Diffstat (limited to 'poky/meta/recipes-core')
28 files changed, 902 insertions, 123 deletions
diff --git a/poky/meta/recipes-core/busybox/busybox-inittab_1.36.0.bb b/poky/meta/recipes-core/busybox/busybox-inittab_1.36.1.bb index 868d7a230f..868d7a230f 100644 --- a/poky/meta/recipes-core/busybox/busybox-inittab_1.36.0.bb +++ b/poky/meta/recipes-core/busybox/busybox-inittab_1.36.1.bb diff --git a/poky/meta/recipes-core/busybox/busybox_1.36.0.bb b/poky/meta/recipes-core/busybox/busybox_1.36.1.bb index 8014a5c7bf..968dce65e4 100644 --- a/poky/meta/recipes-core/busybox/busybox_1.36.0.bb +++ b/poky/meta/recipes-core/busybox/busybox_1.36.1.bb @@ -53,4 +53,4 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ SRC_URI:append:libc-musl = " file://musl.cfg " # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html SRC_URI:append:x86 = " file://sha_accel.cfg" -SRC_URI[tarball.sha256sum] = "542750c8af7cb2630e201780b4f99f3dcceeb06f505b479ec68241c1e6af61a5" +SRC_URI[tarball.sha256sum] = "b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314" diff --git a/poky/meta/recipes-core/dbus/dbus_1.14.6.bb b/poky/meta/recipes-core/dbus/dbus_1.14.8.bb index da25155773..b6c245d40b 100644 --- a/poky/meta/recipes-core/dbus/dbus_1.14.6.bb +++ b/poky/meta/recipes-core/dbus/dbus_1.14.8.bb @@ -16,7 +16,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \ file://dbus-1.init \ " -SRC_URI[sha256sum] = "fd2bdf1bb89dc365a46531bff631536f22b0d1c6d5ce2c5c5e59b55265b3d66b" +SRC_URI[sha256sum] = "a6bd5bac5cf19f0c3c594bdae2565a095696980a683a0ef37cb6212e093bde35" EXTRA_OECONF = "--disable-xml-docs \ --disable-doxygen-docs \ diff --git a/poky/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch b/poky/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch new file mode 100644 index 0000000000..932503e507 --- /dev/null +++ b/poky/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch 
@@ -0,0 +1,144 @@ +From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001 +From: czurnieden <czurnieden@gmx.de> +Date: Fri, 8 Sep 2023 05:01:00 +0000 +Subject: [PATCH] Fix possible integer overflow + +CVE: CVE-2023-36328 + +Upstream-Status: Backport [https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + libtommath/bn_mp_2expt.c | 4 ++++ + libtommath/bn_mp_grow.c | 4 ++++ + libtommath/bn_mp_init_size.c | 5 +++++ + libtommath/bn_mp_mul_2d.c | 4 ++++ + libtommath/bn_s_mp_mul_digs.c | 4 ++++ + libtommath/bn_s_mp_mul_digs_fast.c | 4 ++++ + libtommath/bn_s_mp_mul_high_digs.c | 4 ++++ + libtommath/bn_s_mp_mul_high_digs_fast.c | 4 ++++ + 8 files changed, 33 insertions(+) + +diff --git a/libtommath/bn_mp_2expt.c b/libtommath/bn_mp_2expt.c +index 0ae3df1..ca6fbc3 100644 +--- a/libtommath/bn_mp_2expt.c ++++ b/libtommath/bn_mp_2expt.c +@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b) + { + mp_err err; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ + /* zero a as per default */ + mp_zero(a); + +diff --git a/libtommath/bn_mp_grow.c b/libtommath/bn_mp_grow.c +index 9e904c5..b9321f7 100644 +--- a/libtommath/bn_mp_grow.c ++++ b/libtommath/bn_mp_grow.c +@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size) + int i; + mp_digit *tmp; + ++ if (size < 0) { ++ return MP_VAL; ++ } ++ + /* if the alloc size is smaller alloc more ram */ + if (a->alloc < size) { + /* reallocate the array a->dp +diff --git a/libtommath/bn_mp_init_size.c b/libtommath/bn_mp_init_size.c +index d622687..5fefa96 100644 +--- a/libtommath/bn_mp_init_size.c ++++ b/libtommath/bn_mp_init_size.c +@@ -6,6 +6,11 @@ + /* init an mp_init for a given size */ + mp_err mp_init_size(mp_int *a, int size) + { ++ ++ if (size < 0) { ++ return MP_VAL; ++ } ++ + size = MP_MAX(MP_MIN_PREC, size); + + /* alloc mem */ +diff --git a/libtommath/bn_mp_mul_2d.c b/libtommath/bn_mp_mul_2d.c +index 87354de..2744163 100644 +--- 
a/libtommath/bn_mp_mul_2d.c ++++ b/libtommath/bn_mp_mul_2d.c +@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c) + mp_digit d; + mp_err err; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ + /* copy */ + if (a != c) { + if ((err = mp_copy(a, c)) != MP_OKAY) { +diff --git a/libtommath/bn_s_mp_mul_digs.c b/libtommath/bn_s_mp_mul_digs.c +index 64509d4..2d2f5b0 100644 +--- a/libtommath/bn_s_mp_mul_digs.c ++++ b/libtommath/bn_s_mp_mul_digs.c +@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_word r; + mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* can we use the fast multiplier? */ + if ((digs < MP_WARRAY) && + (MP_MIN(a->used, b->used) < MP_MAXFAST)) { +diff --git a/libtommath/bn_s_mp_mul_digs_fast.c b/libtommath/bn_s_mp_mul_digs_fast.c +index b2a287b..d6dd3cc 100644 +--- a/libtommath/bn_s_mp_mul_digs_fast.c ++++ b/libtommath/bn_s_mp_mul_digs_fast.c +@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_digit W[MP_WARRAY]; + mp_word _W; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* grow the destination as required */ + if (c->alloc < digs) { + if ((err = mp_grow(c, digs)) != MP_OKAY) { +diff --git a/libtommath/bn_s_mp_mul_high_digs.c b/libtommath/bn_s_mp_mul_high_digs.c +index 2bb2a50..860ebcb 100644 +--- a/libtommath/bn_s_mp_mul_high_digs.c ++++ b/libtommath/bn_s_mp_mul_high_digs.c +@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_word r; + mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* can we use the fast multiplier? 
*/ + if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST) + && ((a->used + b->used + 1) < MP_WARRAY) +diff --git a/libtommath/bn_s_mp_mul_high_digs_fast.c b/libtommath/bn_s_mp_mul_high_digs_fast.c +index a2c4fb6..afe3e4b 100644 +--- a/libtommath/bn_s_mp_mul_high_digs_fast.c ++++ b/libtommath/bn_s_mp_mul_high_digs_fast.c +@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int + mp_digit W[MP_WARRAY]; + mp_word _W; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* grow the destination as required */ + pa = a->used + b->used; + if (c->alloc < pa) { +-- +2.35.5 diff --git a/poky/meta/recipes-core/dropbear/dropbear_2022.83.bb b/poky/meta/recipes-core/dropbear/dropbear_2022.83.bb index 0c7a8f4caa..12ac732f58 100644 --- a/poky/meta/recipes-core/dropbear/dropbear_2022.83.bb +++ b/poky/meta/recipes-core/dropbear/dropbear_2022.83.bb @@ -21,6 +21,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ file://dropbear.default \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \ + file://CVE-2023-36328.patch \ " SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b" diff --git a/poky/meta/recipes-core/ell/ell_0.56.bb b/poky/meta/recipes-core/ell/ell_0.57.bb index 0ace622835..09a0831fbe 100644 --- a/poky/meta/recipes-core/ell/ell_0.56.bb +++ b/poky/meta/recipes-core/ell/ell_0.57.bb @@ -15,7 +15,7 @@ DEPENDS = "dbus" inherit autotools pkgconfig SRC_URI = "https://mirrors.edge.kernel.org/pub/linux/libs/${BPN}/${BPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "58eb8b2b64087f7479d5db6a830a0656c536d93e5f11d4c9a4443ce8760a1b63" +SRC_URI[sha256sum] = "7603928ee584b758ca27c67e4dc513049a09b038d7d28459a9440f8443c91018" do_configure:prepend () { mkdir -p ${S}/build-aux 
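Review bot: The guards in CVE-2023-36328.patch test only the sign of the count (`if (digs < 0) { return MP_VAL; }`), so in s_mp_mul_high_digs_fast the value that sizes the destination, `pa = a->used + b->used;`, is still an unchecked `int` sum. The same holds for `(a->used + b->used + 1) < MP_WARRAY` in s_mp_mul_high_digs. A sign test only catches a count that had already wrapped before the call, and signed overflow is undefined in C, so each guard would benefit from a short comment such as `/* reject a count that went negative in the caller */`. Whether `used` can grow large enough for these sums to wrap is not visible here, because every function body continues outside its hunk.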
diff --git a/poky/meta/recipes-core/glib-networking/glib-networking/eagain.patch b/poky/meta/recipes-core/glib-networking/glib-networking/eagain.patch index ac6592ffef..ee5b6a7beb 100644 --- a/poky/meta/recipes-core/glib-networking/glib-networking/eagain.patch +++ b/poky/meta/recipes-core/glib-networking/glib-networking/eagain.patch @@ -21,7 +21,7 @@ Index: glib-networking-2.74.0/tls/tests/connection.c MIN (TEST_DATA_LENGTH / 2, TEST_DATA_LENGTH - test->nread), NULL, &error); + -+ if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_BUSY)) ++ if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK)) + continue; + g_assert_no_error (error); diff --git a/poky/meta/recipes-core/glibc/glibc-locale.inc b/poky/meta/recipes-core/glibc/glibc-locale.inc index 760de9437b..289f58d4df 100644 --- a/poky/meta/recipes-core/glibc/glibc-locale.inc +++ b/poky/meta/recipes-core/glibc/glibc-locale.inc 
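Review bot: The retry path in eagain.patch still executes `continue` with `error` set, so the next read would be entered with a non-NULL `GError` and the previous one leaked; GLib expects `*error` to be NULL on entry. I would clear it before retrying: `if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK)) { g_clear_error (&error); continue; }`. The enclosing loop is outside the hunk, so confirm that nothing else resets `error` before the next iteration.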
@@ -37,22 +37,22 @@ PACKAGES_DYNAMIC = "^locale-base-.* \ # Create a glibc-binaries package ALLOW_EMPTY:${BPN}-binaries = "1" PACKAGES += "${BPN}-binaries" -RRECOMMENDS:${BPN}-binaries = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-binary") != -1])}" +RRECOMMENDS:${BPN}-binaries = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-binary-") != -1])}" # Create a glibc-charmaps package ALLOW_EMPTY:${BPN}-charmaps = "1" PACKAGES += "${BPN}-charmaps" -RRECOMMENDS:${BPN}-charmaps = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-charmap") != -1])}" +RRECOMMENDS:${BPN}-charmaps = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-charmap-") != -1])}" # Create a glibc-gconvs package ALLOW_EMPTY:${BPN}-gconvs = "1" PACKAGES += "${BPN}-gconvs" -RRECOMMENDS:${BPN}-gconvs = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-gconv") != -1])}" +RRECOMMENDS:${BPN}-gconvs = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-gconv-") != -1])}" # Create a glibc-localedatas package ALLOW_EMPTY:${BPN}-localedatas = "1" PACKAGES += "${BPN}-localedatas" -RRECOMMENDS:${BPN}-localedatas = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-localedata") != -1])}" +RRECOMMENDS:${BPN}-localedatas = "${@" ".join([p for p in d.getVar('PACKAGES').split() if p.find("glibc-localedata-") != -1])}" DESCRIPTION:localedef = "glibc: compile locale definition files" diff --git a/poky/meta/recipes-core/glibc/glibc-testsuite_2.37.bb b/poky/meta/recipes-core/glibc/glibc-testsuite_2.37.bb index e8ad2a938b..2e076f4b0f 100644 --- a/poky/meta/recipes-core/glibc/glibc-testsuite_2.37.bb +++ b/poky/meta/recipes-core/glibc/glibc-testsuite_2.37.bb @@ -16,6 +16,7 @@ TOOLCHAIN_TEST_HOST_USER ??= "root" TOOLCHAIN_TEST_HOST_PORT ??= "2222" do_check[nostamp] = "1" +do_check[network] = "1" do_check:append () { chmod 0755 ${WORKDIR}/check-test-wrapper 
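Review bot: `do_check[network] = "1"` in glibc-testsuite_2.37.bb gives the task network access without saying why. A one-line comment above it would help the next reader, for example `# do_check runs the tests on the TOOLCHAIN_TEST_HOST_* target over ssh, so the task needs network access`. That reason is inferred from the `TOOLCHAIN_TEST_HOST_USER` and `TOOLCHAIN_TEST_HOST_PORT` context lines and from the ssh wrapper patched in this same commit; adjust the wording if the real reason differs.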
diff --git a/poky/meta/recipes-core/glibc/glibc-version.inc b/poky/meta/recipes-core/glibc/glibc-version.inc index 37bb9fd34f..ff2b2ade9d 100644 --- a/poky/meta/recipes-core/glibc/glibc-version.inc +++ b/poky/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.37/master" PV = "2.37" -SRCREV_glibc ?= "d8e1a7590d375159fb5aac07ad8111ab4699e994" +SRCREV_glibc ?= "58f7431fd77c0a6dd8df08d50c51ee3e7f09825f" SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https" diff --git a/poky/meta/recipes-core/glibc/glibc/0023-CVE-2023-4527.patch b/poky/meta/recipes-core/glibc/glibc/0023-CVE-2023-4527.patch new file mode 100644 index 0000000000..211249211a --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/0023-CVE-2023-4527.patch 
@@ -0,0 +1,219 @@ +From 4ea972b7edd7e36610e8cde18bf7a8149d7bac4f Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Wed, 13 Sep 2023 14:10:56 +0200 +Subject: [PATCH] CVE-2023-4527: Stack read overflow with large TCP responses + in no-aaaa mode + +Without passing alt_dns_packet_buffer, __res_context_search can only +store 2048 bytes (what fits into dns_packet_buffer). However, +the function returns the total packet size, and the subsequent +DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end +of the stack-allocated buffer. + +Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa +stub resolver option") and bug 30842. + +(cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d) + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=4ea972b7edd7e36610e8cde18bf7a8149d7bac4f] +CVE: CVE-2023-4527 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + NEWS | 7 ++ + resolv/Makefile | 2 + + resolv/nss_dns/dns-host.c | 2 +- + resolv/tst-resolv-noaaaa-vc.c | 129 ++++++++++++++++++++++++++++++++++ + 4 files changed, 139 insertions(+), 1 deletion(-) + create mode 100644 resolv/tst-resolv-noaaaa-vc.c + +diff --git a/NEWS b/NEWS +--- a/NEWS ++++ b/NEWS +@@ -25,6 +25,7 @@ + [30101] gmon: fix memory corruption issues + [30125] dynamic-link: [regression, bisected] glibc-2.37 creates new + symlink for libraries without soname ++ [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) + [30151] gshadow: Matching sgetsgent, sgetsgent_r ERANGE handling + [30163] posix: Fix system blocks SIGCHLD erroneously + [30305] x86_64: Fix asm constraints in feraiseexcept +@@ -54,6 +55,12 @@ + heap and prints it to the target log file, potentially revealing a + portion of the contents of the heap. 
+ ++ CVE-2023-4527: If the system is configured in no-aaaa mode via ++ /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address ++ family, and a DNS response is received over TCP that is larger than ++ 2048 bytes, getaddrinfo may potentially disclose stack contents via ++ the returned address data, or crash. ++ + The following bugs are resolved with this release: + + [12154] network: Cannot resolve hosts which have wildcard aliases +diff --git a/resolv/Makefile b/resolv/Makefile +--- a/resolv/Makefile ++++ b/resolv/Makefile +@@ -101,6 +101,7 @@ + tst-resolv-invalid-cname \ + tst-resolv-network \ + tst-resolv-noaaaa \ ++ tst-resolv-noaaaa-vc \ + tst-resolv-nondecimal \ + tst-resolv-res_init-multi \ + tst-resolv-search \ +@@ -292,6 +293,7 @@ + $(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \ + $(shared-thread-library) + $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library) ++$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library) +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +--- a/resolv/nss_dns/dns-host.c ++++ b/resolv/nss_dns/dns-host.c +@@ -427,7 +427,7 @@ + { + n = __res_context_search (ctx, name, C_IN, T_A, + dns_packet_buffer, sizeof (dns_packet_buffer), +- NULL, NULL, NULL, NULL, NULL); ++ &alt_dns_packet_buffer, NULL, NULL, NULL, NULL); + if (n >= 0) + status = gaih_getanswer_noaaaa (alt_dns_packet_buffer, n, + &abuf, pat, errnop, herrnop, ttlp); +diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c +new file mode 100644 +--- /dev/null ++++ b/resolv/tst-resolv-noaaaa-vc.c +@@ -0,0 +1,129 @@ ++/* Test the RES_NOAAAA resolver option with a large response. ++ Copyright (C) 2022-2023 Free Software Foundation, Inc. 
++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <errno.h> ++#include <netdb.h> ++#include <resolv.h> ++#include <stdbool.h> ++#include <stdlib.h> ++#include <support/check.h> ++#include <support/check_nss.h> ++#include <support/resolv_test.h> ++#include <support/support.h> ++#include <support/xmemstream.h> ++ ++/* Used to keep track of the number of queries. */ ++static volatile unsigned int queries; ++ ++/* If true, add a large TXT record at the start of the answer section. */ ++static volatile bool stuff_txt; ++ ++static void ++response (const struct resolv_response_context *ctx, ++ struct resolv_response_builder *b, ++ const char *qname, uint16_t qclass, uint16_t qtype) ++{ ++ /* If not using TCP, just force its use. */ ++ if (!ctx->tcp) ++ { ++ struct resolv_response_flags flags = {.tc = true}; ++ resolv_response_init (b, flags); ++ resolv_response_add_question (b, qname, qclass, qtype); ++ return; ++ } ++ ++ /* The test needs to send four queries, the first three are used to ++ grow the NSS buffer via the ERANGE handshake. */ ++ ++queries; ++ TEST_VERIFY (queries <= 4); ++ ++ /* AAAA queries are supposed to be disabled. 
*/ ++ TEST_COMPARE (qtype, T_A); ++ TEST_COMPARE (qclass, C_IN); ++ TEST_COMPARE_STRING (qname, "example.com"); ++ ++ struct resolv_response_flags flags = {}; ++ resolv_response_init (b, flags); ++ resolv_response_add_question (b, qname, qclass, qtype); ++ ++ resolv_response_section (b, ns_s_an); ++ ++ if (stuff_txt) ++ { ++ resolv_response_open_record (b, qname, qclass, T_TXT, 60); ++ int zero = 0; ++ for (int i = 0; i <= 15000; ++i) ++ resolv_response_add_data (b, &zero, sizeof (zero)); ++ resolv_response_close_record (b); ++ } ++ ++ for (int i = 0; i < 200; ++i) ++ { ++ resolv_response_open_record (b, qname, qclass, qtype, 60); ++ char ipv4[4] = {192, 0, 2, i + 1}; ++ resolv_response_add_data (b, &ipv4, sizeof (ipv4)); ++ resolv_response_close_record (b); ++ } ++} ++ ++static int ++do_test (void) ++{ ++ struct resolv_test *obj = resolv_test_start ++ ((struct resolv_redirect_config) ++ { ++ .response_callback = response ++ }); ++ ++ _res.options |= RES_NOAAAA; ++ ++ for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt) ++ { ++ queries = 0; ++ stuff_txt = do_stuff_txt; ++ ++ struct addrinfo *ai = NULL; ++ int ret; ++ ret = getaddrinfo ("example.com", "80", ++ &(struct addrinfo) ++ { ++ .ai_family = AF_UNSPEC, ++ .ai_socktype = SOCK_STREAM, ++ }, &ai); ++ ++ char *expected_result; ++ { ++ struct xmemstream mem; ++ xopen_memstream (&mem); ++ for (int i = 0; i < 200; ++i) ++ fprintf (mem.out, "address: STREAM/TCP 192.0.2.%d 80\n", i + 1); ++ xfclose_memstream (&mem); ++ expected_result = mem.buffer; ++ } ++ ++ check_addrinfo ("example.com", ai, ret, expected_result); ++ ++ free (expected_result); ++ freeaddrinfo (ai); ++ } ++ ++ resolv_test_end (obj); ++ return 0; ++} ++ ++#include <support/test-driver.c> diff --git a/poky/meta/recipes-core/glibc/glibc/check-test-wrapper b/poky/meta/recipes-core/glibc/glibc/check-test-wrapper index 6ec9b9b29e..5cc993f718 100644 --- a/poky/meta/recipes-core/glibc/glibc/check-test-wrapper 
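Review bot: The one-line fix in resolv/nss_dns/dns-host.c has no comment, and the reason the argument matters is easy to lose. According to the patch description, `__res_context_search` returns the total packet size, which can exceed `sizeof (dns_packet_buffer)`. I would add above the call `/* Pass alt_dns_packet_buffer so a response larger than dns_packet_buffer is stored in full; n is the full packet length.  */`. The rest of the function is outside the hunk, so confirm that its cleanup path frees `alt_dns_packet_buffer` when it no longer points at `dns_packet_buffer`.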
+++ b/poky/meta/recipes-core/glibc/glibc/check-test-wrapper @@ -58,7 +58,7 @@ elif targettype == "ssh": user = os.environ.get("SSH_HOST_USER", None) port = os.environ.get("SSH_HOST_PORT", None) - command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no"] + command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "LogLevel=quiet"] if port: command += ["-p", str(port)] if not host: diff --git a/poky/meta/recipes-core/glibc/glibc_2.37.bb b/poky/meta/recipes-core/glibc/glibc_2.37.bb index b27f98fb19..caf454f368 100644 --- a/poky/meta/recipes-core/glibc/glibc_2.37.bb +++ b/poky/meta/recipes-core/glibc/glibc_2.37.bb @@ -49,6 +49,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0020-tzselect.ksh-Use-bin-sh-default-shell-interpreter.patch \ file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \ + file://0023-CVE-2023-4527.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}" @@ -103,10 +104,12 @@ do_configure () { # version check and doesn't really help with anything (cd ${S} && gnu-configize) || die "failure in running gnu-configize" find ${S} -name "configure" | xargs touch - CPPFLAGS="" oe_runconf + CPPFLAGS="" LD="${HOST_PREFIX}ld.bfd ${TOOLCHAIN_OPTIONS}" oe_runconf } LDFLAGS += "-fuse-ld=bfd" +CC += "-fuse-ld=bfd" + do_compile () { base_do_compile echo "Adjust ldd script" diff --git a/poky/meta/recipes-core/ifupdown/ifupdown_0.8.41.bb b/poky/meta/recipes-core/ifupdown/ifupdown_0.8.41.bb index 5dbd6193b8..16425ea9e4 100644 --- a/poky/meta/recipes-core/ifupdown/ifupdown_0.8.41.bb +++ b/poky/meta/recipes-core/ifupdown/ifupdown_0.8.41.bb 
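Review bot: `LogLevel=quiet` in the check-test-wrapper ssh command silences ssh's own error output as well as its warnings. The same command already turns off host-key verification with `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null`, so a failed connection or a connection to an unexpected host now leaves no diagnostic in the test log. I would use `"-o", "LogLevel=error"` instead, which still hides the known-hosts warning but keeps real errors. A comment such as `# host-key checking is disabled: use only against disposable test targets` above the line would also help.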
@@ -42,6 +42,11 @@ do_install () { install -m 0644 ifup.8 ${D}${mandir}/man8 install -m 0644 interfaces.5 ${D}${mandir}/man5 cd ${D}${mandir}/man8 && ln -s ifup.8 ifdown.8 + + install -d ${D}${sysconfdir}/network/if-pre-up.d + install -d ${D}${sysconfdir}/network/if-up.d + install -d ${D}${sysconfdir}/network/if-down.d + install -d ${D}${sysconfdir}/network/if-post-down.d } do_install_ptest () { diff --git a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 7ac9fddf2d..a70d2d16bb 100644 --- a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb @@ -26,7 +26,7 @@ inherit core-image setuptools3 features_check REQUIRED_DISTRO_FEATURES += "xattr" -SRCREV ?= "ad1f61d8667b7f3663883112e0cd36112659b603" +SRCREV ?= "500101cc152bdba0c69936be8d71682a731cf21d" SRC_URI = "git://git.yoctoproject.org/poky;branch=mickledore \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \ diff --git a/poky/meta/recipes-core/images/core-image-ptest.bb b/poky/meta/recipes-core/images/core-image-ptest.bb index 90c26641ba..ddc56c8f9f 100644 --- a/poky/meta/recipes-core/images/core-image-ptest.bb +++ b/poky/meta/recipes-core/images/core-image-ptest.bb @@ -19,6 +19,7 @@ BBCLASSEXTEND = "${@' '.join(['mcextend:'+x for x in d.getVar('PTESTS').split()] # strace-ptest in particular needs more than 500MB IMAGE_OVERHEAD_FACTOR = "1.0" IMAGE_ROOTFS_EXTRA_SPACE = "324288" +IMAGE_ROOTFS_EXTRA_SPACE:virtclass-mcextend-mdadm = "1524288" IMAGE_ROOTFS_EXTRA_SPACE:virtclass-mcextend-strace = "1024288" IMAGE_ROOTFS_EXTRA_SPACE:virtclass-mcextend-lttng-tools = "1524288" diff --git a/poky/meta/recipes-core/libxcrypt/libxcrypt.inc b/poky/meta/recipes-core/libxcrypt/libxcrypt.inc index 61b0381076..454a55d73d 100644 --- a/poky/meta/recipes-core/libxcrypt/libxcrypt.inc +++ b/poky/meta/recipes-core/libxcrypt/libxcrypt.inc 
@@ -17,12 +17,6 @@ SRC_URI += "file://fix_cflags_handling.patch" PROVIDES = "virtual/crypt" -FILES:${PN} = "${libdir}/libcrypt*.so.* \ - ${libdir}/libcrypt-*.so \ - ${libdir}/libowcrypt*.so.* \ - ${libdir}/libowcrypt-*.so \ -" - S = "${WORKDIR}/git" BUILD_CPPFLAGS = "-I${STAGING_INCDIR_NATIVE}" diff --git a/poky/meta/recipes-core/libxml/libxml2_2.10.3.bb b/poky/meta/recipes-core/libxml/libxml2_2.10.4.bb index 0ccd48964f..4f3b17093e 100644 --- a/poky/meta/recipes-core/libxml/libxml2_2.10.3.bb +++ b/poky/meta/recipes-core/libxml/libxml2_2.10.4.bb @@ -21,7 +21,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt file://libxml-m4-use-pkgconfig.patch \ " -SRC_URI[archive.sha256sum] = "5d2cc3d78bec3dbe212a9d7fa629ada25a7da928af432c93060ff5c17ee28a9c" +SRC_URI[archive.sha256sum] = "ed0c91c5845008f1936739e4eee2035531c1c94742c6541f44ee66d885948d45" SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273" BINCONFIG = "${bindir}/xml2-config" @@ -40,6 +40,8 @@ inherit autotools pkgconfig binconfig-disabled ptest inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3targetconfig', '', d)} +LDFLAGS:append:riscv64 = "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-lld ptest', ' -fuse-ld=bfd', '', d)}" + RDEPENDS:${PN}-ptest += "bash make locale-base-en-us ${@bb.utils.contains('PACKAGECONFIG', 'python', 'libgcc python3-core python3-logging python3-shell python3-stringold python3-threading python3-unittest ${PN}-python', '', d)}" RDEPENDS:${PN}-python += "${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3-core', '', d)}" diff --git a/poky/meta/recipes-core/meta/build-sysroots.bb b/poky/meta/recipes-core/meta/build-sysroots.bb index ad22a75eb2..1a3b692a1b 100644 --- a/poky/meta/recipes-core/meta/build-sysroots.bb +++ b/poky/meta/recipes-core/meta/build-sysroots.bb 
@@ -1,5 +1,6 @@ -INHIBIT_DEFAULT_DEPS = "1" LICENSE = "MIT" +SUMMARY = "Build old style sysroot based on everything in the components directory that matches the current MACHINE" +INHIBIT_DEFAULT_DEPS = "1" STANDALONE_SYSROOT = "${STAGING_DIR}/${MACHINE}" STANDALONE_SYSROOT_NATIVE = "${STAGING_DIR}/${BUILD_ARCH}" @@ -16,6 +17,10 @@ deltask configure deltask compile deltask install deltask populate_sysroot +deltask create_spdx +deltask collect_spdx_deps +deltask create_runtime_spdx +deltask recipe_qa python do_build_native_sysroot () { targetsysroot = d.getVar("STANDALONE_SYSROOT") diff --git a/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb b/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb index 2b585983ac..2f7dad7e82 100644 --- a/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -17,6 +17,10 @@ deltask do_populate_sysroot NVDCVE_URL ?= "https://services.nvd.nist.gov/rest/json/cves/2.0" +# If you have a NVD API key (https://nvd.nist.gov/developers/request-an-api-key) +# then setting this to get higher rate limits. +NVDCVE_API_KEY ?= "" + # CVE database update interval, in seconds. By default: once a day (24*60*60). # Use 0 to force the update # Use a negative value to skip the update @@ -119,18 +123,16 @@ def nvd_request_next(url, api_key, args): import urllib.parse import gzip import http + import time - headers = {} + request = urllib.request.Request(url + "?" + urllib.parse.urlencode(args)) if api_key: - headers['apiKey'] = api_key - - data = urllib.parse.urlencode(args) - - full_request = url + '?' + data + request.add_header("apiKey", api_key) + bb.note("Requesting %s" % request.full_url) - for attempt in range(3): + for attempt in range(5): try: - r = urllib.request.urlopen(full_request) + r = urllib.request.urlopen(request) if (r.headers['content-encoding'] == 'gzip'): buf = r.read() 
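Review bot: The new comment above `NVDCVE_API_KEY` in cve-update-nvd2-native.bb is ungrammatical ("then setting this to get higher rate limits") and does not say that the value is a credential. I would reword it to `# If you have an NVD API key (https://nvd.nist.gov/developers/request-an-api-key),` followed by `# set it here to get higher rate limits. Keep the key in local configuration, not in a shared layer.` The request hunk that follows sends the key as an `apiKey` header, not in the query string, so the added `bb.note("Requesting %s" % request.full_url)` does not write it to the log.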
@@ -140,13 +142,9 @@ def nvd_request_next(url, api_key, args): r.close() - except UnicodeDecodeError: - # Received garbage, retry - bb.debug(2, "CVE database: received malformed data, retrying (request: %s)" %(full_request)) - pass - except http.client.IncompleteRead: - # Read incomplete, let's try again - bb.debug(2, "CVE database: received incomplete data, retrying (request: %s)" %(full_request)) + except Exception as e: + bb.note("CVE database: received error (%s), retrying" % (e)) + time.sleep(6) pass else: return raw_data @@ -172,11 +170,11 @@ def update_db_file(db_tmp_file, d, database_time): # The maximum range for time is 120 days # Force a complete update if our range is longer if (database_time != 0): - database_date = datetime.datetime.combine(datetime.date.fromtimestamp(database_time), datetime.time()) - today_date = datetime.datetime.combine(datetime.date.today(), datetime.time()) + database_date = datetime.datetime.fromtimestamp(database_time, tz=datetime.timezone.utc) + today_date = datetime.datetime.now(tz=datetime.timezone.utc) delta = today_date - database_date if delta.days < 120: - bb.debug(2, "CVE database: performing partial update") + bb.note("CVE database: performing partial update") req_args['lastModStartDate'] = database_date.isoformat() req_args['lastModEndDate'] = today_date.isoformat() else: @@ -184,12 +182,14 @@ def update_db_file(db_tmp_file, d, database_time): with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f: - bb.debug(2, "Updating entries") + bb.note("Updating entries") index = 0 url = d.getVar("NVDCVE_URL") + api_key = d.getVar("NVDCVE_API_KEY") or None + while True: req_args['startIndex'] = index - raw_data = nvd_request_next(url, None, req_args) + raw_data = nvd_request_next(url, api_key, req_args) if raw_data is None: # We haven't managed to download data return False 
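Review bot: `except Exception as e:` in the retry loop of nvd_request_next now retries on any exception, so a programming error such as a `TypeError` or `AttributeError` is logged as "received error ... retrying" and surfaces only as a failed download. Also, `time.sleep(6)` runs after the fifth attempt too, just before the function gives up. I would name the transport and decode failures, `except (OSError, http.client.HTTPException, UnicodeDecodeError) as e:`, and drop the redundant `pass`. Two related gaps are in the previous hunk: `urllib.request.urlopen(request)` is called without a `timeout`, and `r.close()` is skipped when the read raises. The function starts and ends outside this hunk.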
@@ -199,7 +199,7 @@ def update_db_file(db_tmp_file, d, database_time): index = data["startIndex"] total = data["totalResults"] per_page = data["resultsPerPage"] - + bb.note("Got %d entries" % per_page) for cve in data["vulnerabilities"]: update_db(conn, cve) @@ -312,22 +312,30 @@ def update_db(conn, elt): cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore'] except KeyError: cvssv2 = 0.0 + cvssv3 = None try: - accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector'] - cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore'] + accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector'] + cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore'] except KeyError: - accessVector = accessVector or "UNKNOWN" - cvssv3 = 0.0 + pass + try: + accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector'] + cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] + except KeyError: + pass + accessVector = accessVector or "UNKNOWN" + cvssv3 = cvssv3 or 0.0 conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close() try: - configurations = elt['cve']['configurations'][0]['nodes'] - for config in configurations: - parse_node_and_insert(conn, config, cveId) + for config in elt['cve']['configurations']: + # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing + for node in config["nodes"]: + parse_node_and_insert(conn, node, cveId) except KeyError: - bb.debug(2, "Entry without a configuration") + bb.note("CVE %s has no configurations" % cveId) do_fetch[nostamp] = "1" diff --git a/poky/meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch b/poky/meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch new file mode 100644 index 0000000000..1232c8c2a8 --- /dev/null 
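Review bot: The `try` around the new configurations loop in update_db also encloses `config["nodes"]` and the call to `parse_node_and_insert`, so any `KeyError` raised while handling one node is reported as "has no configurations" and the remaining nodes of that CVE are skipped. Missing product rows would make the later CVE check under-report, so I would look the list up without the `try` and keep the note for the case where it is really absent. Separately, `cvssMetricV30` takes precedence over `cvssMetricV31` and only element `[0]` of each list is read; a short comment saying this is deliberate would help. Whether `parse_node_and_insert` can raise `KeyError` is not visible in this hunk.

```python
    configurations = elt['cve'].get('configurations')
    if not configurations:
        bb.note("CVE %s has no configurations" % cveId)
    else:
        for config in configurations:
            # … unchanged: comment about AND/OR and negate handling …
            for node in config["nodes"]:
                parse_node_and_insert(conn, node, cveId)
```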
+++ b/poky/meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch 
@@ -0,0 +1,462 @@ +From 3d54a41f12e9aa059f06e66e72d872f2283395b6 Mon Sep 17 00:00:00 2001 +From: Chen Qi <Qi.Chen@windriver.com> +Date: Sun, 30 Jul 2023 21:14:00 -0700 +Subject: [PATCH] Fix CVE-2023-29491 + +CVE: CVE-2023-29491 + +Upstream-Status: Backport [http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56] + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + ncurses/tinfo/lib_tgoto.c | 10 +++- + ncurses/tinfo/lib_tparm.c | 116 ++++++++++++++++++++++++++++++++----- + ncurses/tinfo/read_entry.c | 3 + + progs/tic.c | 6 ++ + progs/tparm_type.c | 9 +++ + progs/tparm_type.h | 2 + + progs/tput.c | 61 ++++++++++++++++--- + 7 files changed, 185 insertions(+), 22 deletions(-) + +diff --git a/ncurses/tinfo/lib_tgoto.c b/ncurses/tinfo/lib_tgoto.c +index 9cf5e100..c50ed4df 100644 +--- a/ncurses/tinfo/lib_tgoto.c ++++ b/ncurses/tinfo/lib_tgoto.c +@@ -207,6 +207,14 @@ tgoto(const char *string, int x, int y) + result = tgoto_internal(string, x, y); + else + #endif +- result = TIPARM_2(string, y, x); ++ if ((result = TIPARM_2(string, y, x)) == NULL) { ++ /* ++ * Because termcap did not provide a more general solution such as ++ * tparm(), it was necessary to handle single-parameter capabilities ++ * using tgoto(). The internal _nc_tiparm() function returns a NULL ++ * for that case; retry for the single-parameter case. ++ */ ++ result = TIPARM_1(string, y); ++ } + returnPtr(result); + } +diff --git a/ncurses/tinfo/lib_tparm.c b/ncurses/tinfo/lib_tparm.c +index d9bdfd8f..a10a3877 100644 +--- a/ncurses/tinfo/lib_tparm.c ++++ b/ncurses/tinfo/lib_tparm.c +@@ -1086,6 +1086,64 @@ tparam_internal(TPARM_STATE *tps, const char *string, TPARM_DATA *data) + return (TPS(out_buff)); + } + ++#ifdef CUR ++/* ++ * Only a few standard capabilities accept string parameters. The others that ++ * are parameterized accept only numeric parameters. 
++ */ ++static bool ++check_string_caps(TPARM_DATA *data, const char *string) ++{ ++ bool result = FALSE; ++ ++#define CHECK_CAP(name) (VALID_STRING(name) && !strcmp(name, string)) ++ ++ /* ++ * Disallow string parameters unless we can check them against a terminal ++ * description. ++ */ ++ if (cur_term != NULL) { ++ int want_type = 0; ++ ++ if (CHECK_CAP(pkey_key)) ++ want_type = 2; /* function key #1, type string #2 */ ++ else if (CHECK_CAP(pkey_local)) ++ want_type = 2; /* function key #1, execute string #2 */ ++ else if (CHECK_CAP(pkey_xmit)) ++ want_type = 2; /* function key #1, transmit string #2 */ ++ else if (CHECK_CAP(plab_norm)) ++ want_type = 2; /* label #1, show string #2 */ ++ else if (CHECK_CAP(pkey_plab)) ++ want_type = 6; /* function key #1, type string #2, show string #3 */ ++#if NCURSES_XNAMES ++ else { ++ char *check; ++ ++ check = tigetstr("Cs"); ++ if (CHECK_CAP(check)) ++ want_type = 1; /* style #1 */ ++ ++ check = tigetstr("Ms"); ++ if (CHECK_CAP(check)) ++ want_type = 3; /* storage unit #1, content #2 */ ++ } ++#endif ++ ++ if (want_type == data->tparm_type) { ++ result = TRUE; ++ } else { ++ T(("unexpected string-parameter")); ++ } ++ } ++ return result; ++} ++ ++#define ValidCap() (myData.tparm_type == 0 || \ ++ check_string_caps(&myData, string)) ++#else ++#define ValidCap() 1 ++#endif ++ + #if NCURSES_TPARM_VARARGS + + NCURSES_EXPORT(char *) +@@ -1100,7 +1158,7 @@ tparm(const char *string, ...) + tps->tname = "tparm"; + #endif /* TRACE */ + +- if (tparm_setup(cur_term, string, &myData) == OK) { ++ if (tparm_setup(cur_term, string, &myData) == OK && ValidCap()) { + va_list ap; + + va_start(ap, string); +@@ -1135,7 +1193,7 @@ tparm(const char *string, + tps->tname = "tparm"; + #endif /* TRACE */ + +- if (tparm_setup(cur_term, string, &myData) == OK) { ++ if (tparm_setup(cur_term, string, &myData) == OK && ValidCap()) { + + myData.param[0] = a1; + myData.param[1] = a2; +@@ -1166,7 +1224,7 @@ tiparm(const char *string, ...) 
+ tps->tname = "tiparm"; + #endif /* TRACE */ + +- if (tparm_setup(cur_term, string, &myData) == OK) { ++ if (tparm_setup(cur_term, string, &myData) == OK && ValidCap()) { + va_list ap; + + va_start(ap, string); +@@ -1179,7 +1237,25 @@ tiparm(const char *string, ...) + } + + /* +- * The internal-use flavor ensures that the parameters are numbers, not strings ++ * The internal-use flavor ensures that parameters are numbers, not strings. ++ * In addition to ensuring that they are numbers, it ensures that the parameter ++ * count is consistent with intended usage. ++ * ++ * Unlike the general-purpose tparm/tiparm, these internal calls are fairly ++ * well defined: ++ * ++ * expected == 0 - not applicable ++ * expected == 1 - set color, or vertical/horizontal addressing ++ * expected == 2 - cursor addressing ++ * expected == 4 - initialize color or color pair ++ * expected == 9 - set attributes ++ * ++ * Only for the last case (set attributes) should a parameter be optional. ++ * Also, a capability which calls for more parameters than expected should be ++ * ignored. ++ * ++ * Return a null if the parameter-checks fail. Otherwise, return a pointer to ++ * the formatted capability string. + */ + NCURSES_EXPORT(char *) + _nc_tiparm(int expected, const char *string, ...) +@@ -1189,22 +1265,36 @@ _nc_tiparm(int expected, const char *string, ...) + char *result = NULL; + + _nc_tparm_err = 0; ++ T((T_CALLED("_nc_tiparm(%d, %s, ...)"), expected, _nc_visbuf(string))); + #ifdef TRACE + tps->tname = "_nc_tiparm"; + #endif /* TRACE */ + +- if (tparm_setup(cur_term, string, &myData) == OK +- && myData.num_actual <= expected +- && myData.tparm_type == 0) { +- va_list ap; ++ if (tparm_setup(cur_term, string, &myData) == OK && ValidCap()) { ++ if (myData.num_actual == 0) { ++ T(("missing parameter%s, expected %s%d", ++ expected > 1 ? "s" : "", ++ expected == 9 ? 
"up to " : "", ++ expected)); ++ } else if (myData.num_actual > expected) { ++ T(("too many parameters, have %d, expected %d", ++ myData.num_actual, ++ expected)); ++ } else if (expected != 9 && myData.num_actual != expected) { ++ T(("expected %d parameters, have %d", ++ myData.num_actual, ++ expected)); ++ } else { ++ va_list ap; + +- va_start(ap, string); +- tparm_copy_valist(&myData, FALSE, ap); +- va_end(ap); ++ va_start(ap, string); ++ tparm_copy_valist(&myData, FALSE, ap); ++ va_end(ap); + +- result = tparam_internal(tps, string, &myData); ++ result = tparam_internal(tps, string, &myData); ++ } + } +- return result; ++ returnPtr(result); + } + + /* +diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c +index 2b1875ed..341337d2 100644 +--- a/ncurses/tinfo/read_entry.c ++++ b/ncurses/tinfo/read_entry.c +@@ -323,6 +323,9 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit) + || bool_count < 0 + || num_count < 0 + || str_count < 0 ++ || bool_count > BOOLCOUNT ++ || num_count > NUMCOUNT ++ || str_count > STRCOUNT + || str_size < 0) { + returnDB(TGETENT_NO); + } +diff --git a/progs/tic.c b/progs/tic.c +index 93a0b491..888927e2 100644 +--- a/progs/tic.c ++++ b/progs/tic.c +@@ -2270,9 +2270,15 @@ check_1_infotocap(const char *name, NCURSES_CONST char *value, int count) + + _nc_reset_tparm(NULL); + switch (actual) { ++ case Str: ++ result = TPARM_1(value, strings[1]); ++ break; + case Num_Str: + result = TPARM_2(value, numbers[1], strings[2]); + break; ++ case Str_Str: ++ result = TPARM_2(value, strings[1], strings[2]); ++ break; + case Num_Str_Str: + result = TPARM_3(value, numbers[1], strings[2], strings[3]); + break; +diff --git a/progs/tparm_type.c b/progs/tparm_type.c +index 3da4a077..644aa62a 100644 +--- a/progs/tparm_type.c ++++ b/progs/tparm_type.c +@@ -47,6 +47,7 @@ tparm_type(const char *name) + {code, {longname} }, \ + {code, {ti} }, \ + {code, {tc} } ++#define XD(code, onlyname) TD(code, onlyname, onlyname, onlyname) + TParams 
result = Numbers; + /* *INDENT-OFF* */ + static const struct { +@@ -58,6 +59,10 @@ tparm_type(const char *name) + TD(Num_Str, "pkey_xmit", "pfx", "px"), + TD(Num_Str, "plab_norm", "pln", "pn"), + TD(Num_Str_Str, "pkey_plab", "pfxl", "xl"), ++#if NCURSES_XNAMES ++ XD(Str, "Cs"), ++ XD(Str_Str, "Ms"), ++#endif + }; + /* *INDENT-ON* */ + +@@ -80,12 +85,16 @@ guess_tparm_type(int nparam, char **p_is_s) + case 1: + if (!p_is_s[0]) + result = Numbers; ++ if (p_is_s[0]) ++ result = Str; + break; + case 2: + if (!p_is_s[0] && !p_is_s[1]) + result = Numbers; + if (!p_is_s[0] && p_is_s[1]) + result = Num_Str; ++ if (p_is_s[0] && p_is_s[1]) ++ result = Str_Str; + break; + case 3: + if (!p_is_s[0] && !p_is_s[1] && !p_is_s[2]) +diff --git a/progs/tparm_type.h b/progs/tparm_type.h +index 7c102a30..af5bcf0f 100644 +--- a/progs/tparm_type.h ++++ b/progs/tparm_type.h +@@ -45,8 +45,10 @@ + typedef enum { + Other = -1 + ,Numbers = 0 ++ ,Str + ,Num_Str + ,Num_Str_Str ++ ,Str_Str + } TParams; + + extern TParams tparm_type(const char *name); +diff --git a/progs/tput.c b/progs/tput.c +index 4cd0c5ba..41508b72 100644 +--- a/progs/tput.c ++++ b/progs/tput.c +@@ -1,5 +1,5 @@ + /**************************************************************************** +- * Copyright 2018-2021,2022 Thomas E. Dickey * ++ * Copyright 2018-2022,2023 Thomas E. Dickey * + * Copyright 1998-2016,2017 Free Software Foundation, Inc. 
* + * * + * Permission is hereby granted, free of charge, to any person obtaining a * +@@ -47,12 +47,15 @@ + #include <transform.h> + #include <tty_settings.h> + +-MODULE_ID("$Id: tput.c,v 1.99 2022/02/26 23:19:31 tom Exp $") ++MODULE_ID("$Id: tput.c,v 1.102 2023/04/08 16:26:36 tom Exp $") + + #define PUTS(s) fputs(s, stdout) + + const char *_nc_progname = "tput"; + ++static bool opt_v = FALSE; /* quiet, do not show warnings */ ++static bool opt_x = FALSE; /* clear scrollback if possible */ ++ + static bool is_init = FALSE; + static bool is_reset = FALSE; + static bool is_clear = FALSE; +@@ -81,6 +84,7 @@ usage(const char *optstring) + KEEP(" -S << read commands from standard input") + KEEP(" -T TERM use this instead of $TERM") + KEEP(" -V print curses-version") ++ KEEP(" -v verbose, show warnings") + KEEP(" -x do not try to clear scrollback") + KEEP("") + KEEP("Commands:") +@@ -148,7 +152,7 @@ exit_code(int token, int value) + * Returns nonzero on error. + */ + static int +-tput_cmd(int fd, TTY * settings, bool opt_x, int argc, char **argv, int *used) ++tput_cmd(int fd, TTY * settings, int argc, char **argv, int *used) + { + NCURSES_CONST char *name; + char *s; +@@ -231,7 +235,9 @@ tput_cmd(int fd, TTY * settings, bool opt_x, int argc, char **argv, int *used) + } else if (VALID_STRING(s)) { + if (argc > 1) { + int k; ++ int narg; + int analyzed; ++ int provided; + int popcount; + long numbers[1 + NUM_PARM]; + char *strings[1 + NUM_PARM]; +@@ -271,14 +277,45 @@ tput_cmd(int fd, TTY * settings, bool opt_x, int argc, char **argv, int *used) + + popcount = 0; + _nc_reset_tparm(NULL); ++ /* ++ * Count the number of numeric parameters which are provided. 
++ */ ++ provided = 0; ++ for (narg = 1; narg < argc; ++narg) { ++ char *ending = NULL; ++ long check = strtol(argv[narg], &ending, 10); ++ if (check < 0 || ending == argv[narg] || *ending != '\0') ++ break; ++ provided = narg; ++ } + switch (paramType) { ++ case Str: ++ s = TPARM_1(s, strings[1]); ++ analyzed = 1; ++ if (provided == 0 && argc >= 1) ++ provided++; ++ break; ++ case Str_Str: ++ s = TPARM_2(s, strings[1], strings[2]); ++ analyzed = 2; ++ if (provided == 0 && argc >= 1) ++ provided++; ++ if (provided == 1 && argc >= 2) ++ provided++; ++ break; + case Num_Str: + s = TPARM_2(s, numbers[1], strings[2]); + analyzed = 2; ++ if (provided == 1 && argc >= 2) ++ provided++; + break; + case Num_Str_Str: + s = TPARM_3(s, numbers[1], strings[2], strings[3]); + analyzed = 3; ++ if (provided == 1 && argc >= 2) ++ provided++; ++ if (provided == 2 && argc >= 3) ++ provided++; + break; + case Numbers: + analyzed = _nc_tparm_analyze(NULL, s, p_is_s, &popcount); +@@ -316,7 +353,13 @@ tput_cmd(int fd, TTY * settings, bool opt_x, int argc, char **argv, int *used) + if (analyzed < popcount) { + analyzed = popcount; + } +- *used += analyzed; ++ if (opt_v && (analyzed != provided)) { ++ fprintf(stderr, "%s: %s parameters for \"%s\"\n", ++ _nc_progname, ++ (analyzed < provided ? "extra" : "missing"), ++ argv[0]); ++ } ++ *used += provided; + } + + /* use putp() in order to perform padding */ +@@ -339,7 +382,6 @@ main(int argc, char **argv) + int used; + TTY old_settings; + TTY tty_settings; +- bool opt_x = FALSE; /* clear scrollback if possible */ + bool is_alias; + bool need_tty; + +@@ -348,7 +390,7 @@ main(int argc, char **argv) + + term = getenv("TERM"); + +- while ((c = getopt(argc, argv, is_alias ? "T:Vx" : "ST:Vx")) != -1) { ++ while ((c = getopt(argc, argv, is_alias ? 
"T:Vvx" : "ST:Vvx")) != -1) { + switch (c) { + case 'S': + cmdline = FALSE; +@@ -361,6 +403,9 @@ main(int argc, char **argv) + case 'V': + puts(curses_version()); + ExitProgram(EXIT_SUCCESS); ++ case 'v': /* verbose */ ++ opt_v = TRUE; ++ break; + case 'x': /* do not try to clear scrollback */ + opt_x = TRUE; + break; +@@ -404,7 +449,7 @@ main(int argc, char **argv) + usage(NULL); + while (argc > 0) { + tty_settings = old_settings; +- code = tput_cmd(fd, &tty_settings, opt_x, argc, argv, &used); ++ code = tput_cmd(fd, &tty_settings, argc, argv, &used); + if (code != 0) + break; + argc -= used; +@@ -439,7 +484,7 @@ main(int argc, char **argv) + while (argnum > 0) { + int code; + tty_settings = old_settings; +- code = tput_cmd(fd, &tty_settings, opt_x, argnum, argnow, &used); ++ code = tput_cmd(fd, &tty_settings, argnum, argnow, &used); + if (code != 0) { + if (result == 0) + result = ErrSystem(0); /* will return value >4 */ +-- +2.40.0 + diff --git a/poky/meta/recipes-core/ncurses/ncurses_6.4.bb b/poky/meta/recipes-core/ncurses/ncurses_6.4.bb index 1eb15673d1..388cd8d407 100644 --- a/poky/meta/recipes-core/ncurses/ncurses_6.4.bb +++ b/poky/meta/recipes-core/ncurses/ncurses_6.4.bb @@ -4,6 +4,7 @@ SRC_URI += "file://0001-tic-hang.patch \ file://0002-configure-reproducible.patch \ file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \ file://exit_prototype.patch \ + file://0001-Fix-CVE-2023-29491.patch \ " # commit id corresponds to the revision in package version SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f" diff --git a/poky/meta/recipes-core/newlib/libgloss/fix_makefile_include_arm_h.patch b/poky/meta/recipes-core/newlib/libgloss/fix_makefile_include_arm_h.patch deleted file mode 100644 index 7645be7314..0000000000 --- a/poky/meta/recipes-core/newlib/libgloss/fix_makefile_include_arm_h.patch +++ /dev/null 
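Review bot: In the `_nc_tiparm` part of the added patch, the third trace message passes its arguments in the wrong order. The format reads "expected %d parameters, have %d", but the call supplies `myData.num_actual` first and `expected` second, so the log reports the two counts reversed. The branch just above it ("too many parameters, have %d, expected %d") has them in the right order. The call should read `T(("expected %d parameters, have %d", expected, myData.num_actual));`. As far as the hunk shows this only affects trace output, and because the file is a backport the change may be better raised upstream than carried locally.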
@@ -1,30 +0,0 @@ -Upstream-Status: Inappropriate [OE-Specific] - -When trying to build libgloss for an arm target, the build system -complains about missing some include files: - -| fatal error: acle-compiat.h: No such file or directory -| #include "acle-compat.h" -| ^~~~~~~~~~~~~~~ -| compilation terminated. - -These include files come from the newlib source, but since we -are building libgloss separately from newlib, libgloss is unaware -of where they are, this patch fixes the INCLUDES so the build system -can find such files. - -Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandr@xilinx.com> - -Index: newlib-3.0.0/libgloss/config/default.mh -=================================================================== ---- newlib-3.0.0.orig/libgloss/config/default.mh -+++ newlib-3.0.0/libgloss/config/default.mh -@@ -1,7 +1,7 @@ - NEWLIB_CFLAGS = `if [ -d ${objroot}/newlib ]; then echo -I${objroot}/newlib/targ-include -I${srcroot}/newlib/libc/include; fi` - NEWLIB_LDFLAGS = `if [ -d ${objroot}/newlib ]; then echo -B${objroot}/newlib/ -L${objroot}/newlib/; fi` - --INCLUDES = -I. -I$(srcdir)/.. -+INCLUDES = -I. -I$(srcdir)/.. -I$(srcdir)/../newlib/libc/machine/arm - # Note that when building the library, ${MULTILIB} is not the way multilib - # options are passed; they're passed in $(CFLAGS). - CFLAGS_FOR_TARGET = -O2 -g ${MULTILIB} ${INCLUDES} ${NEWLIB_CFLAGS} diff --git a/poky/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb b/poky/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb index c90a02f131..fd72cf4165 100644 --- a/poky/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb +++ b/poky/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb 
@@ -10,18 +10,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3d06403ea54c7574a9e581c6478cc393 \ file://lib/LGPL;md5=b75d069791103ffe1c0d6435deeff72e" PR = "r5" -SRC_URI = "${SOURCEFORGE_MIRROR}/linux-diag/sysfsutils-${PV}.tar.gz \ +SRC_URI = "git://github.com/linux-ras/sysfsutils.git;protocol=https;branch=master \ file://sysfsutils-2.0.0-class-dup.patch \ file://obsolete_automake_macros.patch \ file://separatebuild.patch" -SRC_URI[md5sum] = "14e7dcd0436d2f49aa403f67e1ef7ddc" -SRC_URI[sha256sum] = "e865de2c1f559fff0d3fc936e660c0efaf7afe662064f2fb97ccad1ec28d208a" +SRCREV = "0d5456e1c9d969cdad6accef2ae2d4881d5db085" -UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/linux-diag/files/sysfsutils/" -UPSTREAM_CHECK_REGEX = "/sysfsutils/(?P<pver>(\d+[\.\-_]*)+)/" - -S = "${WORKDIR}/sysfsutils-${PV}" +S = "${WORKDIR}/git" inherit autotools diff --git a/poky/meta/recipes-core/systemd/systemd-systemctl/systemctl b/poky/meta/recipes-core/systemd/systemd-systemctl/systemctl index b45a2dc2f7..7fe751b397 100755 --- a/poky/meta/recipes-core/systemd/systemd-systemctl/systemctl +++ b/poky/meta/recipes-core/systemd/systemd-systemctl/systemctl @@ -201,13 +201,8 @@ class SystemdUnit(): target = ROOT / location.relative_to(self.root) try: for dependent in config.get('Install', prop): - # determine whether or not dependent is a template with an actual - # instance (i.e. a '@%i') - dependent_is_template = re.match(r"[^@]+@(?P<instance>[^\.]*)\.", dependent) - if dependent_is_template: - # if so, replace with the actual instance to achieve - # svc-wants@a.service.wants/svc-wanted-by@a.service - dependent = re.sub(dependent_is_template.group('instance'), instance, dependent, 1) + # expand any %i to instance (ignoring escape sequence %%) + dependent = re.sub("([^%](%%)*)%i", "\\g<1>{}".format(instance), dependent) wants = systemdir / "{}.{}".format(dependent, dirstem) / service add_link(wants, target) 
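Review bot: With the tarball checksums removed, `SRCREV` is the only pin on the source, and nothing in the recipe says which upstream release that commit is while `PV` stays at 2.1.0. A comment above it, such as `# SRCREV is the commit for upstream release <TAG>`, would let a later reviewer check the pin against the new GitHub origin. The `UPSTREAM_CHECK_*` lines are dropped without a replacement, so it is also worth confirming that version checks still work for the git source.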
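Review bot: The new `re.sub` call builds its replacement template from `instance`, so any backslash in the instance name is parsed as a replacement escape rather than copied literally. systemd instance names can carry `\x2d`-style escapes, and for such a name the call would raise `re.error` or substitute the wrong text. Passing a function avoids template parsing: `dependent = re.sub(r"([^%](%%)*)%i", lambda m: m.group(1) + instance, dependent)`. The pattern also needs one character before `%i`, so a name that begins with `%i` is left unexpanded. The enclosing method starts above this hunk.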
diff --git a/poky/meta/recipes-core/systemd/systemd/0007-Add-sys-stat.h-for-S_IFDIR.patch b/poky/meta/recipes-core/systemd/systemd/0007-Add-sys-stat.h-for-S_IFDIR.patch deleted file mode 100644 index 479b9a1ca1..0000000000 --- a/poky/meta/recipes-core/systemd/systemd/0007-Add-sys-stat.h-for-S_IFDIR.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 1480ef4ea9f71befbc22272c219b62ee5cd71d43 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Fri, 21 Jan 2022 15:17:37 -0800 -Subject: [PATCH] Add sys/stat.h for S_IFDIR - -../git/src/shared/mkdir-label.c:13:61: error: use of undeclared identifier 'S_IFDIR' - r = mac_selinux_create_file_prepare_at(dirfd, path, S_IFDIR); - -Upstream-Status: Backport [29b7114c5d9624002aa7c17748d960cd1e45362d] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - src/shared/mkdir-label.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/shared/mkdir-label.c b/src/shared/mkdir-label.c -index e3afc2b666..f1df778966 100644 ---- a/src/shared/mkdir-label.c -+++ b/src/shared/mkdir-label.c -@@ -7,6 +7,7 @@ - #include "selinux-util.h" - #include "smack-util.h" - #include "user-util.h" -+#include <sys/stat.h> - - int mkdirat_label(int dirfd, const char *path, mode_t mode) { - int r; --- -2.39.2 - diff --git a/poky/meta/recipes-core/systemd/systemd_253.1.bb b/poky/meta/recipes-core/systemd/systemd_253.1.bb index 9c2b96d3c1..f306765168 100644 --- a/poky/meta/recipes-core/systemd/systemd_253.1.bb +++ b/poky/meta/recipes-core/systemd/systemd_253.1.bb @@ -47,7 +47,6 @@ SRC_URI_MUSL = "\ file://0023-Handle-missing-gshadow.patch \ file://0024-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch \ file://0005-pass-correct-parameters-to-getdents64.patch \ - file://0007-Add-sys-stat.h-for-S_IFDIR.patch \ file://0001-Adjust-for-musl-headers.patch \ file://0006-test-bus-error-strerror-is-assumed-to-be-GNU-specifi.patch \ file://0003-errno-util-Make-STRERROR-portable-for-musl.patch \ 
diff --git a/poky/meta/recipes-core/util-linux/util-linux_2.38.1.bb b/poky/meta/recipes-core/util-linux/util-linux_2.38.1.bb index 9ea7a04e8a..c81405533c 100644 --- a/poky/meta/recipes-core/util-linux/util-linux_2.38.1.bb +++ b/poky/meta/recipes-core/util-linux/util-linux_2.38.1.bb @@ -234,6 +234,8 @@ ALTERNATIVE_TARGET[getty] = "${base_sbindir}/agetty" ALTERNATIVE_LINK_NAME[hexdump] = "${bindir}/hexdump" ALTERNATIVE_LINK_NAME[hwclock] = "${base_sbindir}/hwclock" ALTERNATIVE_LINK_NAME[ionice] = "${bindir}/ionice" +ALTERNATIVE_LINK_NAME[ipcrm] = "${bindir}/ipcrm" +ALTERNATIVE_LINK_NAME[ipcs] = "${bindir}/ipcs" ALTERNATIVE_LINK_NAME[kill] = "${base_bindir}/kill" ALTERNATIVE:${PN}-last = "last lastb" ALTERNATIVE_LINK_NAME[last] = "${bindir}/last" |