HAVE_RSA_GET0_FACTORS */ -- --#ifndef HAVE_RSA_SET0_FACTORS --int --RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) --{ -- if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) -- return 0; -- -- if (p != NULL) { -- BN_free(r->p); -- r->p = p; -- } -- if (q != NULL) { -- BN_free(r->q); -- r->q = q; -- } -- -- return 1; --} --#endif /* HAVE_RSA_SET0_FACTORS */ - - #ifndef HAVE_EVP_CIPHER_CTX_GET_IV - int -@@ -392,249 +83,4 @@ EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len) - } - #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */ - --#ifndef HAVE_DSA_SIG_GET0 --void --DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) --{ -- if (pr != NULL) -- *pr = sig->r; -- if (ps != NULL) -- *ps = sig->s; --} --#endif /* HAVE_DSA_SIG_GET0 */ -- --#ifndef HAVE_DSA_SIG_SET0 --int --DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) --{ -- if (r == NULL || s == NULL) -- return 0; -- -- BN_clear_free(sig->r); -- sig->r = r; -- BN_clear_free(sig->s); -- sig->s = s; -- -- return 1; --} --#endif /* HAVE_DSA_SIG_SET0 */ -- --#ifdef OPENSSL_HAS_ECC --#ifndef HAVE_ECDSA_SIG_GET0 --void --ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) --{ -- if (pr != NULL) -- *pr = sig->r; -- if (ps != NULL) -- *ps = sig->s; --} --#endif /* HAVE_ECDSA_SIG_GET0 */ -- --#ifndef HAVE_ECDSA_SIG_SET0 --int --ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) --{ -- if (r == NULL || s == NULL) -- return 0; -- -- BN_clear_free(sig->r); -- BN_clear_free(sig->s); -- 
sig->r = r; -- sig->s = s; -- return 1; --} --#endif /* HAVE_ECDSA_SIG_SET0 */ --#endif /* OPENSSL_HAS_ECC */ -- --#ifndef HAVE_DH_GET0_PQG --void --DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) --{ -- if (p != NULL) -- *p = dh->p; -- if (q != NULL) -- *q = dh->q; -- if (g != NULL) -- *g = dh->g; --} --#endif /* HAVE_DH_GET0_PQG */ -- --#ifndef HAVE_DH_SET0_PQG --int --DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) --{ -- if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) -- return 0; -- -- if (p != NULL) { -- BN_free(dh->p); -- dh->p = p; -- } -- if (q != NULL) { -- BN_free(dh->q); -- dh->q = q; -- } -- if (g != NULL) { -- BN_free(dh->g); -- dh->g = g; -- } -- -- return 1; --} --#endif /* HAVE_DH_SET0_PQG */ -- --#ifndef HAVE_DH_GET0_KEY --void --DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) --{ -- if (pub_key != NULL) -- *pub_key = dh->pub_key; -- if (priv_key != NULL) -- *priv_key = dh->priv_key; --} --#endif /* HAVE_DH_GET0_KEY */ -- --#ifndef HAVE_DH_SET0_KEY --int --DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) --{ -- if (pub_key != NULL) { -- BN_free(dh->pub_key); -- dh->pub_key = pub_key; -- } -- if (priv_key != NULL) { -- BN_free(dh->priv_key); -- dh->priv_key = priv_key; -- } -- -- return 1; --} --#endif /* HAVE_DH_SET0_KEY */ -- --#ifndef HAVE_DH_SET_LENGTH --int --DH_set_length(DH *dh, long length) --{ -- if (length < 0 || length > INT_MAX) -- return 0; -- -- dh->length = length; -- return 1; --} --#endif /* HAVE_DH_SET_LENGTH */ -- --#ifndef HAVE_RSA_METH_FREE --void --RSA_meth_free(RSA_METHOD *meth) --{ -- if (meth != NULL) { -- free((char *)meth->name); -- free(meth); -- } --} --#endif /* HAVE_RSA_METH_FREE */ -- --#ifndef HAVE_RSA_METH_DUP --RSA_METHOD * --RSA_meth_dup(const RSA_METHOD *meth) --{ -- RSA_METHOD *copy; -- -- if ((copy = calloc(1, sizeof(*copy))) == NULL) -- return NULL; -- memcpy(copy, meth, sizeof(*copy)); -- if ((copy->name = 
strdup(meth->name)) == NULL) { -- free(copy); -- return NULL; -- } -- -- return copy; --} --#endif /* HAVE_RSA_METH_DUP */ -- --#ifndef HAVE_RSA_METH_SET1_NAME --int --RSA_meth_set1_name(RSA_METHOD *meth, const char *name) --{ -- char *copy; -- -- if ((copy = strdup(name)) == NULL) -- return 0; -- free((char *)meth->name); -- meth->name = copy; -- return 1; --} --#endif /* HAVE_RSA_METH_SET1_NAME */ -- --#ifndef HAVE_RSA_METH_GET_FINISH --int --(*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa) --{ -- return meth->finish; --} --#endif /* HAVE_RSA_METH_GET_FINISH */ -- --#ifndef HAVE_RSA_METH_SET_PRIV_ENC --int --RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, -- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) --{ -- meth->rsa_priv_enc = priv_enc; -- return 1; --} --#endif /* HAVE_RSA_METH_SET_PRIV_ENC */ -- --#ifndef HAVE_RSA_METH_SET_PRIV_DEC --int --RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen, -- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) --{ -- meth->rsa_priv_dec = priv_dec; -- return 1; --} --#endif /* HAVE_RSA_METH_SET_PRIV_DEC */ -- --#ifndef HAVE_RSA_METH_SET_FINISH --int --RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)) --{ -- meth->finish = finish; -- return 1; --} --#endif /* HAVE_RSA_METH_SET_FINISH */ -- --#ifndef HAVE_EVP_PKEY_GET0_RSA --RSA * --EVP_PKEY_get0_RSA(EVP_PKEY *pkey) --{ -- if (pkey->type != EVP_PKEY_RSA) { -- /* EVPerror(EVP_R_EXPECTING_AN_RSA_KEY); */ -- return NULL; -- } -- return pkey->pkey.rsa; --} --#endif /* HAVE_EVP_PKEY_GET0_RSA */ -- --#ifndef HAVE_EVP_MD_CTX_NEW --EVP_MD_CTX * --EVP_MD_CTX_new(void) --{ -- return calloc(1, sizeof(EVP_MD_CTX)); --} --#endif /* HAVE_EVP_MD_CTX_NEW */ -- --#ifndef HAVE_EVP_MD_CTX_FREE --void --EVP_MD_CTX_free(EVP_MD_CTX *ctx) --{ -- if (ctx == NULL) -- return; -- -- EVP_MD_CTX_cleanup(ctx); -- -- free(ctx); --} --#endif /* HAVE_EVP_MD_CTX_FREE */ -- - #endif /* WITH_OPENSSL */ -diff --git 
a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h -index 61a69dd56eb..d0dd2c3450d 100644 ---- a/openbsd-compat/openssl-compat.h -+++ b/openbsd-compat/openssl-compat.h -@@ -33,26 +33,13 @@ - int ssh_compatible_openssl(long, long); - void ssh_libcrypto_init(void); - --#if (OPENSSL_VERSION_NUMBER < 0x1000100fL) --# error OpenSSL 1.0.1 or greater is required -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) -+# error OpenSSL 1.1.0 or greater is required - #endif -- --#ifndef OPENSSL_VERSION --# define OPENSSL_VERSION SSLEAY_VERSION --#endif -- --#ifndef HAVE_OPENSSL_VERSION --# define OpenSSL_version(x) SSLeay_version(x) --#endif -- --#ifndef HAVE_OPENSSL_VERSION_NUM --# define OpenSSL_version_num SSLeay --#endif -- --#if OPENSSL_VERSION_NUMBER < 0x10000001L --# define LIBCRYPTO_EVP_INL_TYPE unsigned int --#else --# define LIBCRYPTO_EVP_INL_TYPE size_t -+#ifdef LIBRESSL_VERSION_NUMBER -+# if LIBRESSL_VERSION_NUMBER < 0x3010000fL -+# error LibreSSL 3.1.0 or greater is required -+# endif - #endif - - #ifndef OPENSSL_RSA_MAX_MODULUS_BITS -@@ -68,25 +55,6 @@ void ssh_libcrypto_init(void); - # endif - #endif - --/* LibreSSL/OpenSSL 1.1x API compat */ --#ifndef HAVE_DSA_GET0_PQG --void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, -- const BIGNUM **g); --#endif /* HAVE_DSA_GET0_PQG */ -- --#ifndef HAVE_DSA_SET0_PQG --int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g); --#endif /* HAVE_DSA_SET0_PQG */ -- --#ifndef HAVE_DSA_GET0_KEY --void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, -- const BIGNUM **priv_key); --#endif /* HAVE_DSA_GET0_KEY */ -- --#ifndef HAVE_DSA_SET0_KEY --int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key); --#endif /* HAVE_DSA_SET0_KEY */ -- - #ifndef HAVE_EVP_CIPHER_CTX_GET_IV - # ifdef HAVE_EVP_CIPHER_CTX_GET_UPDATED_IV - # define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv -@@ -101,112 +69,5 @@ int EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, - const unsigned char *iv, size_t len); - #endif /* 
HAVE_EVP_CIPHER_CTX_SET_IV */ - --#ifndef HAVE_RSA_GET0_KEY --void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, -- const BIGNUM **d); --#endif /* HAVE_RSA_GET0_KEY */ -- --#ifndef HAVE_RSA_SET0_KEY --int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); --#endif /* HAVE_RSA_SET0_KEY */ -- --#ifndef HAVE_RSA_GET0_CRT_PARAMS --void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, -- const BIGNUM **iqmp); --#endif /* HAVE_RSA_GET0_CRT_PARAMS */ -- --#ifndef HAVE_RSA_SET0_CRT_PARAMS --int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); --#endif /* HAVE_RSA_SET0_CRT_PARAMS */ -- --#ifndef HAVE_RSA_GET0_FACTORS --void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); --#endif /* HAVE_RSA_GET0_FACTORS */ -- --#ifndef HAVE_RSA_SET0_FACTORS --int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); --#endif /* HAVE_RSA_SET0_FACTORS */ -- --#ifndef DSA_SIG_GET0 --void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); --#endif /* DSA_SIG_GET0 */ -- --#ifndef DSA_SIG_SET0 --int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); --#endif /* DSA_SIG_SET0 */ -- --#ifdef OPENSSL_HAS_ECC --#ifndef HAVE_ECDSA_SIG_GET0 --void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); --#endif /* HAVE_ECDSA_SIG_GET0 */ -- --#ifndef HAVE_ECDSA_SIG_SET0 --int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); --#endif /* HAVE_ECDSA_SIG_SET0 */ --#endif /* OPENSSL_HAS_ECC */ -- --#ifndef HAVE_DH_GET0_PQG --void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, -- const BIGNUM **g); --#endif /* HAVE_DH_GET0_PQG */ -- --#ifndef HAVE_DH_SET0_PQG --int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); --#endif /* HAVE_DH_SET0_PQG */ -- --#ifndef HAVE_DH_GET0_KEY --void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); --#endif /* HAVE_DH_GET0_KEY */ -- --#ifndef HAVE_DH_SET0_KEY --int DH_set0_key(DH *dh, BIGNUM *pub_key, 
BIGNUM *priv_key); --#endif /* HAVE_DH_SET0_KEY */ -- --#ifndef HAVE_DH_SET_LENGTH --int DH_set_length(DH *dh, long length); --#endif /* HAVE_DH_SET_LENGTH */ -- --#ifndef HAVE_RSA_METH_FREE --void RSA_meth_free(RSA_METHOD *meth); --#endif /* HAVE_RSA_METH_FREE */ -- --#ifndef HAVE_RSA_METH_DUP --RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); --#endif /* HAVE_RSA_METH_DUP */ -- --#ifndef HAVE_RSA_METH_SET1_NAME --int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); --#endif /* HAVE_RSA_METH_SET1_NAME */ -- --#ifndef HAVE_RSA_METH_GET_FINISH --int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa); --#endif /* HAVE_RSA_METH_GET_FINISH */ -- --#ifndef HAVE_RSA_METH_SET_PRIV_ENC --int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, -- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); --#endif /* HAVE_RSA_METH_SET_PRIV_ENC */ -- --#ifndef HAVE_RSA_METH_SET_PRIV_DEC --int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen, -- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); --#endif /* HAVE_RSA_METH_SET_PRIV_DEC */ -- --#ifndef HAVE_RSA_METH_SET_FINISH --int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)); --#endif /* HAVE_RSA_METH_SET_FINISH */ -- --#ifndef HAVE_EVP_PKEY_GET0_RSA --RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); --#endif /* HAVE_EVP_PKEY_GET0_RSA */ -- --#ifndef HAVE_EVP_MD_CTX_new --EVP_MD_CTX *EVP_MD_CTX_new(void); --#endif /* HAVE_EVP_MD_CTX_new */ -- --#ifndef HAVE_EVP_MD_CTX_free --void EVP_MD_CTX_free(EVP_MD_CTX *ctx); --#endif /* HAVE_EVP_MD_CTX_free */ -- - #endif /* WITH_OPENSSL */ - #endif /* _OPENSSL_COMPAT_H */ diff --git a/poky/meta/recipes-connectivity/openssh/openssh_9.3p2.bb b/poky/meta/recipes-connectivity/openssh/openssh_9.4p1.bb index 5fb2dccdfc..2c85780e4d 100644 --- a/poky/meta/recipes-connectivity/openssh/openssh_9.3p2.bb +++ b/poky/meta/recipes-connectivity/openssh/openssh_9.4p1.bb 
@@ -24,9 +24,9 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ file://sshd_check_keys \ file://add-test-support-for-busybox.patch \ - file://7280401bdd77ca54be6867a154cc01e0d72612e0.patch \ + file://0001-openssh-regress-Makefile-print-logs-if-test-fails.patch \ " -SRC_URI[sha256sum] = "200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8" +SRC_URI[sha256sum] = "3608fd9088db2163ceb3e600c85ab79d0de3d221e59192ea1923e23263866a85" CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here." diff --git a/poky/meta/recipes-connectivity/openssl/openssl_3.1.1.bb b/poky/meta/recipes-connectivity/openssl/openssl_3.1.2.bb index c2a7173c84..3f77c218c8 100644 --- a/poky/meta/recipes-connectivity/openssl/openssl_3.1.1.bb +++ b/poky/meta/recipes-connectivity/openssl/openssl_3.1.2.bb @@ -18,9 +18,9 @@ SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674" +SRC_URI[sha256sum] = "a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539" -inherit lib_package multilib_header multilib_script ptest perlnative +inherit lib_package multilib_header multilib_script ptest perlnative manpages MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" PACKAGECONFIG ?= "" @@ -30,6 +30,7 @@ PACKAGECONFIG:class-nativesdk = "" PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module" PACKAGECONFIG[no-tls1] = "no-tls1" PACKAGECONFIG[no-tls1_1] = "no-tls1_1" +PACKAGECONFIG[manpages] = "" B = "${WORKDIR}/build" do_configure[cleandirs] = "${B}" 
@@ -145,7 +146,7 @@ do_configure () { } do_install () { - oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install + oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} oe_multilib_header openssl/opensslconf.h oe_multilib_header openssl/configuration.h |
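Review bot: The rewritten `oe_runmake` line in `do_install` carries no comment saying why the single `install` target was split into `install_sw install_ssldirs` plus a conditional `install_docs`, and the empty `PACKAGECONFIG[manpages] = ""` flag added in the `@@ -30,6 +30,7 @@` hunk is unexplained as well. A comment above the call would do, for example `# install_docs is only run when the manpages PACKAGECONFIG is set; install_sw and install_ssldirs install everything else`. Presumably the empty flag exists only so the inline `bb.utils.contains('PACKAGECONFIG', 'manpages', ...)` test and the inherited `manpages` class have something to key on; a one-line comment next to it would confirm that. The body of `do_install` continues outside the hunk.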