diff options
Diffstat (limited to 'poky/meta')
114 files changed, 2294 insertions, 426 deletions
diff --git a/poky/meta/classes-global/sstate.bbclass b/poky/meta/classes-global/sstate.bbclass index 5b27a1f0f9..08e6421093 100644 --- a/poky/meta/classes-global/sstate.bbclass +++ b/poky/meta/classes-global/sstate.bbclass @@ -336,7 +336,7 @@ def sstate_install(ss, d): for lock in locks: bb.utils.unlockfile(lock) -sstate_install[vardepsexclude] += "SSTATE_ALLOW_OVERLAP_FILES STATE_MANMACH SSTATE_MANFILEPREFIX" +sstate_install[vardepsexclude] += "SSTATE_ALLOW_OVERLAP_FILES SSTATE_MANMACH SSTATE_MANFILEPREFIX" sstate_install[vardeps] += "${SSTATEPOSTINSTFUNCS}" def sstate_installpkg(ss, d): @@ -703,7 +703,7 @@ def sstate_package(ss, d): if d.getVar('SSTATE_SKIP_CREATION') == '1': return - sstate_create_package = ['sstate_report_unihash', 'sstate_create_package'] + sstate_create_package = ['sstate_report_unihash', 'sstate_create_pkgdirs', 'sstate_create_package'] if d.getVar('SSTATE_SIG_KEY'): sstate_create_package.append('sstate_sign_package') @@ -810,6 +810,12 @@ python sstate_task_postfunc () { } sstate_task_postfunc[dirs] = "${WORKDIR}" +python sstate_create_pkgdirs () { + # report_unihash can change SSTATE_PKG and mkdir -p in shell doesn't own intermediate directories + # correctly so do this in an intermediate python task + with bb.utils.umask(0o002): + bb.utils.mkdirhier(os.path.dirname(d.getVar('SSTATE_PKG'))) +} # # Shell function to generate a sstate package from a directory @@ -822,7 +828,6 @@ sstate_create_package () { return fi - mkdir --mode=0775 -p `dirname ${SSTATE_PKG}` TFILE=`mktemp ${SSTATE_PKG}.XXXXXXXX` OPT="-cS" diff --git a/poky/meta/classes-recipe/allarch.bbclass b/poky/meta/classes-recipe/allarch.bbclass index 9138f40ed8..e429b92437 100644 --- a/poky/meta/classes-recipe/allarch.bbclass +++ b/poky/meta/classes-recipe/allarch.bbclass @@ -63,9 +63,9 @@ python () { d.appendVarFlag("emit_pkgdata", "vardepsexclude", " MULTILIB_VARIANTS") d.appendVarFlag("write_specfile", "vardepsexclude", " MULTILIBS") d.appendVarFlag("do_package", "vardepsexclude", " package_do_shlibs") + + d.setVar("qemu_wrapper_cmdline", "def qemu_wrapper_cmdline(data, rootfs_path, library_paths):\n return 'false'") elif bb.data.inherits_class('packagegroup', d) and not bb.data.inherits_class('nativesdk', d): bb.error("Please ensure recipe %s sets PACKAGE_ARCH before inherit packagegroup" % d.getVar("FILE")) } -def qemu_wrapper_cmdline(data, rootfs_path, library_paths): - return 'false' diff --git a/poky/meta/classes-recipe/populate_sdk_base.bbclass b/poky/meta/classes-recipe/populate_sdk_base.bbclass index dfd4bb1d4d..8fadfef942 100644 --- a/poky/meta/classes-recipe/populate_sdk_base.bbclass +++ b/poky/meta/classes-recipe/populate_sdk_base.bbclass @@ -285,7 +285,7 @@ python check_sdk_sysroots() { dir_walk(SCAN_ROOT) } -SDKTAROPTS = "--owner=root --group=root" +SDKTAROPTS = "--owner=root --group=root --clamp-mtime --mtime=@${SOURCE_DATE_EPOCH}" fakeroot archive_sdk() { # Package it up diff --git a/poky/meta/classes-recipe/qemu.bbclass b/poky/meta/classes-recipe/qemu.bbclass index 874b15127c..dbb5ee0b66 100644 --- a/poky/meta/classes-recipe/qemu.bbclass +++ b/poky/meta/classes-recipe/qemu.bbclass @@ -34,7 +34,7 @@ def qemu_wrapper_cmdline(data, rootfs_path, library_paths): if qemu_binary == "qemu-allarch": qemu_binary = "qemuwrapper" - qemu_options = data.getVar("QEMU_OPTIONS") + qemu_options = data.getVar("QEMU_OPTIONS") or "" return "PSEUDO_UNLOAD=1 " + qemu_binary + " " + qemu_options + " -L " + rootfs_path\ + " -E LD_LIBRARY_PATH=" + ":".join(library_paths) + " " diff --git a/poky/meta/classes/create-spdx-2.2.bbclass b/poky/meta/classes/create-spdx-2.2.bbclass index b0aef80db1..486efadba9 100644 --- a/poky/meta/classes/create-spdx-2.2.bbclass +++ b/poky/meta/classes/create-spdx-2.2.bbclass @@ -1075,7 +1075,7 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx "%s:%s" % (runtime_ref.externalDocumentId, runtime_doc.SPDXID), comment="Runtime dependencies for %s" % name ) - + bb.utils.mkdirhier(spdx_workdir) image_spdx_path = spdx_workdir / (rootfs_name + ".spdx.json") with image_spdx_path.open("wb") as f: diff --git a/poky/meta/classes/externalsrc.bbclass b/poky/meta/classes/externalsrc.bbclass index a54f316aa0..70e27a8d35 100644 --- a/poky/meta/classes/externalsrc.bbclass +++ b/poky/meta/classes/externalsrc.bbclass @@ -104,6 +104,7 @@ python () { # If we deltask do_patch, there's no dependency to ensure do_unpack gets run, so add one # Note that we cannot use d.appendVarFlag() here because deps is expected to be a list object, not a string d.setVarFlag('do_configure', 'deps', (d.getVarFlag('do_configure', 'deps', False) or []) + ['do_unpack']) + d.setVarFlag('do_populate_lic', 'deps', (d.getVarFlag('do_populate_lic', 'deps', False) or []) + ['do_unpack']) for task in d.getVar("SRCTREECOVEREDTASKS").split(): if local_srcuri and task in fetch_tasks: diff --git a/poky/meta/classes/multilib_global.bbclass b/poky/meta/classes/multilib_global.bbclass index dcd89b2f63..6095d278dd 100644 --- a/poky/meta/classes/multilib_global.bbclass +++ b/poky/meta/classes/multilib_global.bbclass @@ -195,6 +195,7 @@ python multilib_virtclass_handler_global () { # from a copy of the datastore localdata = bb.data.createCopy(d) localdata.delVar("KERNEL_VERSION") + localdata.delVar("KERNEL_VERSION_PKG_NAME") variants = (e.data.getVar("MULTILIB_VARIANTS") or "").split() diff --git a/poky/meta/conf/documentation.conf b/poky/meta/conf/documentation.conf index d03c497c0e..486c62b6e8 100644 --- a/poky/meta/conf/documentation.conf +++ b/poky/meta/conf/documentation.conf @@ -28,7 +28,7 @@ do_kernel_configcheck[doc] = "Validates the kernel configuration for a linux-yoc do_kernel_configme[doc] = "Assembles the kernel configuration for a linux-yocto style kernel" do_kernel_link_images[doc] = "Creates a symbolic link in arch/$arch/boot for vmlinux and vmlinuz kernel images" do_listtasks[doc] = "Lists all defined tasks for a target" -do_menuconfig[doc] = "Runs 'make menuconfig' for the kernel" +do_menuconfig[doc] = "Runs 'make menuconfig' in the compilation directory" do_package[doc] = "Analyzes the content of the holding area and splits it into subsets based on available packages and files" do_package_index[doc] = "Creates or updates the index in the Package Feed area" do_package_qa[doc] = "Runs QA checks on packaged files" diff --git a/poky/meta/lib/oe/cve_check.py b/poky/meta/lib/oe/cve_check.py index 3fa77bf9a7..ed5c714cb8 100644 --- a/poky/meta/lib/oe/cve_check.py +++ b/poky/meta/lib/oe/cve_check.py @@ -79,20 +79,19 @@ def get_patched_cves(d): import re import oe.patch - pn = d.getVar("PN") - cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") + cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+") # Matches the last "CVE-YYYY-ID" in the file name, also if written # in lowercase. Possible to have multiple CVE IDs in a single # file name, but only the last one will be detected from the file name. # However, patch files contents addressing multiple CVE IDs are supported # (cve_match regular expression) - - cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)") + cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE) patched_cves = set() - bb.debug(2, "Looking for patches that solves CVEs for %s" % pn) - for url in oe.patch.src_patches(d): + patches = oe.patch.src_patches(d) + bb.debug(2, "Scanning %d patches for CVEs" % len(patches)) + for url in patches: patch_file = bb.fetch.decodeurl(url)[2] # Check patch file name for CVE ID @@ -100,7 +99,7 @@ def get_patched_cves(d): if fname_match: cve = fname_match.group(1).upper() patched_cves.add(cve) - bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) + bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file)) # Remote patches won't be present and compressed patches won't be # unpacked, so say we're not scanning them @@ -231,7 +230,7 @@ def decode_cve_status(d, cve): Convert CVE_STATUS into status, detail and description. """ status = d.getVarFlag("CVE_STATUS", cve) - if status is None: + if not status: return ("", "", "") status_split = status.split(':', 1) @@ -240,7 +239,7 @@ def decode_cve_status(d, cve): status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail) if status_mapping is None: - bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status)) + bb.warn('Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status)) status_mapping = "Unpatched" return (status_mapping, detail, description) diff --git a/poky/meta/lib/oe/prservice.py b/poky/meta/lib/oe/prservice.py index 2f2a0c128a..c41242c878 100644 --- a/poky/meta/lib/oe/prservice.py +++ b/poky/meta/lib/oe/prservice.py @@ -78,8 +78,7 @@ def prserv_export_tofile(d, metainfo, datainfo, lockdown, nomax=False): bb.utils.mkdirhier(d.getVar('PRSERV_DUMPDIR')) df = d.getVar('PRSERV_DUMPFILE') #write data - lf = bb.utils.lockfile("%s.lock" % df) - with open(df, "a") as f: + with open(df, "a") as f, bb.utils.fileslocked(["%s.lock" % df]) as locks: if metainfo: #dump column info f.write("#PR_core_ver = \"%s\"\n\n" % metainfo['core_ver']); @@ -113,7 +112,6 @@ def prserv_export_tofile(d, metainfo, datainfo, lockdown, nomax=False): if not nomax: for i in idx: f.write("PRAUTO_%s_%s = \"%s\"\n" % (str(datainfo[idx[i]]['version']),str(datainfo[idx[i]]['pkgarch']),str(datainfo[idx[i]]['value']))) - bb.utils.unlockfile(lf) def prserv_check_avail(d): host_params = list([_f for _f in (d.getVar("PRSERV_HOST") or '').split(':') if _f]) diff --git a/poky/meta/lib/oe/reproducible.py b/poky/meta/lib/oe/reproducible.py index 9ac75c02e3..448befce33 100644 --- a/poky/meta/lib/oe/reproducible.py +++ b/poky/meta/lib/oe/reproducible.py @@ -131,6 +131,9 @@ def get_source_date_epoch_from_youngest_file(d, sourcedir): files = [f for f in files if not f[0] == '.'] for fname in files: + if fname == "singletask.lock": + # Ignore externalsrc/devtool lockfile [YOCTO #14921] + continue filename = os.path.join(root, fname) try: mtime = int(os.lstat(filename).st_mtime) diff --git a/poky/meta/lib/oe/rootfs.py b/poky/meta/lib/oe/rootfs.py index 1a48ed10b3..3f27164536 100644 --- a/poky/meta/lib/oe/rootfs.py +++ b/poky/meta/lib/oe/rootfs.py @@ -349,7 +349,8 @@ class Rootfs(object, metaclass=ABCMeta): bb.utils.mkdirhier(versioned_modules_dir) bb.note("Running depmodwrapper for %s ..." % versioned_modules_dir) - self._exec_shell_cmd(['depmodwrapper', '-a', '-b', self.image_rootfs, kernel_ver, kernel_package_name]) + if self._exec_shell_cmd(['depmodwrapper', '-a', '-b', self.image_rootfs, kernel_ver, kernel_package_name]): + bb.fatal("Kernel modules dependency generation failed") """ Create devfs: diff --git a/poky/meta/lib/oeqa/runtime/decorator/package.py b/poky/meta/lib/oeqa/runtime/decorator/package.py index 8aba3f325b..b78ac9fc38 100644 --- a/poky/meta/lib/oeqa/runtime/decorator/package.py +++ b/poky/meta/lib/oeqa/runtime/decorator/package.py @@ -38,11 +38,12 @@ class OEHasPackage(OETestDecorator): if isinstance(self.need_pkgs, str): self.need_pkgs = [self.need_pkgs,] + mlprefix = self.case.td.get("MLPREFIX") for pkg in self.need_pkgs: if pkg.startswith('!'): - unneed_pkgs.add(pkg[1:]) + unneed_pkgs.add(mlprefix + pkg[1:]) else: - need_pkgs.add(pkg) + need_pkgs.add(mlprefix + pkg) if unneed_pkgs: msg = 'Checking if %s is not installed' % ', '.join(unneed_pkgs) diff --git a/poky/meta/lib/oeqa/selftest/cases/prservice.py b/poky/meta/lib/oeqa/selftest/cases/prservice.py index 9fe3b80a31..8da3739c57 100644 --- a/poky/meta/lib/oeqa/selftest/cases/prservice.py +++ b/poky/meta/lib/oeqa/selftest/cases/prservice.py @@ -14,6 +14,8 @@ from oeqa.selftest.case import OESelftestTestCase from oeqa.utils.commands import runCmd, bitbake, get_bb_var from oeqa.utils.network import get_free_port +import bb.utils + class BitbakePrTests(OESelftestTestCase): @classmethod @@ -21,6 +23,16 @@ class BitbakePrTests(OESelftestTestCase): super(BitbakePrTests, cls).setUpClass() cls.pkgdata_dir = get_bb_var('PKGDATA_DIR') + cls.exported_db_path = os.path.join(cls.builddir, 'export.inc') + cls.current_db_path = os.path.join(get_bb_var('PERSISTENT_DIR'), 'prserv.sqlite3') + + def cleanup(self): + # Ensure any memory resident bitbake is stopped + bitbake("-m") + # Remove any existing export file or prserv database + bb.utils.remove(self.exported_db_path) + bb.utils.remove(self.current_db_path + "*") + def get_pr_version(self, package_name): package_data_file = os.path.join(self.pkgdata_dir, 'runtime', package_name) package_data = ftools.read_file(package_data_file) @@ -49,6 +61,7 @@ class BitbakePrTests(OESelftestTestCase): self.assertEqual(res.status, 0, msg=res.output) def config_pr_tests(self, package_name, package_type='rpm', pr_socket='localhost:0'): + self.cleanup() config_package_data = 'PACKAGE_CLASSES = "package_%s"' % package_type self.write_config(config_package_data) config_server_data = 'PRSERV_HOST = "%s"' % pr_socket @@ -68,24 +81,24 @@ class BitbakePrTests(OESelftestTestCase): self.assertTrue(pr_2 - pr_1 == 1, "New PR %s did not increment as expected (from %s), difference should be 1" % (pr_2, pr_1)) self.assertTrue(stamp_1 != stamp_2, "Different pkg rev. but same stamp: %s" % stamp_1) + self.cleanup() + def run_test_pr_export_import(self, package_name, replace_current_db=True): self.config_pr_tests(package_name) self.increment_package_pr(package_name) pr_1 = self.get_pr_version(package_name) - exported_db_path = os.path.join(self.builddir, 'export.inc') - export_result = runCmd("bitbake-prserv-tool export %s" % exported_db_path, ignore_status=True) + export_result = runCmd("bitbake-prserv-tool export %s" % self.exported_db_path, ignore_status=True) self.assertEqual(export_result.status, 0, msg="PR Service database export failed: %s" % export_result.output) - self.assertTrue(os.path.exists(exported_db_path), msg="%s didn't exist, tool output %s" % (exported_db_path, export_result.output)) + self.assertTrue(os.path.exists(self.exported_db_path), msg="%s didn't exist, tool output %s" % (self.exported_db_path, export_result.output)) if replace_current_db: - current_db_path = os.path.join(get_bb_var('PERSISTENT_DIR'), 'prserv.sqlite3') - self.assertTrue(os.path.exists(current_db_path), msg="Path to current PR Service database is invalid: %s" % current_db_path) - os.remove(current_db_path) + self.assertTrue(os.path.exists(self.current_db_path), msg="Path to current PR Service database is invalid: %s" % self.current_db_path) + os.remove(self.current_db_path) - import_result = runCmd("bitbake-prserv-tool import %s" % exported_db_path, ignore_status=True) - os.remove(exported_db_path) + import_result = runCmd("bitbake-prserv-tool import %s" % self.exported_db_path, ignore_status=True) + #os.remove(self.exported_db_path) self.assertEqual(import_result.status, 0, msg="PR Service database import failed: %s" % import_result.output) self.increment_package_pr(package_name) @@ -93,6 +106,8 @@ class BitbakePrTests(OESelftestTestCase): self.assertTrue(pr_2 - pr_1 == 1, "New PR %s did not increment as expected (from %s), difference should be 1" % (pr_2, pr_1)) + self.cleanup() + def test_import_export_replace_db(self): self.run_test_pr_export_import('m4') diff --git a/poky/meta/recipes-bsp/grub/files/0001-fs-fat-Don-t-error-when-mtime-is-0.patch b/poky/meta/recipes-bsp/grub/files/0001-fs-fat-Don-t-error-when-mtime-is-0.patch new file mode 100644 index 0000000000..a5fbd58f46 --- /dev/null +++ b/poky/meta/recipes-bsp/grub/files/0001-fs-fat-Don-t-error-when-mtime-is-0.patch @@ -0,0 +1,70 @@ +From e43f3d93b28cce852c110c7a8e40d8311bcd8bb1 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood <rharwood@redhat.com> +Date: Fri, 15 Jul 2022 16:13:02 -0400 +Subject: [PATCH] fs/fat: Don't error when mtime is 0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In the wild, we occasionally see valid ESPs where some file modification +times are 0. For instance: + + ├── [Dec 31 1979] EFI + │ ├── [Dec 31 1979] BOOT + │ │ ├── [Dec 31 1979] BOOTX64.EFI + │ │ └── [Dec 31 1979] fbx64.efi + │ └── [Jun 27 02:41] fedora + │ ├── [Dec 31 1979] BOOTX64.CSV + │ ├── [Dec 31 1979] fonts + │ ├── [Mar 14 03:35] fw + │ │ ├── [Mar 14 03:35] fwupd-359c1169-abd6-4a0d-8bce-e4d4713335c1.cap + │ │ ├── [Mar 14 03:34] fwupd-9d255c4b-2d88-4861-860d-7ee52ade9463.cap + │ │ └── [Mar 14 03:34] fwupd-b36438d8-9128-49d2-b280-487be02d948b.cap + │ ├── [Dec 31 1979] fwupdx64.efi + │ ├── [May 10 10:47] grub.cfg + │ ├── [Jun 3 12:38] grub.cfg.new.new + │ ├── [May 10 10:41] grub.cfg.old + │ ├── [Jun 27 02:41] grubenv + │ ├── [Dec 31 1979] grubx64.efi + │ ├── [Dec 31 1979] mmx64.efi + │ ├── [Dec 31 1979] shim.efi + │ ├── [Dec 31 1979] shimx64.efi + │ └── [Dec 31 1979] shimx64-fedora.efi + └── [Dec 31 1979] FSCK0000.REC + + 5 directories, 17 files + +This causes grub-probe failure, which in turn causes grub-mkconfig +failure. They are valid filesystems that appear intact, and the Linux +FAT stack is able to mount and manipulate them without complaint. + +The check for mtime of 0 has been present since +20def1a3c3952982395cd7c3ea7e78638527962b (fat: support file +modification times). + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e43f3d93b28cce852c110c7a8e40d8311bcd8bb1] + +Signed-off-by: Robbie Harwood <rharwood@redhat.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +Signed-off-by: Ming Liu <liu.ming50@gmail.com> +--- + grub-core/fs/fat.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/grub-core/fs/fat.c b/grub-core/fs/fat.c +index 0951b2e63..c5efed724 100644 +--- a/grub-core/fs/fat.c ++++ b/grub-core/fs/fat.c +@@ -1027,9 +1027,6 @@ grub_fat_dir (grub_device_t device, const char *path, grub_fs_dir_hook_t hook, + grub_le_to_cpu16 (ctxt.dir.w_date), + &info.mtime); + #endif +- if (info.mtimeset == 0) +- grub_error (GRUB_ERR_OUT_OF_RANGE, +- "invalid modification timestamp for %s", path); + + if (hook (ctxt.filename, &info, hook_data)) + break; +-- +2.34.1 + diff --git a/poky/meta/recipes-bsp/grub/grub2.inc b/poky/meta/recipes-bsp/grub/grub2.inc index f594e7d3a4..1215b24668 100644 --- a/poky/meta/recipes-bsp/grub/grub2.inc +++ b/poky/meta/recipes-bsp/grub/grub2.inc @@ -44,6 +44,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch \ file://CVE-2023-4692.patch \ file://CVE-2023-4693.patch \ + file://0001-fs-fat-Don-t-error-when-mtime-is-0.patch \ " SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" diff --git a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb index bfd945c7ae..1f18d4491d 100644 --- a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -6,7 +6,7 @@ IPv4 Link-Local Addresses" (IETF RFC3927), a protocol for automatic IP address \ configuration from the link-local 169.254.0.0/16 range without the need for a central \ server.' HOMEPAGE = "http://avahi.org" -BUGTRACKER = "https://github.com/lathiat/avahi/issues" +BUGTRACKER = "https://github.com/avahi/avahi/issues" SECTION = "network" # major part is under LGPL-2.1-or-later, but several .dtd, .xsl, initscripts and @@ -37,8 +37,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \ file://CVE-2023-38473.patch \ " -GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/" -SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7" +GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/" SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda" CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE" diff --git a/poky/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch b/poky/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch index 451b409c88..5b135b3aee 100644 --- a/poky/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch +++ b/poky/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch @@ -1,4 +1,4 @@ -From d027b1d85a8c1a0193b6e4a00083d3038d699a59 Mon Sep 17 00:00:00 2001 +From 06ebd1b2ced426c420ed162980eca194f9f918ae Mon Sep 17 00:00:00 2001 From: Kai Kang <kai.kang@windriver.com> Date: Tue, 22 Sep 2020 15:02:33 +0800 Subject: [PATCH] There are conflict of config files between kea and lib32-kea: @@ -35,10 +35,10 @@ index e6ae8b8..50a3092 100644 // "param1": "foo" // } diff --git a/src/bin/keactrl/kea-dhcp4.conf.pre b/src/bin/keactrl/kea-dhcp4.conf.pre -index 26bf163..49ddb0a 100644 +index 6edb8a1..b2a7385 100644 --- a/src/bin/keactrl/kea-dhcp4.conf.pre +++ b/src/bin/keactrl/kea-dhcp4.conf.pre -@@ -252,7 +252,7 @@ +@@ -255,7 +255,7 @@ // // of all devices serviced by Kea, including their identifiers // // (like MAC address), their location in the network, times // // when they were active etc. @@ -47,7 +47,7 @@ index 26bf163..49ddb0a 100644 // "parameters": { // "path": "/var/lib/kea", // "base-name": "kea-forensic4" -@@ -269,7 +269,7 @@ +@@ -272,7 +272,7 @@ // // of specific options or perhaps even a combination of several // // options and fields to uniquely identify a client. Those scenarios // // are addressed by the Flexible Identifiers hook application. diff --git a/poky/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch b/poky/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch index b7c2fd4f0d..63a6a2805b 100644 --- a/poky/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch +++ b/poky/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch @@ -1,4 +1,4 @@ -From 18f4f6206c248d6169aa67b3ecf16bf54e9292e8 Mon Sep 17 00:00:00 2001 +From c878a356712606549f7f188b62f7d1cae08a176e Mon Sep 17 00:00:00 2001 From: Armin kuster <akuster808@gmail.com> Date: Wed, 14 Oct 2020 22:48:31 -0700 Subject: [PATCH] Busybox does not support ps -p so use pgrep @@ -13,10 +13,10 @@ Signed-off-by: Armin kuster <akuster808@gmail.com> 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/bin/keactrl/keactrl.in b/src/bin/keactrl/keactrl.in -index ae5bd8e..e9f9b73 100644 +index 450e997..c353ca9 100644 --- a/src/bin/keactrl/keactrl.in +++ b/src/bin/keactrl/keactrl.in -@@ -151,8 +151,8 @@ check_running() { +@@ -149,8 +149,8 @@ check_running() { # Get the PID from the PID file (if it exists) get_pid_from_file "${proc_name}" if [ ${_pid} -gt 0 ]; then diff --git a/poky/meta/recipes-connectivity/kea/kea_2.4.0.bb b/poky/meta/recipes-connectivity/kea/kea_2.4.1.bb index 316468754e..c3aa4dc8f0 100644 --- a/poky/meta/recipes-connectivity/kea/kea_2.4.0.bb +++ b/poky/meta/recipes-connectivity/kea/kea_2.4.1.bb @@ -19,7 +19,7 @@ SRC_URI = "http://ftp.isc.org/isc/kea/${PV}/${BP}.tar.gz \ file://0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch \ file://0001-kea-fix-reproducible-build-failure.patch \ " -SRC_URI[sha256sum] = "3a33cd08dc3319ff544e6bbf2c0429042106f4051ebe115dc1bb2625c95003f7" +SRC_URI[sha256sum] = "815c61f5c271caa4a1db31dd656eb50a7f6ea973da3690f7c8581408e180131a" inherit autotools systemd update-rc.d upstream-version-is-even diff --git a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-configure.ac-libevent-and-libsqlite3-checked-when-nf.patch b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-configure.ac-libevent-and-libsqlite3-checked-when-nf.patch deleted file mode 100644 index 5afc714f19..0000000000 --- a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-configure.ac-libevent-and-libsqlite3-checked-when-nf.patch +++ /dev/null @@ -1,80 +0,0 @@ -From b62a3fe424026b73ec6b1934483b16863c7dff23 Mon Sep 17 00:00:00 2001 -From: Wiktor Jaskulski <wjaskulski@adva.com> -Date: Thu, 11 May 2023 15:28:23 -0400 -Subject: [PATCH] configure.ac: libevent and libsqlite3 checked when nfsv4 is - disabled - -Upstream-Status: Backport -(http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=bc4a5deef9f820c55fdac3c0070364c17cd91cca) - -Signed-off-by: Steve Dickson <steved@redhat.com> -Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> ---- - configure.ac | 38 +++++++++++++++----------------------- - 1 file changed, 15 insertions(+), 23 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 4ade528d..519cacbf 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -335,42 +335,34 @@ AC_CHECK_HEADER(rpc/rpc.h, , - AC_MSG_ERROR([Header file rpc/rpc.h not found - maybe try building with --enable-tirpc])) - CPPFLAGS="${nfsutils_save_CPPFLAGS}" - -+dnl check for libevent libraries and headers -+AC_LIBEVENT -+ -+dnl Check for sqlite3 -+AC_SQLITE3_VERS -+ -+case $libsqlite3_cv_is_recent in -+yes) ;; -+unknown) -+ dnl do not fail when cross-compiling -+ AC_MSG_WARN([assuming sqlite is at least v3.3]) ;; -+*) -+ AC_MSG_ERROR([nfsdcld requires sqlite-devel]) ;; -+esac -+ - if test "$enable_nfsv4" = yes; then -- dnl check for libevent libraries and headers -- AC_LIBEVENT - - dnl check for the keyutils libraries and headers - AC_KEYUTILS - -- dnl Check for sqlite3 -- AC_SQLITE3_VERS -- - if test "$enable_nfsdcld" = "yes"; then - AC_CHECK_HEADERS([libgen.h sys/inotify.h], , - AC_MSG_ERROR([Cannot find header needed for nfsdcld])) -- -- case $libsqlite3_cv_is_recent in -- yes) ;; -- unknown) -- dnl do not fail when cross-compiling -- AC_MSG_WARN([assuming sqlite is at least v3.3]) ;; -- *) -- AC_MSG_ERROR([nfsdcld requires sqlite-devel]) ;; -- esac - fi - - if test "$enable_nfsdcltrack" = "yes"; then - AC_CHECK_HEADERS([libgen.h sys/inotify.h], , - AC_MSG_ERROR([Cannot find header needed for nfsdcltrack])) -- -- case $libsqlite3_cv_is_recent in -- yes) ;; -- unknown) -- dnl do not fail when cross-compiling -- AC_MSG_WARN([assuming sqlite is at least v3.3]) ;; -- *) -- AC_MSG_ERROR([nfsdcltrack requires sqlite-devel]) ;; -- esac - fi - - else --- -2.41.0 - diff --git a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch new file mode 100644 index 0000000000..57d4660571 --- /dev/null +++ b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch @@ -0,0 +1,34 @@ +From 45597a58e98f351b18db8444292b1cf6dd0cd810 Mon Sep 17 00:00:00 2001 +From: Robert Yang <liezhi.yang@windriver.com> +Date: Sat, 9 Dec 2023 23:34:08 -0800 +Subject: [PATCH] reexport.h: Include unistd.h to compile with musl + +Fixed error when compile with musl +reexport.c: In function 'reexpdb_init': +reexport.c:62:17: error: implicit declaration of function 'sleep' [-Werror=implicit-function-declaration] + 62 | sleep(1); + + +Upstream-Status: Submitted [https://marc.info/?l=linux-nfs&m=170254661824522&w=2] + +Signed-off-by: Robert Yang <liezhi.yang@windriver.com> +--- + support/reexport/reexport.h | 1 + + 1 files changed, 1 insertions(+) + +diff --git a/support/reexport/reexport.h b/support/reexport/reexport.h +index 85fd59c..02f8684 100644 +--- a/support/reexport/reexport.h ++++ b/support/reexport/reexport.h +@@ -1,6 +1,8 @@ + #ifndef REEXPORT_H + #define REEXPORT_H + ++#include <unistd.h> ++ + #include "nfslib.h" + + enum { +-- +2.42.0 + diff --git a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.3.bb b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb index 35cf6af6d4..2f2644f9a8 100644 --- a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.3.bb +++ b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb @@ -30,11 +30,11 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.x file://bugfix-adjust-statd-service-name.patch \ file://0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch \ file://clang-warnings.patch \ - file://0001-configure.ac-libevent-and-libsqlite3-checked-when-nf.patch \ - file://0001-locktest-Makefile.am-Do-not-use-build-flags.patch \ - file://0001-tools-locktest-Use-intmax_t-to-print-off_t.patch \ + file://0001-locktest-Makefile.am-Do-not-use-build-flags.patch \ + file://0001-tools-locktest-Use-intmax_t-to-print-off_t.patch \ + file://0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch \ " -SRC_URI[sha256sum] = "38d89e853a71d3c560ff026af3d969d75e24f782ff68324e76261fe0344459e1" +SRC_URI[sha256sum] = "01b3b0fb9c7d0bbabf5114c736542030748c788ec2fd9734744201e9b0a1119d" # Only kernel-module-nfsd is required here (but can be built-in) - the nfsd module will # pull in the remainder of the dependencies. diff --git a/poky/meta/recipes-core/base-passwd/base-passwd_3.6.2.bb b/poky/meta/recipes-core/base-passwd/base-passwd_3.6.3.bb index bb4b49e6ab..9d7703b1c0 100644 --- a/poky/meta/recipes-core/base-passwd/base-passwd_3.6.2.bb +++ b/poky/meta/recipes-core/base-passwd/base-passwd_3.6.3.bb @@ -15,7 +15,7 @@ SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar file://0001-base-passwd-Add-the-sgx-group.patch \ " -SRC_URI[sha256sum] = "06dc78352bf38a8df76ff295e15ab5654cdefe41e62368b15bfcbbab8e4ec2a0" +SRC_URI[sha256sum] = "83575327d8318a419caf2d543341215c046044073d1afec2acc0ac4d8095ff39" # the package is taken from launchpad; that source is static and goes stale # so we check the latest upstream from a directory that does get updated diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Do-not-write-bindir-into-pkg-config-files.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Do-not-write-bindir-into-pkg-config-files.patch index 0d44ddf299..0e5f371cb5 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Do-not-write-bindir-into-pkg-config-files.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Do-not-write-bindir-into-pkg-config-files.patch @@ -1,4 +1,4 @@ -From 9ec4eedeb3f67db0bff09f5d859318d05ff47964 Mon Sep 17 00:00:00 2001 +From cf7df91cc8c3b4811235ef8aec144c5f0cf90bdb Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Fri, 15 Feb 2019 11:17:27 +0100 Subject: [PATCH] Do not write $bindir into pkg-config files @@ -16,7 +16,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/gio/meson.build b/gio/meson.build -index a320c0f..86ce7c4 100644 +index 5f91586..1a95f4f 100644 --- a/gio/meson.build +++ b/gio/meson.build @@ -884,14 +884,14 @@ pkg.generate(libgio, diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Fix-DATADIRNAME-on-uclibc-Linux.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Fix-DATADIRNAME-on-uclibc-Linux.patch index 16f2d31496..1254466063 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Fix-DATADIRNAME-on-uclibc-Linux.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Fix-DATADIRNAME-on-uclibc-Linux.patch @@ -1,4 +1,4 @@ -From c94e669de98a3892c699bd8d0d2b5164b2de747e Mon Sep 17 00:00:00 2001 +From b907a6681c4c24e5d3745538d9fcd471cf1c4c4a Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Sat, 15 Mar 2014 22:42:29 -0700 Subject: [PATCH] Fix DATADIRNAME on uclibc/Linux @@ -9,7 +9,6 @@ based systems therefore lets set DATADIRNAME to "share". Signed-off-by: Khem Raj <raj.khem@gmail.com> Upstream-Status: Pending - --- m4macros/glib-gettext.m4 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Install-gio-querymodules-as-libexec_PROGRAM.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Install-gio-querymodules-as-libexec_PROGRAM.patch index 597864d9ac..50d369c24e 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Install-gio-querymodules-as-libexec_PROGRAM.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Install-gio-querymodules-as-libexec_PROGRAM.patch @@ -1,4 +1,4 @@ -From 0015db45cd1bfefc04959dffab5dabeead93136f Mon Sep 17 00:00:00 2001 +From 6e2ddcb5465d10618345b12e0b4471ead0f14304 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen <jussi.kukkonen@intel.com> Date: Tue, 22 Mar 2016 15:14:58 +0200 Subject: [PATCH] Install gio-querymodules as libexec_PROGRAM @@ -14,10 +14,10 @@ Upstream-Status: Inappropriate [OE specific] 1 file changed, 1 insertion(+) diff --git a/gio/meson.build b/gio/meson.build -index 2ef60ed..532b086 100644 +index f9fdf6e..5f91586 100644 --- a/gio/meson.build +++ b/gio/meson.build -@@ -936,6 +936,7 @@ gio_querymodules = executable('gio-querymodules', 'gio-querymodules.c', 'giomodu +@@ -1005,6 +1005,7 @@ gio_querymodules = executable('gio-querymodules', 'gio-querymodules.c', 'giomodu c_args : gio_c_args, # intl.lib is not compatible with SAFESEH link_args : noseh_link_args, diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Remove-the-warning-about-deprecated-paths-in-schemas.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Remove-the-warning-about-deprecated-paths-in-schemas.patch index 6fd93526ce..f810574d97 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Remove-the-warning-about-deprecated-paths-in-schemas.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Remove-the-warning-about-deprecated-paths-in-schemas.patch @@ -1,4 +1,4 @@ -From 4f47b8a8d650d185aa61aec2f56a283522a723c4 Mon Sep 17 00:00:00 2001 +From c8c223045821cac97f798cfa63f19853621a8a2a Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Fri, 12 Jun 2015 17:08:46 +0300 Subject: [PATCH] Remove the warning about deprecated paths in schemas @@ -15,7 +15,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> 1 file changed, 13 deletions(-) diff --git a/gio/glib-compile-schemas.c b/gio/glib-compile-schemas.c -index 7888120..7acbd5b 100644 +index 04ef404..e791ce2 100644 --- a/gio/glib-compile-schemas.c +++ b/gio/glib-compile-schemas.c @@ -1232,19 +1232,6 @@ parse_state_start_schema (ParseState *state, diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Set-host_machine-correctly-when-building-with-mingw3.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Set-host_machine-correctly-when-building-with-mingw3.patch index 2e1e2313e8..e1d2fb0e54 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Set-host_machine-correctly-when-building-with-mingw3.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-Set-host_machine-correctly-when-building-with-mingw3.patch @@ -1,4 +1,4 @@ -From ba1728bc27c88597164957d000b70ec4be6edf28 Mon Sep 17 00:00:00 2001 +From bafde4eedc0a22b45e73ee6183b9a11393a1e400 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Wed, 13 Feb 2019 15:32:05 +0100 Subject: [PATCH] Set host_machine correctly when building with mingw32 @@ -13,7 +13,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/gio/tests/meson.build b/gio/tests/meson.build -index f644aa2..64a8684 100644 +index 4ef3343..e498e7e 100644 --- a/gio/tests/meson.build +++ b/gio/tests/meson.build @@ -29,7 +29,7 @@ endif @@ -25,7 +25,7 @@ index f644aa2..64a8684 100644 common_gio_tests_deps += [iphlpapi_dep, winsock2, cc.find_library ('secur32')] endif -@@ -210,7 +210,7 @@ if have_dbus_daemon +@@ -230,7 +230,7 @@ if have_dbus_daemon endif # Test programs buildable on UNIX only @@ -34,7 +34,7 @@ index f644aa2..64a8684 100644 gio_tests += { 'file' : {}, 'gdbus-peer-object-manager' : {}, -@@ -462,7 +462,7 @@ if host_machine.system() != 'windows' +@@ -562,7 +562,7 @@ if host_machine.system() != 'windows' endif # unix # Test programs buildable on Windows only @@ -43,7 +43,7 @@ index f644aa2..64a8684 100644 gio_tests += {'win32-streams' : {}} endif -@@ -532,7 +532,7 @@ if cc.get_id() != 'msvc' and cc.get_id() != 'clang-cl' +@@ -632,7 +632,7 @@ if cc.get_id() != 'msvc' and cc.get_id() != 'clang-cl' } endif @@ -53,10 +53,10 @@ index f644aa2..64a8684 100644 'gdbus-example-unix-fd-client' : { 'install' : false, diff --git a/glib/tests/meson.build b/glib/tests/meson.build -index db01b54..6950817 100644 +index d80c86e..5329cda 100644 --- a/glib/tests/meson.build +++ b/glib/tests/meson.build -@@ -188,7 +188,7 @@ if glib_conf.has('HAVE_EVENTFD') +@@ -216,7 +216,7 @@ if glib_conf.has('HAVE_EVENTFD') } endif @@ -66,10 +66,10 @@ index db01b54..6950817 100644 glib_tests += { 'gpoll' : { diff --git a/meson.build b/meson.build -index 43bb468..5f9b59c 100644 +index f7e936e..122f8b5 100644 --- a/meson.build +++ b/meson.build -@@ -43,6 +43,9 @@ else +@@ -54,6 +54,9 @@ else endif host_system = host_machine.system() diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch index d33fdd4d8b..e4c2f77459 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch @@ -1,4 +1,4 @@ -From 92de6c7eb30b961b24a2dce812d5276487b7d23d Mon Sep 17 00:00:00 2001 +From 3f05b9418c88bbb83c08b57cc5529b006f26fff4 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Wed, 8 Jan 2020 18:22:46 +0100 Subject: [PATCH] gio/tests/resources.c: comment out a build host-only test @@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gio/tests/resources.c b/gio/tests/resources.c -index c44d214..e289a01 100644 +index f567914..b21b616 100644 --- a/gio/tests/resources.c +++ b/gio/tests/resources.c -@@ -993,7 +993,7 @@ main (int argc, +@@ -1068,7 +1068,7 @@ main (int argc, g_test_add_func ("/resource/automatic", test_resource_automatic); /* This only uses automatic resources too, so it tests the constructors and destructors */ g_test_add_func ("/resource/module", test_resource_module); diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson-Run-atomics-test-on-clang-as-well.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson-Run-atomics-test-on-clang-as-well.patch index 44482dd2b7..071e4a7c4d 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson-Run-atomics-test-on-clang-as-well.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson-Run-atomics-test-on-clang-as-well.patch @@ -1,4 +1,4 @@ -From 4b97f457b7b44117e27d2a218c4b68e7fe3fe4ce Mon Sep 17 00:00:00 2001 +From 17d718640ae6f953e5eea714c1bd64eeb6e4799f Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Sat, 12 Oct 2019 17:46:26 -0700 Subject: [PATCH] meson: Run atomics test on clang as well @@ -15,10 +15,10 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meson.build b/meson.build -index afb6eaa..6aa70f5 100644 +index 122f8b5..f055079 100644 --- a/meson.build +++ b/meson.build -@@ -1692,7 +1692,7 @@ atomicdefine = ''' +@@ -1938,7 +1938,7 @@ atomicdefine = ''' # We know that we can always use real ("lock free") atomic operations with MSVC if cc.get_id() == 'msvc' or cc.get_id() == 'clang-cl' or cc.links(atomictest, name : 'atomic ops') have_atomic_lock_free = true diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch index 788f420d11..e03f9a3c84 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch @@ -1,4 +1,4 @@ -From 9aa9574861fad39d0679025e35fe1e188345f685 Mon Sep 17 00:00:00 2001 +From 7865d698b5d392aac3a3d32e9ebd5fea45017d15 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex@linutronix.de> Date: Sat, 16 Sep 2023 22:28:27 +0200 Subject: [PATCH] meson.build: do not enable pidfd features on native glib @@ -9,12 +9,13 @@ where these features are not implemented. Upstream-Status: Inappropriate [oe-core specific] Signed-off-by: Alexander Kanavin <alex@linutronix.de> + --- meson.build | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meson.build b/meson.build -index 1c36993..bbf97fc 100644 +index f055079..77d78aa 100644 --- a/meson.build +++ b/meson.build @@ -981,7 +981,8 @@ if cc.links('''#include <sys/syscall.h> @@ -27,6 +28,3 @@ index 1c36993..bbf97fc 100644 endif # Check for __uint128_t (gcc) by checking for 128-bit division --- -2.30.2 - diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0010-Do-not-hardcode-python-path-into-various-tools.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0010-Do-not-hardcode-python-path-into-various-tools.patch index 1c645f3a9a..4b75167da6 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/0010-Do-not-hardcode-python-path-into-various-tools.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0010-Do-not-hardcode-python-path-into-various-tools.patch @@ -1,4 +1,4 @@ -From 79ce7e545dd3a93f77d2146d50b6fa061fbceed9 Mon Sep 17 00:00:00 2001 +From 53bcd4b6cd3fe3fe4246914462e6724761eecf51 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Tue, 3 Oct 2017 10:45:55 +0300 Subject: [PATCH] Do not hardcode python path into various tools @@ -23,7 +23,7 @@ index 67d3675..4e92a7a 100755 # GDBus - GLib D-Bus Library # diff --git a/gobject/glib-genmarshal.in b/gobject/glib-genmarshal.in -index 7380f24..c8abeaa 100755 +index aa5af43..56e8e2e 100755 --- a/gobject/glib-genmarshal.in +++ b/gobject/glib-genmarshal.in @@ -1,4 +1,4 @@ @@ -33,7 +33,7 @@ index 7380f24..c8abeaa 100755 # pylint: disable=too-many-lines, missing-docstring, invalid-name diff --git a/gobject/glib-mkenums.in b/gobject/glib-mkenums.in -index 91ad779..3ebef62 100755 +index 353e53a..8ed6c39 100755 --- a/gobject/glib-mkenums.in +++ b/gobject/glib-mkenums.in @@ -1,4 +1,4 @@ diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/relocate-modules.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/relocate-modules.patch index 841fedef8a..95a73298d8 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0/relocate-modules.patch +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/relocate-modules.patch @@ -1,4 +1,4 @@ -From b90d13900dd2777c2ab90c5b0be1a872c10a17da Mon Sep 17 00:00:00 2001 +From 03a069cb8066d3e8ef72a43f7b1db5c9625e9cc2 Mon Sep 17 00:00:00 2001 From: Ross Burton <ross.burton@intel.com> Date: Fri, 11 Mar 2016 15:35:55 +0000 Subject: [PATCH] glib-2.0: relocate the GIO module directory for native builds diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0_2.78.1.bb b/poky/meta/recipes-core/glib-2.0/glib-2.0_2.78.3.bb index a490262112..13d4b38e22 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0_2.78.1.bb +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0_2.78.3.bb @@ -19,7 +19,7 @@ SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ " -SRC_URI[sha256sum] = "915bc3d0f8507d650ead3832e2f8fb670fce59aac4d7754a7dab6f1e6fed78b2" +SRC_URI[sha256sum] = "609801dd373796e515972bf95fc0b2daa44545481ee2f465c4f204d224b2bc21" # Find any meson cross files in FILESPATH that are relevant for the current # build (using siteinfo) and add them to EXTRA_OEMESON. diff --git a/poky/meta/recipes-core/glibc/glibc-version.inc b/poky/meta/recipes-core/glibc/glibc-version.inc index 0ef4289557..212f960cb5 100644 --- a/poky/meta/recipes-core/glibc/glibc-version.inc +++ b/poky/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.38/master" PV = "2.38+git" -SRCREV_glibc ?= "44f757a6364a546359809d48c76b3debd26e77d4" +SRCREV_glibc ?= "d37c2b20a4787463d192b32041c3406c2bd91de0" SRCREV_localedef ?= "e0eca29583b9e0f62645c4316ced93cf4e4e26e1" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https" @@ -10,4 +10,9 @@ UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+(\.(?!90)\d+)*)" CVE_STATUS[CVE-2023-4527] = "fixed-version: Fixed in stable branch updates" CVE_STATUS[CVE-2023-4911] = "fixed-version: Fixed in stable branch updates" CVE_STATUS[CVE-2023-4806] = "fixed-version: Fixed in stable branch updates" +CVE_STATUS[CVE-2023-5156] = "fixed-version: Fixed in stable branch updates" CVE_STATUS[CVE-2023-4527] = "fixed-version: Fixed in stable branch updates" +CVE_STATUS[CVE-2023-0687] = "fixed-version: Fixed in stable branch updates" +CVE_STATUS[CVE-2023-6246] = "fixed-version: Fixed in stable branch updates" +CVE_STATUS[CVE-2023-6779] = "fixed-version: Fixed in stable branch updates" +CVE_STATUS[CVE-2023-6780] = "fixed-version: Fixed in stable branch updates" diff --git a/poky/meta/recipes-core/glibc/glibc/run-ptest b/poky/meta/recipes-core/glibc/glibc/run-ptest index c394b49866..cb71c75682 100755 --- a/poky/meta/recipes-core/glibc/glibc/run-ptest +++ b/poky/meta/recipes-core/glibc/glibc/run-ptest @@ -22,12 +22,12 @@ tst_time64=$(ls -r ${PWD}/tests/glibc-ptest/*-time64) # related tst_time_tmp=$(sed -e "s/-time64$//" <<< ${tst_time64}) -# Run tests supporting only 32 bit time -for i in ${tst_time_tmp} -do - $i >/dev/null 2>&1 - output -done +# Do not run tests supporting only 32 bit time +#for i in ${tst_time_tmp} +#do +# $i >/dev/null 2>&1 +# output +#done # Run tests supporting only 64 bit time for i in ${tst_time64} diff --git a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 3a049b8e37..d63079bb34 100644 --- a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb @@ -26,7 +26,7 @@ inherit core-image setuptools3 features_check REQUIRED_DISTRO_FEATURES += "xattr" -SRCREV ?= "59e8c565ef9cddb4cab90017d187368aa34f361b" +SRCREV ?= "17635c5e4d2460a762152f550ac98d66b9090904" SRC_URI = "git://git.yoctoproject.org/poky;branch=nanbield \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \ diff --git a/poky/meta/recipes-core/ncurses/files/0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch b/poky/meta/recipes-core/ncurses/files/0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch new file mode 100644 index 0000000000..121db6bffe --- /dev/null +++ b/poky/meta/recipes-core/ncurses/files/0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch @@ -0,0 +1,499 @@ +From 135d37072755704b8d018e5de74e62ff3f28c930 Mon Sep 17 00:00:00 2001 +From: Thomas E. Dickey <dickey@invisible-island.net> +Date: Sun, 5 Nov 2023 05:54:54 +0530 +Subject: [PATCH] Updating reset code - ncurses 6.4 - patch 20231104 + ++ modify reset command to avoid altering clocal if the terminal uses a + modem (prompted by discussion with Werner Fink, Michal Suchanek, + OpenSUSE #1201384, Debian #60377). ++ build-fixes for --with-caps variations. ++ correct a couple of section-references in INSTALL. + +Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net> + +Upstream-Status: Backport [https://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=135d37072755704b8d018e5de74e62ff3f28c930] + +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> +--- + INSTALL | 8 +- + include/curses.events | 2 +- + ncurses/tinfo/lib_tparm.c | 2 + + progs/reset_cmd.c | 281 +++++++++++++++++++++----------------- + progs/tabs.c | 10 +- + progs/tic.c | 4 + + 6 files changed, 176 insertions(+), 131 deletions(-) + +diff --git a/INSTALL b/INSTALL +index d9c1dd12..d0a39af0 100644 +--- a/INSTALL ++++ b/INSTALL +@@ -47,7 +47,7 @@ If you are converting from BSD curses and do not have root access, be sure + to read the BSD CONVERSION NOTES section below. + + If you are trying to build applications using gpm with ncurses, +-read the USING NCURSES WITH GPM section below. ++read the USING GPM section below. + + If you are cross-compiling, see the note below on BUILDING WITH A CROSS-COMPILER. + +@@ -79,7 +79,7 @@ INSTALLATION PROCEDURE: + The --prefix option to configure changes the root directory for installing + ncurses. The default is normally in subdirectories of /usr/local, except + for systems where ncurses is normally installed as a system library (see +- "IF YOU ARE A SYSTEM INTEGRATOR"). Use --prefix=/usr to replace your ++ "FOR SYSTEM INTEGRATORS"). Use --prefix=/usr to replace your + default curses distribution. + + The package gets installed beneath the --prefix directory as follows: +@@ -176,7 +176,7 @@ INSTALLATION PROCEDURE: + You can make curses and terminfo fall back to an existing file of termcap + definitions by configuring with --enable-termcap. If you do this, the + library will search /etc/termcap before the terminfo database, and will +- also interpret the contents of the TERM environment variable. See the ++ also interpret the contents of the $TERM environment variable. See the + section BSD CONVERSION NOTES below. + + 3. Type `make'. Ignore any warnings, no error messages should be produced. +@@ -1231,7 +1231,7 @@ CONFIGURE OPTIONS: + Specify a search-list of terminfo directories which will be compiled + into the ncurses library (default: DATADIR/terminfo) + +- This is a colon-separated list, like the TERMINFO_DIRS environment ++ This is a colon-separated list, like the $TERMINFO_DIRS environment + variable. + + --with-termlib[=XXX] +diff --git a/include/curses.events b/include/curses.events +index 25a2583f..468bde18 100644 +--- a/include/curses.events ++++ b/include/curses.events +@@ -50,6 +50,6 @@ typedef struct + extern NCURSES_EXPORT(int) wgetch_events (WINDOW *, _nc_eventlist *) GCC_DEPRECATED(experimental option); /* experimental */ + extern NCURSES_EXPORT(int) wgetnstr_events (WINDOW *,char *,int,_nc_eventlist *) GCC_DEPRECATED(experimental option); /* experimental */ + +-#define KEY_EVENT 0633 /* We were interrupted by an event */ ++#define KEY_EVENT 0634 /* We were interrupted by an event */ + + #endif /* NCURSES_WGETCH_EVENTS */ +diff --git a/ncurses/tinfo/lib_tparm.c b/ncurses/tinfo/lib_tparm.c +index a10a3877..cd972c0f 100644 +--- a/ncurses/tinfo/lib_tparm.c ++++ b/ncurses/tinfo/lib_tparm.c +@@ -1113,8 +1113,10 @@ check_string_caps(TPARM_DATA *data, const char *string) + want_type = 2; /* function key #1, transmit string #2 */ + else if (CHECK_CAP(plab_norm)) + want_type = 2; /* label #1, show string #2 */ ++#ifdef pkey_plab + else if (CHECK_CAP(pkey_plab)) + want_type = 6; /* function key #1, type string #2, show string #3 */ ++#endif + #if NCURSES_XNAMES + else { + char *check; +diff --git a/progs/reset_cmd.c b/progs/reset_cmd.c +index eff3af72..aec4b077 100644 +--- a/progs/reset_cmd.c ++++ b/progs/reset_cmd.c +@@ -75,6 +75,9 @@ MODULE_ID("$Id: reset_cmd.c,v 1.28 2021/10/02 18:08:44 tom Exp $") + # endif + #endif + ++#define set_flags(target, mask) target |= mask ++#define clear_flags(target, mask) target &= ~((unsigned)(mask)) ++ + static FILE *my_file; + + static bool use_reset = FALSE; /* invoked as reset */ +@@ -188,6 +191,79 @@ out_char(int c) + #define reset_char(item, value) \ + tty_settings->c_cc[item] = CHK(tty_settings->c_cc[item], value) + ++/* ++ * Simplify ifdefs ++ */ ++#ifndef BSDLY ++#define BSDLY 0 ++#endif ++#ifndef CRDLY ++#define CRDLY 0 ++#endif ++#ifndef ECHOCTL ++#define ECHOCTL 0 ++#endif ++#ifndef ECHOKE ++#define ECHOKE 0 ++#endif ++#ifndef ECHOPRT ++#define ECHOPRT 0 ++#endif ++#ifndef FFDLY ++#define FFDLY 0 ++#endif ++#ifndef IMAXBEL ++#define IMAXBEL 0 ++#endif ++#ifndef IUCLC ++#define IUCLC 0 ++#endif ++#ifndef IXANY ++#define IXANY 0 ++#endif ++#ifndef NLDLY ++#define NLDLY 0 ++#endif ++#ifndef OCRNL ++#define OCRNL 0 ++#endif ++#ifndef OFDEL ++#define OFDEL 0 ++#endif ++#ifndef OFILL ++#define OFILL 0 ++#endif ++#ifndef OLCUC ++#define OLCUC 0 ++#endif ++#ifndef ONLCR ++#define ONLCR 0 ++#endif ++#ifndef ONLRET ++#define ONLRET 0 ++#endif ++#ifndef ONOCR ++#define ONOCR 0 ++#endif ++#ifndef OXTABS ++#define OXTABS 0 ++#endif ++#ifndef TAB3 ++#define TAB3 0 ++#endif ++#ifndef TABDLY ++#define TABDLY 0 ++#endif ++#ifndef TOSTOP ++#define TOSTOP 0 ++#endif ++#ifndef VTDLY ++#define VTDLY 0 ++#endif ++#ifndef XCASE ++#define XCASE 0 ++#endif ++ + /* + * Reset the terminal mode bits to a sensible state. Very useful after + * a child program dies in raw mode. +@@ -195,6 +271,10 @@ out_char(int c) + void + reset_tty_settings(int fd, TTY * tty_settings, int noset) + { ++ unsigned mask; ++#ifdef TIOCMGET ++ int modem_bits; ++#endif + GET_TTY(fd, tty_settings); + + #ifdef TERMIOS +@@ -228,106 +308,65 @@ reset_tty_settings(int fd, TTY * tty_settings, int noset) + reset_char(VWERASE, CWERASE); + #endif + +- tty_settings->c_iflag &= ~((unsigned) (IGNBRK +- | PARMRK +- | INPCK +- | ISTRIP +- | INLCR +- | IGNCR +-#ifdef IUCLC +- | IUCLC +-#endif +-#ifdef IXANY +- | IXANY +-#endif +- | IXOFF)); +- +- tty_settings->c_iflag |= (BRKINT +- | IGNPAR +- | ICRNL +- | IXON +-#ifdef IMAXBEL +- | IMAXBEL +-#endif +- ); +- +- tty_settings->c_oflag &= ~((unsigned) (0 +-#ifdef OLCUC +- | OLCUC +-#endif +-#ifdef OCRNL +- | OCRNL +-#endif +-#ifdef ONOCR +- | ONOCR +-#endif +-#ifdef ONLRET +- | ONLRET +-#endif +-#ifdef OFILL +- | OFILL +-#endif +-#ifdef OFDEL +- | OFDEL +-#endif +-#ifdef NLDLY +- | NLDLY +-#endif +-#ifdef CRDLY +- | CRDLY +-#endif +-#ifdef TABDLY +- | TABDLY +-#endif +-#ifdef BSDLY +- | BSDLY +-#endif +-#ifdef VTDLY +- | VTDLY +-#endif +-#ifdef FFDLY +- | FFDLY +-#endif +- )); +- +- tty_settings->c_oflag |= (OPOST +-#ifdef ONLCR +- | ONLCR +-#endif +- ); +- +- tty_settings->c_cflag &= ~((unsigned) (CSIZE +- | CSTOPB +- | PARENB +- | PARODD +- | CLOCAL)); +- tty_settings->c_cflag |= (CS8 | CREAD); +- tty_settings->c_lflag &= ~((unsigned) (ECHONL +- | NOFLSH +-#ifdef TOSTOP +- | TOSTOP +-#endif +-#ifdef ECHOPTR +- | ECHOPRT +-#endif +-#ifdef XCASE +- | XCASE +-#endif +- )); +- +- tty_settings->c_lflag |= (ISIG +- | ICANON +- | ECHO +- | ECHOE +- | ECHOK +-#ifdef ECHOCTL +- | ECHOCTL +-#endif +-#ifdef ECHOKE +- | ECHOKE +-#endif +- ); +-#endif ++ clear_flags(tty_settings->c_iflag, (IGNBRK ++ | PARMRK ++ | INPCK ++ | ISTRIP ++ | INLCR ++ | IGNCR ++ | IUCLC ++ | IXANY ++ | IXOFF)); ++ ++ set_flags(tty_settings->c_iflag, (BRKINT ++ | IGNPAR ++ | ICRNL ++ | IXON ++ | IMAXBEL)); ++ ++ clear_flags(tty_settings->c_oflag, (0 ++ | OLCUC ++ | OCRNL ++ | ONOCR ++ | ONLRET ++ | OFILL ++ | OFDEL ++ | NLDLY ++ | CRDLY ++ | TABDLY ++ | BSDLY ++ | VTDLY ++ | FFDLY)); ++ ++ set_flags(tty_settings->c_oflag, (OPOST ++ | ONLCR)); ++ ++ mask = (CSIZE | CSTOPB | PARENB | PARODD); ++#ifdef TIOCMGET ++ /* leave clocal alone if this appears to use a modem */ ++ if (ioctl(fd, TIOCMGET, &modem_bits) == -1) ++ mask |= CLOCAL; ++#else ++ /* cannot check - use the behavior from tset */ ++ mask |= CLOCAL; ++#endif ++ clear_flags(tty_settings->c_cflag, mask); ++ ++ set_flags(tty_settings->c_cflag, (CS8 | CREAD)); ++ clear_flags(tty_settings->c_lflag, (ECHONL ++ | NOFLSH ++ | TOSTOP ++ | ECHOPRT ++ | XCASE)); ++ ++ set_flags(tty_settings->c_lflag, (ISIG ++ | ICANON ++ | ECHO ++ | ECHOE ++ | ECHOK ++ | ECHOCTL ++ | ECHOKE)); ++#endif /* TERMIOS */ + + if (!noset) { + SET_TTY(fd, tty_settings); +@@ -402,29 +441,23 @@ set_conversions(TTY * tty_settings) + #if defined(EXP_WIN32_DRIVER) + /* FIXME */ + #else +-#ifdef ONLCR +- tty_settings->c_oflag |= ONLCR; +-#endif +- tty_settings->c_iflag |= ICRNL; +- tty_settings->c_lflag |= ECHO; +-#ifdef OXTABS +- tty_settings->c_oflag |= OXTABS; +-#endif /* OXTABS */ ++ set_flags(tty_settings->c_oflag, ONLCR); ++ set_flags(tty_settings->c_iflag, ICRNL); ++ set_flags(tty_settings->c_lflag, ECHO); ++ set_flags(tty_settings->c_oflag, OXTABS); + + /* test used to be tgetflag("NL") */ + if (VALID_STRING(newline) && newline[0] == '\n' && !newline[1]) { + /* Newline, not linefeed. */ +-#ifdef ONLCR +- tty_settings->c_oflag &= ~((unsigned) ONLCR); +-#endif +- tty_settings->c_iflag &= ~((unsigned) ICRNL); ++ clear_flags(tty_settings->c_oflag, ONLCR); ++ clear_flags(tty_settings->c_iflag, ICRNL); + } +-#ifdef OXTABS ++#if OXTABS + /* test used to be tgetflag("pt") */ + if (VALID_STRING(set_tab) && VALID_STRING(clear_all_tabs)) +- tty_settings->c_oflag &= ~OXTABS; ++ clear_flags(tty_settings->c_oflag, OXTABS); + #endif /* OXTABS */ +- tty_settings->c_lflag |= (ECHOE | ECHOK); ++ set_flags(tty_settings->c_lflag, (ECHOE | ECHOK)); + #endif + } + +@@ -490,7 +523,7 @@ send_init_strings(int fd GCC_UNUSED, TTY * old_settings) + bool need_flush = FALSE; + + (void) old_settings; +-#ifdef TAB3 ++#if TAB3 + if (old_settings != 0 && + old_settings->c_oflag & (TAB3 | ONLCR | OCRNL | ONLRET)) { + old_settings->c_oflag &= (TAB3 | ONLCR | OCRNL | ONLRET); +@@ -512,22 +545,22 @@ send_init_strings(int fd GCC_UNUSED, TTY * old_settings) + + if (VALID_STRING(clear_margins)) { + need_flush |= sent_string(clear_margins); +- } else ++ } + #if defined(set_lr_margin) +- if (VALID_STRING(set_lr_margin)) { ++ else if (VALID_STRING(set_lr_margin)) { + need_flush |= sent_string(TIPARM_2(set_lr_margin, 0, columns - 1)); +- } else ++ } + #endif + #if defined(set_left_margin_parm) && defined(set_right_margin_parm) +- if (VALID_STRING(set_left_margin_parm) +- && VALID_STRING(set_right_margin_parm)) { ++ else if (VALID_STRING(set_left_margin_parm) ++ && VALID_STRING(set_right_margin_parm)) { + need_flush |= sent_string(TIPARM_1(set_left_margin_parm, 0)); + need_flush |= sent_string(TIPARM_1(set_right_margin_parm, + columns - 1)); +- } else ++ } + #endif +- if (VALID_STRING(set_left_margin) +- && VALID_STRING(set_right_margin)) { ++ else if (VALID_STRING(set_left_margin) ++ && VALID_STRING(set_right_margin)) { + need_flush |= to_left_margin(); + need_flush |= sent_string(set_left_margin); + if (VALID_STRING(parm_right_cursor)) { +diff --git a/progs/tabs.c b/progs/tabs.c +index 7378d116..d904330b 100644 +--- a/progs/tabs.c ++++ b/progs/tabs.c +@@ -370,7 +370,9 @@ do_set_margin(int margin, bool no_op) + } + tputs(set_left_margin, 1, putch); + } +- } else if (VALID_STRING(set_left_margin_parm)) { ++ } ++#if defined(set_left_margin_parm) && defined(set_right_margin_parm) ++ else if (VALID_STRING(set_left_margin_parm)) { + result = TRUE; + if (!no_op) { + if (VALID_STRING(set_right_margin_parm)) { +@@ -379,12 +381,16 @@ do_set_margin(int margin, bool no_op) + tputs(TIPARM_2(set_left_margin_parm, margin, max_cols), 1, putch); + } + } +- } else if (VALID_STRING(set_lr_margin)) { ++ } ++#endif ++#if defined(set_lr_margin) ++ else if (VALID_STRING(set_lr_margin)) { + result = TRUE; + if (!no_op) { + tputs(TIPARM_2(set_lr_margin, margin, max_cols), 1, putch); + } + } ++#endif + return result; + } + +diff --git a/progs/tic.c b/progs/tic.c +index 888927e2..78b568fa 100644 +--- a/progs/tic.c ++++ b/progs/tic.c +@@ -3142,6 +3142,7 @@ guess_ANSI_VTxx(TERMTYPE2 *tp) + * In particular, any ECMA-48 terminal should support these, though the details + * for u9 are implementation dependent. + */ ++#if defined(user6) && defined(user7) && defined(user8) && defined(user9) + static void + check_user_6789(TERMTYPE2 *tp) + { +@@ -3177,6 +3178,9 @@ check_user_6789(TERMTYPE2 *tp) + break; + } + } ++#else ++#define check_user_6789(tp) /* nothing */ ++#endif + + /* other sanity-checks (things that we don't want in the normal + * logic that reads a terminfo entry) +-- +2.40.0 diff --git a/poky/meta/recipes-core/ncurses/ncurses_6.4.bb b/poky/meta/recipes-core/ncurses/ncurses_6.4.bb index 388cd8d407..2c621525f9 100644 --- a/poky/meta/recipes-core/ncurses/ncurses_6.4.bb +++ b/poky/meta/recipes-core/ncurses/ncurses_6.4.bb @@ -5,6 +5,7 @@ SRC_URI += "file://0001-tic-hang.patch \ file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \ file://exit_prototype.patch \ file://0001-Fix-CVE-2023-29491.patch \ + file://0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch \ " # commit id corresponds to the revision in package version SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f" diff --git a/poky/meta/recipes-core/udev/udev-extraconf/mount.sh b/poky/meta/recipes-core/udev/udev-extraconf/mount.sh index b7e86dbc0e..6cb0a9fea8 100644 --- a/poky/meta/recipes-core/udev/udev-extraconf/mount.sh +++ b/poky/meta/recipes-core/udev/udev-extraconf/mount.sh @@ -196,7 +196,7 @@ if [ "$ACTION" = "remove" ] || [ "$ACTION" = "change" ] && [ -x "$UMOUNT" ] && [ logger "mount.sh/remove" "cleaning up $DEVNAME, was mounted by the auto-mounter" for mnt in `cat /proc/mounts | grep "$DEVNAME" | cut -f 2 -d " " ` do - $UMOUNT $mnt + $UMOUNT "`printf $mnt`" done # Remove mount directory created by the auto-mounter # and clean up our tmp cache file diff --git a/poky/meta/recipes-core/zlib/zlib_1.3.bb b/poky/meta/recipes-core/zlib/zlib_1.3.bb index 1ed18172fa..ede75f90bd 100644 --- a/poky/meta/recipes-core/zlib/zlib_1.3.bb +++ b/poky/meta/recipes-core/zlib/zlib_1.3.bb @@ -47,3 +47,4 @@ do_install_ptest() { BBCLASSEXTEND = "native nativesdk" CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip" +CVE_STATUS[CVE-2023-6992] = "cpe-incorrect: this CVE is for cloudflare zlib" diff --git a/poky/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake b/poky/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake index d6a1e0464c..6434b27371 100644 --- a/poky/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake +++ b/poky/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake @@ -18,3 +18,6 @@ file( GLOB toolchain_config_files "${CMAKE_CURRENT_LIST_FILE}.d/*.cmake" ) foreach(config ${toolchain_config_files}) include(${config}) endforeach() + +unset(CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES) +unset(CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES) diff --git a/poky/meta/recipes-devtools/elfutils/elfutils_0.189.bb b/poky/meta/recipes-devtools/elfutils/elfutils_0.189.bb index d8bf82b022..67494cd35a 100644 --- a/poky/meta/recipes-devtools/elfutils/elfutils_0.189.bb +++ b/poky/meta/recipes-devtools/elfutils/elfutils_0.189.bb @@ -2,7 +2,7 @@ SUMMARY = "Utilities and libraries for handling compiled object files" HOMEPAGE = "https://sourceware.org/elfutils" DESCRIPTION = "elfutils is a collection of utilities and libraries to read, create and modify ELF binary files, find and handle DWARF debug data, symbols, thread state and stacktraces for processes and core files on GNU/Linux." SECTION = "base" -LICENSE = "GPL-2.0-only & GPL-2.0-or-later & LGPL-3.0-or-later & GPL-3.0-or-later" +LICENSE = "( GPL-2.0-or-later | LGPL-3.0-or-later ) & GPL-3.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \ file://debuginfod/debuginfod-client.c;endline=28;md5=f0a7c3170776866ee94e8f9225a6ad79 \ " @@ -106,19 +106,18 @@ EXTRA_OEMAKE:class-nativesdk = "" BBCLASSEXTEND = "native nativesdk" -# Package utilities separately +# Package utilities and libraries are listed separately PACKAGES =+ "${PN}-binutils libelf libasm libdw libdebuginfod" -# Shared libraries are licensed GPL-2.0-only or GPL-3.0-or-later, binaries -# GPL-3.0-or-later. According to NEWS file: -# "The license is now GPLv2/LGPLv3+ for the libraries and GPLv3+ for stand-alone -# programs. There is now also a formal CONTRIBUTING document describing how to -# submit patches." +# According to the upstream website https://sourceware.org/elfutils, the latest +# license policy is as follows: +# "License. The libraries and backends are dual GPLv2+/LGPLv3+. The utilities +# are GPLv3+." LICENSE:${PN}-binutils = "GPL-3.0-or-later" LICENSE:${PN} = "GPL-3.0-or-later" -LICENSE:libelf = "GPL-2.0-only | LGPL-3.0-or-later" -LICENSE:libasm = "GPL-2.0-only | LGPL-3.0-or-later" -LICENSE:libdw = "GPL-2.0-only | LGPL-3.0-or-later" +LICENSE:libelf = "GPL-2.0-or-later | LGPL-3.0-or-later" +LICENSE:libasm = "GPL-2.0-or-later | LGPL-3.0-or-later" +LICENSE:libdw = "GPL-2.0-or-later | LGPL-3.0-or-later" LICENSE:libdebuginfod = "GPL-2.0-or-later | LGPL-3.0-or-later" FILES:${PN}-binutils = "\ diff --git a/poky/meta/recipes-devtools/gcc/gcc-13.2.inc b/poky/meta/recipes-devtools/gcc/gcc-13.2.inc index 359db1e278..32fddd11c2 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-13.2.inc +++ b/poky/meta/recipes-devtools/gcc/gcc-13.2.inc @@ -115,3 +115,4 @@ EXTRA_OECONF_PATHS = "\ " CVE_STATUS[CVE-2021-37322] = "cpe-incorrect: Is a binutils 2.26 issue, not gcc" +CVE_STATUS[CVE-2023-4039] = "fixed-version: Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source" diff --git a/poky/meta/recipes-devtools/go/go-1.20.10.inc b/poky/meta/recipes-devtools/go/go-1.20.12.inc index 39509ed986..9be56c6707 100644 --- a/poky/meta/recipes-devtools/go/go-1.20.10.inc +++ b/poky/meta/recipes-devtools/go/go-1.20.12.inc @@ -15,4 +15,4 @@ SRC_URI += "\ file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ " -SRC_URI[main.sha256sum] = "72d2f51805c47150066c103754c75fddb2c19d48c9219fa33d1e46696c841dbb" +SRC_URI[main.sha256sum] = "c5bf934751d31c315c1d0bb5fb02296545fa6d08923566f7a5afec81f2ed27d6" diff --git a/poky/meta/recipes-devtools/go/go-binary-native_1.20.10.bb b/poky/meta/recipes-devtools/go/go-binary-native_1.20.12.bb index 691670c31e..e555412a19 100644 --- a/poky/meta/recipes-devtools/go/go-binary-native_1.20.10.bb +++ b/poky/meta/recipes-devtools/go/go-binary-native_1.20.12.bb @@ -9,9 +9,9 @@ PROVIDES = "go-native" # Checksums available at https://go.dev/dl/ SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}" -SRC_URI[go_linux_amd64.sha256sum] = "80d34f1fd74e382d86c2d6102e0e60d4318461a7c2f457ec1efc4042752d4248" -SRC_URI[go_linux_arm64.sha256sum] = "fb3c7e15fc4413c5b81eb9f26dbd7cd4faedd5c720b30fa8e2ff77457f74cab6" -SRC_URI[go_linux_ppc64le.sha256sum] = "ebac6e713810174f9ffd7f48c17c373fbf359d50d8e6233b1dfbbdebd524fd1c" +SRC_URI[go_linux_amd64.sha256sum] = "9c5d48c54dd8b0a3b2ef91b0f92a1190aa01f11d26e98033efa64c46a30bba7b" +SRC_URI[go_linux_arm64.sha256sum] = "8afe8e3fb6972eaa2179ef0a71678c67f26509fab4f0f67c4b00f4cdfa92dc87" +SRC_URI[go_linux_ppc64le.sha256sum] = "2ae0ec3736216dfbd7b01ff679842dc1bed365e53a024d522645bcffd01c7328" UPSTREAM_CHECK_URI = "https://golang.org/dl/" UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux" diff --git a/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.10.bb b/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.12.bb index 7ac9449e47..7ac9449e47 100644 --- a/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.10.bb +++ b/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.12.bb diff --git a/poky/meta/recipes-devtools/go/go-cross_1.20.10.bb b/poky/meta/recipes-devtools/go/go-cross_1.20.12.bb index 80b5a03f6c..80b5a03f6c 100644 --- a/poky/meta/recipes-devtools/go/go-cross_1.20.10.bb +++ b/poky/meta/recipes-devtools/go/go-cross_1.20.12.bb diff --git a/poky/meta/recipes-devtools/go/go-crosssdk_1.20.10.bb b/poky/meta/recipes-devtools/go/go-crosssdk_1.20.12.bb index 1857c8a577..1857c8a577 100644 --- a/poky/meta/recipes-devtools/go/go-crosssdk_1.20.10.bb +++ b/poky/meta/recipes-devtools/go/go-crosssdk_1.20.12.bb diff --git a/poky/meta/recipes-devtools/go/go-native_1.20.10.bb b/poky/meta/recipes-devtools/go/go-native_1.20.12.bb index ddf25b2c9b..ddf25b2c9b 100644 --- a/poky/meta/recipes-devtools/go/go-native_1.20.10.bb +++ b/poky/meta/recipes-devtools/go/go-native_1.20.12.bb diff --git a/poky/meta/recipes-devtools/go/go-runtime_1.20.10.bb b/poky/meta/recipes-devtools/go/go-runtime_1.20.12.bb index 63464a1501..63464a1501 100644 --- a/poky/meta/recipes-devtools/go/go-runtime_1.20.10.bb +++ b/poky/meta/recipes-devtools/go/go-runtime_1.20.12.bb diff --git a/poky/meta/recipes-devtools/go/go_1.20.10.bb b/poky/meta/recipes-devtools/go/go_1.20.12.bb index 46f5fbc6be..46f5fbc6be 100644 --- a/poky/meta/recipes-devtools/go/go_1.20.10.bb +++ b/poky/meta/recipes-devtools/go/go_1.20.12.bb diff --git a/poky/meta/recipes-devtools/pseudo/files/glibc238.patch b/poky/meta/recipes-devtools/pseudo/files/glibc238.patch index 76ca8c11eb..da4b8caee3 100644 --- a/poky/meta/recipes-devtools/pseudo/files/glibc238.patch +++ b/poky/meta/recipes-devtools/pseudo/files/glibc238.patch @@ -44,19 +44,6 @@ Index: git/pseudo_util.c #include <ctype.h> #include <errno.h> -Index: git/pseudolog.c -=================================================================== ---- git.orig/pseudolog.c -+++ git/pseudolog.c -@@ -8,7 +8,7 @@ - */ - /* We need _XOPEN_SOURCE for strptime(), but if we define that, - * we then don't get S_IFSOCK... _GNU_SOURCE turns on everything. */ --#define _GNU_SOURCE -+#define _DEFAULT_SOURCE - - #include <ctype.h> - #include <limits.h> Index: git/pseudo_client.c =================================================================== --- git.orig/pseudo_client.c diff --git a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb index 4a894ebdd0..025cf0fc9c 100644 --- a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb +++ b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb @@ -14,7 +14,7 @@ SRC_URI:append:class-nativesdk = " \ file://older-glibc-symbols.patch" SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa" -SRCREV = "ec6151a2b057109b3f798f151a36690af582e166" +SRCREV = "516a0a3c4b46f046895d27bfa019d685fe462dfa" S = "${WORKDIR}/git" PV = "1.9.0+git" diff --git a/poky/meta/recipes-devtools/python/python3-license-expression/run-ptest b/poky/meta/recipes-devtools/python/python3-license-expression/run-ptest index 5cec711696..8d2017d39c 100644 --- a/poky/meta/recipes-devtools/python/python3-license-expression/run-ptest +++ b/poky/meta/recipes-devtools/python/python3-license-expression/run-ptest @@ -1,3 +1,3 @@ #!/bin/sh -pytest +pytest --automake diff --git a/poky/meta/recipes-devtools/python/python3-license-expression_30.1.1.bb b/poky/meta/recipes-devtools/python/python3-license-expression_30.1.1.bb index 31fb88d6e5..92ca419e4a 100644 --- a/poky/meta/recipes-devtools/python/python3-license-expression_30.1.1.bb +++ b/poky/meta/recipes-devtools/python/python3-license-expression_30.1.1.bb @@ -26,6 +26,7 @@ SRC_URI += " \ RDEPENDS:${PN}-ptest += " \ ${PYTHON_PN}-pytest \ + ${PYTHON_PN}-unittest-automake-output \ " do_install_ptest() { @@ -33,4 +34,5 @@ do_install_ptest() { install -d ${D}${PTEST_PATH}/src cp -rf ${S}/tests/* ${D}${PTEST_PATH}/tests/ cp -rf ${S}/src/* ${D}${PTEST_PATH}/src/ + cp -rf ${S}/setup.cfg ${D}${PTEST_PATH}/ } diff --git a/poky/meta/recipes-devtools/qemu/qemu-native_8.1.2.bb b/poky/meta/recipes-devtools/qemu/qemu-native_8.1.4.bb index 73a0f63f2b..73a0f63f2b 100644 --- a/poky/meta/recipes-devtools/qemu/qemu-native_8.1.2.bb +++ b/poky/meta/recipes-devtools/qemu/qemu-native_8.1.4.bb diff --git a/poky/meta/recipes-devtools/qemu/qemu-system-native_8.1.2.bb b/poky/meta/recipes-devtools/qemu/qemu-system-native_8.1.4.bb index 558a416f7b..558a416f7b 100644 --- a/poky/meta/recipes-devtools/qemu/qemu-system-native_8.1.2.bb +++ b/poky/meta/recipes-devtools/qemu/qemu-system-native_8.1.4.bb diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc index 5ab2cb83b4..0ea23ecdc3 100644 --- a/poky/meta/recipes-devtools/qemu/qemu.inc +++ b/poky/meta/recipes-devtools/qemu/qemu.inc @@ -37,7 +37,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" -SRC_URI[sha256sum] = "541526a764576eb494d2ff5ec46aeb253e62ea29035d1c23c0a8af4e6cd4f087" +SRC_URI[sha256sum] = "176dd6d0bdcc4c71a94172d12ddb7a3b2e8e20d638e5db26138165a382be2dbd" SRC_URI:append:class-target = " file://cross.patch" SRC_URI:append:class-nativesdk = " file://cross.patch" diff --git a/poky/meta/recipes-devtools/qemu/qemu_8.1.2.bb b/poky/meta/recipes-devtools/qemu/qemu_8.1.4.bb index 84ee0bcc49..84ee0bcc49 100644 --- a/poky/meta/recipes-devtools/qemu/qemu_8.1.2.bb +++ b/poky/meta/recipes-devtools/qemu/qemu_8.1.4.bb diff --git a/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb index b33a78e147..bb75353a5a 100644 --- a/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb +++ b/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb @@ -88,7 +88,7 @@ do_install_ptest() { do_install_ptest:append:libc-musl () { # Assumes locales other than provided by musl-locales - sed -i -e 's|SKIPPED_TESTS=|SKIPPED_TESTS="unixInit-3*"|' ${D}${PTEST_PATH}/run-ptest + sed -i -e "s|SKIPPED_TESTS='|SKIPPED_TESTS='unixInit-3* |" ${D}${PTEST_PATH}/run-ptest } # Fix some paths that might be used by Tcl extensions diff --git a/poky/meta/recipes-extended/cpio/cpio_2.14.bb b/poky/meta/recipes-extended/cpio/cpio_2.15.bb index 560038d2a6..55e9add5cd 100644 --- a/poky/meta/recipes-extended/cpio/cpio_2.14.bb +++ b/poky/meta/recipes-extended/cpio/cpio_2.15.bb @@ -7,12 +7,11 @@ LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949" SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \ - file://0001-configure-Include-needed-header-for-major-minor-macr.patch \ file://run-ptest \ file://test.sh \ " -SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905ca52454" +SRC_URI[sha256sum] = "efa50ef983137eefc0a02fdb51509d624b5e3295c980aa127ceee4183455499e" inherit autotools gettext texinfo ptest diff --git a/poky/meta/recipes-extended/cpio/files/0001-configure-Include-needed-header-for-major-minor-macr.patch b/poky/meta/recipes-extended/cpio/files/0001-configure-Include-needed-header-for-major-minor-macr.patch deleted file mode 100644 index 95ece0bbf3..0000000000 --- a/poky/meta/recipes-extended/cpio/files/0001-configure-Include-needed-header-for-major-minor-macr.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 8179be21e664cedb2e9d238cc2f6d04965e97275 Mon Sep 17 00:00:00 2001 -From: Sergey Poznyakoff <gray@gnu.org> -Date: Thu, 11 May 2023 10:18:44 +0300 -Subject: [PATCH] configure: Include needed header for major/minor macros - -This helps in avoiding the warning about implicit function declaration -which is elevated as error with newer compilers e.g. clang 16 - -Signed-off-by: Khem Raj <raj.khem@gmail.com> - -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> ---- - configure.ac | 18 ++++++++++++++++-- - 1 file changed, 16 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index de479e7..c601029 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -43,8 +43,22 @@ AC_TYPE_UID_T - AC_CHECK_TYPE(gid_t, int) - - AC_HEADER_DIRENT --AX_COMPILE_CHECK_RETTYPE([major], [0]) --AX_COMPILE_CHECK_RETTYPE([minor], [0]) -+AX_COMPILE_CHECK_RETTYPE([major], [0], [ -+#include <sys/types.h> -+#ifdef MAJOR_IN_MKDEV -+# include <sys/mkdev.h> -+#endif -+#ifdef MAJOR_IN_SYSMACROS -+# include <sys/sysmacros.h> -+#endif]) -+AX_COMPILE_CHECK_RETTYPE([minor], [0], [ -+#include <sys/types.h> -+#ifdef MAJOR_IN_MKDEV -+# include <sys/mkdev.h> -+#endif -+#ifdef MAJOR_IN_SYSMACROS -+# include <sys/sysmacros.h> -+#endif]) - - AC_CHECK_FUNCS([fchmod fchown]) - # This is needed for mingw build --- -2.34.1 - diff --git a/poky/meta/recipes-extended/rpcbind/rpcbind_1.2.6.bb b/poky/meta/recipes-extended/rpcbind/rpcbind_1.2.6.bb index dd89726afc..dbd4d32e0a 100644 --- a/poky/meta/recipes-extended/rpcbind/rpcbind_1.2.6.bb +++ b/poky/meta/recipes-extended/rpcbind/rpcbind_1.2.6.bb @@ -40,7 +40,7 @@ PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}/ systemd \ " -EXTRA_OECONF += " --enable-warmstarts --with-rpcuser=rpc" +EXTRA_OECONF += " --enable-warmstarts --with-rpcuser=rpc --with-statedir=${runtimedir}/rpcbind" do_install:append () { install -d ${D}${sysconfdir}/init.d diff --git a/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch b/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch new file mode 100644 index 0000000000..1fabfe928e --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch @@ -0,0 +1,147 @@ +From 25dbe2ce166a13322b7536ff2f738786ea2e61e7 Mon Sep 17 00:00:00 2001 +From: Alejandro Colomar <alx@kernel.org> +Date: Sat, 10 Jun 2023 16:20:05 +0200 +Subject: [PATCH] gpasswd(1): Fix password leak + +How to trigger this password leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When gpasswd(1) asks for the new password, it asks twice (as is usual +for confirming the new password). Each of those 2 password prompts +uses agetpass() to get the password. If the second agetpass() fails, +the first password, which has been copied into the 'static' buffer +'pass' via STRFCPY(), wasn't being zeroed. + +agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and +can fail for any of the following reasons: + +- malloc(3) or readpassphrase(3) failure. + + These are going to be difficult to trigger. Maybe getting the system + to the limits of memory utilization at that exact point, so that the + next malloc(3) gets ENOMEM, and possibly even the OOM is triggered. + About readpassphrase(3), ENFILE and EINTR seem the only plausible + ones, and EINTR probably requires privilege or being the same user; + but I wouldn't discard ENFILE so easily, if a process starts opening + files. + +- The password is longer than PASS_MAX. + + The is plausible with physical access. However, at that point, a + keylogger will be a much simpler attack. + +And, the attacker must be able to know when the second password is being +introduced, which is not going to be easy. + +How to read the password after the leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Provoking the leak yourself at the right point by entering a very long +password is easy, and inspecting the process stack at that point should +be doable. Try to find some consistent patterns. + +Then, search for those patterns in free memory, right after the victim +leaks their password. + +Once you get the leak, a program should read all the free memory +searching for patterns that gpasswd(1) leaves nearby the leaked +password. + +On 6/10/23 03:14, Seth Arnold wrote: +> An attacker process wouldn't be able to use malloc(3) for this task. +> There's a handful of tools available for userspace to allocate memory: +> +> - brk / sbrk +> - mmap MAP_ANONYMOUS +> - mmap /dev/zero +> - mmap some other file +> - shm_open +> - shmget +> +> Most of these return only pages of zeros to a process. Using mmap of an +> existing file, you can get some of the contents of the file demand-loaded +> into the memory space on the first use. +> +> The MAP_UNINITIALIZED flag only works if the kernel was compiled with +> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare. +> +> malloc(3) doesn't zero memory, to our collective frustration, but all the +> garbage in the allocations is from previous allocations in the current +> process. It isn't leftover from other processes. +> +> The avenues available for reading the memory: +> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot) +> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA) +> - ptrace (requires ptrace privileges, mediated by YAMA) +> - causing memory to be swapped to disk, and then inspecting the swap +> +> These all require a certain amount of privileges. + +How to fix it? +~~~~~~~~~~~~~~ + +memzero(), which internally calls explicit_bzero(3), or whatever +alternative the system provides with a slightly different name, will +make sure that the buffer is zeroed in memory, and optimizations are not +allowed to impede this zeroing. + +This is not really 100% effective, since compilers may place copies of +the string somewhere hidden in the stack. Those copies won't get zeroed +by explicit_bzero(3). However, that's arguably a compiler bug, since +compilers should make everything possible to avoid optimizing strings +that are later passed to explicit_bzero(3). But we all know that +sometimes it's impossible to have perfect knowledge in the compiler, so +this is plausible. Nevertheless, there's nothing we can do against such +issues, except minimizing the time such passwords are stored in plain +text. + +Security concerns +~~~~~~~~~~~~~~~~~ + +We believe this isn't easy to exploit. Nevertheless, and since the fix +is trivial, this fix should probably be applied soon, and backported to +all supported distributions, to prevent someone else having more +imagination than us to find a way. + +Affected versions +~~~~~~~~~~~~~~~~~ + +All. Bug introduced in shadow 19990709. That's the second commit in +the git history. + +Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)") + +CVE: CVE-2023-4641 +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904] + +Reported-by: Alejandro Colomar <alx@kernel.org> +Cc: Serge Hallyn <serge@hallyn.com> +Cc: Iker Pedrosa <ipedrosa@redhat.com> +Cc: Seth Arnold <seth.arnold@canonical.com> +Cc: Christian Brauner <christian@brauner.io> +Cc: Balint Reczey <rbalint@debian.org> +Cc: Sam James <sam@gentoo.org> +Cc: David Runge <dvzrv@archlinux.org> +Cc: Andreas Jaeger <aj@suse.de> +Cc: <~hallyn/shadow@lists.sr.ht> +Signed-off-by: Alejandro Colomar <alx@kernel.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + src/gpasswd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/gpasswd.c b/src/gpasswd.c +index 5983f787..2d8869ef 100644 +--- a/src/gpasswd.c ++++ b/src/gpasswd.c +@@ -896,6 +896,7 @@ static void change_passwd (struct group *gr) + strzero (cp); + cp = getpass (_("Re-enter new password: ")); + if (NULL == cp) { ++ memzero (pass, sizeof pass); + exit (1); + } + +-- +2.34.1 + diff --git a/poky/meta/recipes-extended/shadow/shadow.inc b/poky/meta/recipes-extended/shadow/shadow.inc index 83e1a84769..ce3ce62715 100644 --- a/poky/meta/recipes-extended/shadow/shadow.inc +++ b/poky/meta/recipes-extended/shadow/shadow.inc @@ -17,6 +17,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.gz \ file://0001-Fix-can-not-print-full-login.patch \ file://CVE-2023-29383.patch \ file://0001-Overhaul-valid_field.patch \ + file://CVE-2023-4641.patch \ " SRC_URI:append:class-target = " \ diff --git a/poky/meta/recipes-extended/sudo/sudo_1.9.14p3.bb b/poky/meta/recipes-extended/sudo/sudo_1.9.15p5.bb index d5c5718ea5..8e542015ad 100644 --- a/poky/meta/recipes-extended/sudo/sudo_1.9.14p3.bb +++ b/poky/meta/recipes-extended/sudo/sudo_1.9.15p5.bb @@ -7,7 +7,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \ PAM_SRC_URI = "file://sudo.pam" -SRC_URI[sha256sum] = "a08318b1c4bc8582c004d4cd9ae2903abc549e7e46ba815e41fe81d1c0782b62" +SRC_URI[sha256sum] = "558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558" DEPENDS += " virtual/crypt ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" RDEPENDS:${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}" diff --git a/poky/meta/recipes-extended/zstd/zstd_1.5.5.bb b/poky/meta/recipes-extended/zstd/zstd_1.5.5.bb index 5c5fb5e734..2d72af50a4 100644 --- a/poky/meta/recipes-extended/zstd/zstd_1.5.5.bb +++ b/poky/meta/recipes-extended/zstd/zstd_1.5.5.bb @@ -5,7 +5,7 @@ It's backed by a very fast entropy stage, provided by Huff0 and FSE library." HOMEPAGE = "http://www.zstd.net/" SECTION = "console/utils" -LICENSE = "BSD-3-Clause & GPL-2.0-only" +LICENSE = "BSD-3-Clause | GPL-2.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=0822a32f7acdbe013606746641746ee8 \ file://COPYING;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0 \ " diff --git a/poky/meta/recipes-gnome/gtk+/gtk+3_3.24.38.bb b/poky/meta/recipes-gnome/gtk+/gtk+3_3.24.38.bb index 37fa0a7290..c23c46a689 100644 --- a/poky/meta/recipes-gnome/gtk+/gtk+3_3.24.38.bb +++ b/poky/meta/recipes-gnome/gtk+/gtk+3_3.24.38.bb @@ -13,3 +13,5 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2 \ file://gtk/gtk.h;endline=25;md5=1d8dc0fccdbfa26287a271dce88af737 \ file://gdk/gdk.h;endline=25;md5=c920ce39dc88c6f06d3e7c50e08086f2 \ file://tests/testgtk.c;endline=25;md5=cb732daee1d82af7a2bf953cf3cf26f1" + +CVE_PRODUCT = "gnome:gtk" diff --git a/poky/meta/recipes-gnome/gtk+/gtk4_4.12.3.bb b/poky/meta/recipes-gnome/gtk+/gtk4_4.12.3.bb index 001b06934e..2c85e7e75f 100644 --- a/poky/meta/recipes-gnome/gtk+/gtk4_4.12.3.bb +++ b/poky/meta/recipes-gnome/gtk+/gtk4_4.12.3.bb @@ -41,6 +41,8 @@ SRC_URI[sha256sum] = "148ce262f6c86487455fb1d9793c3f58bc3e1da477a29617fadb0420f5 S = "${WORKDIR}/gtk-${PV}" +CVE_PRODUCT = "gnome:gtk" + inherit meson gettext pkgconfig gi-docgen update-alternatives gsettings features_check gobject-introspection # TBD: nativesdk diff --git a/poky/meta/recipes-gnome/libadwaita/libadwaita_1.4.0.bb b/poky/meta/recipes-gnome/libadwaita/libadwaita_1.4.2.bb index d8aa2cd697..64b7473b0a 100644 --- a/poky/meta/recipes-gnome/libadwaita/libadwaita_1.4.0.bb +++ b/poky/meta/recipes-gnome/libadwaita/libadwaita_1.4.2.bb @@ -12,7 +12,7 @@ DEPENDS = " \ inherit gnomebase gobject-introspection gi-docgen vala features_check -SRC_URI[archive.sha256sum] = "e51a098a54d43568218fc48fcf52e80e36f469b3ce912d8ce9c308a37e9f47c2" +SRC_URI[archive.sha256sum] = "33fa16754e7370c841767298b3ff5f23003ee1d2515cc2ff255e65ef3d4e8713" ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}" REQUIRED_DISTRO_FEATURES = "opengl" diff --git a/poky/meta/recipes-graphics/libva/libva-utils_2.20.0.bb b/poky/meta/recipes-graphics/libva/libva-utils_2.20.1.bb index 2e1fd09406..3bce9a1e32 100644 --- a/poky/meta/recipes-graphics/libva/libva-utils_2.20.0.bb +++ b/poky/meta/recipes-graphics/libva/libva-utils_2.20.1.bb @@ -15,7 +15,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=b148fc8adf19dc9aec17cf9cd29a9a5e" SRC_URI = "git://github.com/intel/libva-utils.git;branch=v2.20-branch;protocol=https" -SRCREV = "0c8373e62af3e4d9a3831334c5402ad255797e67" +SRCREV = "2ad888bb463dc9bfb3deb512ec9faf78f1d3bfa8" S = "${WORKDIR}/git" UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))$" diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.9.bb b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.11.bb index 43c06181e3..6506d775ca 100644 --- a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.9.bb +++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.11.bb @@ -3,7 +3,7 @@ require xserver-xorg.inc SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \ file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \ " -SRC_URI[sha256sum] = "ff697be2011b4c4966b7806929e51b7a08e9d33800d505305d26d9ccde4b533a" +SRC_URI[sha256sum] = "1d3dadbd57fb86b16a018e9f5f957aeeadf744f56c0553f55737628d06d326ef" # These extensions are now integrated into the server, so declare the migration # path for in-place upgrades. diff --git a/poky/meta/recipes-graphics/xwayland/xwayland_23.2.2.bb b/poky/meta/recipes-graphics/xwayland/xwayland_23.2.3.bb index 9feac147db..9aa7b4dfcd 100644 --- a/poky/meta/recipes-graphics/xwayland/xwayland_23.2.2.bb +++ b/poky/meta/recipes-graphics/xwayland/xwayland_23.2.3.bb @@ -10,7 +10,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880" SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz" -SRC_URI[sha256sum] = "9f7c0938d2a41e941ffa04f99c35e5db2bcd3eec034afe8d35d5c810a22eb0a8" +SRC_URI[sha256sum] = "eb9d9aa7232c47412c8835ec15a97c575f03563726c787754ff0c019bd07e302" UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar" diff --git a/poky/meta/recipes-kernel/dtc/dtc/0001-meson.build-bump-version-to-1.7.0.patch b/poky/meta/recipes-kernel/dtc/dtc/0001-meson.build-bump-version-to-1.7.0.patch new file mode 100644 index 0000000000..79a3b92b44 --- /dev/null +++ b/poky/meta/recipes-kernel/dtc/dtc/0001-meson.build-bump-version-to-1.7.0.patch @@ -0,0 +1,29 @@ +From 9153522103bd4ed7e3299c4d073f66bb37cb2d42 Mon Sep 17 00:00:00 2001 +From: Nikolay Letov <letov.nikolay@gmail.com> +Date: Wed, 22 Feb 2023 13:36:07 +0300 +Subject: [PATCH 1/2] meson.build: bump version to 1.7.0 + +[This was botched in the actual 1.7.0 release :( - David Gibson] + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dtc/dtc.git/commit/?id=64a907f08b9bedd89833c1eee674148cff2343c6] + +Signed-off-by: Nikolay Letov <letov.nikolay@gmail.com> +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/meson.build b/meson.build +index 78251eb..d88cd9f 100644 +--- a/meson.build ++++ b/meson.build +@@ -1,5 +1,5 @@ + project('dtc', 'c', +- version: '1.6.0', ++ version: '1.7.0', + license: ['GPL2+', 'BSD-2'], + default_options: 'werror=true', + ) +-- +2.30.2 + diff --git a/poky/meta/recipes-kernel/dtc/dtc/0002-meson-allow-building-from-shallow-clones.patch b/poky/meta/recipes-kernel/dtc/dtc/0002-meson-allow-building-from-shallow-clones.patch new file mode 100644 index 0000000000..0284905913 --- /dev/null +++ b/poky/meta/recipes-kernel/dtc/dtc/0002-meson-allow-building-from-shallow-clones.patch @@ -0,0 +1,38 @@ +From 4415b0baece3c4351a6d3637c2754abbefd4795d Mon Sep 17 00:00:00 2001 +From: Peter Marko <peter.marko@siemens.com> +Date: Sat, 16 Dec 2023 18:58:31 +0100 +Subject: [PATCH 2/2] meson: allow building from shallow clones + +When building from shallow clone, tag is not available +and version defaults to git hash. +Problem is that some builds check DTC version and fail the comparison. +Example is https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git +Which fails to build with following error: +dtc version too old (039a994), you need at least version 1.4.4 + +Drop --always from git describe command, see +https://github.com/mesonbuild/meson/blob/1.3.0/mesonbuild/utils/universal.py#L773 +This will make it more closer to build via Makefile. + +Upstream-Status: Submitted [https://github.com/dgibson/dtc/pull/122] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + meson.build | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/meson.build b/meson.build +index 78251eb..fc0c92a 100644 +--- a/meson.build ++++ b/meson.build +@@ -56,6 +56,7 @@ py = py.find_installation(required: get_option('python')) + swig = find_program('swig', required: get_option('python')) + + version_gen_h = vcs_tag( ++ command: ['git', 'describe', '--dirty=+'], + input: 'version_gen.h.in', + output: 'version_gen.h', + ) +-- +2.30.2 + diff --git a/poky/meta/recipes-kernel/dtc/dtc_1.7.0.bb b/poky/meta/recipes-kernel/dtc/dtc_1.7.0.bb index 1a78a0c079..0702fc16df 100644 --- a/poky/meta/recipes-kernel/dtc/dtc_1.7.0.bb +++ b/poky/meta/recipes-kernel/dtc/dtc_1.7.0.bb @@ -8,7 +8,11 @@ LIC_FILES_CHKSUM = "file://GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://BSD-2-Clause;md5=5d6306d1b08f8df623178dfd81880927 \ file://README.license;md5=a1eb22e37f09df5b5511b8a278992d0e" -SRC_URI = "git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https" +SRC_URI = " \ + git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https \ + file://0001-meson.build-bump-version-to-1.7.0.patch \ + file://0002-meson-allow-building-from-shallow-clones.patch \ +" SRCREV = "039a99414e778332d8f9c04cbd3072e1dcc62798" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20231030.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20231211.bb index c0394b9b3b..0ed4d91f8a 100644 --- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20231030.bb +++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20231211.bb @@ -151,7 +151,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ " # WHENCE checksum is defined separately to ease overriding it if # class-devupstream is selected. -WHENCE_CHKSUM = "ceb5248746d24d165b603e71b288cf75" +WHENCE_CHKSUM = "3113c4ea08e5171555f3bf49eceb5b07" # These are not common licenses, set NO_GENERIC_LICENSE for them # so that the license files will be copied from fetched source @@ -237,7 +237,7 @@ SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmw # Pin this to the 20220509 release, override this in local.conf SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae" -SRC_URI[sha256sum] = "c98d200fc4a3120de1a594713ce34e135819dff23e883a4ed387863ba25679c7" +SRC_URI[sha256sum] = "96af7e4b5eabd37869cdb3dcbb7ab36911106d39b76e799fa1caab16a9dbe8bb" inherit allarch @@ -248,7 +248,8 @@ do_compile() { } do_install() { - oe_runmake 'DESTDIR=${D}' 'FIRMWAREDIR=${nonarch_base_libdir}/firmware' install + # install-nodedup avoids rdfind dependency + oe_runmake 'DESTDIR=${D}' 'FIRMWAREDIR=${nonarch_base_libdir}/firmware' install-nodedup cp GPL-2 LICEN[CS]E.* WHENCE ${D}${nonarch_base_libdir}/firmware/ } @@ -340,7 +341,8 @@ PACKAGES =+ "${PN}-amphion-vpu-license ${PN}-amphion-vpu \ ${PN}-ice-license ${PN}-ice \ ${PN}-ice-enhanced-license ${PN}-ice-enhanced \ ${PN}-adsp-sst-license ${PN}-adsp-sst \ - ${PN}-bnx2-mips \ + ${PN}-bnx2 \ + ${PN}-bnx2x \ ${PN}-liquidio \ ${PN}-nvidia-license \ ${PN}-nvidia-tegra-k1 ${PN}-nvidia-tegra \ @@ -1070,6 +1072,7 @@ FILES:${PN}-bcm4373 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.bi ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373.bin \ ${nonarch_base_libdir}/firmware/cypress/cyfmac4373-sdio.bin \ ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.clm_blob \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac4373-sdio.clm_blob \ " LICENSE:${PN}-bcm-0bb4-0306 = "Firmware-cypress" @@ -1087,18 +1090,28 @@ RDEPENDS:${PN}-bcm4356-pcie += "${PN}-cypress-license" LICENSE:${PN}-bcm4373 = "Firmware-cypress" RDEPENDS:${PN}-bcm4373 += "${PN}-cypress-license" -# For Broadcom bnx2-mips +# For Broadcom bnx2 # # which is a separate case to the other Broadcom firmwares since its # license is contained in the shared WHENCE file. -LICENSE:${PN}-bnx2-mips = "WHENCE" +LICENSE:${PN}-bnx2 = "WHENCE" LICENSE:${PN}-whence-license = "WHENCE" -FILES:${PN}-bnx2-mips = "${nonarch_base_libdir}/firmware/bnx2/bnx2-mips-09-6.2.1b.fw" +FILES:${PN}-bnx2 = " \ + ${nonarch_base_libdir}/firmware/bnx2/bnx2-mips*.fw \ + ${nonarch_base_libdir}/firmware/bnx2/bnx2-rv2p*.fw \ +" FILES:${PN}-whence-license = "${nonarch_base_libdir}/firmware/WHENCE" -RDEPENDS:${PN}-bnx2-mips += "${PN}-whence-license" +RDEPENDS:${PN}-bnx2 += "${PN}-whence-license" +RPROVIDES:${PN}-bnx2 = "${PN}-bnx2-mips" + +LICENSE:${PN}-bnx2x = "WHENCE" + +FILES:${PN}-bnx2x = "${nonarch_base_libdir}/firmware/bnx2x/bnx2x*.fw" + +RDEPENDS:${PN}-bnx2x += "${PN}-whence-license" # For cirrus LICENSE:${PN}-cirrus = "Firmware-cirrus" @@ -1187,7 +1200,10 @@ FILES:${PN}-iwlwifi-7265d = "${nonarch_base_libdir}/firmware/iwlwifi-7265D-*.u FILES:${PN}-iwlwifi-8000c = "${nonarch_base_libdir}/firmware/iwlwifi-8000C-*.ucode" FILES:${PN}-iwlwifi-8265 = "${nonarch_base_libdir}/firmware/iwlwifi-8265-*.ucode" FILES:${PN}-iwlwifi-9000 = "${nonarch_base_libdir}/firmware/iwlwifi-9000-*.ucode" -FILES:${PN}-iwlwifi-misc = "${nonarch_base_libdir}/firmware/iwlwifi-*.ucode" +FILES:${PN}-iwlwifi-misc = " \ + ${nonarch_base_libdir}/firmware/iwlwifi-*.ucode \ + ${nonarch_base_libdir}/firmware/iwlwifi-*.pnvm \ +" RDEPENDS:${PN}-iwlwifi-135-6 = "${PN}-iwlwifi-license" RDEPENDS:${PN}-iwlwifi-3160-7 = "${PN}-iwlwifi-license" diff --git a/poky/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/poky/meta/recipes-kernel/linux/cve-exclusion_6.1.inc index 1b51737c7d..45fcc7b260 100644 --- a/poky/meta/recipes-kernel/linux/cve-exclusion_6.1.inc +++ b/poky/meta/recipes-kernel/linux/cve-exclusion_6.1.inc @@ -1,9 +1,9 @@ # Auto-generated CVE metadata, DO NOT EDIT BY HAND. -# Generated at 2023-12-23 08:44:42.304531+00:00 for version 6.1.68 +# Generated at 2024-01-18 21:10:06.148505+00:00 for version 6.1.73 python check_kernel_cve_status_version() { - this_version = "6.1.68" + this_version = "6.1.73" kernel_version = d.getVar("LINUX_VERSION") if kernel_version != this_version: bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version)) @@ -4584,6 +4584,8 @@ CVE_STATUS[CVE-2022-48425] = "cpe-stable-backport: Backported in 6.1.33" CVE_STATUS[CVE-2022-48502] = "cpe-stable-backport: Backported in 6.1.40" +CVE_STATUS[CVE-2022-48619] = "fixed-version: Fixed from version 5.18rc1" + CVE_STATUS[CVE-2023-0030] = "fixed-version: Fixed from version 5.0rc1" CVE_STATUS[CVE-2023-0045] = "cpe-stable-backport: Backported in 6.1.5" @@ -4644,7 +4646,7 @@ CVE_STATUS[CVE-2023-1118] = "cpe-stable-backport: Backported in 6.1.16" CVE_STATUS[CVE-2023-1192] = "cpe-stable-backport: Backported in 6.1.33" -# CVE-2023-1193 needs backporting (fixed from 6.3rc6) +CVE_STATUS[CVE-2023-1193] = "cpe-stable-backport: Backported in 6.1.71" CVE_STATUS[CVE-2023-1194] = "cpe-stable-backport: Backported in 6.1.34" @@ -4666,6 +4668,8 @@ CVE_STATUS[CVE-2023-1382] = "fixed-version: Fixed from version 6.1rc7" CVE_STATUS[CVE-2023-1390] = "fixed-version: Fixed from version 5.11rc4" +# CVE-2023-1476 has no known resolution + CVE_STATUS[CVE-2023-1513] = "cpe-stable-backport: Backported in 6.1.13" CVE_STATUS[CVE-2023-1582] = "fixed-version: Fixed from version 5.17rc4" @@ -5088,7 +5092,7 @@ CVE_STATUS[CVE-2023-45871] = "cpe-stable-backport: Backported in 6.1.53" CVE_STATUS[CVE-2023-45898] = "fixed-version: only affects 6.5rc1 onwards" -# CVE-2023-4610 needs backporting (fixed from 6.4) +CVE_STATUS[CVE-2023-4610] = "fixed-version: only affects 6.4rc1 onwards" CVE_STATUS[CVE-2023-4611] = "fixed-version: only affects 6.4rc1 onwards" @@ -5106,11 +5110,21 @@ CVE_STATUS[CVE-2023-4881] = "cpe-stable-backport: Backported in 6.1.54" CVE_STATUS[CVE-2023-4921] = "cpe-stable-backport: Backported in 6.1.54" +# CVE-2023-50431 has no known resolution + CVE_STATUS[CVE-2023-5090] = "cpe-stable-backport: Backported in 6.1.62" CVE_STATUS[CVE-2023-5158] = "cpe-stable-backport: Backported in 6.1.57" -# CVE-2023-5178 needs backporting (fixed from 6.1.60) +CVE_STATUS[CVE-2023-51779] = "cpe-stable-backport: Backported in 6.1.70" + +CVE_STATUS[CVE-2023-5178] = "cpe-stable-backport: Backported in 6.1.60" + +CVE_STATUS[CVE-2023-51780] = "cpe-stable-backport: Backported in 6.1.69" + +CVE_STATUS[CVE-2023-51781] = "cpe-stable-backport: Backported in 6.1.69" + +CVE_STATUS[CVE-2023-51782] = "cpe-stable-backport: Backported in 6.1.69" CVE_STATUS[CVE-2023-5197] = "cpe-stable-backport: Backported in 6.1.56" @@ -5120,10 +5134,12 @@ CVE_STATUS[CVE-2023-5633] = "fixed-version: only affects 6.2 onwards" # CVE-2023-5717 needs backporting (fixed from 6.1.60) -# CVE-2023-5972 needs backporting (fixed from 6.6rc7) +CVE_STATUS[CVE-2023-5972] = "fixed-version: only affects 6.2rc1 onwards" # CVE-2023-6039 needs backporting (fixed from 6.5rc5) +CVE_STATUS[CVE-2023-6040] = "fixed-version: Fixed from version 5.18rc1" + CVE_STATUS[CVE-2023-6111] = "fixed-version: only affects 6.6rc3 onwards" CVE_STATUS[CVE-2023-6121] = "cpe-stable-backport: Backported in 6.1.65" @@ -5132,3 +5148,43 @@ CVE_STATUS[CVE-2023-6176] = "cpe-stable-backport: Backported in 6.1.54" # CVE-2023-6238 has no known resolution +# CVE-2023-6270 has no known resolution + +# CVE-2023-6356 has no known resolution + +CVE_STATUS[CVE-2023-6531] = "cpe-stable-backport: Backported in 6.1.68" + +# CVE-2023-6535 has no known resolution + +# CVE-2023-6536 has no known resolution + +CVE_STATUS[CVE-2023-6546] = "cpe-stable-backport: Backported in 6.1.47" + +# CVE-2023-6560 needs backporting (fixed from 6.7rc4) + +CVE_STATUS[CVE-2023-6606] = "cpe-stable-backport: Backported in 6.1.70" + +# CVE-2023-6610 needs backporting (fixed from 6.7rc7) + +CVE_STATUS[CVE-2023-6622] = "cpe-stable-backport: Backported in 6.1.68" + +CVE_STATUS[CVE-2023-6679] = "fixed-version: only affects 6.7rc1 onwards" + +CVE_STATUS[CVE-2023-6817] = "cpe-stable-backport: Backported in 6.1.68" + +CVE_STATUS[CVE-2023-6931] = "cpe-stable-backport: Backported in 6.1.68" + +CVE_STATUS[CVE-2023-6932] = "cpe-stable-backport: Backported in 6.1.66" + +# CVE-2023-7042 has no known resolution + +CVE_STATUS[CVE-2023-7192] = "cpe-stable-backport: Backported in 6.1.18" + +CVE_STATUS[CVE-2024-0193] = "fixed-version: only affects 6.5rc6 onwards" + +# CVE-2024-0340 needs backporting (fixed from 6.4rc6) + +CVE_STATUS[CVE-2024-0443] = "fixed-version: only affects 6.2rc1 onwards" + +# Skipping dd=CVE-2023-1476, no affected_versions + diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb index 5cfc5a7dd8..06c07b70c8 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "739b3001f20153a66d2723de81faae18cd61892b" -SRCREV_meta ?= "991713c8765172cb5d18703d15589f3ec6e1b772" +SRCREV_machine ?= "6fd0860ac9846438f226257ab515bcd612fdc379" +SRCREV_meta ?= "40dede8a165ea5894f172fede6baa0dd94d23fec" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.1;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.1.68" +LINUX_VERSION ?= "6.1.73" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb index e19b0ec132..e391074f8b 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.1.inc -LINUX_VERSION ?= "6.1.68" +LINUX_VERSION ?= "6.1.73" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_meta ?= "991713c8765172cb5d18703d15589f3ec6e1b772" +SRCREV_machine ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_meta ?= "40dede8a165ea5894f172fede6baa0dd94d23fec" PV = "${LINUX_VERSION}+git" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb b/poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb index 1329ccc958..f520954646 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_6.1.bb @@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.1/standard/base" KBRANCH:qemuloongarch64 ?= "v6.1/standard/base" KBRANCH:qemumips64 ?= "v6.1/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "85915187700314cb7ac70fd33da3e9dfd7c20063" -SRCREV_machine:qemuarm64 ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_machine:qemuloongarch64 ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_machine:qemumips ?= "24b06ee00fc3b65a24d7e867148b08a85296e67c" -SRCREV_machine:qemuppc ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_machine:qemuriscv64 ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_machine:qemuriscv32 ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_machine:qemux86 ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_machine:qemux86-64 ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_machine:qemumips64 ?= "d4659a339611a02e4ffc2861e697c1a278707d70" -SRCREV_machine ?= "db1e71dc5c31557828fae0084b0f9cc83882eacd" -SRCREV_meta ?= "991713c8765172cb5d18703d15589f3ec6e1b772" +SRCREV_machine:qemuarm ?= "45e6b64447b888e94af6fa8529cf976bf8116624" +SRCREV_machine:qemuarm64 ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_machine:qemuloongarch64 ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_machine:qemumips ?= "90ea25826ce7ef511d0d93ae33c3888f3b583bf3" +SRCREV_machine:qemuppc ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_machine:qemuriscv64 ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_machine:qemuriscv32 ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_machine:qemux86 ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_machine:qemux86-64 ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_machine:qemumips64 ?= "59248cf67c17a987f898d9d0c81292cb5fcda858" +SRCREV_machine ?= "6c78fd37122b29c40bd8bb6f43aaa1ba7d6fb53a" +SRCREV_meta ?= "40dede8a165ea5894f172fede6baa0dd94d23fec" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "ba6f5fb465114fcd48ddb2c7a7740915b2289d6b" +SRCREV_machine:class-devupstream ?= "fec3b1451d5febbc9e04250f879c10f8952e6bed" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.1/base" @@ -45,7 +45,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA SRC_URI += "file://0001-perf-cpumap-Make-counter-as-unsigned-ints.patch" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.1.68" +LINUX_VERSION ?= "6.1.73" PV = "${LINUX_VERSION}+git" diff --git a/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.9.bb index b545f020cf..f60234b528 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.9.bb @@ -12,7 +12,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-devtools/gst-devtools-${PV} file://0001-connect-has-a-different-signature-on-musl.patch \ " -SRC_URI[sha256sum] = "157cf93fb2741cf0c3dea731be3af2ffae703c9f2cd3c0c91b380fbc685eb9f9" +SRC_URI[sha256sum] = "02e29400b44e9cc603aa6444dee5726b57edabef6455e6d0921ffed6f13840ee" DEPENDS = "json-glib glib-2.0 glib-2.0-native gstreamer1.0 gstreamer1.0-plugins-base" RRECOMMENDS:${PN} = "git" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.9.bb index 7169223636..10536acc87 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.9.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=69333daa044cb77e486cc36129f7a770 \ " SRC_URI = "https://gstreamer.freedesktop.org/src/gst-libav/gst-libav-${PV}.tar.xz" -SRC_URI[sha256sum] = "1525b917141b895fe5cf618fe8867622b2528278a0286e9f727b5f37317daca1" +SRC_URI[sha256sum] = "192f7d27d21c1e7c72c339a2647a9b0c247fedc62ea5029115f8c3e22ebb87d8" S = "${WORKDIR}/gst-libav-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.9.bb index ad40cf5513..05d64748bb 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.22.9.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-omx/gst-omx-${PV}.tar.xz" -SRC_URI[sha256sum] = "d7a18ec47d40a472bd5cba2015e0be72b732f1699895398cec5cd8e6a3a53b44" +SRC_URI[sha256sum] = "9362d6117985d09dcf6e27bdaef377dc08efb7df01d00101d04fb644addac61e" S = "${WORKDIR}/gst-omx-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.9.bb index b7d787b611..6e5aa2f206 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.9.bb @@ -10,7 +10,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad file://0002-avoid-including-sys-poll.h-directly.patch \ file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \ " -SRC_URI[sha256sum] = "c716f8dffa8fac3fb646941af1c6ec72fff05a045131311bf2d049fdc87bce2e" +SRC_URI[sha256sum] = "1bc65d0fd5f53a3636564efd3fcf318c3edcdec39c4109a503c1fc8203840a1d" S = "${WORKDIR}/gst-plugins-bad-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.9.bb index 3b8923e8f2..980766c74b 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.9.bb @@ -11,7 +11,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0003-viv-fb-Make-sure-config.h-is-included.patch \ file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \ " -SRC_URI[sha256sum] = "62519e0d8f969ebf62a9a7996f2d23efdda330217a635f4a32c0bf1c71577468" +SRC_URI[sha256sum] = "fac3e0dd2d8e9370388b34bf8c21b89d5f63bc3cfc12cd7fdc8fc6c1cba03334" S = "${WORKDIR}/gst-plugins-base-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.9.bb index b8496a1750..052ba1801b 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.9.bb @@ -8,7 +8,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ file://0001-v4l2-Define-ioctl_req_t-for-posix-linux-case.patch" -SRC_URI[sha256sum] = "b6db0e18e398b52665b7cdce301c34a8750483d5f4fbac1ede9f80b03743cd15" +SRC_URI[sha256sum] = "26959fcfebfff637d4ea08ef40316baf31b61bb7729820b0684e800c3a1478b6" S = "${WORKDIR}/gst-plugins-good-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.9.bb index 8a67531123..722f8e9fe3 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.22.9.bb @@ -14,7 +14,8 @@ LICENSE_FLAGS = "commercial" SRC_URI = " \ https://gstreamer.freedesktop.org/src/gst-plugins-ugly/gst-plugins-ugly-${PV}.tar.xz \ " -SRC_URI[sha256sum] = "520b46bca637189ad86a298ff245b2d89375dbcac8b05d74daea910f81a9e9da" + +SRC_URI[sha256sum] = "0bf685d66015a01dd3fc1671b64a1c8acb321dd9d4ab9e05a29ab19782aa6236" S = "${WORKDIR}/gst-plugins-ugly-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.9.bb index a387031635..e086fa6866 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.22.9.bb @@ -8,7 +8,7 @@ LICENSE = "LGPL-2.1-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=c34deae4e395ca07e725ab0076a5f740" SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz" -SRC_URI[sha256sum] = "1ef8df7608012fa469329799c950ec087737a6dabad3003c230658b58c710172" +SRC_URI[sha256sum] = "3f9d5c6ffefda268703744b592a6b3983aa6723273b1220ecbcb62c2a5800009" DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base python3-pygobject" RDEPENDS:${PN} += "gstreamer1.0 gstreamer1.0-plugins-base python3-pygobject" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.9.bb index af1c2ced44..e232263a46 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.9.bb @@ -10,7 +10,7 @@ PNREAL = "gst-rtsp-server" SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz" -SRC_URI[sha256sum] = "f7fac001e20ad21e36d18397741c4657c5d43571eb1cc3b49f9a93ae127dc88f" +SRC_URI[sha256sum] = "808af148f89404ff74850f8ca5272bed4bfe67f9620231dc4514fd07eb26d0a4" S = "${WORKDIR}/${PNREAL}-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.9.bb index 4cad50742d..c53ee29051 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.22.9.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=4fbd65380cdd255951079008b364516c" SRC_URI = "https://gstreamer.freedesktop.org/src/${REALPN}/${REALPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "0e9fff768b89de6d318b34146e4e781d82b9a0f4025dc541b2c8349c7bcb7f67" +SRC_URI[sha256sum] = "8ba20da8c4cbf5b2953dba904672c4275d0053e1528f97fdf8e59942c7883ca8" S = "${WORKDIR}/${REALPN}-${PV}" DEPENDS = "libva gstreamer1.0 gstreamer1.0-plugins-base gstreamer1.0-plugins-bad" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.7.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.9.bb index 72161b272f..b4ab6ad10c 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.7.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.9.bb @@ -22,7 +22,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gstreamer/gstreamer-${PV}.tar.x file://0003-tests-use-a-dictionaries-for-environment.patch;striplevel=3 \ file://0004-tests-add-helper-script-to-run-the-installed_tests.patch;striplevel=3 \ " -SRC_URI[sha256sum] = "01e42c6352a06bdfa4456e64b06ab7d98c5c487a25557c761554631cbda64217" +SRC_URI[sha256sum] = "1e7124d347e8cdc80f08ec1d370c201be513002af1102bb20e83c5279cb48ebd" PACKAGECONFIG ??= "${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)} \ check \ diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch new file mode 100644 index 0000000000..f5520fcafd --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch @@ -0,0 +1,238 @@ +From 335947359ce2dd3862cd9f7c49f92eba065dfed4 Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Thu, 1 Feb 2024 13:06:08 +0000 +Subject: [PATCH] manpage: Update TIFF documentation about TIFFOpenOptions.rst + and TIFFOpenOptionsSetMaxSingleMemAlloc() usage and some other small fixes. + +CVE: CVE-2023-52355 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + doc/functions/TIFFDeferStrileArrayWriting.rst | 5 +++ + doc/functions/TIFFError.rst | 3 ++ + doc/functions/TIFFOpen.rst | 13 +++--- + doc/functions/TIFFOpenOptions.rst | 44 ++++++++++++++++++- + doc/functions/TIFFStrileQuery.rst | 5 +++ + doc/libtiff.rst | 31 ++++++++++++- + 6 files changed, 91 insertions(+), 10 deletions(-) + +diff --git a/doc/functions/TIFFDeferStrileArrayWriting.rst b/doc/functions/TIFFDeferStrileArrayWriting.rst +index 60ee746..705aebc 100644 +--- a/doc/functions/TIFFDeferStrileArrayWriting.rst ++++ b/doc/functions/TIFFDeferStrileArrayWriting.rst +@@ -61,6 +61,11 @@ Diagnostics + All error messages are directed to the :c:func:`TIFFErrorExtR` routine. + Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine. + ++Note ++---- ++ ++This functionality was introduced with libtiff 4.1. ++ + See also + -------- + +diff --git a/doc/functions/TIFFError.rst b/doc/functions/TIFFError.rst +index 99924ad..cf4b37c 100644 +--- a/doc/functions/TIFFError.rst ++++ b/doc/functions/TIFFError.rst +@@ -65,6 +65,9 @@ or :c:func:`TIFFClientOpenExt`. + Furthermore, a **custom defined data structure** *user_data* for the + error handler can be given along. + ++Please refer to :doc:`/functions/TIFFOpenOptions` for how to setup the ++application-specific handler introduced with libtiff 4.5. ++ + Note + ---- + +diff --git a/doc/functions/TIFFOpen.rst b/doc/functions/TIFFOpen.rst +index db79d7b..adc474f 100644 +--- a/doc/functions/TIFFOpen.rst ++++ b/doc/functions/TIFFOpen.rst +@@ -94,8 +94,9 @@ TIFF structure without closing the file handle and afterwards the + file should be closed using its file descriptor *fd*. + + :c:func:`TIFFOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFOpen`, +-but options, such as re-entrant error and warning handlers may be passed +-with the *opts* argument. The *opts* argument may be NULL. ++but options, such as re-entrant error and warning handlers and a limit in byte ++that libtiff internal memory allocation functions are allowed to request per call ++may be passed with the *opts* argument. The *opts* argument may be NULL. + Refer to :doc:`TIFFOpenOptions` for allocating and filling the *opts* argument + parameters. The allocated memory for :c:type:`TIFFOpenOptions` + can be released straight after successful execution of the related +@@ -105,9 +106,7 @@ can be released straight after successful execution of the related + but opens a TIFF file with a Unicode filename. + + :c:func:`TIFFFdOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFFdOpen`, +-but options, such as re-entrant error and warning handlers may be passed +-with the *opts* argument. The *opts* argument may be NULL. +-Refer to :doc:`TIFFOpenOptions` for filling the *opts* argument. ++but options argument *opts* like for :c:func:`TIFFOpenExt` can be passed. + + :c:func:`TIFFSetFileName` sets the file name in the tif-structure + and returns the old file name. +@@ -326,5 +325,5 @@ See also + + :doc:`libtiff` (3tiff), + :doc:`TIFFClose` (3tiff), +-:doc:`TIFFStrileQuery`, +-:doc:`TIFFOpenOptions` +\ No newline at end of file ++:doc:`TIFFStrileQuery` (3tiff), ++:doc:`TIFFOpenOptions` +diff --git a/doc/functions/TIFFOpenOptions.rst b/doc/functions/TIFFOpenOptions.rst +index 5c67566..23f2975 100644 +--- a/doc/functions/TIFFOpenOptions.rst ++++ b/doc/functions/TIFFOpenOptions.rst +@@ -38,12 +38,17 @@ opaque structure and returns a :c:type:`TIFFOpenOptions` pointer. + :c:func:`TIFFOpenOptionsFree` releases the allocated memory for + :c:type:`TIFFOpenOptions`. The allocated memory for :c:type:`TIFFOpenOptions` + can be released straight after successful execution of the related +-TIFF open"Ext" functions like :c:func:`TIFFOpenExt`. ++TIFFOpen"Ext" functions like :c:func:`TIFFOpenExt`. + + :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` sets parameter for the + maximum single memory limit in byte that ``libtiff`` internal memory allocation + functions are allowed to request per call. + ++.. note:: ++ However, the ``libtiff`` external functions :c:func:`_TIFFmalloc` ++ and :c:func:`_TIFFrealloc` **do not apply** this internal memory ++ allocation limit set by :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`! ++ + :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` sets the function pointer to + an application-specific and per-TIFF handle (re-entrant) error handler. + Furthermore, a pointer to a **custom defined data structure** *errorhandler_user_data* +@@ -55,6 +60,43 @@ The *errorhandler_user_data* argument may be NULL. + :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` but for the warning handler, + which is invoked through :c:func:`TIFFWarningExtR` + ++Example ++------- ++ ++:: ++ ++ #include "tiffio.h" ++ ++ typedef struct MyErrorHandlerUserDataStruct ++ { ++ /* ... any user data structure ... */ ++ } MyErrorHandlerUserDataStruct; ++ ++ static int myErrorHandler(TIFF *tiff, void *user_data, const char *module, ++ const char *fmt, va_list ap) ++ { ++ MyErrorHandlerUserDataStruct *errorhandler_user_data = ++ (MyErrorHandlerUserDataStruct *)user_data; ++ /*... code of myErrorHandler ...*/ ++ return 1; ++ } ++ ++ ++ main() ++ { ++ tmsize_t limit = (256 * 1024 * 1024); ++ MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */}; ++ ++ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc(); ++ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit); ++ TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data); ++ TIFF *tif = TIFFOpenExt("foo.tif", "r", opts); ++ TIFFOpenOptionsFree(opts); ++ /* ... go on here ... */ ++ ++ TIFFClose(tif); ++ } ++ + Note + ---- + +diff --git a/doc/functions/TIFFStrileQuery.rst b/doc/functions/TIFFStrileQuery.rst +index f8631af..7931fe4 100644 +--- a/doc/functions/TIFFStrileQuery.rst ++++ b/doc/functions/TIFFStrileQuery.rst +@@ -66,6 +66,11 @@ Diagnostics + All error messages are directed to the :c:func:`TIFFErrorExtR` routine. + Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine. + ++Note ++---- ++ ++This functionality was introduced with libtiff 4.1. ++ + See also + -------- + +diff --git a/doc/libtiff.rst b/doc/libtiff.rst +index 6a0054c..d96a860 100644 +--- a/doc/libtiff.rst ++++ b/doc/libtiff.rst +@@ -90,11 +90,15 @@ compatibility on machines with a segmented architecture. + :c:func:`realloc`, and :c:func:`free` routines in the C library.) + + To deal with segmented pointer issues ``libtiff`` also provides +-:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemmove` ++:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemcmp` + routines that mimic the equivalent ANSI C routines, but that are + intended for use with memory allocated through :c:func:`_TIFFmalloc` + and :c:func:`_TIFFrealloc`. + ++With ``libtiff`` 4.5 a method was introduced to limit the internal ++memory allocation that functions are allowed to request per call ++(see :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` and :c:func:`TIFFOpenExt`). ++ + Error Handling + -------------- + +@@ -106,6 +110,10 @@ routine that can be specified with a call to :c:func:`TIFFSetErrorHandler`. + Likewise warning messages are directed to a single handler routine + that can be specified with a call to :c:func:`TIFFSetWarningHandler` + ++Further application-specific and per-TIFF handle (re-entrant) error handler ++and warning handler can be set. Please refer to :doc:`/functions/TIFFError` ++and :doc:`/functions/TIFFOpenOptions`. ++ + Basic File Handling + ------------------- + +@@ -139,7 +147,7 @@ a ``"w"`` argument: + main() + { + TIFF* tif = TIFFOpen("foo.tif", "w"); +- ... do stuff ... ++ /* ... do stuff ... */ + TIFFClose(tif); + } + +@@ -157,6 +165,25 @@ to always call :c:func:`TIFFClose` or :c:func:`TIFFFlush` to flush any + buffered information to a file. Note that if you call :c:func:`TIFFClose` + you do not need to call :c:func:`TIFFFlush`. + ++.. warning:: ++ ++ In order to prevent out-of-memory issues when opening a TIFF file ++ :c:func:`TIFFOpenExt` can be used and then the maximum single memory ++ limit in byte that ``libtiff`` internal memory allocation functions ++ are allowed to request per call can be set with ++ :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`. ++ ++Example ++ ++:: ++ ++ tmsize_t limit = (256 * 1024 * 1024); ++ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc(); ++ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit); ++ TIFF *tif = TIFFOpenExt("foo.tif", "w", opts); ++ TIFFOpenOptionsFree(opts); ++ /* ... go on here ... */ ++ + TIFF Directories + ---------------- + +-- +2.40.0 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch new file mode 100644 index 0000000000..19a1ef727a --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch @@ -0,0 +1,28 @@ +From 16ab4a205cfc938c32686e8d697d048fabf97ed4 Mon Sep 17 00:00:00 2001 +From: Timothy Lyanguzov <theta682@gmail.com> +Date: Thu, 1 Feb 2024 11:19:06 +0000 +Subject: [PATCH] Fix typo. + +CVE: CVE-2023-52355 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/16ab4a205cfc938c32686e8d697d048fabf97ed4] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + doc/libtiff.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/libtiff.rst b/doc/libtiff.rst +index d96a860..4fedc3e 100644 +--- a/doc/libtiff.rst ++++ b/doc/libtiff.rst +@@ -169,7 +169,7 @@ you do not need to call :c:func:`TIFFFlush`. + + In order to prevent out-of-memory issues when opening a TIFF file + :c:func:`TIFFOpenExt` can be used and then the maximum single memory +- limit in byte that ``libtiff`` internal memory allocation functions ++ limit in bytes that ``libtiff`` internal memory allocation functions + are allowed to request per call can be set with + :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`. + +-- +2.40.0 diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch new file mode 100644 index 0000000000..75f5d8946a --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch @@ -0,0 +1,49 @@ +From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Thu, 1 Feb 2024 11:38:14 +0000 +Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of + col/row (fixes #622) + +CVE: CVE-2023-52356 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + libtiff/tif_getimage.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 41f7dfd..9cd6eee 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster, + if (TIFFRGBAImageOK(tif, emsg) && + TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) + { ++ if (row >= img.height) ++ { ++ TIFFErrorExtR(tif, TIFFFileName(tif), ++ "Invalid row passed to TIFFReadRGBAStrip()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } + + img.row_offset = row; + img.col_offset = 0; +@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster, + return (0); + } + ++ if (col >= img.width || row >= img.height) ++ { ++ TIFFErrorExtR(tif, TIFFFileName(tif), ++ "Invalid row/col passed to TIFFReadRGBATile()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } ++ + /* + * The TIFFRGBAImageGet() function doesn't allow us to get off the + * edge of the image, even to fill an otherwise valid tile. So we +-- +2.40.0 diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch new file mode 100644 index 0000000000..2020508fdf --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch @@ -0,0 +1,31 @@ +From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Wed, 17 Jan 2024 06:57:08 +0000 +Subject: [PATCH] codec of input image is available, independently from codec + check of output image and return with error if not. + +Fixes #606. + +CVE: CVE-2023-6228 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + tools/tiffcp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index aff0626..a4f7f6b 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -846,6 +846,8 @@ static int tiffcp(TIFF *in, TIFF *out) + if (!TIFFIsCODECConfigured(compression)) + return FALSE; + TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression); ++ if (!TIFFIsCODECConfigured(input_compression)) ++ return FALSE; + TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric); + if (input_compression == COMPRESSION_JPEG) + { +-- +2.40.0 diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch new file mode 100644 index 0000000000..5d15dff1d9 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch @@ -0,0 +1,27 @@ +From e1640519208121f916da1772a5efb6ca28971b86 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 31 Oct 2023 15:04:37 +0000 +Subject: [PATCH 3/3] Apply 1 suggestion(s) to 1 file(s) + +CVE: CVE-2023-6277 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + libtiff/tif_dirread.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index fe8d6f8..58a4276 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5306,7 +5306,6 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir, + { + uint64_t space; + uint16_t n; +- filesize = TIFFGetFileSize(tif); + if (!(tif->tif_flags & TIFF_BIGTIFF)) + space = sizeof(TIFFHeaderClassic) + 2 + dircount * 12 + 4; + else +-- +2.43.0 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch new file mode 100644 index 0000000000..9fc8182fef --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch @@ -0,0 +1,36 @@ +From f500facf7723f1cae725dd288b2daad15e45131c Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Mon, 30 Oct 2023 21:21:57 +0100 +Subject: [PATCH 2/3] At image reading, compare data size of some tags / data + structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with + file size to prevent provoked out-of-memory attacks. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +See issue #614. + +Correct declaration of ‘filesize’ shadows a previous local. + +CVE: CVE-2023-6277 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + libtiff/tif_dirread.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index c52d41f..fe8d6f8 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5305,7 +5305,6 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir, + if (td->td_compression != COMPRESSION_NONE) + { + uint64_t space; +- uint64_t filesize; + uint16_t n; + filesize = TIFFGetFileSize(tif); + if (!(tif->tif_flags & TIFF_BIGTIFF)) +-- +2.43.0 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch new file mode 100644 index 0000000000..d5854a9059 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch @@ -0,0 +1,162 @@ +From b33baa5d9c6aac8ce49b5180dd48e39697ab7a11 Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Fri, 27 Oct 2023 22:11:10 +0200 +Subject: [PATCH 1/3] At image reading, compare data size of some tags / data + structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with + file size to prevent provoked out-of-memory attacks. + +See issue #614. + +CVE: CVE-2023-6277 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + libtiff/tif_dirread.c | 90 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 90 insertions(+) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 2c49dc6..c52d41f 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -1308,6 +1308,21 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry, + datasize = (*count) * typesize; + assert((tmsize_t)datasize > 0); + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of requested memory is not greater than file size. ++ */ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ if (datasize > filesize) ++ { ++ TIFFWarningExtR(tif, "ReadDirEntryArray", ++ "Requested memory size for tag %d (0x%x) %" PRIu32 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, tag not read", ++ direntry->tdir_tag, direntry->tdir_tag, datasize, ++ filesize); ++ return (TIFFReadDirEntryErrAlloc); ++ } ++ + if (isMapped(tif) && datasize > (uint64_t)tif->tif_size) + return TIFFReadDirEntryErrIo; + +@@ -5266,6 +5281,20 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir, + if (!_TIFFFillStrilesInternal(tif, 0)) + return -1; + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of requested memory is not greater than file size. */ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExtR(tif, module, ++ "Requested memory size for StripByteCounts of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ return -1; ++ } ++ + if (td->td_stripbytecount_p) + _TIFFfreeExt(tif, td->td_stripbytecount_p); + td->td_stripbytecount_p = (uint64_t *)_TIFFCheckMalloc( +@@ -5807,6 +5836,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff, + dircount16 = (uint16_t)dircount64; + dirsize = 20; + } ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ uint64_t allocsize = (uint64_t)dircount16 * dirsize; ++ if (allocsize > filesize) ++ { ++ TIFFWarningExtR( ++ tif, module, ++ "Requested memory size for TIFF directory of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, TIFF directory not read", ++ allocsize, filesize); ++ return 0; ++ } + origdir = _TIFFCheckMalloc(tif, dircount16, dirsize, + "to read TIFF directory"); + if (origdir == NULL) +@@ -5921,6 +5964,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff, + "directories not supported"); + return 0; + } ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ uint64_t allocsize = (uint64_t)dircount16 * dirsize; ++ if (allocsize > filesize) ++ { ++ TIFFWarningExtR( ++ tif, module, ++ "Requested memory size for TIFF directory of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, TIFF directory not read", ++ allocsize, filesize); ++ return 0; ++ } + origdir = _TIFFCheckMalloc(tif, dircount16, dirsize, + "to read TIFF directory"); + if (origdir == NULL) +@@ -5968,6 +6025,8 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff, + } + } + } ++ /* No check against filesize needed here because "dir" should have same size ++ * than "origdir" checked above. */ + dir = (TIFFDirEntry *)_TIFFCheckMalloc( + tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory"); + if (dir == 0) +@@ -7164,6 +7223,20 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips, + return (0); + } + ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExtR(tif, module, ++ "Requested memory size for StripArray of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ _TIFFfreeExt(tif, data); ++ return (0); ++ } + resizeddata = (uint64_t *)_TIFFCheckMalloc( + tif, nstrips, sizeof(uint64_t), "for strip array"); + if (resizeddata == 0) +@@ -7263,6 +7336,23 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips, + } + bytecount = last_offset + last_bytecount - offset; + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of StripByteCount and StripOffset tags is not greater than ++ * file size. ++ */ ++ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2; ++ uint64_t filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExtR(tif, "allocChoppedUpStripArrays", ++ "Requested memory size for StripByteCount and " ++ "StripOffsets %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ return; ++ } ++ + newcounts = + (uint64_t *)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), + "for chopped \"StripByteCounts\" array"); +-- +2.43.0 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/poky/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb index 49984f1125..a26e4694f6 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb +++ b/poky/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb @@ -9,6 +9,13 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3" CVE_PRODUCT = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ + file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch \ + file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \ + file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \ + file://CVE-2023-6228.patch \ + file://CVE-2023-52355-0001.patch \ + file://CVE-2023-52355-0002.patch \ + file://CVE-2023-52356.patch \ " SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a" diff --git a/poky/meta/recipes-sato/sato-icon-theme/icon-naming-utils_0.8.90.bb b/poky/meta/recipes-sato/sato-icon-theme/icon-naming-utils_0.8.90.bb index 67cbd03100..5502b66905 100644 --- a/poky/meta/recipes-sato/sato-icon-theme/icon-naming-utils_0.8.90.bb +++ b/poky/meta/recipes-sato/sato-icon-theme/icon-naming-utils_0.8.90.bb @@ -14,7 +14,7 @@ DEPENDS = "libxml-simple-perl-native" LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" -SRC_URI = "http://tango.freedesktop.org/releases/icon-naming-utils-${PV}.tar.gz" +SRC_URI = "${DEBIAN_MIRROR}/main/i/icon-naming-utils/icon-naming-utils_${PV}.orig.tar.gz" SRC_URI[sha256sum] = "044ab2199ed8c6a55ce36fd4fcd8b8021a5e21f5bab028c0a7cdcf52a5902e1c" inherit autotools allarch perlnative @@ -26,4 +26,4 @@ do_configure:append() { FILES:${PN} += "${datadir}/dtds" -BBCLASSEXTEND = "native"
\ No newline at end of file +BBCLASSEXTEND = "native" diff --git a/poky/meta/recipes-support/aspell/aspell_0.60.8.bb b/poky/meta/recipes-support/aspell/aspell_0.60.8.1.bb index 39b55f4ff2..0ea9b063e0 100644 --- a/poky/meta/recipes-support/aspell/aspell_0.60.8.bb +++ b/poky/meta/recipes-support/aspell/aspell_0.60.8.1.bb @@ -13,11 +13,8 @@ HOMEPAGE = "http://aspell.net/" LICENSE = "LGPL-2.0-only | LGPL-2.1-only" LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34" -SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz \ - file://CVE-2019-25051.patch \ -" -SRC_URI[md5sum] = "012fa9209203ae4e5a61c2a668fd10e3" -SRC_URI[sha256sum] = "f9b77e515334a751b2e60daab5db23499e26c9209f5e7b7443b05235ad0226f2" +SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz" +SRC_URI[sha256sum] = "d6da12b34d42d457fa604e435ad484a74b2effcd120ff40acd6bb3fb2887d21b" PACKAGECONFIG ??= "" PACKAGECONFIG[curses] = "--enable-curses,--disable-curses,ncurses" diff --git a/poky/meta/recipes-support/aspell/files/CVE-2019-25051.patch b/poky/meta/recipes-support/aspell/files/CVE-2019-25051.patch deleted file mode 100644 index 8513f6de79..0000000000 --- a/poky/meta/recipes-support/aspell/files/CVE-2019-25051.patch +++ /dev/null @@ -1,101 +0,0 @@ -From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001 -From: Kevin Atkinson <kevina@gnu.org> -Date: Sat, 21 Dec 2019 20:32:47 +0000 -Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk - to prevent a buffer overflow - -Bug found using OSS-Fuze. - -Upstream-Status: Backport -[https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a] -CVE: CVE-2019-25051 -Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> ---- - common/objstack.hpp | 18 ++++++++++++++---- - 1 file changed, 14 insertions(+), 4 deletions(-) - -diff --git a/common/objstack.hpp b/common/objstack.hpp -index 3997bf7..bd97ccd 100644 ---- a/common/objstack.hpp -+++ b/common/objstack.hpp -@@ -5,6 +5,7 @@ - #include "parm_string.hpp" - #include <stdlib.h> - #include <assert.h> -+#include <stddef.h> - - namespace acommon { - -@@ -26,6 +27,12 @@ class ObjStack - byte * temp_end; - void setup_chunk(); - void new_chunk(); -+ bool will_overflow(size_t sz) const { -+ return offsetof(Node,data) + sz > chunk_size; -+ } -+ void check_size(size_t sz) { -+ assert(!will_overflow(sz)); -+ } - - ObjStack(const ObjStack &); - void operator=(const ObjStack &); -@@ -56,7 +63,7 @@ class ObjStack - void * alloc_bottom(size_t size) { - byte * tmp = bottom; - bottom += size; -- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;} -+ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;} - return tmp; - } - // This alloc_bottom will insure that the object is aligned based on the -@@ -66,7 +73,7 @@ class ObjStack - align_bottom(align); - byte * tmp = bottom; - bottom += size; -- if (bottom > top) {new_chunk(); goto loop;} -+ if (bottom > top) {check_size(size); new_chunk(); goto loop;} - return tmp; - } - char * dup_bottom(ParmString str) { -@@ -79,7 +86,7 @@ class ObjStack - // always be aligned as such. - void * alloc_top(size_t size) { - top -= size; -- if (top < bottom) {new_chunk(); top -= size;} -+ if (top < bottom) {check_size(size); new_chunk(); top -= size;} - return top; - } - // This alloc_top will insure that the object is aligned based on -@@ -88,7 +95,7 @@ class ObjStack - {loop: - top -= size; - align_top(align); -- if (top < bottom) {new_chunk(); goto loop;} -+ if (top < bottom) {check_size(size); new_chunk(); goto loop;} - return top; - } - char * dup_top(ParmString str) { -@@ -117,6 +124,7 @@ class ObjStack - void * alloc_temp(size_t size) { - temp_end = bottom + size; - if (temp_end > top) { -+ check_size(size); - new_chunk(); - temp_end = bottom + size; - } -@@ -131,6 +139,7 @@ class ObjStack - } else { - size_t s = temp_end - bottom; - byte * p = bottom; -+ check_size(size); - new_chunk(); - memcpy(bottom, p, s); - temp_end = bottom + size; -@@ -150,6 +159,7 @@ class ObjStack - } else { - size_t s = temp_end - bottom; - byte * p = bottom; -+ check_size(size); - new_chunk(); - memcpy(bottom, p, s); - temp_end = bottom + size; diff --git a/poky/meta/recipes-support/atk/at-spi2-core_2.50.0.bb b/poky/meta/recipes-support/atk/at-spi2-core_2.50.1.bb index 57958fb7f5..6996ebebcd 100644 --- a/poky/meta/recipes-support/atk/at-spi2-core_2.50.0.bb +++ b/poky/meta/recipes-support/atk/at-spi2-core_2.50.1.bb @@ -11,7 +11,7 @@ MAJ_VER = "${@oe.utils.trim_version("${PV}", 2)}" SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "e9f5a8c8235c9dd963b2171de9120301129c677dde933955e1df618b949c4adc" +SRC_URI[sha256sum] = "5727b5c0687ac57ba8040e79bd6731b714a36b8fcf32190f236b8fb3698789e7" DEPENDS = " \ dbus \ diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-46219.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-46219.patch new file mode 100644 index 0000000000..d6c8925218 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-46219.patch @@ -0,0 +1,131 @@ +CVE: CVE-2023-46219 +Upstream-Status: Backport [ https://github.com/curl/curl/commit/73b65e94f3531179de45 ] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + +From 73b65e94f3531179de45c6f3c836a610e3d0a846 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 23 Nov 2023 08:23:17 +0100 +Subject: [PATCH] fopen: create short(er) temporary file name + +Only using random letters in the name plus a ".tmp" extension. Not by +appending characters to the final file name. + +Reported-by: Maksymilian Arciemowicz + +Closes #12388 +--- + lib/fopen.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 60 insertions(+), 5 deletions(-) + +diff --git a/lib/fopen.c b/lib/fopen.c +index 75b8a7aa534085..a73ac068ea3016 100644 +--- a/lib/fopen.c ++++ b/lib/fopen.c +@@ -39,6 +39,51 @@ + #include "curl_memory.h" + #include "memdebug.h" + ++/* ++ The dirslash() function breaks a null-terminated pathname string into ++ directory and filename components then returns the directory component up ++ to, *AND INCLUDING*, a final '/'. If there is no directory in the path, ++ this instead returns a "" string. ++ ++ This function returns a pointer to malloc'ed memory. ++ ++ The input path to this function is expected to have a file name part. ++*/ ++ ++#ifdef _WIN32 ++#define PATHSEP "\\" ++#define IS_SEP(x) (((x) == '/') || ((x) == '\\')) ++#elif defined(MSDOS) || defined(__EMX__) || defined(OS2) ++#define PATHSEP "\\" ++#define IS_SEP(x) ((x) == '\\') ++#else ++#define PATHSEP "/" ++#define IS_SEP(x) ((x) == '/') ++#endif ++ ++static char *dirslash(const char *path) ++{ ++ size_t n; ++ struct dynbuf out; ++ DEBUGASSERT(path); ++ Curl_dyn_init(&out, CURL_MAX_INPUT_LENGTH); ++ n = strlen(path); ++ if(n) { ++ /* find the rightmost path separator, if any */ ++ while(n && !IS_SEP(path[n-1])) ++ --n; ++ /* skip over all the path separators, if any */ ++ while(n && IS_SEP(path[n-1])) ++ --n; ++ } ++ if(Curl_dyn_addn(&out, path, n)) ++ return NULL; ++ /* if there was a directory, append a single trailing slash */ ++ if(n && Curl_dyn_addn(&out, PATHSEP, 1)) ++ return NULL; ++ return Curl_dyn_ptr(&out); ++} ++ + /* + * Curl_fopen() opens a file for writing with a temp name, to be renamed + * to the final name when completed. If there is an existing file using this +@@ -50,25 +95,34 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + FILE **fh, char **tempname) + { + CURLcode result = CURLE_WRITE_ERROR; +- unsigned char randsuffix[9]; ++ unsigned char randbuf[41]; + char *tempstore = NULL; + struct_stat sb; + int fd = -1; ++ char *dir; + *tempname = NULL; + ++ dir = dirslash(filename); ++ if(!dir) ++ goto fail; ++ + *fh = fopen(filename, FOPEN_WRITETEXT); + if(!*fh) + goto fail; +- if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) ++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) { ++ free(dir); + return CURLE_OK; ++ } + fclose(*fh); + *fh = NULL; + +- result = Curl_rand_alnum(data, randsuffix, sizeof(randsuffix)); ++ result = Curl_rand_alnum(data, randbuf, sizeof(randbuf)); + if(result) + goto fail; + +- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); ++ /* The temp file name should not end up too long for the target file ++ system */ ++ tempstore = aprintf("%s%s.tmp", dir, randbuf); + if(!tempstore) { + result = CURLE_OUT_OF_MEMORY; + goto fail; +@@ -95,6 +149,7 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + if(!*fh) + goto fail; + ++ free(dir); + *tempname = tempstore; + return CURLE_OK; + +@@ -105,7 +160,7 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + } + + free(tempstore); +- ++ free(dir); + return result; + } + diff --git a/poky/meta/recipes-support/curl/curl/disable-tests b/poky/meta/recipes-support/curl/curl/disable-tests index fdac795662..89255d6034 100644 --- a/poky/meta/recipes-support/curl/curl/disable-tests +++ b/poky/meta/recipes-support/curl/curl/disable-tests @@ -1,9 +1,17 @@ +# Intermittently fails e.g. https://autobuilder.yocto.io/pub/non-release/20231220-28/testresults/qemux86-64-ptest/curl.log +# https://autobuilder.yocto.io/pub/non-release/20231220-27/testresults/qemux86-64-ptest/curl.log +337 # These CRL test (alt-avc) are failing 356 412 413 # These CRL tests are scanning docs 971 +# Intermittently hangs e.g http://autobuilder.yocto.io/pub/non-release/20231228-18/testresults/qemux86-64-ptest/curl.log +1091 +# Intermittently hangs e.g https://autobuilder.yocto.io/pub/non-release/20231220-27/testresults/qemux86-64-ptest/curl.log +1096 +# These CRL tests are scanning docs 1119 1132 1135 diff --git a/poky/meta/recipes-support/curl/curl_8.4.0.bb b/poky/meta/recipes-support/curl/curl_8.4.0.bb index 8f1ba52692..977404c963 100644 --- a/poky/meta/recipes-support/curl/curl_8.4.0.bb +++ b/poky/meta/recipes-support/curl/curl_8.4.0.bb @@ -14,6 +14,7 @@ SRC_URI = " \ file://run-ptest \ file://disable-tests \ file://CVE-2023-46218.patch \ + file://CVE-2023-46219.patch \ " SRC_URI[sha256sum] = "16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d" diff --git a/poky/meta/recipes-support/libatomic-ops/libatomic-ops_7.8.0.bb b/poky/meta/recipes-support/libatomic-ops/libatomic-ops_7.8.2.bb index d4b77f6244..824400e743 100644 --- a/poky/meta/recipes-support/libatomic-ops/libatomic-ops_7.8.0.bb +++ b/poky/meta/recipes-support/libatomic-ops/libatomic-ops_7.8.2.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/libatomic_ops-${PV}.tar.gz" GITHUB_BASE_URI = "https://github.com/ivmai/libatomic_ops/releases" -SRC_URI[sha256sum] = "15676e7674e11bda5a7e50a73f4d9e7d60452271b8acf6fd39a71fefdf89fa31" +SRC_URI[sha256sum] = "d305207fe207f2b3fb5cb4c019da12b44ce3fcbc593dfd5080d867b1a2419b51" S = "${WORKDIR}/libatomic_ops-${PV}" diff --git a/poky/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch b/poky/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch new file mode 100644 index 0000000000..ab0f419ac5 --- /dev/null +++ b/poky/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch @@ -0,0 +1,466 @@ +From d4634630432594b139b3af6b9f254b890c0f275d Mon Sep 17 00:00:00 2001 +From: Michael Buckley <michael@buckleyisms.com> +Date: Thu, 30 Nov 2023 15:08:02 -0800 +Subject: [PATCH] src: add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack" + +Refs: +https://terrapin-attack.com/ +https://seclists.org/oss-sec/2023/q4/292 +https://osv.dev/list?ecosystem=&q=CVE-2023-48795 +https://github.com/advisories/GHSA-45x7-px36-x8w8 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795 + +Fixes #1290 +Closes #1291 + +CVE: CVE-2023-48795 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + src/kex.c | 63 +++++++++++++++++++++++------------ + src/libssh2_priv.h | 18 +++++++--- + src/packet.c | 83 +++++++++++++++++++++++++++++++++++++++++++--- + src/packet.h | 2 +- + src/session.c | 3 ++ + src/transport.c | 12 ++++++- + 6 files changed, 149 insertions(+), 32 deletions(-) + +diff --git a/src/kex.c b/src/kex.c +index d4034a0a..b4b748ca 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -3037,6 +3037,13 @@ kex_method_extension_negotiation = { + 0, + }; + ++static const LIBSSH2_KEX_METHOD ++kex_method_strict_client_extension = { ++ "kex-strict-c-v00@openssh.com", ++ NULL, ++ 0, ++}; ++ + static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = { + #if LIBSSH2_ED25519 + &kex_method_ssh_curve25519_sha256, +@@ -3055,6 +3062,7 @@ static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = { + &kex_method_diffie_helman_group1_sha1, + &kex_method_diffie_helman_group_exchange_sha1, + &kex_method_extension_negotiation, ++ &kex_method_strict_client_extension, + NULL + }; + +@@ -3307,13 +3315,13 @@ static int kexinit(LIBSSH2_SESSION * session) + return 0; + } + +-/* kex_agree_instr ++/* _libssh2_kex_agree_instr + * Kex specific variant of strstr() + * Needle must be preceded by BOL or ',', and followed by ',' or EOL + */ +-static unsigned char * +-kex_agree_instr(unsigned char *haystack, size_t haystack_len, +- const unsigned char *needle, size_t needle_len) ++unsigned char * ++_libssh2_kex_agree_instr(unsigned char *haystack, size_t haystack_len, ++ const unsigned char *needle, size_t needle_len) + { + unsigned char *s; + unsigned char *end_haystack; +@@ -3398,7 +3406,7 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session, + while(s && *s) { + unsigned char *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s)); +- if(kex_agree_instr(hostkey, hostkey_len, s, method_len)) { ++ if(_libssh2_kex_agree_instr(hostkey, hostkey_len, s, method_len)) { + const LIBSSH2_HOSTKEY_METHOD *method = + (const LIBSSH2_HOSTKEY_METHOD *) + kex_get_method_by_name((char *) s, method_len, +@@ -3432,9 +3440,9 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session, + } + + while(hostkeyp && (*hostkeyp) && (*hostkeyp)->name) { +- s = kex_agree_instr(hostkey, hostkey_len, +- (unsigned char *) (*hostkeyp)->name, +- strlen((*hostkeyp)->name)); ++ s = _libssh2_kex_agree_instr(hostkey, hostkey_len, ++ (unsigned char *) (*hostkeyp)->name, ++ strlen((*hostkeyp)->name)); + if(s) { + /* So far so good, but does it suit our purposes? (Encrypting vs + Signing) */ +@@ -3468,6 +3476,12 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex, + { + const LIBSSH2_KEX_METHOD **kexp = libssh2_kex_methods; + unsigned char *s; ++ const unsigned char *strict = ++ (unsigned char *)"kex-strict-s-v00@openssh.com"; ++ ++ if(_libssh2_kex_agree_instr(kex, kex_len, strict, 28)) { ++ session->kex_strict = 1; ++ } + + if(session->kex_prefs) { + s = (unsigned char *) session->kex_prefs; +@@ -3475,7 +3489,7 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex, + while(s && *s) { + unsigned char *q, *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s)); +- q = kex_agree_instr(kex, kex_len, s, method_len); ++ q = _libssh2_kex_agree_instr(kex, kex_len, s, method_len); + if(q) { + const LIBSSH2_KEX_METHOD *method = (const LIBSSH2_KEX_METHOD *) + kex_get_method_by_name((char *) s, method_len, +@@ -3509,9 +3523,9 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex, + } + + while(*kexp && (*kexp)->name) { +- s = kex_agree_instr(kex, kex_len, +- (unsigned char *) (*kexp)->name, +- strlen((*kexp)->name)); ++ s = _libssh2_kex_agree_instr(kex, kex_len, ++ (unsigned char *) (*kexp)->name, ++ strlen((*kexp)->name)); + if(s) { + /* We've agreed on a key exchange method, + * Can we agree on a hostkey that works with this kex? +@@ -3555,7 +3569,7 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session, + unsigned char *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s)); + +- if(kex_agree_instr(crypt, crypt_len, s, method_len)) { ++ if(_libssh2_kex_agree_instr(crypt, crypt_len, s, method_len)) { + const LIBSSH2_CRYPT_METHOD *method = + (const LIBSSH2_CRYPT_METHOD *) + kex_get_method_by_name((char *) s, method_len, +@@ -3577,9 +3591,9 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session, + } + + while(*cryptp && (*cryptp)->name) { +- s = kex_agree_instr(crypt, crypt_len, +- (unsigned char *) (*cryptp)->name, +- strlen((*cryptp)->name)); ++ s = _libssh2_kex_agree_instr(crypt, crypt_len, ++ (unsigned char *) (*cryptp)->name, ++ strlen((*cryptp)->name)); + if(s) { + endpoint->crypt = *cryptp; + return 0; +@@ -3619,7 +3633,7 @@ static int kex_agree_mac(LIBSSH2_SESSION * session, + unsigned char *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s)); + +- if(kex_agree_instr(mac, mac_len, s, method_len)) { ++ if(_libssh2_kex_agree_instr(mac, mac_len, s, method_len)) { + const LIBSSH2_MAC_METHOD *method = (const LIBSSH2_MAC_METHOD *) + kex_get_method_by_name((char *) s, method_len, + (const LIBSSH2_COMMON_METHOD **) +@@ -3640,8 +3654,9 @@ static int kex_agree_mac(LIBSSH2_SESSION * session, + } + + while(*macp && (*macp)->name) { +- s = kex_agree_instr(mac, mac_len, (unsigned char *) (*macp)->name, +- strlen((*macp)->name)); ++ s = _libssh2_kex_agree_instr(mac, mac_len, ++ (unsigned char *) (*macp)->name, ++ strlen((*macp)->name)); + if(s) { + endpoint->mac = *macp; + return 0; +@@ -3672,7 +3687,7 @@ static int kex_agree_comp(LIBSSH2_SESSION *session, + unsigned char *p = (unsigned char *) strchr((char *) s, ','); + size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s)); + +- if(kex_agree_instr(comp, comp_len, s, method_len)) { ++ if(_libssh2_kex_agree_instr(comp, comp_len, s, method_len)) { + const LIBSSH2_COMP_METHOD *method = + (const LIBSSH2_COMP_METHOD *) + kex_get_method_by_name((char *) s, method_len, +@@ -3694,8 +3709,9 @@ static int kex_agree_comp(LIBSSH2_SESSION *session, + } + + while(*compp && (*compp)->name) { +- s = kex_agree_instr(comp, comp_len, (unsigned char *) (*compp)->name, +- strlen((*compp)->name)); ++ s = _libssh2_kex_agree_instr(comp, comp_len, ++ (unsigned char *) (*compp)->name, ++ strlen((*compp)->name)); + if(s) { + endpoint->comp = *compp; + return 0; +@@ -3876,6 +3892,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange, + session->local.kexinit = key_state->oldlocal; + session->local.kexinit_len = key_state->oldlocal_len; + key_state->state = libssh2_NB_state_idle; ++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX; + session->state &= ~LIBSSH2_STATE_KEX_ACTIVE; + session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS; + return -1; +@@ -3901,6 +3918,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange, + session->local.kexinit = key_state->oldlocal; + session->local.kexinit_len = key_state->oldlocal_len; + key_state->state = libssh2_NB_state_idle; ++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX; + session->state &= ~LIBSSH2_STATE_KEX_ACTIVE; + session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS; + return -1; +@@ -3949,6 +3967,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange, + session->remote.kexinit = NULL; + } + ++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX; + session->state &= ~LIBSSH2_STATE_KEX_ACTIVE; + session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS; + +diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h +index 82c3afe2..ee1d8b5c 100644 +--- a/src/libssh2_priv.h ++++ b/src/libssh2_priv.h +@@ -699,6 +699,9 @@ struct _LIBSSH2_SESSION + /* key signing algorithm preferences -- NULL yields server order */ + char *sign_algo_prefs; + ++ /* Whether to use the OpenSSH Strict KEX extension */ ++ int kex_strict; ++ + /* (remote as source of data -- packet_read ) */ + libssh2_endpoint_data remote; + +@@ -870,6 +873,7 @@ struct _LIBSSH2_SESSION + int fullpacket_macstate; + size_t fullpacket_payload_len; + int fullpacket_packet_type; ++ uint32_t fullpacket_required_type; + + /* State variables used in libssh2_sftp_init() */ + libssh2_nonblocking_states sftpInit_state; +@@ -910,10 +914,11 @@ struct _LIBSSH2_SESSION + }; + + /* session.state bits */ +-#define LIBSSH2_STATE_EXCHANGING_KEYS 0x00000001 +-#define LIBSSH2_STATE_NEWKEYS 0x00000002 +-#define LIBSSH2_STATE_AUTHENTICATED 0x00000004 +-#define LIBSSH2_STATE_KEX_ACTIVE 0x00000008 ++#define LIBSSH2_STATE_INITIAL_KEX 0x00000001 ++#define LIBSSH2_STATE_EXCHANGING_KEYS 0x00000002 ++#define LIBSSH2_STATE_NEWKEYS 0x00000004 ++#define LIBSSH2_STATE_AUTHENTICATED 0x00000008 ++#define LIBSSH2_STATE_KEX_ACTIVE 0x00000010 + + /* session.flag helpers */ + #ifdef MSG_NOSIGNAL +@@ -1144,6 +1149,11 @@ ssize_t _libssh2_send(libssh2_socket_t socket, const void *buffer, + int _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange, + key_exchange_state_t * state); + ++unsigned char *_libssh2_kex_agree_instr(unsigned char *haystack, ++ size_t haystack_len, ++ const unsigned char *needle, ++ size_t needle_len); ++ + /* Let crypt.c/hostkey.c expose their method structs */ + const LIBSSH2_CRYPT_METHOD **libssh2_crypt_methods(void); + const LIBSSH2_HOSTKEY_METHOD **libssh2_hostkey_methods(void); +diff --git a/src/packet.c b/src/packet.c +index b5b41981..35d4d39e 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -605,14 +605,13 @@ authagent_exit: + * layer when it has received a packet. + * + * The input pointer 'data' is pointing to allocated data that this function +- * is asked to deal with so on failure OR success, it must be freed fine. +- * The only exception is when the return code is LIBSSH2_ERROR_EAGAIN. ++ * will be freed unless return the code is LIBSSH2_ERROR_EAGAIN. + * + * This function will always be called with 'datalen' greater than zero. + */ + int + _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, +- size_t datalen, int macstate) ++ size_t datalen, int macstate, uint32_t seq) + { + int rc = 0; + unsigned char *message = NULL; +@@ -657,6 +656,70 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + break; + } + ++ if(session->state & LIBSSH2_STATE_INITIAL_KEX) { ++ if(msg == SSH_MSG_KEXINIT) { ++ if(!session->kex_strict) { ++ if(datalen < 17) { ++ LIBSSH2_FREE(session, data); ++ session->packAdd_state = libssh2_NB_state_idle; ++ return _libssh2_error(session, ++ LIBSSH2_ERROR_BUFFER_TOO_SMALL, ++ "Data too short extracting kex"); ++ } ++ else { ++ const unsigned char *strict = ++ (unsigned char *)"kex-strict-s-v00@openssh.com"; ++ struct string_buf buf; ++ unsigned char *algs = NULL; ++ size_t algs_len = 0; ++ ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr += 17; /* advance past type and cookie */ ++ ++ if(_libssh2_get_string(&buf, &algs, &algs_len)) { ++ LIBSSH2_FREE(session, data); ++ session->packAdd_state = libssh2_NB_state_idle; ++ return _libssh2_error(session, ++ LIBSSH2_ERROR_BUFFER_TOO_SMALL, ++ "Algs too short"); ++ } ++ ++ if(algs_len == 0 || ++ _libssh2_kex_agree_instr(algs, algs_len, strict, 28)) { ++ session->kex_strict = 1; ++ } ++ } ++ } ++ ++ if(session->kex_strict && seq) { ++ LIBSSH2_FREE(session, data); ++ session->socket_state = LIBSSH2_SOCKET_DISCONNECTED; ++ session->packAdd_state = libssh2_NB_state_idle; ++ libssh2_session_disconnect(session, "strict KEX violation: " ++ "KEXINIT was not the first packet"); ++ ++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT, ++ "strict KEX violation: " ++ "KEXINIT was not the first packet"); ++ } ++ } ++ ++ if(session->kex_strict && session->fullpacket_required_type && ++ session->fullpacket_required_type != msg) { ++ LIBSSH2_FREE(session, data); ++ session->socket_state = LIBSSH2_SOCKET_DISCONNECTED; ++ session->packAdd_state = libssh2_NB_state_idle; ++ libssh2_session_disconnect(session, "strict KEX violation: " ++ "unexpected packet type"); ++ ++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT, ++ "strict KEX violation: " ++ "unexpected packet type"); ++ } ++ } ++ + if(session->packAdd_state == libssh2_NB_state_allocated) { + /* A couple exceptions to the packet adding rule: */ + switch(msg) { +@@ -1341,6 +1404,15 @@ _libssh2_packet_ask(LIBSSH2_SESSION * session, unsigned char packet_type, + + return 0; + } ++ else if(session->kex_strict && ++ (session->state & LIBSSH2_STATE_INITIAL_KEX)) { ++ libssh2_session_disconnect(session, "strict KEX violation: " ++ "unexpected packet type"); ++ ++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT, ++ "strict KEX violation: " ++ "unexpected packet type"); ++ } + packet = _libssh2_list_next(&packet->node); + } + return -1; +@@ -1402,7 +1474,10 @@ _libssh2_packet_require(LIBSSH2_SESSION * session, unsigned char packet_type, + } + + while(session->socket_state == LIBSSH2_SOCKET_CONNECTED) { +- int ret = _libssh2_transport_read(session); ++ int ret; ++ session->fullpacket_required_type = packet_type; ++ ret = _libssh2_transport_read(session); ++ session->fullpacket_required_type = 0; + if(ret == LIBSSH2_ERROR_EAGAIN) + return ret; + else if(ret < 0) { +diff --git a/src/packet.h b/src/packet.h +index 79018bcf..6ea100a5 100644 +--- a/src/packet.h ++++ b/src/packet.h +@@ -71,6 +71,6 @@ int _libssh2_packet_burn(LIBSSH2_SESSION * session, + int _libssh2_packet_write(LIBSSH2_SESSION * session, unsigned char *data, + unsigned long data_len); + int _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, +- size_t datalen, int macstate); ++ size_t datalen, int macstate, uint32_t seq); + + #endif /* __LIBSSH2_PACKET_H */ +diff --git a/src/session.c b/src/session.c +index a4d602ba..f4bafb57 100644 +--- a/src/session.c ++++ b/src/session.c +@@ -464,6 +464,8 @@ libssh2_session_init_ex(LIBSSH2_ALLOC_FUNC((*my_alloc)), + session->abstract = abstract; + session->api_timeout = 0; /* timeout-free API by default */ + session->api_block_mode = 1; /* blocking API by default */ ++ session->state = LIBSSH2_STATE_INITIAL_KEX; ++ session->fullpacket_required_type = 0; + session->packet_read_timeout = LIBSSH2_DEFAULT_READ_TIMEOUT; + session->flag.quote_paths = 1; /* default behavior is to quote paths + for the scp subsystem */ +@@ -1186,6 +1188,7 @@ libssh2_session_disconnect_ex(LIBSSH2_SESSION *session, int reason, + const char *desc, const char *lang) + { + int rc; ++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX; + session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS; + BLOCK_ADJUST(rc, session, + session_disconnect(session, reason, desc, lang)); +diff --git a/src/transport.c b/src/transport.c +index 6d902d33..3b30ff84 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -187,6 +187,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ ) + struct transportpacket *p = &session->packet; + int rc; + int compressed; ++ uint32_t seq = session->remote.seqno; + + if(session->fullpacket_state == libssh2_NB_state_idle) { + session->fullpacket_macstate = LIBSSH2_MAC_CONFIRMED; +@@ -318,7 +319,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ ) + if(session->fullpacket_state == libssh2_NB_state_created) { + rc = _libssh2_packet_add(session, p->payload, + session->fullpacket_payload_len, +- session->fullpacket_macstate); ++ session->fullpacket_macstate, seq); + if(rc == LIBSSH2_ERROR_EAGAIN) + return rc; + if(rc) { +@@ -329,6 +330,11 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ ) + + session->fullpacket_state = libssh2_NB_state_idle; + ++ if(session->kex_strict && ++ session->fullpacket_packet_type == SSH_MSG_NEWKEYS) { ++ session->remote.seqno = 0; ++ } ++ + return session->fullpacket_packet_type; + } + +@@ -1091,6 +1097,10 @@ int _libssh2_transport_send(LIBSSH2_SESSION *session, + + session->local.seqno++; + ++ if(session->kex_strict && data[0] == SSH_MSG_NEWKEYS) { ++ session->local.seqno = 0; ++ } ++ + ret = LIBSSH2_SEND(session, p->outbuf, total_length, + LIBSSH2_SOCKET_SEND_FLAGS(session)); + if(ret < 0) +-- +2.34.1 + diff --git a/poky/meta/recipes-support/libssh2/libssh2_1.11.0.bb b/poky/meta/recipes-support/libssh2/libssh2_1.11.0.bb index edc25db1b1..5100e6f7f9 100644 --- a/poky/meta/recipes-support/libssh2/libssh2_1.11.0.bb +++ b/poky/meta/recipes-support/libssh2/libssh2_1.11.0.bb @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=24a33237426720395ebb1dd1349ca225" SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \ file://run-ptest \ + file://CVE-2023-48795.patch \ " SRC_URI[sha256sum] = "3736161e41e2693324deb38c26cfdc3efe6209d634ba4258db1cecff6a5ad461" diff --git a/poky/meta/recipes-support/sqlite/sqlite3_3.43.1.bb b/poky/meta/recipes-support/sqlite/sqlite3_3.43.1.bb deleted file mode 100644 index 93146358c7..0000000000 --- a/poky/meta/recipes-support/sqlite/sqlite3_3.43.1.bb +++ /dev/null @@ -1,10 +0,0 @@ -require sqlite3.inc - -LICENSE = "PD" -LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66" - -SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz" -SRC_URI[sha256sum] = "39116c94e76630f22d54cd82c3cea308565f1715f716d1b2527f1c9c969ba4d9" - -CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed upstream. But it is not a vulnerability" - diff --git a/poky/meta/recipes-support/sqlite/sqlite3_3.43.2.bb b/poky/meta/recipes-support/sqlite/sqlite3_3.43.2.bb new file mode 100644 index 0000000000..66d6255ac0 --- /dev/null +++ b/poky/meta/recipes-support/sqlite/sqlite3_3.43.2.bb @@ -0,0 +1,7 @@ +require sqlite3.inc + +LICENSE = "PD" +LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66" + +SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz" +SRC_URI[sha256sum] = "6d422b6f62c4de2ca80d61860e3a3fb693554d2f75bb1aaca743ccc4d6f609f0" |