From 5ffb1169cb6b3ed547d1b882cd9340cc7b7b6f07 Mon Sep 17 00:00:00 2001 
From: Patrick Williams Date: Fri, 18 Feb 2022 12:44:47 -0600 Subject: subtree updates poky: 883341e9ca..e0ab08bb6a: Alexander Kanavin (1): libusb1: correct SRC_URI Anuj Mittal (1): poky.conf: bump version for 3.4.2 release Bruce Ashfield (5): linux-yocto/5.10: amdgpu: updates for CVE-2021-42327 linux-yocto/5.10: update to v5.10.91 kernel: introduce python3-dtschema-wrapper linux-yocto/5.10: update to v5.10.92 linux-yocto/5.10: update to v5.10.93 Carlos Rafael Giani (1): libxml2: Backport python3-lxml workaround patch Changqing Li (1): pigz: fix one failure of command "unpigz -l" Kai Kang (1): speex: fix CVE-2020-23903 Kory Maincent (1): icu: fix make_icudata dependencies Marek Vasut (1): bootchart2: Add missing python3-math dependency Mingli Yu (1): socat: update SRC_URI Peter Kjellerstedt (2): sstate: A third fix for for touching files inside pseudo insane.bbclass: Correct package_qa_check_empty_dirs() Pgowda (2): glibc : Fix CVE-2021-3998 glibc : Fix CVE-2021-3999 Richard Purdie (3): expat: Upgrade 2.4.2 -> 2.4.3 sstate: Improve failure to obtain archive message/handling build-appliance-image: Update to honister head revision Ross Burton (8): vim: upgrade to 8.2 patch 3752 vim: update to include latest CVE fixes lighttpd: backport a fix for CVE-2022-22707 tiff: backport fix for CVE-2022-22844 yocto-check-layer: add debug output for the layers that were found expat: upgrade to 2.4.4 vim: upgrade to patch 4269 core-image-sato-sdk: allocate more memory when in qemu Rudolf J Streif (1): linux-firmware: Add CLM blob to linux-firmware-bcm4373 package Sundeep KOKKONDA (2): glibc : Fix CVE-2022-23218 glibc : Fix CVE-2022-23219 wangmy (1): expat: upgrade 2.4.1 -> 2.4.2 meta-openembedded: 4647e3ea37..c05ae80ba6: Jan Luebbe (1): snappy: use main branch to fix fetch failure Khem Raj (1): python3-prctl: Use https protocol for git fetcher Leif Middelschulte (1): dbus-daemon-proxy: add missing `return` statement Mingli Yu (1): plymouth: switch to KillMode=mixed Tim Orling (2): 
cmocka: use https protocol for fetching tiptop: update download URL and HOMEPAGE 
Signed-off-by: Patrick Williams Change-Id: I6da7a831e4806bb83e7ed1b0d570b2fd1957cd12 --- ...-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch | 2 +- .../0001-systemd-switch-to-KillMode-mixed.patch | 43 +++ .../recipes-core/plymouth/plymouth_0.9.5.bb | 1 + .../recipes-extended/snappy/snappy_1.1.9.bb | 2 +- .../recipes-extended/tiptop/tiptop_2.3.1.bb | 6 +- .../meta-oe/recipes-test/cmocka/cmocka_1.1.5.bb | 2 +- .../recipes-devtools/python/python3-prctl_1.8.1.bb | 2 +- poky/meta-poky/conf/distro/poky.conf | 2 +- poky/meta/classes/insane.bbclass | 2 +- poky/meta/classes/sstate.bbclass | 18 +- poky/meta/conf/distro/include/maintainers.inc | 1 + .../recipes-connectivity/socat/socat_1.7.4.1.bb | 2 +- poky/meta/recipes-core/expat/expat_2.4.1.bb | 32 -- poky/meta/recipes-core/expat/expat_2.4.4.bb | 32 ++ .../glibc/glibc/0001-CVE-2021-3998.patch | 282 ++++++++++++++++ .../glibc/glibc/0001-CVE-2021-3999.patch | 36 +++ .../glibc/glibc/0001-CVE-2022-23218.patch | 178 ++++++++++ .../glibc/glibc/0001-CVE-2022-23219.patch | 55 ++++ .../glibc/glibc/0002-CVE-2021-3998.patch | 138 ++++++++ .../glibc/glibc/0002-CVE-2021-3999.patch | 357 +++++++++++++++++++++ .../glibc/glibc/0002-CVE-2022-23218.patch | 126 ++++++++ .../glibc/glibc/0002-CVE-2022-23219.patch | 89 +++++ poky/meta/recipes-core/glibc/glibc_2.34.bb | 8 + .../images/build-appliance-image_15.0.0.bb | 2 +- .../libxml2/0002-Work-around-lxml-API-abuse.patch | 213 ++++++++++++ poky/meta/recipes-core/libxml/libxml2_2.9.12.bb | 1 + .../bootchart2/bootchart2_0.14.9.bb | 2 +- ...ard-fix-out-of-bounds-OOB-write-fixes-313.patch | 97 ++++++ .../recipes-extended/lighttpd/lighttpd_1.4.59.bb | 1 + .../0001-Fix-bug-when-combining-l-with-d.patch | 50 +++ poky/meta/recipes-extended/pigz/pigz_2.6.bb | 3 +- .../dtc/python3-dtschema-wrapper/dt-doc-validate | 20 ++ .../dtc/python3-dtschema-wrapper/dt-mk-schema | 20 ++ .../dtc/python3-dtschema-wrapper/dt-validate | 20 ++ .../dtc/python3-dtschema-wrapper_2021.10.bb | 17 + 
.../linux-firmware/linux-firmware_20211216.bb | 1 + .../recipes-kernel/linux/linux-yocto-rt_5.10.bb | 6 +- .../recipes-kernel/linux/linux-yocto-tiny_5.10.bb | 8 +- poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +- ...-global-buffer-overflow-for-ASCII-tags-wh.patch | 43 +++ poky/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 3 +- .../speex/speex/CVE-2020-23903.patch | 30 ++ poky/meta/recipes-multimedia/speex/speex_1.2.0.bb | 4 +- .../recipes-sato/images/core-image-sato-sdk.bb | 3 + poky/meta/recipes-support/icu/icu_69.1.bb | 2 +- poky/meta/recipes-support/libusb/libusb1_1.0.24.bb | 6 +- ...2.3581-reading-character-past-end-of-line.patch | 62 ---- ...0001-src-Makefile-improve-reproducibility.patch | 13 +- ....2.3428-using-freed-memory-when-replacing.patch | 83 ----- ...582-reading-uninitialized-memory-when-giv.patch | 63 ---- ...611-crash-when-using-CTRL-W-f-without-fin.patch | 92 ------ ...487-illegal-memory-access-if-buffer-name-.patch | 86 ----- ...3489-ml_get-error-after-search-with-range.patch | 72 ----- ...564-invalid-memory-access-when-scrolling-.patch | 97 ------ .../recipes-support/vim/files/CVE-2021-3778.patch | 61 ---- .../b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch | 207 ------------ .../vim/files/disable_acl_header_check.patch | 15 +- .../recipes-support/vim/files/no-path-adjust.patch | 8 +- poky/meta/recipes-support/vim/files/racefix.patch | 6 +- .../vim-add-knob-whether-elf.h-are-checked.patch | 13 +- poky/meta/recipes-support/vim/vim.inc | 18 +- poky/scripts/yocto-check-layer | 13 + 62 files changed, 1959 insertions(+), 942 deletions(-) create mode 100644 meta-openembedded/meta-oe/recipes-core/plymouth/files/0001-systemd-switch-to-KillMode-mixed.patch delete mode 100644 poky/meta/recipes-core/expat/expat_2.4.1.bb create mode 100644 poky/meta/recipes-core/expat/expat_2.4.4.bb create mode 100644 poky/meta/recipes-core/glibc/glibc/0001-CVE-2021-3998.patch create mode 100644 poky/meta/recipes-core/glibc/glibc/0001-CVE-2021-3999.patch create 
mode 100644 poky/meta/recipes-core/glibc/glibc/0001-CVE-2022-23218.patch create mode 100644 poky/meta/recipes-core/glibc/glibc/0001-CVE-2022-23219.patch create mode 100644 poky/meta/recipes-core/glibc/glibc/0002-CVE-2021-3998.patch create mode 100644 poky/meta/recipes-core/glibc/glibc/0002-CVE-2021-3999.patch create mode 100644 poky/meta/recipes-core/glibc/glibc/0002-CVE-2022-23218.patch create mode 100644 poky/meta/recipes-core/glibc/glibc/0002-CVE-2022-23219.patch create mode 100644 poky/meta/recipes-core/libxml/libxml2/0002-Work-around-lxml-API-abuse.patch create mode 100644 poky/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch create mode 100644 poky/meta/recipes-extended/pigz/files/0001-Fix-bug-when-combining-l-with-d.patch create mode 100644 poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-doc-validate create mode 100644 poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-mk-schema create mode 100644 poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-validate create mode 100644 poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper_2021.10.bb create mode 100644 poky/meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch create mode 100644 poky/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch delete mode 100644 poky/meta/recipes-support/vim/files/0001-patch-8.2.3581-reading-character-past-end-of-line.patch delete mode 100644 poky/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch delete mode 100644 poky/meta/recipes-support/vim/files/0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch delete mode 100644 poky/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch delete mode 100644 poky/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch delete mode 100644 
poky/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch delete mode 100644 poky/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch delete mode 100644 poky/meta/recipes-support/vim/files/CVE-2021-3778.patch delete mode 100644 poky/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch diff --git a/meta-openembedded/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch b/meta-openembedded/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch index 2c4ca057f2..1c2fc3813f 100644 --- a/meta-openembedded/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch +++ b/meta-openembedded/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch @@ -21,7 +21,7 @@ index 009e4fd..f3f0d80 100644 if (!dbus_conn) - return; -+ DBUS_HANDLER_RESULT_NOT_YET_HANDLED; ++ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; if (verbose) g_print ("New message from server: type='%d' path='%s' iface='%s'" diff --git a/meta-openembedded/meta-oe/recipes-core/plymouth/files/0001-systemd-switch-to-KillMode-mixed.patch b/meta-openembedded/meta-oe/recipes-core/plymouth/files/0001-systemd-switch-to-KillMode-mixed.patch new file mode 100644 index 0000000000..eb1c8db21c --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-core/plymouth/files/0001-systemd-switch-to-KillMode-mixed.patch 
@@ -0,0 +1,43 @@ +From 9d0f8b2e7bc2d1d2b0900fcdf119bb9a2cc4f474 Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Tue, 25 Aug 2020 10:49:11 -0400 +Subject: [PATCH] systemd: switch to KillMode=mixed + +KillMode=none is deprecated, so we need to stop using it. + +For now, use `KillMode=mixed` and `IgnoreOnIsolate=true` instead. + +In the future, we should change plymouth to be able to exit and +start again without restarting the active animation, but that's +going to require some effort. + +https://gitlab.freedesktop.org/plymouth/plymouth/-/issues/123 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/plymouth/plymouth/-/commit/9d0f8b2e7bc2d1d2b0900fcdf119bb9a2cc4f474] + +Signed-off-by: Mingli Yu +--- + systemd-units/plymouth-start.service.in | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/systemd-units/plymouth-start.service.in b/systemd-units/plymouth-start.service.in +index 3d00cc6..830a62d 100644 +--- a/systemd-units/plymouth-start.service.in ++++ b/systemd-units/plymouth-start.service.in +@@ -6,11 +6,12 @@ After=systemd-vconsole-setup.service systemd-udev-trigger.service systemd-udevd. + Before=systemd-ask-password-plymouth.service + ConditionKernelCommandLine=!plymouth.enable=0 + ConditionVirtualization=!container ++IgnoreOnIsolate=true + + [Service] + ExecStart=@PLYMOUTH_DAEMON_DIR@/plymouthd --mode=boot --pid-file=@plymouthruntimedir@/pid --attach-to-session + ExecStartPost=-@PLYMOUTH_CLIENT_DIR@/plymouth show-splash + Type=forking + RemainAfterExit=yes +-KillMode=none ++KillMode=mixed + SendSIGKILL=no +-- +2.17.1 + diff --git a/meta-openembedded/meta-oe/recipes-core/plymouth/plymouth_0.9.5.bb b/meta-openembedded/meta-oe/recipes-core/plymouth/plymouth_0.9.5.bb index e5d8c98195..d096462eed 100644 --- a/meta-openembedded/meta-oe/recipes-core/plymouth/plymouth_0.9.5.bb +++ b/meta-openembedded/meta-oe/recipes-core/plymouth/plymouth_0.9.5.bb 
@@ -20,6 +20,7 @@ RPROVIDES:${PN} = "virtual-psplash virtual-psplash-support" SRC_URI = " \ http://www.freedesktop.org/software/plymouth/releases/${BPN}-${PV}.tar.xz \ file://0001-Make-full-path-to-systemd-tty-ask-password-agent-con.patch \ + file://0001-systemd-switch-to-KillMode-mixed.patch \ " SRC_URI[md5sum] = "8a25d23f3ae732af300a56fa33cacff2" diff --git a/meta-openembedded/meta-oe/recipes-extended/snappy/snappy_1.1.9.bb b/meta-openembedded/meta-oe/recipes-extended/snappy/snappy_1.1.9.bb index 252ba9f3dc..0d58345d7a 100644 --- a/meta-openembedded/meta-oe/recipes-extended/snappy/snappy_1.1.9.bb +++ b/meta-openembedded/meta-oe/recipes-extended/snappy/snappy_1.1.9.bb @@ -10,7 +10,7 @@ compression ratio." LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=f62f3080324a97b3159a7a7e61812d0c" -SRC_URI = "gitsm://github.com/google/snappy.git;protocol=https;branch=master \ +SRC_URI = "gitsm://github.com/google/snappy.git;protocol=https;branch=main \ file://0001-Add-inline-with-SNAPPY_ATTRIBUTE_ALWAYS_INLINE.patch \ " SRCREV = "2b63814b15a2aaae54b7943f0cd935892fae628f" diff --git a/meta-openembedded/meta-oe/recipes-extended/tiptop/tiptop_2.3.1.bb b/meta-openembedded/meta-oe/recipes-extended/tiptop/tiptop_2.3.1.bb index 31d0dae25c..b4e5fd4d73 100644 --- a/meta-openembedded/meta-oe/recipes-extended/tiptop/tiptop_2.3.1.bb +++ b/meta-openembedded/meta-oe/recipes-extended/tiptop/tiptop_2.3.1.bb 
@@ -1,10 +1,10 @@ SUMMARY = "Hardware performance monitoring counters" -HOMEPAGE = "http://tiptop.gforge.inria.fr/" +HOMEPAGE = "https://team.inria.fr/pacap/software/tiptop/" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" DEPENDS = "ncurses libxml2 bison-native flex-native" -SRC_URI = "http://tiptop.gforge.inria.fr/releases/${BP}.tar.gz \ +SRC_URI = "http://files.inria.fr/pacap/${BPN}/${BP}.tar.gz \ file://0001-Fix-parallel-build-problems-by-Adrian-Bunk.patch \ file://0002-fix-reproducibility-of-build-process.patch \ file://0001-Fix-build-when-S-B.patch \ @@ -12,6 +12,8 @@ SRC_URI = "http://tiptop.gforge.inria.fr/releases/${BP}.tar.gz \ SRC_URI[md5sum] = "46ca0fdf0236f02dd2b96d347626d2a2" SRC_URI[sha256sum] = "51c4449c95bba34f16b429729c2f58431490665d8093efaa8643b2e1d1084182" +UPSTREAM_CHECK_URI = "https://team.inria.fr/pacap/software/tiptop/" + inherit autotools EXTRA_OECONF = "CFLAGS="$CFLAGS -I${STAGING_INCDIR}/libxml2"" diff --git a/meta-openembedded/meta-oe/recipes-test/cmocka/cmocka_1.1.5.bb b/meta-openembedded/meta-oe/recipes-test/cmocka/cmocka_1.1.5.bb index 2e34f6ab44..554d582a57 100644 --- a/meta-openembedded/meta-oe/recipes-test/cmocka/cmocka_1.1.5.bb +++ b/meta-openembedded/meta-oe/recipes-test/cmocka/cmocka_1.1.5.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3b83ef96387f14655fc854ddc3c6bd57" SRCREV = "a4fc3dd7705c277e3a57432895e9852ea105dac9" PV .= "+git${SRCPV}" -SRC_URI = "git://git.cryptomilk.org/projects/cmocka.git;branch=master \ +SRC_URI = "git://git.cryptomilk.org/projects/cmocka.git;protocol=https;branch=master \ file://run-ptest \ " diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-prctl_1.8.1.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-prctl_1.8.1.bb index b87a470b40..8426e48113 100644 --- a/meta-openembedded/meta-python/recipes-devtools/python/python3-prctl_1.8.1.bb 
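Review bot: The relocated tarball in the first tiptop hunk is still fetched over plain http (`SRC_URI = "http://files.inria.fr/pacap/${BPN}/${BP}.tar.gz \`), while HOMEPAGE and the added UPSTREAM_CHECK_URI in the same recipe use https. The unchanged `SRC_URI[sha256sum]` in the context lines means a modified download fails the checksum, so this is transport hygiene rather than an integrity gap. If the host serves the file over TLS, `SRC_URI = "https://files.inria.fr/pacap/${BPN}/${BP}.tar.gz \` would match the https fetcher switches made for cmocka and python3-prctl in this commit.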
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-prctl_1.8.1.bb @@ -13,7 +13,7 @@ B = "${S}" SRCREV = "5e12e398eb5c4e30d7b29b02458c76d2cc780700" PV = "1.8.1+git${SRCPV}" -SRC_URI = "git://github.com/seveas/python-prctl;branch=main\ +SRC_URI = "git://github.com/seveas/python-prctl;protocol=https;branch=main \ file://0001-support-cross-complication.patch \ " inherit setuptools3 python3native diff --git a/poky/meta-poky/conf/distro/poky.conf b/poky/meta-poky/conf/distro/poky.conf index 1884fd1783..51df0b6da6 100644 --- a/poky/meta-poky/conf/distro/poky.conf +++ b/poky/meta-poky/conf/distro/poky.conf @@ -1,6 +1,6 @@ DISTRO = "poky" DISTRO_NAME = "Poky (Yocto Project Reference Distro)" -DISTRO_VERSION = "3.4.1" +DISTRO_VERSION = "3.4.2" DISTRO_CODENAME = "honister" SDK_VENDOR = "-pokysdk" SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}" diff --git a/poky/meta/classes/insane.bbclass b/poky/meta/classes/insane.bbclass index bfaf2577d0..2c8f5338e5 100644 --- a/poky/meta/classes/insane.bbclass +++ b/poky/meta/classes/insane.bbclass @@ -945,7 +945,7 @@ def package_qa_check_empty_dirs(pkg, d, messages): recommendation = (d.getVar('QA_EMPTY_DIRS_RECOMMENDATION:' + dir) or "but it is expected to be empty") msg = "%s installs files in %s, %s" % (pkg, dir, recommendation) - oe.qa.add_message(messages, "empty-dirs", msg) + package_qa_add_message(messages, "empty-dirs", msg) def package_qa_check_encoding(keys, encode, d): def check_encoding(key, enc): diff --git a/poky/meta/classes/sstate.bbclass b/poky/meta/classes/sstate.bbclass index ba2c9fee35..103de01264 100644 --- a/poky/meta/classes/sstate.bbclass +++ b/poky/meta/classes/sstate.bbclass 
@@ -788,7 +788,9 @@ def sstate_setscene(d): shared_state = sstate_state_fromvars(d) accelerate = sstate_installpkg(shared_state, d) if not accelerate: - bb.fatal("No suitable staging package found") + msg = "No sstate archive obtainable, will run full task instead." + bb.warn(msg) + raise bb.BBHandledException(msg) python sstate_task_prefunc () { shared_state = sstate_state_fromvars(d) @@ -852,14 +854,18 @@ sstate_create_package () { fi chmod 0664 $TFILE # Skip if it was already created by some other process - if [ ! -e ${SSTATE_PKG} ]; then + if [ -h ${SSTATE_PKG} ] && [ ! -e ${SSTATE_PKG} ]; then + # There is a symbolic link, but it links to nothing. + # Forcefully replace it with the new file. + ln -f $TFILE ${SSTATE_PKG} || true + elif [ ! -e ${SSTATE_PKG} ]; then # Move into place using ln to attempt an atomic op. # Abort if it already exists - ln $TFILE ${SSTATE_PKG} && rm $TFILE + ln $TFILE ${SSTATE_PKG} || true else - rm $TFILE + touch ${SSTATE_PKG} 2>/dev/null || true fi - touch ${SSTATE_PKG} 2>/dev/null || true + rm $TFILE } python sstate_sign_package () { @@ -889,7 +895,7 @@ python sstate_report_unihash() { sstate_unpack_package () { tar -xvzf ${SSTATE_PKG} # update .siginfo atime on local/NFS mirror if it is a symbolic link - [ ! -h ${SSTATE_PKG}.siginfo ] || touch -a ${SSTATE_PKG}.siginfo 2>/dev/null || true + [ ! -h ${SSTATE_PKG}.siginfo ] || [ ! -e ${SSTATE_PKG}.siginfo ] || touch -a ${SSTATE_PKG}.siginfo 2>/dev/null || true # update each symbolic link instead of any referenced file touch --no-dereference ${SSTATE_PKG} 2>/dev/null || true [ ! -e ${SSTATE_PKG}.sig ] || touch --no-dereference ${SSTATE_PKG}.sig 2>/dev/null || true diff --git a/poky/meta/conf/distro/include/maintainers.inc b/poky/meta/conf/distro/include/maintainers.inc index b3b7711a0c..2b54d2d12f 100644 --- a/poky/meta/conf/distro/include/maintainers.inc +++ b/poky/meta/conf/distro/include/maintainers.inc 
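Review bot: In the sstate_create_package hunk, both `ln -f $TFILE ${SSTATE_PKG} || true` and `ln $TFILE ${SSTATE_PKG} || true` now discard every failure, and the unconditional `rm $TFILE` that follows deletes the only copy of the new archive. Losing the race to another writer is expected, but a permission, quota or cross-device error would leave the cache unpopulated (or, in the dangling-symlink branch, still dangling) with nothing in the log, and the next context line shows sstate_sign_package following this function. The best-effort behaviour can stay while the unexpected case is reported, for example `ln $TFILE ${SSTATE_PKG} || [ -e ${SSTATE_PKG} ] || bbwarn "could not publish ${SSTATE_PKG}"`. The function body starts outside the hunk.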
@@ -592,6 +592,7 @@ RECIPE_MAINTAINER:pn-python3-cython = "Oleksandr Kravchuk +Date: Tue, 18 Jan 2022 13:29:36 +0530 +Subject: [PATCH] support: Add helpers to create paths longer than PATH_MAX + +Add new helpers support_create_and_chdir_toolong_temp_directory and +support_chdir_toolong_temp_directory to create and descend into +directory trees longer than PATH_MAX. + +Reviewed-by: Adhemerval Zanella +Signed-off-by: Siddhesh Poyarekar + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=062ff490c1467059f6cd64bb9c3d85f6cc6cf97a] +CVE: CVE-2021-3998 + +Signed-off-by: Pgowda +--- + support/temp_file.c | 159 +++++++++++++++++++++++++++++++++++++++++--- + support/temp_file.h | 9 +++ + 2 files changed, 159 insertions(+), 9 deletions(-) + +diff --git a/support/temp_file.c b/support/temp_file.c +index e7bb8aadb9..e41128c2d4 100644 +--- a/support/temp_file.c ++++ b/support/temp_file.c +@@ -1,5 +1,6 @@ + /* Temporary file handling for tests. + Copyright (C) 1998-2021 Free Software Foundation, Inc. ++ Copyright The GNU Tools Authors. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or +@@ -20,15 +21,17 @@ + some 32-bit platforms. */ + #define _FILE_OFFSET_BITS 64 + ++#include + #include + #include + #include + ++#include + #include + #include + #include + #include +-#include ++#include + + /* List of temporary files. */ + static struct temp_name_list +@@ -36,14 +39,20 @@ static struct temp_name_list + struct temp_name_list *next; + char *name; + pid_t owner; ++ bool toolong; + } *temp_name_list; + + /* Location of the temporary files. Set by the test skeleton via + support_set_test_dir. The string is not be freed. */ + static const char *test_dir = _PATH_TMP; + +-void +-add_temp_file (const char *name) ++/* Name of subdirectories in a too long temporary directory tree. 
*/ ++static char toolong_subdir[NAME_MAX + 1]; ++static bool toolong_initialized; ++static size_t toolong_path_max; ++ ++static void ++add_temp_file_internal (const char *name, bool toolong) + { + struct temp_name_list *newp + = (struct temp_name_list *) xcalloc (sizeof (*newp), 1); +@@ -53,12 +62,19 @@ add_temp_file (const char *name) + newp->name = newname; + newp->next = temp_name_list; + newp->owner = getpid (); ++ newp->toolong = toolong; + temp_name_list = newp; + } + else + free (newp); + } + ++void ++add_temp_file (const char *name) ++{ ++ add_temp_file_internal (name, false); ++} ++ + int + create_temp_file_in_dir (const char *base, const char *dir, char **filename) + { +@@ -90,8 +106,8 @@ create_temp_file (const char *base, char + return create_temp_file_in_dir (base, test_dir, filename); + } + +-char * +-support_create_temp_directory (const char *base) ++static char * ++create_temp_directory_internal (const char *base, bool toolong) + { + char *path = xasprintf ("%s/%sXXXXXX", test_dir, base); + if (mkdtemp (path) == NULL) +@@ -99,16 +115,132 @@ support_create_temp_directory (const cha + printf ("error: mkdtemp (\"%s\"): %m", path); + exit (1); + } +- add_temp_file (path); ++ add_temp_file_internal (path, toolong); + return path; + } + +-/* Helper functions called by the test skeleton follow. */ ++char * ++support_create_temp_directory (const char *base) ++{ ++ return create_temp_directory_internal (base, false); ++} ++ ++static void ++ensure_toolong_initialized (void) ++{ ++ if (!toolong_initialized) ++ FAIL_EXIT1 ("uninitialized toolong directory tree\n"); ++} ++ ++static void ++initialize_toolong (const char *base) ++{ ++ long name_max = pathconf (base, _PC_NAME_MAX); ++ name_max = (name_max < 0 ? 64 ++ : (name_max < sizeof (toolong_subdir) ? name_max ++ : sizeof (toolong_subdir) - 1)); ++ ++ long path_max = pathconf (base, _PC_PATH_MAX); ++ path_max = (path_max < 0 ? 1024 ++ : path_max <= PTRDIFF_MAX ? 
path_max : PTRDIFF_MAX); ++ ++ /* Sanity check to ensure that the test does not create temporary directories ++ in different filesystems because this API doesn't support it. */ ++ if (toolong_initialized) ++ { ++ if (name_max != strlen (toolong_subdir)) ++ FAIL_UNSUPPORTED ("name_max: Temporary directories in different" ++ " filesystems not supported yet\n"); ++ if (path_max != toolong_path_max) ++ FAIL_UNSUPPORTED ("path_max: Temporary directories in different" ++ " filesystems not supported yet\n"); ++ return; ++ } ++ ++ toolong_path_max = path_max; ++ ++ size_t len = name_max; ++ memset (toolong_subdir, 'X', len); ++ toolong_initialized = true; ++} ++ ++char * ++support_create_and_chdir_toolong_temp_directory (const char *basename) ++{ ++ char *base = create_temp_directory_internal (basename, true); ++ xchdir (base); ++ ++ initialize_toolong (base); ++ ++ size_t sz = strlen (toolong_subdir); ++ ++ /* Create directories and descend into them so that the final path is larger ++ than PATH_MAX. */ ++ for (size_t i = 0; i <= toolong_path_max / sz; i++) ++ { ++ int ret = mkdir (toolong_subdir, S_IRWXU); ++ if (ret != 0 && errno == ENAMETOOLONG) ++ FAIL_UNSUPPORTED ("Filesystem does not support creating too long " ++ "directory trees\n"); ++ else if (ret != 0) ++ FAIL_EXIT1 ("Failed to create directory tree: %m\n"); ++ xchdir (toolong_subdir); ++ } ++ return base; ++} + + void +-support_set_test_dir (const char *path) ++support_chdir_toolong_temp_directory (const char *base) + { +- test_dir = path; ++ ensure_toolong_initialized (); ++ ++ xchdir (base); ++ ++ size_t sz = strlen (toolong_subdir); ++ for (size_t i = 0; i <= toolong_path_max / sz; i++) ++ xchdir (toolong_subdir); ++} ++ ++/* Helper functions called by the test skeleton follow. 
*/ ++ ++static void ++remove_toolong_subdirs (const char *base) ++{ ++ ensure_toolong_initialized (); ++ ++ if (chdir (base) != 0) ++ { ++ printf ("warning: toolong cleanup base failed: chdir (\"%s\"): %m\n", ++ base); ++ return; ++ } ++ ++ /* Descend. */ ++ int levels = 0; ++ size_t sz = strlen (toolong_subdir); ++ for (levels = 0; levels <= toolong_path_max / sz; levels++) ++ if (chdir (toolong_subdir) != 0) ++ { ++ printf ("warning: toolong cleanup failed: chdir (\"%s\"): %m\n", ++ toolong_subdir); ++ break; ++ } ++ ++ /* Ascend and remove. */ ++ while (--levels >= 0) ++ { ++ if (chdir ("..") != 0) ++ { ++ printf ("warning: toolong cleanup failed: chdir (\"..\"): %m\n"); ++ return; ++ } ++ if (remove (toolong_subdir) != 0) ++ { ++ printf ("warning: could not remove subdirectory: %s: %m\n", ++ toolong_subdir); ++ return; ++ } ++ } + } + + void +@@ -123,6 +255,9 @@ support_delete_temp_files (void) + around, to prevent PID reuse.) */ + if (temp_name_list->owner == pid) + { ++ if (temp_name_list->toolong) ++ remove_toolong_subdirs (temp_name_list->name); ++ + if (remove (temp_name_list->name) != 0) + printf ("warning: could not remove temporary file: %s: %m\n", + temp_name_list->name); +@@ -147,3 +282,9 @@ support_print_temp_files (FILE *f) + fprintf (f, ")\n"); + } + } ++ ++void ++support_set_test_dir (const char *path) ++{ ++ test_dir = path; ++} +diff --git a/support/temp_file.h b/support/temp_file.h +index 50a443abe4..8459ddda72 100644 +--- a/support/temp_file.h ++++ b/support/temp_file.h +@@ -44,6 +44,15 @@ int create_temp_file_in_dir (const char + returns. The caller should free this string. */ + char *support_create_temp_directory (const char *base); + ++/* Create a temporary directory tree that is longer than PATH_MAX and schedule ++ it for deletion. BASENAME is used as a prefix for the unique directory ++ name, which the function returns. The caller should free this string. 
*/ ++char *support_create_and_chdir_toolong_temp_directory (const char *basename); ++ ++/* Change into the innermost directory of the directory tree BASE, which was ++ created using support_create_and_chdir_toolong_temp_directory. */ ++void support_chdir_toolong_temp_directory (const char *base); ++ + __END_DECLS + + #endif /* SUPPORT_TEMP_FILE_H */ diff --git a/poky/meta/recipes-core/glibc/glibc/0001-CVE-2021-3999.patch b/poky/meta/recipes-core/glibc/glibc/0001-CVE-2021-3999.patch new file mode 100644 index 0000000000..64749390b5 --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/0001-CVE-2021-3999.patch @@ -0,0 +1,36 @@ +From 8c8a71c85f2ed5cc90d08d82ce645513fc907cb6 Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar +Date: Mon, 24 Jan 2022 10:57:09 +0530 +Subject: [PATCH] tst-realpath-toolong: Fix hurd build + +Define PATH_MAX to a constant if it isn't already defined, like in hurd. + +Signed-off-by: Siddhesh Poyarekar +(cherry picked from commit 976db046bc3a3738f69255ae00b0a09b8e77fd9c) + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=8c8a71c85f2ed5cc90d08d82ce645513fc907cb6] +CVE: CVE-2021-3999 + +Signed-off-by: Pgowda +--- + stdlib/tst-realpath-toolong.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/stdlib/tst-realpath-toolong.c b/stdlib/tst-realpath-toolong.c +index 8bed772460..4388890294 100644 +--- a/stdlib/tst-realpath-toolong.c ++++ b/stdlib/tst-realpath-toolong.c +@@ -29,6 +29,10 @@ + + #define BASENAME "tst-realpath-toolong." + ++#ifndef PATH_MAX ++# define PATH_MAX 1024 ++#endif ++ + int + do_test (void) + { +-- +2.27.0 + diff --git a/poky/meta/recipes-core/glibc/glibc/0001-CVE-2022-23218.patch b/poky/meta/recipes-core/glibc/glibc/0001-CVE-2022-23218.patch new file mode 100644 index 0000000000..4eb1fb7fbe --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/0001-CVE-2022-23218.patch 
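Review bot: The added 0001-CVE-2021-3999.patch is tagged `CVE: CVE-2021-3999`, yet its only change is a `PATH_MAX` fallback in the test file stdlib/tst-realpath-toolong.c, so the trailer records a test build fix as a CVE fix. The functional change is presumably in 0002-CVE-2021-3999.patch (357 lines in the diffstat); a header line such as `Test-only build fix, prerequisite for the series` would stop this file being read as the remediation. It also modifies an existing tst-realpath-toolong.c (`index 8bed772460..4388890294`), so it applies only after whichever patch creates that test, which is outside this view; the SRC_URI order in glibc_2.34.bb has to reflect that.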
@@ -0,0 +1,178 @@ +From e368b12f6c16b6888dda99ba641e999b9c9643c8 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 17 Jan 2022 10:21:34 +0100 +Subject: [PATCH] socket: Add the __sockaddr_un_set function + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=e368b12f6c16b6888dda99ba641e999b9c9643c8] +CVE: CVE-2022-23219 + +Reviewed-by: Siddhesh Poyarekar +Signed-off-by: Pgowda +--- + include/sys/un.h | 12 +++++++ + socket/Makefile | 6 +++- + socket/sockaddr_un_set.c | 41 ++++++++++++++++++++++++ + socket/tst-sockaddr_un_set.c | 62 ++++++++++++++++++++++++++++++++++++ + 4 files changed, 120 insertions(+), 1 deletion(-) + create mode 100644 socket/sockaddr_un_set.c + create mode 100644 socket/tst-sockaddr_un_set.c + +diff --git a/include/sys/un.h b/include/sys/un.h +index bdbee99980..152afd9fc7 100644 +--- a/include/sys/un.h ++++ b/include/sys/un.h +@@ -1 +1,13 @@ + #include ++ ++#ifndef _ISOMAC ++ ++/* Set ADDR->sun_family to AF_UNIX and ADDR->sun_path to PATHNAME. ++ Return 0 on success or -1 on failure (due to overlong PATHNAME). ++ The caller should always use sizeof (struct sockaddr_un) as the ++ socket address length, disregaring the length of PATHNAME. ++ Only concrete (non-abstract) pathnames are supported. 
*/ ++int __sockaddr_un_set (struct sockaddr_un *addr, const char *pathname) ++ attribute_hidden; ++ ++#endif /* _ISOMAC */ +diff --git a/socket/Makefile b/socket/Makefile +index 39333e10ca..156eec6c85 100644 +--- a/socket/Makefile ++++ b/socket/Makefile +@@ -29,13 +29,17 @@ headers := sys/socket.h sys/un.h bits/sockaddr.h bits/socket.h \ + routines := accept bind connect getpeername getsockname getsockopt \ + listen recv recvfrom recvmsg send sendmsg sendto \ + setsockopt shutdown socket socketpair isfdtype opensock \ +- sockatmark accept4 recvmmsg sendmmsg ++ sockatmark accept4 recvmmsg sendmmsg sockaddr_un_set + + tests := \ + tst-accept4 \ + tst-sockopt \ + # tests + ++tests-internal := \ ++ tst-sockaddr_un_set \ ++ # tests-internal ++ + tests-time64 := \ + tst-sockopt-time64 \ + # tests +diff --git a/socket/sockaddr_un_set.c b/socket/sockaddr_un_set.c +new file mode 100644 +index 0000000000..0bd40dc34e +--- /dev/null ++++ b/socket/sockaddr_un_set.c +@@ -0,0 +1,41 @@ ++/* Set the sun_path member of struct sockaddr_un. ++ Copyright (C) 2022 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . 
*/ ++ ++#include ++#include ++#include ++#include ++ ++int ++__sockaddr_un_set (struct sockaddr_un *addr, const char *pathname) ++{ ++ size_t name_length = strlen (pathname); ++ ++ /* The kernel supports names of exactly sizeof (addr->sun_path) ++ bytes, without a null terminator, but userspace does not; see the ++ SUN_LEN macro. */ ++ if (name_length >= sizeof (addr->sun_path)) ++ { ++ __set_errno (EINVAL); /* Error code used by the kernel. */ ++ return -1; ++ } ++ ++ addr->sun_family = AF_UNIX; ++ memcpy (addr->sun_path, pathname, name_length + 1); ++ return 0; ++} +diff --git a/socket/tst-sockaddr_un_set.c b/socket/tst-sockaddr_un_set.c +new file mode 100644 +index 0000000000..29c2a81afd +--- /dev/null ++++ b/socket/tst-sockaddr_un_set.c +@@ -0,0 +1,62 @@ ++/* Test the __sockaddr_un_set function. ++ Copyright (C) 2022 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++/* Re-compile the function because the version in libc is not ++ exported. 
*/ ++#include "sockaddr_un_set.c" ++ ++#include ++ ++static int ++do_test (void) ++{ ++ struct sockaddr_un sun; ++ ++ memset (&sun, 0xcc, sizeof (sun)); ++ __sockaddr_un_set (&sun, ""); ++ TEST_COMPARE (sun.sun_family, AF_UNIX); ++ TEST_COMPARE (__sockaddr_un_set (&sun, ""), 0); ++ ++ memset (&sun, 0xcc, sizeof (sun)); ++ TEST_COMPARE (__sockaddr_un_set (&sun, "/example"), 0); ++ TEST_COMPARE_STRING (sun.sun_path, "/example"); ++ ++ { ++ char pathname[108]; /* Length of sun_path (ABI constant). */ ++ memset (pathname, 'x', sizeof (pathname)); ++ pathname[sizeof (pathname) - 1] = '\0'; ++ memset (&sun, 0xcc, sizeof (sun)); ++ TEST_COMPARE (__sockaddr_un_set (&sun, pathname), 0); ++ TEST_COMPARE (sun.sun_family, AF_UNIX); ++ TEST_COMPARE_STRING (sun.sun_path, pathname); ++ } ++ ++ { ++ char pathname[109]; ++ memset (pathname, 'x', sizeof (pathname)); ++ pathname[sizeof (pathname) - 1] = '\0'; ++ memset (&sun, 0xcc, sizeof (sun)); ++ errno = 0; ++ TEST_COMPARE (__sockaddr_un_set (&sun, pathname), -1); ++ TEST_COMPARE (errno, EINVAL); ++ } ++ ++ return 0; ++} ++ ++#include +-- +2.27.0 + diff --git a/poky/meta/recipes-core/glibc/glibc/0001-CVE-2022-23219.patch b/poky/meta/recipes-core/glibc/glibc/0001-CVE-2022-23219.patch new file mode 100644 index 0000000000..261c2909db --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/0001-CVE-2022-23219.patch 
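Review bot: The header of this added patch carries `CVE: CVE-2022-23219`, while the file is named 0001-CVE-2022-23218.patch and sits next to a separate 0001-CVE-2022-23219.patch. The backported commit only adds the `__sockaddr_un_set` helper and its test, so it looks like a shared prerequisite rather than the fix for either CVE. As it stands, anyone auditing the fixes by trailer finds two patches claiming 23219 and has to guess which file covers 23218. Use `CVE: CVE-2022-23218` to match the file name, or `CVE: CVE-2022-23218 CVE-2022-23219` if the helper is meant to be recorded against both.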
@@ -0,0 +1,55 @@ +From 226b46770c82899b555986583294b049c6ec9b40 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 17 Jan 2022 10:21:34 +0100 +Subject: [PATCH] CVE-2022-23219: Buffer overflow in sunrpc clnt_create for + "unix" (bug 22542) + +Processing an overlong pathname in the sunrpc clnt_create function +results in a stack-based buffer overflow. + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=226b46770c82899b555986583294b049c6ec9b40] +CVE: CVE-2022-23219 + +Reviewed-by: Siddhesh Poyarekar +Signed-off-by: Pgowda +--- + NEWS | 4 +++- + sunrpc/clnt_gen.c | 10 +++++++--- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/NEWS b/NEWS +index ddd95a8329..38a9ddb2cf 100644 +--- a/NEWS ++++ b/NEWS +@@ -206,6 +206,10 @@ Security related changes: + CVE-2022-23218: Passing an overlong file name to the svcunix_create + legacy function could result in a stack-based buffer overflow. + ++ CVE-2022-23219: Passing an overlong file name to the clnt_create ++ legacy function could result in a stack-based buffer overflow when ++ using the "unix" protocol. Reported by Martin Sebor. ++ + The following bugs are resolved with this release: + + [4737] libc: fork is not async-signal-safe +diff --git a/sunrpc/clnt_gen.c b/sunrpc/clnt_gen.c +index 13ced8994e..b44357cd88 100644 +--- a/sunrpc/clnt_gen.c ++++ b/sunrpc/clnt_gen.c +@@ -57,9 +57,13 @@ clnt_create (const char *hostname, u_lon + + if (strcmp (proto, "unix") == 0) + { +- memset ((char *)&sun, 0, sizeof (sun)); +- sun.sun_family = AF_UNIX; +- strcpy (sun.sun_path, hostname); ++ if (__sockaddr_un_set (&sun, hostname) < 0) ++ { ++ struct rpc_createerr *ce = &get_rpc_createerr (); ++ ce->cf_stat = RPC_SYSTEMERROR; ++ ce->cf_error.re_errno = errno; ++ return NULL; ++ } + sock = RPC_ANYSOCK; + client = clntunix_create (&sun, prog, vers, &sock, 0, 0); + if (client == NULL) 
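Review bot: The clnt_gen.c hunk removes `memset ((char *)&sun, 0, sizeof (sun));`, so most of `sun` is uninitialised stack when it reaches `clntunix_create`. The `__sockaddr_un_set` helper shown earlier on the page writes only `sun_family` and `name_length + 1` bytes of `sun_path`. The same pattern is easier to see in the svc_unix.c hunk of 0002-CVE-2022-23218.patch: `memset (&addr, '\0', sizeof (addr));` is removed while `socklen_t len = sizeof (addr);` now goes to `__bind`, so for an empty `path` the whole, partly uninitialised `sun_path` is presumably submitted as the address. Keeping the zeroing ahead of the helper call closes this without touching the new length check: `memset (&sun, 0, sizeof (sun));` before `if (__sockaddr_un_set (&sun, hostname) < 0)`, and likewise for `addr` in svcunix_create. How clntunix_create derives the address length is outside the hunk, so the client-side impact is unconfirmed, and both function bodies continue outside their hunks.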
diff --git a/poky/meta/recipes-core/glibc/glibc/0002-CVE-2021-3998.patch b/poky/meta/recipes-core/glibc/glibc/0002-CVE-2021-3998.patch
new file mode 100644
index 0000000000..0a4c34452d
--- /dev/null
+++ b/poky/meta/recipes-core/glibc/glibc/0002-CVE-2021-3998.patch
@@ -0,0 +1,138 @@ +From f7a79879c0b2bef0dadd6caaaeeb0d26423e04e5 Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar +Date: Thu, 13 Jan 2022 11:28:36 +0530 +Subject: [PATCH] realpath: Set errno to ENAMETOOLONG for result larger than + PATH_MAX [BZ #28770] + +realpath returns an allocated string when the result exceeds PATH_MAX, +which is unexpected when its second argument is not NULL. This results +in the second argument (resolved) being uninitialized and also results +in a memory leak since the caller expects resolved to be the same as the +returned value. + +Return NULL and set errno to ENAMETOOLONG if the result exceeds +PATH_MAX. This fixes [BZ #28770], which is CVE-2021-3998. + +Reviewed-by: Adhemerval Zanella +Signed-off-by: Siddhesh Poyarekar +(cherry picked from commit ee8d5e33adb284601c00c94687bc907e10aec9bb) + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=f7a79879c0b2bef0dadd6caaaeeb0d26423e04e5] +CVE: CVE-2021-3998 + +Signed-off-by: Pgowda +--- + NEWS | 4 +++ + stdlib/Makefile | 1 + + stdlib/canonicalize.c | 12 +++++++-- + stdlib/tst-realpath-toolong.c | 49 +++++++++++++++++++++++++++++++++++ + 4 files changed, 64 insertions(+), 2 deletions(-) + create mode 100644 stdlib/tst-realpath-toolong.c + +diff --git a/NEWS b/NEWS +index 7e773bd005..b4f81c2668 100644 +--- a/NEWS ++++ b/NEWS +@@ -210,6 +210,10 @@ Security related changes: + legacy function could result in a stack-based buffer overflow when + using the "unix" protocol. Reported by Martin Sebor. + ++ CVE-2021-3998: Passing a path longer than PATH_MAX to the realpath ++ function could result in a memory leak and potential access of ++ uninitialized memory. Reported by Qualys. 
++ + The following bugs are resolved with this release: + + [4737] libc: fork is not async-signal-safe +diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c +index 698f9ede25..7a23a51b3a 100644 +--- a/stdlib/canonicalize.c ++++ b/stdlib/canonicalize.c +@@ -400,8 +400,16 @@ realpath_stk (const char *name, char *re + + error: + *dest++ = '\0'; +- if (resolved != NULL && dest - rname <= get_path_max ()) +- rname = strcpy (resolved, rname); ++ if (resolved != NULL) ++ { ++ if (dest - rname <= get_path_max ()) ++ rname = strcpy (resolved, rname); ++ else ++ { ++ failed = true; ++ __set_errno (ENAMETOOLONG); ++ } ++ } + + error_nomem: + scratch_buffer_free (&extra_buffer); +diff --git a/stdlib/Makefile b/stdlib/Makefile +index 9bb5c221e8..a4ac30d1f6 100644 +--- a/stdlib/Makefile ++++ b/stdlib/Makefile +@@ -88,7 +88,8 @@ tests := tst-strtol tst-strtod testmb t + tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ + tst-setcontext6 tst-setcontext7 tst-setcontext8 \ + tst-setcontext9 tst-bz20544 tst-canon-bz26341 \ +- tst-realpath ++ tst-realpath \ ++ tst-realpath-toolong + + tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \ + tst-tls-atexit tst-tls-atexit-nodelete +diff --git a/stdlib/tst-realpath-toolong.c b/stdlib/tst-realpath-toolong.c +new file mode 100644 +index 0000000000..8bed772460 +--- /dev/null ++++ b/stdlib/tst-realpath-toolong.c +@@ -0,0 +1,49 @@ ++/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds ++ NAME_MAX. ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. 
++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#define BASENAME "tst-realpath-toolong." ++ ++int ++do_test (void) ++{ ++ char *base = support_create_and_chdir_toolong_temp_directory (BASENAME); ++ ++ char buf[PATH_MAX + 1]; ++ const char *res = realpath (".", buf); ++ ++ /* canonicalize.c states that if the real path is >= PATH_MAX, then ++ realpath returns NULL and sets ENAMETOOLONG. */ ++ TEST_VERIFY (res == NULL); ++ TEST_VERIFY (errno == ENAMETOOLONG); ++ ++ free (base); ++ return 0; ++} ++ ++#include diff --git a/poky/meta/recipes-core/glibc/glibc/0002-CVE-2021-3999.patch b/poky/meta/recipes-core/glibc/glibc/0002-CVE-2021-3999.patch new file mode 100644 index 0000000000..ef3a504fdf --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/0002-CVE-2021-3999.patch 
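Review bot: The header comment of the new stdlib/tst-realpath-toolong.c says the result "exceeds NAME_MAX", but the canonicalize.c hunk compares against `get_path_max ()` and the commit message and NEWS entry both speak of PATH_MAX. The comment should read `/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds PATH_MAX.`. The test also checks `errno == ENAMETOOLONG` without clearing errno first, unlike the two sunrpc tests added in this series, so a value left over from the directory-setup helper could in principle satisfy it. Adding `errno = 0;` before `realpath (".", buf)` ties the assertion to the call under test.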
@@ -0,0 +1,357 @@ +From 472e799a5f2102bc0c3206dbd5a801765fceb39c Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar +Date: Fri, 21 Jan 2022 23:32:56 +0530 +Subject: [PATCH] getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999) + +No valid path returned by getcwd would fit into 1 byte, so reject the +size early and return NULL with errno set to ERANGE. This change is +prompted by CVE-2021-3999, which describes a single byte buffer +underflow and overflow when all of the following conditions are met: + +- The buffer size (i.e. the second argument of getcwd) is 1 byte +- The current working directory is too long +- '/' is also mounted on the current working directory + +Sequence of events: + +- In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG + because the linux kernel checks for name length before it checks + buffer size + +- The code falls back to the generic getcwd in sysdeps/posix + +- In the generic func, the buf[0] is set to '\0' on line 250 + +- this while loop on line 262 is bypassed: + + while (!(thisdev == rootdev && thisino == rootino)) + + since the rootfs (/) is bind mounted onto the directory and the flow + goes on to line 449, where it puts a '/' in the byte before the + buffer. + +- Finally on line 458, it moves 2 bytes (the underflowed byte and the + '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow. + +- buf is returned on line 469 and errno is not set. + +This resolves BZ #28769. 
+ +Reviewed-by: Andreas Schwab +Reviewed-by: Adhemerval Zanella +Signed-off-by: Qualys Security Advisory +Signed-off-by: Siddhesh Poyarekar +(cherry picked from commit 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e) + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=472e799a5f2102bc0c3206dbd5a801765fceb39c] +CVE: CVE-2021-3999 + +Signed-off-by: Pgowda +--- + NEWS | 6 + + sysdeps/posix/getcwd.c | 7 + + sysdeps/unix/sysv/linux/Makefile | 7 +- + .../unix/sysv/linux/tst-getcwd-smallbuff.c | 241 ++++++++++++++++++ + 4 files changed, 260 insertions(+), 1 deletion(-) + create mode 100644 sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c + +diff --git a/NEWS b/NEWS +index b4f81c2668..8d7467d2c1 100644 +--- a/NEWS ++++ b/NEWS +@@ -214,6 +214,12 @@ Security related changes: + function could result in a memory leak and potential access of + uninitialized memory. Reported by Qualys. + ++ CVE-2021-3999: Passing a buffer of size exactly 1 byte to the getcwd ++ function may result in an off-by-one buffer underflow and overflow ++ when the current working directory is longer than PATH_MAX and also ++ corresponds to the / directory through an unprivileged mount ++ namespace. Reported by Qualys. ++ + The following bugs are resolved with this release: + + [4737] libc: fork is not async-signal-safe +diff --git a/sysdeps/posix/getcwd.c b/sysdeps/posix/getcwd.c +index 13680026ff..b6984a382c 100644 +--- a/sysdeps/posix/getcwd.c ++++ b/sysdeps/posix/getcwd.c +@@ -187,6 +187,13 @@ __getcwd_generic (char *buf, size_t size + size_t allocated = size; + size_t used; + ++ /* A size of 1 byte is never useful. 
*/ ++ if (allocated == 1) ++ { ++ __set_errno (ERANGE); ++ return NULL; ++ } ++ + #if HAVE_MINIMALLY_WORKING_GETCWD + /* If AT_FDCWD is not defined, the algorithm below is O(N**2) and + this is much slower than the system getcwd (at least on +diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile +index 76ad06361c..9380d3848d 100644 +--- a/sysdeps/unix/sysv/linux/Makefile ++++ b/sysdeps/unix/sysv/linux/Makefile +@@ -331,7 +331,12 @@ sysdep_routines += xstatconv internal_st + + sysdep_headers += bits/fcntl-linux.h + +-tests += tst-fallocate tst-fallocate64 tst-o_path-locks ++tests += \ ++ tst-fallocate \ ++ tst-fallocate64 \ ++ tst-getcwd-smallbuff \ ++ tst-o_path-locks \ ++# tests + endif + + ifeq ($(subdir),elf) +diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c +new file mode 100644 +index 0000000000..d460d6e766 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c +@@ -0,0 +1,241 @@ ++/* Verify that getcwd returns ERANGE for size 1 byte and does not underflow ++ buffer when the CWD is too long and is also a mount target of /. See bug ++ #28769 or CVE-2021-3999 for more context. ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . 
*/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static char *base; ++#define BASENAME "tst-getcwd-smallbuff" ++#define MOUNT_NAME "mpoint" ++static int sockfd[2]; ++ ++static void ++do_cleanup (void) ++{ ++ support_chdir_toolong_temp_directory (base); ++ TEST_VERIFY_EXIT (rmdir (MOUNT_NAME) == 0); ++ free (base); ++} ++ ++static void ++send_fd (const int sock, const int fd) ++{ ++ struct msghdr msg = {0}; ++ union ++ { ++ struct cmsghdr hdr; ++ char buf[CMSG_SPACE (sizeof (int))]; ++ } cmsgbuf = {0}; ++ struct cmsghdr *cmsg; ++ struct iovec vec; ++ char ch = 'A'; ++ ssize_t n; ++ ++ msg.msg_control = &cmsgbuf.buf; ++ msg.msg_controllen = sizeof (cmsgbuf.buf); ++ ++ cmsg = CMSG_FIRSTHDR (&msg); ++ cmsg->cmsg_len = CMSG_LEN (sizeof (int)); ++ cmsg->cmsg_level = SOL_SOCKET; ++ cmsg->cmsg_type = SCM_RIGHTS; ++ memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd)); ++ ++ vec.iov_base = &ch; ++ vec.iov_len = 1; ++ msg.msg_iov = &vec; ++ msg.msg_iovlen = 1; ++ ++ while ((n = sendmsg (sock, &msg, 0)) == -1 && errno == EINTR); ++ ++ TEST_VERIFY_EXIT (n == 1); ++} ++ ++static int ++recv_fd (const int sock) ++{ ++ struct msghdr msg = {0}; ++ union ++ { ++ struct cmsghdr hdr; ++ char buf[CMSG_SPACE(sizeof(int))]; ++ } cmsgbuf = {0}; ++ struct cmsghdr *cmsg; ++ struct iovec vec; ++ ssize_t n; ++ char ch = '\0'; ++ int fd = -1; ++ ++ vec.iov_base = &ch; ++ vec.iov_len = 1; ++ msg.msg_iov = &vec; ++ msg.msg_iovlen = 1; ++ ++ msg.msg_control = &cmsgbuf.buf; ++ msg.msg_controllen = sizeof (cmsgbuf.buf); ++ ++ while ((n = recvmsg (sock, &msg, 0)) == -1 && errno == EINTR); ++ if (n != 1 || ch != 'A') ++ return -1; ++ ++ cmsg = CMSG_FIRSTHDR (&msg); ++ if (cmsg == NULL) ++ return -1; ++ if (cmsg->cmsg_type != SCM_RIGHTS) ++ return -1; ++ memcpy (&fd, CMSG_DATA (cmsg), sizeof (fd)); ++ if (fd < 0) ++ return -1; ++ return fd; ++} ++ ++static int 
++child_func (void * const arg) ++{ ++ xclose (sockfd[0]); ++ const int sock = sockfd[1]; ++ char ch; ++ ++ TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1); ++ TEST_VERIFY_EXIT (ch == '1'); ++ ++ if (mount ("/", MOUNT_NAME, NULL, MS_BIND | MS_REC, NULL)) ++ FAIL_EXIT1 ("mount failed: %m\n"); ++ const int fd = xopen ("mpoint", ++ O_RDONLY | O_PATH | O_DIRECTORY | O_NOFOLLOW, 0); ++ ++ send_fd (sock, fd); ++ xclose (fd); ++ ++ TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1); ++ TEST_VERIFY_EXIT (ch == 'a'); ++ ++ xclose (sock); ++ return 0; ++} ++ ++static void ++update_map (char * const mapping, const char * const map_file) ++{ ++ const size_t map_len = strlen (mapping); ++ ++ const int fd = xopen (map_file, O_WRONLY, 0); ++ xwrite (fd, mapping, map_len); ++ xclose (fd); ++} ++ ++static void ++proc_setgroups_write (const long child_pid, const char * const str) ++{ ++ const size_t str_len = strlen(str); ++ ++ char setgroups_path[sizeof ("/proc//setgroups") + INT_STRLEN_BOUND (long)]; ++ ++ snprintf (setgroups_path, sizeof (setgroups_path), ++ "/proc/%ld/setgroups", child_pid); ++ ++ const int fd = open (setgroups_path, O_WRONLY); ++ ++ if (fd < 0) ++ { ++ TEST_VERIFY_EXIT (errno == ENOENT); ++ FAIL_UNSUPPORTED ("/proc/%ld/setgroups not found\n", child_pid); ++ } ++ ++ xwrite (fd, str, str_len); ++ xclose(fd); ++} ++ ++static char child_stack[1024 * 1024]; ++ ++int ++do_test (void) ++{ ++ base = support_create_and_chdir_toolong_temp_directory (BASENAME); ++ ++ xmkdir (MOUNT_NAME, S_IRWXU); ++ atexit (do_cleanup); ++ ++ TEST_VERIFY_EXIT (socketpair (AF_UNIX, SOCK_STREAM, 0, sockfd) == 0); ++ pid_t child_pid = xclone (child_func, NULL, child_stack, ++ sizeof (child_stack), ++ CLONE_NEWUSER | CLONE_NEWNS | SIGCHLD); ++ ++ xclose (sockfd[1]); ++ const int sock = sockfd[0]; ++ ++ char map_path[sizeof ("/proc//uid_map") + INT_STRLEN_BOUND (long)]; ++ char map_buf[sizeof ("0 1") + INT_STRLEN_BOUND (long)]; ++ ++ snprintf (map_path, sizeof (map_path), "/proc/%ld/uid_map", ++ (long) 
child_pid); ++ snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getuid()); ++ update_map (map_buf, map_path); ++ ++ proc_setgroups_write ((long) child_pid, "deny"); ++ snprintf (map_path, sizeof (map_path), "/proc/%ld/gid_map", ++ (long) child_pid); ++ snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getgid()); ++ update_map (map_buf, map_path); ++ ++ TEST_VERIFY_EXIT (send (sock, "1", 1, MSG_NOSIGNAL) == 1); ++ const int fd = recv_fd (sock); ++ TEST_VERIFY_EXIT (fd >= 0); ++ TEST_VERIFY_EXIT (fchdir (fd) == 0); ++ ++ static char buf[2 * 10 + 1]; ++ memset (buf, 'A', sizeof (buf)); ++ ++ /* Finally, call getcwd and check if it resulted in a buffer underflow. */ ++ char * cwd = getcwd (buf + sizeof (buf) / 2, 1); ++ TEST_VERIFY (cwd == NULL); ++ TEST_VERIFY (errno == ERANGE); ++ ++ for (int i = 0; i < sizeof (buf); i++) ++ if (buf[i] != 'A') ++ { ++ printf ("buf[%d] = %02x\n", i, (unsigned int) buf[i]); ++ support_record_failure (); ++ } ++ ++ TEST_VERIFY_EXIT (send (sock, "a", 1, MSG_NOSIGNAL) == 1); ++ xclose (sock); ++ TEST_VERIFY_EXIT (xwaitpid (child_pid, NULL, 0) == child_pid); ++ ++ return 0; ++} ++ ++#define CLEANUP_HANDLER do_cleanup ++#include diff --git a/poky/meta/recipes-core/glibc/glibc/0002-CVE-2022-23218.patch b/poky/meta/recipes-core/glibc/glibc/0002-CVE-2022-23218.patch new file mode 100644 index 0000000000..00fb3266c6 --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/0002-CVE-2022-23218.patch 
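Review bot: The new tst-getcwd-smallbuff.c calls `xclone` with `CLONE_NEWUSER | CLONE_NEWNS` in do_test without first checking that unprivileged user and mount namespaces are available, so on hardened build hosts or container runtimes that disable them the test would presumably fail rather than report unsupported. Only a missing `/proc/%ld/setgroups` is mapped to `FAIL_UNSUPPORTED`; a refused `mount` in child_func goes to `FAIL_EXIT1`, and how `xclone` reports a refused clone is not visible here. At minimum a comment above the clone such as `/* Requires unprivileged user and mount namespaces; hosts that disable them cannot run this test. */` would save triage time, and a probe that exits as unsupported would be better. Separately, child_func opens the literal `"mpoint"` while the mount call just before it uses `MOUNT_NAME`; using the macro in both places keeps them from drifting.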
@@ -0,0 +1,126 @@ +From f545ad4928fa1f27a3075265182b38a4f939a5f7 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 17 Jan 2022 10:21:34 +0100 +Subject: [PATCH] CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug + 28768) + +The sunrpc function svcunix_create suffers from a stack-based buffer +overflow with overlong pathname arguments. + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=f545ad4928fa1f27a3075265182b38a4f939a5f7] +CVE: CVE-2022-23218 + +Reviewed-by: Siddhesh Poyarekar +Signed-off-by: Pgowda +--- + NEWS | 3 +++ + sunrpc/Makefile | 2 +- + sunrpc/svc_unix.c | 11 ++++------- + sunrpc/tst-bug28768.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 50 insertions(+), 8 deletions(-) + create mode 100644 sunrpc/tst-bug28768.c + +diff --git a/NEWS b/NEWS +index 38a9ddb2cf..38802f0673 100644 +--- a/NEWS ++++ b/NEWS +@@ -203,6 +203,9 @@ Security related changes: + parameter number when processing the expansion resulting in a crash. + Reported by Philippe Antoine. + ++ CVE-2022-23218: Passing an overlong file name to the svcunix_create ++ legacy function could result in a stack-based buffer overflow. 
++ + The following bugs are resolved with this release: + + [4737] libc: fork is not async-signal-safe +diff --git a/sunrpc/Makefile b/sunrpc/Makefile +index 183ef3dc55..a79a7195fc 100644 +--- a/sunrpc/Makefile ++++ b/sunrpc/Makefile +@@ -65,7 +65,7 @@ shared-only-routines = $(routines) + endif + + tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ +- tst-udp-nonblocking ++ tst-udp-nonblocking tst-bug28768 + xtests := tst-getmyaddr + + ifeq ($(have-thread-library),yes) +diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c +index f2280b4c49..67177a2e78 100644 +--- a/sunrpc/svc_unix.c ++++ b/sunrpc/svc_unix.c +@@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize + SVCXPRT *xprt; + struct unix_rendezvous *r; + struct sockaddr_un addr; +- socklen_t len = sizeof (struct sockaddr_in); ++ socklen_t len = sizeof (addr); ++ ++ if (__sockaddr_un_set (&addr, path) < 0) ++ return NULL; + + if (sock == RPC_ANYSOCK) + { +@@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize + } + madesock = TRUE; + } +- memset (&addr, '\0', sizeof (addr)); +- addr.sun_family = AF_UNIX; +- len = strlen (path) + 1; +- memcpy (addr.sun_path, path, len); +- len += sizeof (addr.sun_family); +- + __bind (sock, (struct sockaddr *) &addr, len); + + if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0 +diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c +new file mode 100644 +index 0000000000..35a4b7b0b3 +--- /dev/null ++++ b/sunrpc/tst-bug28768.c +@@ -0,0 +1,42 @@ ++/* Test to verify that long path is rejected by svcunix_create (bug 28768). ++ Copyright (C) 2022 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. 
++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++/* svcunix_create does not have a default version in linkobj/libc.so. */ ++compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1); ++ ++static int ++do_test (void) ++{ ++ char pathname[109]; ++ memset (pathname, 'x', sizeof (pathname)); ++ pathname[sizeof (pathname) - 1] = '\0'; ++ ++ errno = 0; ++ TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL); ++ TEST_COMPARE (errno, EINVAL); ++ ++ return 0; ++} ++ ++#include diff --git a/poky/meta/recipes-core/glibc/glibc/0002-CVE-2022-23219.patch b/poky/meta/recipes-core/glibc/glibc/0002-CVE-2022-23219.patch new file mode 100644 index 0000000000..6779e9afdf --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/0002-CVE-2022-23219.patch 
@@ -0,0 +1,89 @@ +From ef972a4c50014a16132b5c75571cfb6b30bef136 Mon Sep 17 00:00:00 2001 +From: Martin Sebor +Date: Mon, 17 Jan 2022 10:21:34 +0100 +Subject: [PATCH] sunrpc: Test case for clnt_create "unix" buffer overflow (bug + 22542) + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=ef972a4c50014a16132b5c75571cfb6b30bef136] +CVE: CVE-2022-23219 + +Reviewed-by: Siddhesh Poyarekar +Signed-off-by: Pgowda +--- + sunrpc/Makefile | 5 ++++- + sunrpc/tst-bug22542.c | 44 +++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 48 insertions(+), 1 deletion(-) + create mode 100644 sunrpc/tst-bug22542.c + +diff --git a/sunrpc/Makefile b/sunrpc/Makefile +index 9a31fe48b9..183ef3dc55 100644 +--- a/sunrpc/Makefile ++++ b/sunrpc/Makefile +@@ -65,7 +65,7 @@ shared-only-routines = $(routines) + endif + + tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ +- tst-udp-nonblocking tst-bug28768 ++ tst-udp-nonblocking tst-bug22542 tst-bug28768 + xtests := tst-getmyaddr + + ifeq ($(have-thread-library),yes) +@@ -110,6 +110,8 @@ $(objpfx)tst-udp-nonblocking: $(common-o + $(objpfx)tst-udp-garbage: \ + $(common-objpfx)linkobj/libc.so $(shared-thread-library) + ++$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so ++ + else # !have-GLIBC_2.31 + + routines = $(routines-for-nss) +diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c +new file mode 100644 +index 0000000000..d6cd79787b +--- /dev/null ++++ b/sunrpc/tst-bug22542.c +@@ -0,0 +1,44 @@ ++/* Test to verify that overlong hostname is rejected by clnt_create ++ and doesn't cause a buffer overflow (bug 22542). ++ ++ Copyright (C) 2022 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. 
++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ /* Create an arbitrary hostname that's longer than fits in sun_path. */ ++ char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2]; ++ memset (name, 'x', sizeof name - 1); ++ name [sizeof name - 1] = '\0'; ++ ++ errno = 0; ++ CLIENT *clnt = clnt_create (name, 0, 0, "unix"); ++ ++ TEST_VERIFY (clnt == NULL); ++ TEST_COMPARE (errno, EINVAL); ++ return 0; ++} ++ ++#include diff --git a/poky/meta/recipes-core/glibc/glibc_2.34.bb b/poky/meta/recipes-core/glibc/glibc_2.34.bb index 7efc1ec1ef..6ceb677731 100644 --- a/poky/meta/recipes-core/glibc/glibc_2.34.bb +++ b/poky/meta/recipes-core/glibc/glibc_2.34.bb @@ -59,6 +59,14 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0002-CVE-2021-38604.patch \ file://0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ file://CVE-2021-43396.patch \ + file://0001-CVE-2022-23218.patch \ + file://0002-CVE-2022-23218.patch \ + file://0001-CVE-2022-23219.patch \ + file://0002-CVE-2022-23219.patch \ + file://0001-CVE-2021-3998.patch \ + file://0002-CVE-2021-3998.patch \ + file://0001-CVE-2021-3999.patch \ + file://0002-CVE-2021-3999.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}" diff --git a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 0a6a33b924..025ab5c66a 100644 --- a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb 
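Review bot: The new sunrpc/tst-bug22542.c asserts only on `errno`, although the clnt_gen.c hunk in 0001-CVE-2022-23219.patch reports the failure through the RPC create-error record (`ce->cf_stat = RPC_SYSTEMERROR` and `ce->cf_error.re_errno = errno`). Checking that record as well would pin the channel that clnt_create callers actually consult. If the record is reachable from this test's link setup, add `TEST_COMPARE (rpc_createerr.cf_stat, RPC_SYSTEMERROR);` and `TEST_COMPARE (rpc_createerr.cf_error.re_errno, EINVAL);` after the `clnt == NULL` check.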
@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk wic.vhd wic.vhdx" inherit core-image setuptools3 -SRCREV ?= "3837e8bb9faac630d1207b172eca5526946f2a59" +SRCREV ?= "3c5842ebfeab2404b15892ddd70f9b6e4f022ea2" SRC_URI = "git://git.yoctoproject.org/poky;branch=honister \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \ diff --git a/poky/meta/recipes-core/libxml/libxml2/0002-Work-around-lxml-API-abuse.patch b/poky/meta/recipes-core/libxml/libxml2/0002-Work-around-lxml-API-abuse.patch new file mode 100644 index 0000000000..f09ce9707a --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/0002-Work-around-lxml-API-abuse.patch 
@@ -0,0 +1,213 @@ +From 85b1792e37b131e7a51af98a37f92472e8de5f3f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 18 May 2021 20:08:28 +0200 +Subject: [PATCH] Work around lxml API abuse + +Make xmlNodeDumpOutput and htmlNodeDumpFormatOutput work with corrupted +parent pointers. This used to work with the old recursive code but the +non-recursive rewrite required parent pointers to be set correctly. + +Unfortunately, lxml relies on the old behavior and passes subtrees with +a corrupted structure. Fall back to a recursive function call if an +invalid parent pointer is detected. + +Fixes #255. + +Upstream-Status: Backport [85b1792e37b131e7a51af98a37f92472e8de5f3f] +--- + HTMLtree.c | 46 ++++++++++++++++++++++++++++------------------ + xmlsave.c | 31 +++++++++++++++++++++---------- + 2 files changed, 49 insertions(+), 28 deletions(-) + +diff --git a/HTMLtree.c b/HTMLtree.c +index 24434d45..bdd639c7 100644 +--- a/HTMLtree.c ++++ b/HTMLtree.c +@@ -744,7 +744,7 @@ void + htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, + xmlNodePtr cur, const char *encoding ATTRIBUTE_UNUSED, + int format) { +- xmlNodePtr root; ++ xmlNodePtr root, parent; + xmlAttrPtr attr; + const htmlElemDesc * info; + +@@ -755,6 +755,7 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, + } + + root = cur; ++ parent = cur->parent; + while (1) { + switch (cur->type) { + case XML_HTML_DOCUMENT_NODE: +@@ -762,13 +763,25 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, + if (((xmlDocPtr) cur)->intSubset != NULL) { + htmlDtdDumpOutput(buf, (xmlDocPtr) cur, NULL); + } +- if (cur->children != NULL) { ++ /* Always validate cur->parent when descending. */ ++ if ((cur->parent == parent) && (cur->children != NULL)) { ++ parent = cur; + cur = cur->children; + continue; + } + break; + + case XML_ELEMENT_NODE: ++ /* ++ * Some users like lxml are known to pass nodes with a corrupted ++ * tree structure. Fall back to a recursive call to handle this ++ * case. 
++ */ ++ if ((cur->parent != parent) && (cur->children != NULL)) { ++ htmlNodeDumpFormatOutput(buf, doc, cur, encoding, format); ++ break; ++ } ++ + /* + * Get specific HTML info for that node. + */ +@@ -817,6 +830,7 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, + (cur->name != NULL) && + (cur->name[0] != 'p')) /* p, pre, param */ + xmlOutputBufferWriteString(buf, "\n"); ++ parent = cur; + cur = cur->children; + continue; + } +@@ -825,9 +839,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, + (info != NULL) && (!info->isinline)) { + if ((cur->next->type != HTML_TEXT_NODE) && + (cur->next->type != HTML_ENTITY_REF_NODE) && +- (cur->parent != NULL) && +- (cur->parent->name != NULL) && +- (cur->parent->name[0] != 'p')) /* p, pre, param */ ++ (parent != NULL) && ++ (parent->name != NULL) && ++ (parent->name[0] != 'p')) /* p, pre, param */ + xmlOutputBufferWriteString(buf, "\n"); + } + +@@ -842,9 +856,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, + break; + if (((cur->name == (const xmlChar *)xmlStringText) || + (cur->name != (const xmlChar *)xmlStringTextNoenc)) && +- ((cur->parent == NULL) || +- ((xmlStrcasecmp(cur->parent->name, BAD_CAST "script")) && +- (xmlStrcasecmp(cur->parent->name, BAD_CAST "style"))))) { ++ ((parent == NULL) || ++ ((xmlStrcasecmp(parent->name, BAD_CAST "script")) && ++ (xmlStrcasecmp(parent->name, BAD_CAST "style"))))) { + xmlChar *buffer; + + buffer = xmlEncodeEntitiesReentrant(doc, cur->content); +@@ -902,13 +916,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, + break; + } + +- /* +- * The parent should never be NULL here but we want to handle +- * corrupted documents gracefully. +- */ +- if (cur->parent == NULL) +- return; +- cur = cur->parent; ++ cur = parent; ++ /* cur->parent was validated when descending. 
*/ ++ parent = cur->parent; + + if ((cur->type == XML_HTML_DOCUMENT_NODE) || + (cur->type == XML_DOCUMENT_NODE)) { +@@ -939,9 +949,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, + (cur->next != NULL)) { + if ((cur->next->type != HTML_TEXT_NODE) && + (cur->next->type != HTML_ENTITY_REF_NODE) && +- (cur->parent != NULL) && +- (cur->parent->name != NULL) && +- (cur->parent->name[0] != 'p')) /* p, pre, param */ ++ (parent != NULL) && ++ (parent->name != NULL) && ++ (parent->name[0] != 'p')) /* p, pre, param */ + xmlOutputBufferWriteString(buf, "\n"); + } + } +diff --git a/xmlsave.c b/xmlsave.c +index 61a40459..aedbd5e7 100644 +--- a/xmlsave.c ++++ b/xmlsave.c +@@ -847,7 +847,7 @@ htmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { + static void + xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { + int format = ctxt->format; +- xmlNodePtr tmp, root, unformattedNode = NULL; ++ xmlNodePtr tmp, root, unformattedNode = NULL, parent; + xmlAttrPtr attr; + xmlChar *start, *end; + xmlOutputBufferPtr buf; +@@ -856,6 +856,7 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { + buf = ctxt->buf; + + root = cur; ++ parent = cur->parent; + while (1) { + switch (cur->type) { + case XML_DOCUMENT_NODE: +@@ -868,7 +869,9 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { + break; + + case XML_DOCUMENT_FRAG_NODE: +- if (cur->children != NULL) { ++ /* Always validate cur->parent when descending. */ ++ if ((cur->parent == parent) && (cur->children != NULL)) { ++ parent = cur; + cur = cur->children; + continue; + } +@@ -887,7 +890,18 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { + break; + + case XML_ELEMENT_NODE: +- if ((cur != root) && (ctxt->format == 1) && (xmlIndentTreeOutput)) ++ /* ++ * Some users like lxml are known to pass nodes with a corrupted ++ * tree structure. Fall back to a recursive call to handle this ++ * case. 
++ */ ++ if ((cur->parent != parent) && (cur->children != NULL)) { ++ xmlNodeDumpOutputInternal(ctxt, cur); ++ break; ++ } ++ ++ if ((ctxt->level > 0) && (ctxt->format == 1) && ++ (xmlIndentTreeOutput)) + xmlOutputBufferWrite(buf, ctxt->indent_size * + (ctxt->level > ctxt->indent_nr ? + ctxt->indent_nr : ctxt->level), +@@ -942,6 +956,7 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { + xmlOutputBufferWrite(buf, 1, ">"); + if (ctxt->format == 1) xmlOutputBufferWrite(buf, 1, "\n"); + if (ctxt->level >= 0) ctxt->level++; ++ parent = cur; + cur = cur->children; + continue; + } +@@ -1058,13 +1073,9 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { + break; + } + +- /* +- * The parent should never be NULL here but we want to handle +- * corrupted documents gracefully. +- */ +- if (cur->parent == NULL) +- return; +- cur = cur->parent; ++ cur = parent; ++ /* cur->parent was validated when descending. */ ++ parent = cur->parent; + + if (cur->type == XML_ELEMENT_NODE) { + if (ctxt->level > 0) ctxt->level--; +-- +2.32.0 + diff --git a/poky/meta/recipes-core/libxml/libxml2_2.9.12.bb b/poky/meta/recipes-core/libxml/libxml2_2.9.12.bb index c387587dfd..a7939c9713 100644 --- a/poky/meta/recipes-core/libxml/libxml2_2.9.12.bb +++ b/poky/meta/recipes-core/libxml/libxml2_2.9.12.bb @@ -21,6 +21,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \ file://fix-execution-of-ptests.patch \ file://remove-fuzz-from-ptests.patch \ + file://0002-Work-around-lxml-API-abuse.patch \ " SRC_URI[libtar.sha256sum] = "c8d6681e38c56f172892c85ddc0852e1fd4b53b4209e7f4ebf17f7e2eae71d92" diff --git a/poky/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb b/poky/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb index 59fcd8c78a..413c9b9499 100644 --- a/poky/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb 
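Review bot: In the xmlsave.c hunk of the added libxml2 patch, the XML_ELEMENT_NODE indentation test changes from `cur != root` to `ctxt->level > 0`, so a caller that enters xmlNodeDumpOutputInternal with a non-zero level now gets leading indentation on the root element, which the old condition suppressed. The change appears to exist so that the recursive fallback indents its subtree. Writing the indent before the fallback check and restoring `if ((cur != root) && (ctxt->format == 1) && (xmlIndentTreeOutput))` would serve both cases, because the recursive call starts with `root == cur`; it is worth checking whether upstream carries a follow-up before shipping the backport as is. The fallback also reintroduces recursion: a tree whose parent pointers are inconsistent at every level would presumably recurse once per level, so stack depth again depends on the input. Both functions continue outside their hunks.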
+++ b/poky/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb @@ -150,7 +150,7 @@ do_install () { PACKAGES =+ "pybootchartgui" FILES:pybootchartgui += "${PYTHON_SITEPACKAGES_DIR}/pybootchartgui ${bindir}/pybootchartgui" -RDEPENDS:pybootchartgui = "python3-pycairo python3-compression python3-image python3-shell python3-compression python3-codecs" +RDEPENDS:pybootchartgui = "python3-pycairo python3-compression python3-image python3-math python3-shell python3-compression python3-codecs" RDEPENDS:${PN}:class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'sysvinit-pidof', 'procps', d)}" RDEPENDS:${PN}:class-target += "lsb-release" DEPENDS:append:class-native = " python3-pycairo-native" diff --git a/poky/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch b/poky/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch new file mode 100644 index 0000000000..f4e93d1065 --- /dev/null +++ b/poky/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch 
@@ -0,0 +1,97 @@ +Upstream-Status: Backport +CVE: CVE-2022-22707 +Signed-off-by: Ross Burton + +From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001 +From: povcfe +Date: Wed, 5 Jan 2022 11:11:09 +0000 +Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134) + +(thx povcfe) + +(edited: gstrauss) + +There is a potential remote denial of service in lighttpd mod_extforward +under specific, non-default and uncommon 32-bit lighttpd mod_extforward +configurations. + +Under specific, non-default and uncommon lighttpd mod_extforward +configurations, a remote attacker can trigger a 4-byte out-of-bounds +write of value '-1' to the stack. This is not believed to be exploitable +in any way beyond triggering a crash of the lighttpd server on systems +where the lighttpd server has been built 32-bit and with compiler flags +which enable a stack canary -- gcc/clang -fstack-protector-strong or +-fstack-protector-all, but bug not visible with only -fstack-protector. + +With standard lighttpd builds using -O2 optimization on 64-bit x86_64, +this bug has not been observed to cause adverse behavior, even with +gcc/clang -fstack-protector-strong. + +For the bug to be reachable, the user must be using a non-default +lighttpd configuration which enables mod_extforward and configures +mod_extforward to accept and parse the "Forwarded" header from a trusted +proxy. At this time, support for RFC7239 Forwarded is not common in CDN +providers or popular web server reverse proxies. It bears repeating that +for the user to desire to configure lighttpd mod_extforward to accept +"Forwarded", the user must also be using a trusted proxy (in front of +lighttpd) which understands and actively modifies the "Forwarded" header +sent to lighttpd. 
+ +lighttpd natively supports RFC7239 "Forwarded" +hiawatha natively supports RFC7239 "Forwarded" + +nginx can be manually configured to add a "Forwarded" header +https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ + +A 64-bit build of lighttpd on x86_64 (not known to be affected by bug) +in front of another 32-bit lighttpd will detect and reject a malicious +"Forwarded" request header, thereby thwarting an attempt to trigger +this bug in an upstream 32-bit lighttpd. + +The following servers currently do not natively support RFC7239 Forwarded: +nginx +apache2 +caddy +node.js +haproxy +squid +varnish-cache +litespeed + +Given the general dearth of support for RFC7239 Forwarded in popular +CDNs and web server reverse proxies, and given the prerequisites in +lighttpd mod_extforward needed to reach this bug, the number of lighttpd +servers vulnerable to this bug is estimated to be vanishingly small. +Large systems using reverse proxies are likely running 64-bit lighttpd, +which is not known to be adversely affected by this bug. + +In the future, it is desirable for more servers to implement RFC7239 +Forwarded. lighttpd developers would like to thank povcfe for reporting +this bug so that it can be fixed before more CDNs and web servers +implement RFC7239 Forwarded. 
+ +x-ref: + "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1" + https://redmine.lighttpd.net/issues/3134 + (not yet written or published) + CVE-2022-22707 +--- + src/mod_extforward.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mod_extforward.c b/src/mod_extforward.c +index ba957e04..fdaef7f6 100644 +--- a/src/mod_extforward.c ++++ b/src/mod_extforward.c +@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c + while (s[i] == ' ' || s[i] == '\t') ++i; + if (s[i] == ';') { ++i; continue; } + if (s[i] == ',') { +- if (j >= (int)(sizeof(offsets)/sizeof(int))) break; ++ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break; + offsets[++j] = -1; /*("offset" separating params from next proxy)*/ + ++i; + continue; +-- +2.25.1 + diff --git a/poky/meta/recipes-extended/lighttpd/lighttpd_1.4.59.bb b/poky/meta/recipes-extended/lighttpd/lighttpd_1.4.59.bb index 8cb3a9a18c..12d3db937d 100644 --- a/poky/meta/recipes-extended/lighttpd/lighttpd_1.4.59.bb +++ b/poky/meta/recipes-extended/lighttpd/lighttpd_1.4.59.bb @@ -14,6 +14,7 @@ RRECOMMENDS:${PN} = "lighttpd-module-access \ lighttpd-module-accesslog" SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \ + file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch \ file://index.html.lighttpd \ file://lighttpd.conf \ file://lighttpd \ diff --git a/poky/meta/recipes-extended/pigz/files/0001-Fix-bug-when-combining-l-with-d.patch b/poky/meta/recipes-extended/pigz/files/0001-Fix-bug-when-combining-l-with-d.patch new file mode 100644 index 0000000000..9c301f2054 --- /dev/null +++ b/poky/meta/recipes-extended/pigz/files/0001-Fix-bug-when-combining-l-with-d.patch 
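Review bot: The `Upstream-Status: Backport` line at the top of this patch names no upstream reference, while the pigz and speex backports in the same commit carry one in brackets; the tiff patch for CVE-2022-22844 has the same gap. For a CVE fix the reference is what lets a later reviewer confirm that the backport matches upstream, so the tag could read `Upstream-Status: Backport [<upstream commit URL for 27103f3f8b1a2857aa45b889e775435f7daf141f>]`, and likewise with `b12a0326e6064b6e0b051d1184a219877472f69b` for tiff. The one-line change itself is consistent with the pre-increment in `offsets[++j] = -1`: the index written is j+1, so j has to stop one short of the array length. The rest of mod_extforward_Forwarded lies outside the hunk, so whether other stores into `offsets` have their own guard cannot be checked here.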
@@ -0,0 +1,50 @@ +From 65986f3d12d434b9bc428ceb6fcb1f6eeeb2c47d Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Mon, 17 Jan 2022 15:36:56 +0800 +Subject: [PATCH] Fix bug when combining -l with -d. + +Though it makes no sense to do pigz -ld, that is implicit when +doing unpigz -l. This commit fixes a bug for that combination. + +Upstream-Status: Backport [https://github.com/madler/pigz/commit/326bba44aa102c707dd6ebcd2fc3f413b3119db0] + +Signed-off-by: Changqing Li +--- + pigz.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/pigz.c b/pigz.c +index f90157f..d648216 100644 +--- a/pigz.c ++++ b/pigz.c +@@ -4007,6 +4007,13 @@ local void process(char *path) { + } + SET_BINARY_MODE(g.ind); + ++ // if requested, just list information about the input file ++ if (g.list && g.decode != 2) { ++ list_info(); ++ load_end(); ++ return; ++ } ++ + // if decoding or testing, try to read gzip header + if (g.decode) { + in_init(); +@@ -4048,13 +4055,6 @@ local void process(char *path) { + } + } + +- // if requested, just list information about input file +- if (g.list) { +- list_info(); +- load_end(); +- return; +- } +- + // create output file out, descriptor outd + if (path == NULL || g.pipeout) { + // write to stdout +-- +2.17.1 + diff --git a/poky/meta/recipes-extended/pigz/pigz_2.6.bb b/poky/meta/recipes-extended/pigz/pigz_2.6.bb index 3566e18b7e..d490a6a722 100644 --- a/poky/meta/recipes-extended/pigz/pigz_2.6.bb +++ b/poky/meta/recipes-extended/pigz/pigz_2.6.bb @@ -8,7 +8,8 @@ SECTION = "console/utils" LICENSE = "Zlib & Apache-2.0" LIC_FILES_CHKSUM = "file://pigz.c;md5=9ae6dee8ceba9610596ed0ada493d142;beginline=7;endline=21" -SRC_URI = "http://zlib.net/${BPN}/fossils/${BP}.tar.gz" +SRC_URI = "http://zlib.net/${BPN}/fossils/${BP}.tar.gz \ + file://0001-Fix-bug-when-combining-l-with-d.patch" SRC_URI[sha256sum] = "2eed7b0d7449d1d70903f2a62cd6005d262eb3a8c9e98687bc8cbb5809db2a7d" PROVIDES:class-native += "gzip-native" 
diff --git a/poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-doc-validate b/poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-doc-validate new file mode 100644 index 0000000000..2aa57851c7 --- /dev/null +++ b/poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-doc-validate @@ -0,0 +1,20 @@ +#!/bin/sh +# dt-doc-validate wrapper to allow kernel dt-validation to pass +# +# Copyright (C) 2021 Bruce Ashfield +# License: MIT (see COPYING.MIT at the root of the repository for terms) + +for arg; do + case "$arg" in + --version) + echo "v2021.10" + ;; + esac +done + +# TBD: left for future consideration +# exec dt-doc-validate.real "$@" + +# we always succeed +exit 0 + diff --git a/poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-mk-schema b/poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-mk-schema new file mode 100644 index 0000000000..24b89d8619 --- /dev/null +++ b/poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-mk-schema @@ -0,0 +1,20 @@ +#!/bin/sh +# dt-mk-schema wrapper to allow kernel dt-validation to pass +# +# Copyright (C) 2021 Bruce Ashfield +# License: MIT (see COPYING.MIT at the root of the repository for terms) + +for arg; do + case "$arg" in + --version) + echo "v2021.10" + ;; + esac +done + +# TBD: left for future consideration +# exec dt-mk-schema.real "$@" + +# we always succeed +exit 0 + diff --git a/poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-validate b/poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-validate new file mode 100644 index 0000000000..8a4710a7ed --- /dev/null +++ b/poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-validate 
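Review bot: This wrapper exits 0 for every invocation without running any validator, so a devicetree schema check that calls `dt-doc-validate` reports success even though nothing was checked; `dt-mk-schema` and `dt-validate`, added next, are identical in this respect. The header comment says only that the wrapper lets kernel dt-validation pass; it should state outright that no validation happens, e.g. `# NOTE: stub only, performs no schema validation; a zero exit status is not a pass`. A one-line notice on stderr before `exit 0`, such as `echo "dt-doc-validate: stub wrapper, validation skipped" >&2`, would make the skip visible in build logs, provided the kernel build tolerates stderr output from these tools (not verifiable from the hunk). The hard-coded `v2021.10` string also has to be kept in step with the recipe version by hand.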
@@ -0,0 +1,20 @@ +#!/bin/sh +# dt-validate wrapper to allow kernel dt-validation to pass +# +# Copyright (C) 2021 Bruce Ashfield +# License: MIT (see COPYING.MIT at the root of the repository for terms) + +for arg; do + case "$arg" in + --version) + echo "v2021.10" + ;; + esac +done + +# TBD: left for future consideration +# exec dt-validate.real "$@" + +# we always succeed +exit 0 + diff --git a/poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper_2021.10.bb b/poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper_2021.10.bb new file mode 100644 index 0000000000..c869274d09 --- /dev/null +++ b/poky/meta/recipes-kernel/dtc/python3-dtschema-wrapper_2021.10.bb @@ -0,0 +1,17 @@ +DESCRIPTION = "Wrapper for tooling for devicetree validation using YAML and jsonschema" +HOMEPAGE = "https://yoctoproject.org" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +SRC_URI = "file://dt-doc-validate \ + file://dt-mk-schema \ + file://dt-validate" + +do_install() { + install -d ${D}${bindir}/ + install -m 755 ${WORKDIR}/dt-doc-validate ${D}${bindir}/ + install -m 755 ${WORKDIR}/dt-mk-schema ${D}${bindir}/ + install -m 755 ${WORKDIR}/dt-validate ${D}${bindir}/ +} + +BBCLASSEXTEND = "native nativesdk" diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20211216.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20211216.bb index 65bfda1d9f..5f1b696092 100644 --- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20211216.bb +++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20211216.bb 
@@ -751,6 +751,7 @@ FILES:${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pc FILES:${PN}-bcm4373 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.bin \ ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373.bin \ ${nonarch_base_libdir}/firmware/cypress/cyfmac4373-sdio.bin \ + ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.clm_blob \ " LICENSE:${PN}-bcm-0bb4-0306 = "Firmware-cypress" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb index 52ba3b9f61..a8e8e604a3 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "e137d5d92c05530840f2e191ec471f8f0ea2d62e" -SRCREV_meta ?= "65d66ac9789372923b42be0683a87955e52705a5" +SRCREV_machine ?= "ba47a407fe04203adb0ab5e164597c958cd9e334" +SRCREV_meta ?= "7df27e6d296dfa16f289883c0661eed45059360c" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.10.90" +LINUX_VERSION ?= "5.10.93" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb index d0166f6c4f..32e42cbda4 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb @@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.10.90" +LINUX_VERSION ?= "5.10.93" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" 
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine:qemuarm ?= "c0774ebd6bc1c7541deb4f9a649a1a6bfa42853f" -SRCREV_machine ?= "ab201bf6e3f9d187c7c26a0ec6537fadb41de918" -SRCREV_meta ?= "65d66ac9789372923b42be0683a87955e52705a5" +SRCREV_machine:qemuarm ?= "ceb1f194e59c9dd3bdd83d51bb0994f3db23bf61" +SRCREV_machine ?= "878e5c1469550bb0f8778d16d4adbe7d48b0b28d" +SRCREV_meta ?= "7df27e6d296dfa16f289883c0661eed45059360c" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb index 43274a318f..3a0a43bc0b 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb 
@@ -13,17 +13,17 @@ KBRANCH:qemux86 ?= "v5.10/standard/base" KBRANCH:qemux86-64 ?= "v5.10/standard/base" KBRANCH:qemumips64 ?= "v5.10/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "d9597fe71e155c5a96452d23694188d6d4091673" -SRCREV_machine:qemuarm64 ?= "210fcd9ee603afb731beaa5833e7e3f1d1918786" -SRCREV_machine:qemumips ?= "8688d3707cea38bd7ed115a12005079c2215f77d" -SRCREV_machine:qemuppc ?= "933b47667b7549bb36a809cca90bc372a7182620" -SRCREV_machine:qemuriscv64 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55" -SRCREV_machine:qemuriscv32 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55" -SRCREV_machine:qemux86 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55" -SRCREV_machine:qemux86-64 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55" -SRCREV_machine:qemumips64 ?= "25fcfe4f5c4be9bbb67498f09b2dd088f8bb6dfd" -SRCREV_machine ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55" -SRCREV_meta ?= "65d66ac9789372923b42be0683a87955e52705a5" +SRCREV_machine:qemuarm ?= "50c0e06718fb2b264619ce8d82608877d1e62a81" +SRCREV_machine:qemuarm64 ?= "7907c5eb81e9a51307b5269d546999ebf47d9d59" +SRCREV_machine:qemumips ?= "e9c51de36554662082afc08c6e54599b310c7951" +SRCREV_machine:qemuppc ?= "77f361ea5eb293dcfe122ecb65f33ba32fd12501" +SRCREV_machine:qemuriscv64 ?= "a1bbb29fe30c94c21309aa8b8c0d06fa12f3368d" +SRCREV_machine:qemuriscv32 ?= "a1bbb29fe30c94c21309aa8b8c0d06fa12f3368d" +SRCREV_machine:qemux86 ?= "a1bbb29fe30c94c21309aa8b8c0d06fa12f3368d" +SRCREV_machine:qemux86-64 ?= "a1bbb29fe30c94c21309aa8b8c0d06fa12f3368d" +SRCREV_machine:qemumips64 ?= "b668a352c94a8c29e585608e8302cacb1350f5ed" +SRCREV_machine ?= "a1bbb29fe30c94c21309aa8b8c0d06fa12f3368d" +SRCREV_meta ?= "7df27e6d296dfa16f289883c0661eed45059360c" # remap qemuarm to qemuarma15 for the 5.8 kernel # KMACHINE:qemuarm ?= "qemuarma15" 
@@ -32,7 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "5.10.90" +LINUX_VERSION ?= "5.10.93" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/poky/meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch b/poky/meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch new file mode 100644 index 0000000000..72776f09ba --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch 
@@ -0,0 +1,43 @@ +CVE: CVE-2022-22844 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Tue, 25 Jan 2022 16:25:28 +0000 +Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where + count is required (fixes #355) + +--- + tools/tiffset.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/tools/tiffset.c b/tools/tiffset.c +index 8c9e23c5..e7a88c09 100644 +--- a/tools/tiffset.c ++++ b/tools/tiffset.c +@@ -146,9 +146,19 @@ main(int argc, char* argv[]) + + arg_index++; + if (TIFFFieldDataType(fip) == TIFF_ASCII) { +- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1) +- fprintf( stderr, "Failed to set %s=%s\n", +- TIFFFieldName(fip), argv[arg_index] ); ++ if(TIFFFieldPassCount( fip )) { ++ size_t len; ++ len = strlen(argv[arg_index]) + 1; ++ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip), ++ (uint16_t)len, argv[arg_index]) != 1) ++ fprintf( stderr, "Failed to set %s=%s\n", ++ TIFFFieldName(fip), argv[arg_index] ); ++ } else { ++ if (TIFFSetField(tiff, TIFFFieldTag(fip), ++ argv[arg_index]) != 1) ++ fprintf( stderr, "Failed to set %s=%s\n", ++ TIFFFieldName(fip), argv[arg_index] ); ++ } + } else if (TIFFFieldWriteCount(fip) > 0 + || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { + int ret = 1; +-- +2.25.1 diff --git a/poky/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/poky/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 6852758c6a..ef8e8460fb 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/poky/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
@@ -9,7 +9,8 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf" CVE_PRODUCT = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ - " + file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch" + SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" # exclude betas diff --git a/poky/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch b/poky/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch new file mode 100644 index 0000000000..eb16e95ffc --- /dev/null +++ b/poky/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch @@ -0,0 +1,30 @@ +Backport patch to fix CVE-2020-23903. + +CVE: CVE-2020-23903 +Upstream-Status: Backport [https://github.com/xiph/speex/commit/870ff84] + +Signed-off-by: Kai Kang + +From 870ff845b32f314aec0036641ffe18aba4916887 Mon Sep 17 00:00:00 2001 +From: Tristan Matthews +Date: Mon, 13 Jul 2020 23:25:03 -0400 +Subject: [PATCH] wav_io: guard against invalid channel numbers + +Fixes #13 +--- + src/wav_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/wav_io.c b/src/wav_io.c +index b5183015..09d62eb0 100644 +--- a/src/wav_io.c ++++ b/src/wav_io.c +@@ -111,7 +111,7 @@ int read_wav_header(FILE *file, int *rate, int *channels, int *format, spx_int32 + stmp = le_short(stmp); + *channels = stmp; + +- if (stmp>2) ++ if (stmp>2 || stmp<1) + { + fprintf (stderr, "Only mono and (intensity) stereo supported\n"); + return -1; diff --git a/poky/meta/recipes-multimedia/speex/speex_1.2.0.bb b/poky/meta/recipes-multimedia/speex/speex_1.2.0.bb index 3a0911d6f8..ea475f0f1b 100644 --- a/poky/meta/recipes-multimedia/speex/speex_1.2.0.bb +++ b/poky/meta/recipes-multimedia/speex/speex_1.2.0.bb 
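Review bot: In the patched `read_wav_header`, `*channels = stmp;` still runs before the new range check, so on the error path the caller's variable already holds the rejected value (below 1 or above 2) when -1 is returned. That is safe only if every caller checks the return value before using the channel count, which cannot be confirmed here because the rest of the function and its callers lie outside the hunk. Moving the store below the check would close that gap, but it diverges from the upstream commit, so it is better raised upstream than changed in the backport.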
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=314649d8ba9dd7045dfb6683f298d0a8 \ file://include/speex/speex.h;beginline=1;endline=34;md5=ef8c8ea4f7198d71cf3509c6ed05ea50" DEPENDS = "libogg speexdsp" -SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz" +SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz \ + file://CVE-2020-23903.patch \ + " UPSTREAM_CHECK_REGEX = "speex-(?P\d+(\.\d+)+)\.tar" SRC_URI[md5sum] = "8ab7bb2589110dfaf0ed7fa7757dc49c" diff --git a/poky/meta/recipes-sato/images/core-image-sato-sdk.bb b/poky/meta/recipes-sato/images/core-image-sato-sdk.bb index b52de0def0..afab473b52 100644 --- a/poky/meta/recipes-sato/images/core-image-sato-sdk.bb +++ b/poky/meta/recipes-sato/images/core-image-sato-sdk.bb @@ -10,3 +10,6 @@ IMAGE_FEATURES += "dev-pkgs tools-sdk \ IMAGE_INSTALL += "kernel-devsrc" +# Compiling stuff, specifically SystemTap probes, can require lots of memory +# See https://bugzilla.yoctoproject.org/show_bug.cgi?id=14673 +QB_MEM = "-m 768" diff --git a/poky/meta/recipes-support/icu/icu_69.1.bb b/poky/meta/recipes-support/icu/icu_69.1.bb index 4daf0fe82e..848ae9ab19 100644 --- a/poky/meta/recipes-support/icu/icu_69.1.bb +++ b/poky/meta/recipes-support/icu/icu_69.1.bb @@ -147,4 +147,4 @@ do_make_icudata() { : } -addtask make_icudata before do_configure after do_patch +addtask make_icudata before do_configure after do_patch do_prepare_recipe_sysroot diff --git a/poky/meta/recipes-support/libusb/libusb1_1.0.24.bb b/poky/meta/recipes-support/libusb/libusb1_1.0.24.bb index 95a20958a1..e70021f4f7 100644 --- a/poky/meta/recipes-support/libusb/libusb1_1.0.24.bb +++ b/poky/meta/recipes-support/libusb/libusb1_1.0.24.bb 
@@ -1,7 +1,7 @@ SUMMARY = "Userspace library to access USB (version 1.0)" DESCRIPTION = "A cross-platform library to access USB devices from Linux, \ macOS, Windows, OpenBSD/NetBSD, Haiku and Solaris userspace." -HOMEPAGE = "http://libusb.sf.net" +HOMEPAGE = "https://libusb.info" BUGTRACKER = "http://www.libusb.org/report" SECTION = "libs" @@ -10,10 +10,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" BBCLASSEXTEND = "native nativesdk" -SRC_URI = "${SOURCEFORGE_MIRROR}/libusb/libusb-${PV}.tar.bz2 \ +SRC_URI = "https://github.com/libusb/libusb/releases/download/v${PV}/libusb-${PV}.tar.bz2 \ file://run-ptest \ " +UPSTREAM_CHECK_URI = "https://github.com/libusb/libusb/releases" + SRC_URI[sha256sum] = "7efd2685f7b327326dcfb85cee426d9b871fd70e22caa15bb68d595ce2a2b12a" S = "${WORKDIR}/libusb-${PV}" diff --git a/poky/meta/recipes-support/vim/files/0001-patch-8.2.3581-reading-character-past-end-of-line.patch b/poky/meta/recipes-support/vim/files/0001-patch-8.2.3581-reading-character-past-end-of-line.patch deleted file mode 100644 index 28c61cd782..0000000000 --- a/poky/meta/recipes-support/vim/files/0001-patch-8.2.3581-reading-character-past-end-of-line.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -CVE: CVE-2021-3927 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From 93b427c6e729260d0700c3b2804ec153bc8284fa Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Thu, 4 Nov 2021 15:10:11 +0000 -Subject: [PATCH] patch 8.2.3581: reading character past end of line - -Problem: Reading character past end of line. -Solution: Correct the cursor column. ---- - src/ex_docmd.c | 1 + - src/testdir/test_put.vim | 12 ++++++++++++ - src/version.c | 2 ++ - 3 files changed, 15 insertions(+) - -diff --git a/src/ex_docmd.c b/src/ex_docmd.c -index fde726477..59e245bee 100644 ---- a/src/ex_docmd.c -+++ b/src/ex_docmd.c -@@ -6905,6 +6905,7 @@ ex_put(exarg_T *eap) - eap->forceit = TRUE; - } - curwin->w_cursor.lnum = eap->line2; -+ check_cursor_col(); - do_put(eap->regname, eap->forceit ? BACKWARD : FORWARD, 1L, - PUT_LINE|PUT_CURSLINE); - } -diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim -index 225ebd1f3..922e5b269 100644 ---- a/src/testdir/test_put.vim -+++ b/src/testdir/test_put.vim -@@ -113,3 +113,15 @@ func Test_put_p_indent_visual() - call assert_equal('select that text', getline(2)) - bwipe! - endfunc -+ -+func Test_put_above_first_line() -+ new -+ let @" = 'text' -+ silent! normal 0o00 -+ 0put -+ call assert_equal('text', getline(1)) -+ bwipe! -+endfunc -+ -+ -+" vim: shiftwidth=2 sts=2 expandtab -diff --git a/src/version.c b/src/version.c -index a9e8be0e7..df4ec9a47 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3581, - /**/ - 3564, - /**/ diff --git a/poky/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch b/poky/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch index 63a7b78f12..2fc11dbdc2 100644 --- a/poky/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch 
+++ b/poky/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch @@ -16,11 +16,11 @@ Signed-off-by: Mingli Yu src/Makefile | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) -diff --git a/src/Makefile b/src/Makefile -index f2fafa4dc..7148d4bd9 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -2845,16 +2845,10 @@ auto/pathdef.c: Makefile auto/config.mk +Index: git/src/Makefile +=================================================================== +--- git.orig/src/Makefile ++++ git/src/Makefile +@@ -3101,16 +3101,10 @@ auto/pathdef.c: Makefile auto/config.mk -@echo '#include "vim.h"' >> $@ -@echo 'char_u *default_vim_dir = (char_u *)"$(VIMRCLOC)";' | $(QUOTESED) >> $@ -@echo 'char_u *default_vimruntime_dir = (char_u *)"$(VIMRUNTIMEDIR)";' | $(QUOTESED) >> $@ @@ -41,6 +41,3 @@ index f2fafa4dc..7148d4bd9 100644 -@sh $(srcdir)/pathdef.sh GUI_GTK_RES_INPUTS = \ --- -2.17.1 - diff --git a/poky/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch b/poky/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch deleted file mode 100644 index ecfae0301e..0000000000 --- a/poky/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -CVE: CVE-2021-3796 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From 1160e5f74b229336502fc376416f21108d36cfc2 Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Sat, 11 Sep 2021 21:14:20 +0200 -Subject: [PATCH] patch 8.2.3428: using freed memory when replacing - -Problem: Using freed memory when replacing. (Dhiraj Mishra) -Solution: Get the line pointer after calling ins_copychar(). ---- - src/normal.c | 10 +++++++--- - src/testdir/test_edit.vim | 14 ++++++++++++++ - src/version.c | 2 ++ - 3 files changed, 23 insertions(+), 3 deletions(-) - -diff --git a/src/normal.c b/src/normal.c -index c4963e621..d6333b948 100644 ---- a/src/normal.c -+++ b/src/normal.c -@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap) - { - /* - * Get ptr again, because u_save and/or showmatch() will have -- * released the line. At the same time we let know that the -- * line will be changed. -+ * released the line. This may also happen in ins_copychar(). -+ * At the same time we let know that the line will be changed. - */ -- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); - if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y) - { - int c = ins_copychar(curwin->w_cursor.lnum - + (cap->nchar == Ctrl_Y ? -1 : 1)); -+ -+ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); - if (c != NUL) - ptr[curwin->w_cursor.col] = c; - } - else -+ { -+ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); - ptr[curwin->w_cursor.col] = cap->nchar; -+ } - if (p_sm && msg_silent == 0) - showmatch(cap->nchar); - ++curwin->w_cursor.col; -diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim -index 4e29e7fe1..f94e6c181 100644 ---- a/src/testdir/test_edit.vim -+++ b/src/testdir/test_edit.vim -@@ -1519,3 +1519,17 @@ func Test_edit_noesckeys() - bwipe! - set esckeys - endfunc -+ -+" Test for getting the character of the line below after "p" -+func Test_edit_put_CTRL_E() -+ set encoding=latin1 -+ new -+ let @" = '' -+ sil! norm orggRx -+ sil! 
norm pr -+ call assert_equal(['r', 'r'], getline(1, 2)) -+ bwipe! -+ set encoding=utf-8 -+endfunc -+ -+" vim: shiftwidth=2 sts=2 expandtab -diff --git a/src/version.c b/src/version.c -index 85bdfc601..1046993d6 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3428, - /**/ - 3409, - /**/ diff --git a/poky/meta/recipes-support/vim/files/0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch b/poky/meta/recipes-support/vim/files/0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch deleted file mode 100644 index d117a98893..0000000000 --- a/poky/meta/recipes-support/vim/files/0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -CVE: CVE-2021-3928 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From ade0f0481969f1453c60e7c8354b00dfe4238739 Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Thu, 4 Nov 2021 15:46:05 +0000 -Subject: [PATCH] patch 8.2.3582: reading uninitialized memory when giving - spell suggestions - -Problem: Reading uninitialized memory when giving spell suggestions. -Solution: Check that preword is not empty. ---- - src/spellsuggest.c | 2 +- - src/testdir/test_spell.vim | 8 ++++++++ - src/version.c | 2 ++ - 3 files changed, 11 insertions(+), 1 deletion(-) - -diff --git a/src/spellsuggest.c b/src/spellsuggest.c -index 9d6df7930..8615d5280 100644 ---- a/src/spellsuggest.c -+++ b/src/spellsuggest.c -@@ -1600,7 +1600,7 @@ suggest_trie_walk( - // char, e.g., "thes," -> "these". - p = fword + sp->ts_fidx; - MB_PTR_BACK(fword, p); -- if (!spell_iswordp(p, curwin)) -+ if (!spell_iswordp(p, curwin) && *preword != NUL) - { - p = preword + STRLEN(preword); - MB_PTR_BACK(preword, p); -diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim -index 79fb8927c..e435e9172 100644 ---- a/src/testdir/test_spell.vim -+++ b/src/testdir/test_spell.vim -@@ -498,6 +498,14 @@ func Test_spell_screendump() - call delete('XtestSpell') - endfunc - -+func Test_spell_single_word() -+ new -+ silent! norm 0R00 -+ spell! ß -+ silent 0norm 0r$ Dvz= -+ bwipe! -+endfunc -+ - let g:test_data_aff1 = [ - \"SET ISO8859-1", - \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ", -diff --git a/src/version.c b/src/version.c -index df4ec9a47..e1bc0d09b 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3582, - /**/ - 3581, - /**/ 
diff --git a/poky/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch b/poky/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch deleted file mode 100644 index 58d3442677..0000000000 --- a/poky/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -CVE: CVE-2021-3973 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From b6154e9f530544ddc3130d981caae0dabc053757 Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Wed, 17 Nov 2021 18:00:31 +0000 -Subject: [PATCH] patch 8.2.3611: crash when using CTRL-W f without finding a - file name Problem: Crash when using CTRL-W f without finding - a file name. Solution: Bail out when the file name length is zero. - ---- - src/findfile.c | 8 ++++++++ - src/normal.c | 6 ++++-- - src/testdir/test_visual.vim | 8 ++++++++ - src/version.c | 2 ++ - 4 files changed, 22 insertions(+), 2 deletions(-) - -diff --git a/src/findfile.c b/src/findfile.c -index dba547da1..5764fd7b8 100644 ---- a/src/findfile.c -+++ b/src/findfile.c -@@ -1727,6 +1727,9 @@ find_file_in_path_option( - proc->pr_WindowPtr = (APTR)-1L; - # endif - -+ if (len == 0) -+ return NULL; -+ - if (first == TRUE) - { - // copy file name into NameBuff, expanding environment variables -@@ -2094,7 +2097,12 @@ find_file_name_in_path( - int c; - # if defined(FEAT_FIND_ID) && defined(FEAT_EVAL) - char_u *tofree = NULL; -+# endif - -+ if (len == 0) -+ return NULL; -+ -+# if defined(FEAT_FIND_ID) && defined(FEAT_EVAL) - if ((options & FNAME_INCL) && *curbuf->b_p_inex != NUL) - { - tofree = eval_includeexpr(ptr, len); -diff --git a/src/normal.c b/src/normal.c -index 7cb959257..f0084f2ac 100644 ---- a/src/normal.c -+++ b/src/normal.c -@@ -3778,8 +3778,10 @@ get_visual_text( - *pp = ml_get_pos(&VIsual); - *lenp = curwin->w_cursor.col - VIsual.col + 1; - } -- if (has_mbyte) -- // Correct the length to include the whole last character. -+ if (**pp == NUL) -+ *lenp = 0; -+ if (has_mbyte && *lenp > 0) -+ // Correct the length to include all bytes of the last character. 
- *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1; - } - reset_VIsual_and_resel(); -diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim -index ae281238e..0705fdb57 100644 ---- a/src/testdir/test_visual.vim -+++ b/src/testdir/test_visual.vim -@@ -894,4 +894,12 @@ func Test_block_insert_replace_tabs() - bwipe! - endfunc - -+func Test_visual_block_ctrl_w_f() -+ " Emtpy block selected in new buffer should not result in an error. -+ au! BufNew foo sil norm f -+ edit foo -+ -+ au! BufNew -+endfunc -+ - " vim: shiftwidth=2 sts=2 expandtab -diff --git a/src/version.c b/src/version.c -index 52be3c39d..59a314b3a 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3611, - /**/ - 3582, - /**/ diff --git a/poky/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch b/poky/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch deleted file mode 100644 index 576664f436..0000000000 --- a/poky/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -CVE: CVE-2021-3872 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From 61629ea24a2fff1f89c37479d3fb52f17c3480fc Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Fri, 8 Oct 2021 18:39:28 +0100 -Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very - long - -Problem: Illegal memory access if buffer name is very long. -Solution: Make sure not to go over the end of the buffer. ---- - src/drawscreen.c | 10 +++++----- - src/testdir/test_statusline.vim | 11 +++++++++++ - src/version.c | 2 ++ - 3 files changed, 18 insertions(+), 5 deletions(-) - -diff --git a/src/drawscreen.c b/src/drawscreen.c -index 3a88ee979..9acb70552 100644 ---- a/src/drawscreen.c -+++ b/src/drawscreen.c -@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED) - *(p + len++) = ' '; - if (bt_help(wp->w_buffer)) - { -- STRCPY(p + len, _("[Help]")); -+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]")); - len += (int)STRLEN(p + len); - } - #ifdef FEAT_QUICKFIX - if (wp->w_p_pvw) - { -- STRCPY(p + len, _("[Preview]")); -+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]")); - len += (int)STRLEN(p + len); - } - #endif -@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED) - #endif - ) - { -- STRCPY(p + len, "[+]"); -- len += 3; -+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]"); -+ len += (int)STRLEN(p + len); - } - if (wp->w_buffer->b_p_ro) - { -- STRCPY(p + len, _("[RO]")); -+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]")); - len += (int)STRLEN(p + len); - } - -diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim -index 1f705b847..91bce1407 100644 ---- a/src/testdir/test_statusline.vim -+++ b/src/testdir/test_statusline.vim -@@ -393,3 +393,14 @@ func Test_statusline_visual() - bwipe! x1 - bwipe! x2 - endfunc -+" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes. 
-+func Test_statusline_verylong_filename() -+ let fname = repeat('x', 4090) -+ exe "new " .. fname -+ set buftype=help -+ set previewwindow -+ redraw -+ bwipe! -+endfunc -+ -+" vim: shiftwidth=2 sts=2 expandtab -diff --git a/src/version.c b/src/version.c -index 1046993d6..2b5de5ccf 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3487, - /**/ - 3428, - /**/ diff --git a/poky/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch b/poky/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch deleted file mode 100644 index 045081579c..0000000000 --- a/poky/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -CVE: CVE-2021-3875 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From b8968e26d7508e7d64bfc86808142818b0a9288c Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Sat, 9 Oct 2021 13:58:55 +0100 -Subject: [PATCH] patch 8.2.3489: ml_get error after search with range - -Problem: ml_get error after search with range. -Solution: Limit the line number to the buffer line count. ---- - src/ex_docmd.c | 6 ++++-- - src/testdir/test_search.vim | 17 +++++++++++++++++ - src/version.c | 2 ++ - 3 files changed, 23 insertions(+), 2 deletions(-) - -diff --git a/src/ex_docmd.c b/src/ex_docmd.c -index fb07450f8..fde726477 100644 ---- a/src/ex_docmd.c -+++ b/src/ex_docmd.c -@@ -3586,8 +3586,10 @@ get_address( - - // When '/' or '?' follows another address, start from - // there. -- if (lnum != MAXLNUM) -- curwin->w_cursor.lnum = lnum; -+ if (lnum > 0 && lnum != MAXLNUM) -+ curwin->w_cursor.lnum = -+ lnum > curbuf->b_ml.ml_line_count -+ ? curbuf->b_ml.ml_line_count : lnum; - - // Start a forward search at the end of the line (unless - // before the first line). -diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim -index 187671305..e142c3547 100644 ---- a/src/testdir/test_search.vim -+++ b/src/testdir/test_search.vim -@@ -1366,3 +1366,20 @@ func Test_searchdecl() - - bwipe! - endfunc -+ -+func Test_search_with_invalid_range() -+ new -+ let lines =<< trim END -+ /\%.v -+ 5/ -+ c -+ END -+ call writefile(lines, 'Xrangesearch') -+ source Xrangesearch -+ -+ bwipe! -+ call delete('Xrangesearch') -+endfunc -+ -+ -+" vim: shiftwidth=2 sts=2 expandtab -diff --git a/src/version.c b/src/version.c -index 2b5de5ccf..092864bbb 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3489, - /**/ - 3487, - /**/ 
diff --git a/poky/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch b/poky/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch deleted file mode 100644 index 7184b37cad..0000000000 --- a/poky/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -CVE: CVE-2021-3903 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From b15919c1fe0f7fc3d98ff5207ed2feb43c59009d Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Mon, 25 Oct 2021 17:07:04 +0100 -Subject: [PATCH] patch 8.2.3564: invalid memory access when scrolling without - valid screen - -Problem: Invalid memory access when scrolling without a valid screen. -Solution: Do not set VALID_BOTLINE in w_valid. ---- - src/move.c | 1 - - src/testdir/test_normal.vim | 23 ++++++++++++++++++++--- - src/version.c | 2 ++ - 3 files changed, 22 insertions(+), 4 deletions(-) - -diff --git a/src/move.c b/src/move.c -index 8e53d8bcb..10165ef4d 100644 ---- a/src/move.c -+++ b/src/move.c -@@ -198,7 +198,6 @@ update_topline(void) - { - curwin->w_topline = curwin->w_cursor.lnum; - curwin->w_botline = curwin->w_topline; -- curwin->w_valid |= VALID_BOTLINE|VALID_BOTLINE_AP; - curwin->w_scbind_pos = 1; - return; - } -diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim -index d45cf4159..ca87928f5 100644 ---- a/src/testdir/test_normal.vim -+++ b/src/testdir/test_normal.vim -@@ -33,14 +33,14 @@ func CountSpaces(type, ...) - else - silent exe "normal! `[v`]y" - endif -- let g:a=strlen(substitute(@@, '[^ ]', '', 'g')) -+ let g:a = strlen(substitute(@@, '[^ ]', '', 'g')) - let &selection = sel_save - let @@ = reg_save - endfunc - - func OpfuncDummy(type, ...) - " for testing operatorfunc -- let g:opt=&linebreak -+ let g:opt = &linebreak - - if a:0 " Invoked from Visual mode, use gv command. - silent exe "normal! gvy" -@@ -51,7 +51,7 @@ func OpfuncDummy(type, ...) - endif - " Create a new dummy window - new -- let g:bufnr=bufnr('%') -+ let g:bufnr = bufnr('%') - endfunc - - fun! Test_normal00_optrans() -@@ -718,6 +718,23 @@ func Test_normal17_z_scroll_hor2() - bw! - endfunc - -+ -+func Test_scroll_in_ex_mode() -+ " This was using invalid memory because w_botline was invalid. 
-+ let lines =<< trim END -+ diffsplit -+ norm os00( -+ call writefile(['done'], 'Xdone') -+ qa! -+ END -+ call writefile(lines, 'Xscript') -+ call assert_equal(1, RunVim([], [], '--clean -X -Z -e -s -S Xscript')) -+ call assert_equal(['done'], readfile('Xdone')) -+ -+ call delete('Xscript') -+ call delete('Xdone') -+endfunc -+ - func Test_normal18_z_fold() - " basic tests for foldopen/folddelete - if !has("folding") -diff --git a/src/version.c b/src/version.c -index 092864bbb..a9e8be0e7 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3564, - /**/ - 3489, - /**/ diff --git a/poky/meta/recipes-support/vim/files/CVE-2021-3778.patch b/poky/meta/recipes-support/vim/files/CVE-2021-3778.patch deleted file mode 100644 index 544af04458..0000000000 --- a/poky/meta/recipes-support/vim/files/CVE-2021-3778.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 6d351cec5b97cb72b226d03bd727e453a235ed8d Mon Sep 17 00:00:00 2001 -From: Minjae Kim -Date: Sun, 26 Sep 2021 23:48:00 +0000 -Subject: [PATCH] patch 8.2.3409: reading beyond end of line with invalid utf-8 - character - -Problem: Reading beyond end of line with invalid utf-8 character. -Solution: Check for NUL when advancing. - -Upstream-Status: Accepted [https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f] -CVE: CVE-2021-3778 -Signed-off-by: Minjae Kim - ---- - src/regexp_nfa.c | 3 ++- - src/testdir/test_regexp_utf8.vim | 7 +++++++ - src/version.c | 2 ++ - 3 files changed, 11 insertions(+), 1 deletion(-) - -diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c -index fb512f961..ace83a1a3 100644 ---- a/src/regexp_nfa.c -+++ b/src/regexp_nfa.c -@@ -5455,7 +5455,8 @@ find_match_text(colnr_T startcol, int regstart, char_u *match_text) - match = FALSE; - break; - } -- len2 += MB_CHAR2LEN(c2); -+ len2 += enc_utf8 ? utf_ptr2len(rex.line + col + len2) -+ : MB_CHAR2LEN(c2); - } - if (match - // check that no composing char follows -diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim -index 19ff882be..e0665818b 100644 ---- a/src/testdir/test_regexp_utf8.vim -+++ b/src/testdir/test_regexp_utf8.vim -@@ -215,3 +215,10 @@ func Test_optmatch_toolong() - set re=0 - endfunc - -+func Test_match_invalid_byte() -+ call writefile(0z630a.765d30aa0a.2e0a.790a.4030, 'Xinvalid') -+ new -+ source Xinvalid -+ bwipe! -+ call delete('Xinvalid') -+endfunc -diff --git a/src/version.c b/src/version.c -index 8912f6215..85bdfc601 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3409, - /**/ - 3402, - /**/ 
diff --git a/poky/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch b/poky/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch deleted file mode 100644 index 1cee759502..0000000000 --- a/poky/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch +++ /dev/null 
@@ -1,207 +0,0 @@ -From b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Sat, 4 Sep 2021 18:47:28 +0200 -Subject: [PATCH] patch 8.2.3402: invalid memory access when using :retab with - large value - -Problem: Invalid memory access when using :retab with large value. -Solution: Check the number is positive. - -CVE: CVE-2021-3770 -Signed-off-by: Richard Purdie -Upstream-Status: Backport [https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9] ---- - src/indent.c | 34 +++++++++++++++++++++------------- - src/option.c | 12 ++++++------ - src/optionstr.c | 4 ++-- - src/testdir/test_retab.vim | 3 +++ - src/version.c | 2 ++ - 5 files changed, 34 insertions(+), 21 deletions(-) - -Index: git/src/indent.c -=================================================================== ---- git.orig/src/indent.c -+++ git/src/indent.c -@@ -18,18 +18,19 @@ - /* - * Set the integer values corresponding to the string setting of 'vartabstop'. - * "array" will be set, caller must free it if needed. -+ * Return FAIL for an error. 
- */ - int - tabstop_set(char_u *var, int **array) - { -- int valcount = 1; -- int t; -- char_u *cp; -+ int valcount = 1; -+ int t; -+ char_u *cp; - - if (var[0] == NUL || (var[0] == '0' && var[1] == NUL)) - { - *array = NULL; -- return TRUE; -+ return OK; - } - - for (cp = var; *cp != NUL; ++cp) -@@ -43,8 +44,8 @@ tabstop_set(char_u *var, int **array) - if (cp != end) - emsg(_(e_positive)); - else -- emsg(_(e_invarg)); -- return FALSE; -+ semsg(_(e_invarg2), cp); -+ return FAIL; - } - } - -@@ -55,26 +56,33 @@ tabstop_set(char_u *var, int **array) - ++valcount; - continue; - } -- emsg(_(e_invarg)); -- return FALSE; -+ semsg(_(e_invarg2), var); -+ return FAIL; - } - - *array = ALLOC_MULT(int, valcount + 1); - if (*array == NULL) -- return FALSE; -+ return FAIL; - (*array)[0] = valcount; - - t = 1; - for (cp = var; *cp != NUL;) - { -- (*array)[t++] = atoi((char *)cp); -- while (*cp != NUL && *cp != ',') -+ int n = atoi((char *)cp); -+ -+ if (n < 0 || n > 9999) -+ { -+ semsg(_(e_invarg2), cp); -+ return FAIL; -+ } -+ (*array)[t++] = n; -+ while (*cp != NUL && *cp != ',') - ++cp; - if (*cp != NUL) - ++cp; - } - -- return TRUE; -+ return OK; - } - - /* -@@ -1556,7 +1564,7 @@ ex_retab(exarg_T *eap) - - #ifdef FEAT_VARTABS - new_ts_str = eap->arg; -- if (!tabstop_set(eap->arg, &new_vts_array)) -+ if (tabstop_set(eap->arg, &new_vts_array) == FAIL) - return; - while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',') - ++(eap->arg); -Index: git/src/option.c -=================================================================== ---- git.orig/src/option.c -+++ git/src/option.c -@@ -2292,9 +2292,9 @@ didset_options2(void) - #endif - #ifdef FEAT_VARTABS - vim_free(curbuf->b_p_vsts_array); -- tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array); -+ (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array); - vim_free(curbuf->b_p_vts_array); -- tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array); -+ (void)tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array); - #endif - } - -@@ 
-5756,7 +5756,7 @@ buf_copy_options(buf_T *buf, int flags) - buf->b_p_vsts = vim_strsave(p_vsts); - COPY_OPT_SCTX(buf, BV_VSTS); - if (p_vsts && p_vsts != empty_option) -- tabstop_set(p_vsts, &buf->b_p_vsts_array); -+ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array); - else - buf->b_p_vsts_array = 0; - buf->b_p_vsts_nopaste = p_vsts_nopaste -@@ -5914,7 +5914,7 @@ buf_copy_options(buf_T *buf, int flags) - buf->b_p_isk = save_p_isk; - #ifdef FEAT_VARTABS - if (p_vts && p_vts != empty_option && !buf->b_p_vts_array) -- tabstop_set(p_vts, &buf->b_p_vts_array); -+ (void)tabstop_set(p_vts, &buf->b_p_vts_array); - else - buf->b_p_vts_array = NULL; - #endif -@@ -5929,7 +5929,7 @@ buf_copy_options(buf_T *buf, int flags) - buf->b_p_vts = vim_strsave(p_vts); - COPY_OPT_SCTX(buf, BV_VTS); - if (p_vts && p_vts != empty_option && !buf->b_p_vts_array) -- tabstop_set(p_vts, &buf->b_p_vts_array); -+ (void)tabstop_set(p_vts, &buf->b_p_vts_array); - else - buf->b_p_vts_array = NULL; - #endif -@@ -6634,7 +6634,7 @@ paste_option_changed(void) - if (buf->b_p_vsts_array) - vim_free(buf->b_p_vsts_array); - if (buf->b_p_vsts && buf->b_p_vsts != empty_option) -- tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array); -+ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array); - else - buf->b_p_vsts_array = 0; - #endif -Index: git/src/optionstr.c -=================================================================== ---- git.orig/src/optionstr.c -+++ git/src/optionstr.c -@@ -2166,7 +2166,7 @@ did_set_string_option( - if (errmsg == NULL) - { - int *oldarray = curbuf->b_p_vsts_array; -- if (tabstop_set(*varp, &(curbuf->b_p_vsts_array))) -+ if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK) - { - if (oldarray) - vim_free(oldarray); -@@ -2205,7 +2205,7 @@ did_set_string_option( - { - int *oldarray = curbuf->b_p_vts_array; - -- if (tabstop_set(*varp, &(curbuf->b_p_vts_array))) -+ if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK) - { - vim_free(oldarray); - #ifdef FEAT_FOLDING -Index: 
git/src/testdir/test_retab.vim -=================================================================== ---- git.orig/src/testdir/test_retab.vim -+++ git/src/testdir/test_retab.vim -@@ -74,4 +74,7 @@ endfunc - func Test_retab_error() - call assert_fails('retab -1', 'E487:') - call assert_fails('retab! -1', 'E487:') -+ call assert_fails('ret -1000', 'E487:') -+ call assert_fails('ret 10000', 'E475:') -+ call assert_fails('ret 80000000000000000000', 'E475:') - endfunc -Index: git/src/version.c -=================================================================== ---- git.orig/src/version.c -+++ git/src/version.c -@@ -743,6 +743,8 @@ static char *(features[]) = - static int included_patches[] = - { /* Add new patch number below this line */ - /**/ -+ 3402, -+/**/ - 0 - }; - diff --git a/poky/meta/recipes-support/vim/files/disable_acl_header_check.patch b/poky/meta/recipes-support/vim/files/disable_acl_header_check.patch index 33089162b4..533138245d 100644 --- a/poky/meta/recipes-support/vim/files/disable_acl_header_check.patch +++ b/poky/meta/recipes-support/vim/files/disable_acl_header_check.patch @@ -13,11 +13,11 @@ Signed-off-by: Changqing Li src/configure.ac | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -diff --git a/src/configure.ac b/src/configure.ac -index 2d409b3ca06a..dbcaf6140263 100644 ---- a/src/configure.ac -+++ b/src/configure.ac -@@ -3257,7 +3257,7 @@ AC_CHECK_HEADERS(stdint.h stdlib.h string.h \ +Index: git/src/configure.ac +=================================================================== +--- git.orig/src/configure.ac ++++ git/src/configure.ac +@@ -3292,7 +3292,7 @@ AC_CHECK_HEADERS(stdint.h stdlib.h strin sys/systeminfo.h locale.h sys/stream.h termios.h \ libc.h sys/statfs.h poll.h sys/poll.h pwd.h \ utime.h sys/param.h sys/ptms.h libintl.h libgen.h \ 
@@ -26,7 +26,7 @@ index 2d409b3ca06a..dbcaf6140263 100644 sys/access.h sys/sysinfo.h wchar.h wctype.h) dnl sys/ptem.h depends on sys/stream.h on Solaris -@@ -3886,6 +3886,7 @@ AC_ARG_ENABLE(acl, +@@ -3974,6 +3974,7 @@ AC_ARG_ENABLE(acl, , [enable_acl="yes"]) if test "$enable_acl" = "yes"; then AC_MSG_RESULT(no) @@ -34,6 +34,3 @@ index 2d409b3ca06a..dbcaf6140263 100644 AC_CHECK_LIB(posix1e, acl_get_file, [LIBS="$LIBS -lposix1e"], AC_CHECK_LIB(acl, acl_get_file, [LIBS="$LIBS -lacl" AC_CHECK_LIB(attr, fgetxattr, LIBS="$LIBS -lattr",,)],,),) --- -2.7.4 - diff --git a/poky/meta/recipes-support/vim/files/no-path-adjust.patch b/poky/meta/recipes-support/vim/files/no-path-adjust.patch index 05c2d803f6..9d6da80913 100644 --- a/poky/meta/recipes-support/vim/files/no-path-adjust.patch +++ b/poky/meta/recipes-support/vim/files/no-path-adjust.patch @@ -7,9 +7,11 @@ Upstream-Status: Pending Signed-off-by: Joe Slater ---- a/src/Makefile -+++ b/src/Makefile -@@ -2507,11 +2507,14 @@ installtools: $(TOOLS) $(DESTDIR)$(exec_ +Index: git/src/Makefile +=================================================================== +--- git.orig/src/Makefile ++++ git/src/Makefile +@@ -2565,11 +2565,14 @@ installtools: $(TOOLS) $(DESTDIR)$(exec_ rm -rf $$cvs; \ fi -chmod $(FILEMOD) $(DEST_TOOLS)/* diff --git a/poky/meta/recipes-support/vim/files/racefix.patch b/poky/meta/recipes-support/vim/files/racefix.patch index 48dca44cad..1cb8fb442f 100644 --- a/poky/meta/recipes-support/vim/files/racefix.patch +++ b/poky/meta/recipes-support/vim/files/racefix.patch 
@@ -9,9 +9,9 @@ Index: git/src/po/Makefile =================================================================== --- git.orig/src/po/Makefile +++ git/src/po/Makefile -@@ -165,17 +165,16 @@ $(PACKAGE).pot: ../*.c ../if_perl.xs ../ - po/gvim.desktop.in po/vim.desktop.in - mv -f ../$(PACKAGE).po $(PACKAGE).pot +@@ -207,17 +207,16 @@ $(PACKAGE).pot: $(PO_INPUTLIST) $(PO_VIM + # Delete the temporary files + rm *.js -vim.desktop: vim.desktop.in $(POFILES) +LINGUAS: diff --git a/poky/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch b/poky/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch index 37914d4cd9..5284ba45b6 100644 --- a/poky/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch +++ b/poky/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch @@ -14,11 +14,11 @@ Signed-off-by: Changqing Li src/configure.ac | 7 +++++++ 1 file changed, 7 insertions(+) -diff --git a/src/configure.ac b/src/configure.ac -index 0ee86ad..64736f0 100644 ---- a/src/configure.ac -+++ b/src/configure.ac -@@ -3192,11 +3192,18 @@ AC_TRY_COMPILE([#include ], [int x __attribute__((unused));], +Index: git/src/configure.ac +=================================================================== +--- git.orig/src/configure.ac ++++ git/src/configure.ac +@@ -3264,11 +3264,18 @@ AC_TRY_COMPILE([#include ], [in AC_MSG_RESULT(no)) dnl Checks for header files. @@ -37,6 +37,3 @@ index 0ee86ad..64736f0 100644 AC_HEADER_DIRENT --- -2.7.4 - diff --git a/poky/meta/recipes-support/vim/vim.inc b/poky/meta/recipes-support/vim/vim.inc index 6cdf157cb6..6c70bb7529 100644 --- a/poky/meta/recipes-support/vim/vim.inc +++ b/poky/meta/recipes-support/vim/vim.inc 
@@ -8,8 +8,9 @@ BUGTRACKER = "https://github.com/vim/vim/issues" DEPENDS = "ncurses gettext-native" # vimdiff doesn't like busybox diff RSUGGESTS:${PN} = "diffutils" + LICENSE = "vim" -LIC_FILES_CHKSUM = "file://runtime/doc/uganda.txt;endline=287;md5=a19edd7ec70d573a005d9e509375a99a" +LIC_FILES_CHKSUM = "file://runtime/doc/uganda.txt;endline=287;md5=909f1394892b7e0f9c2a95306c0c552b" SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://disable_acl_header_check.patch \ @@ -17,25 +18,14 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ file://racefix.patch \ - file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \ - file://CVE-2021-3778.patch \ - file://0002-patch-8.2.3428-using-freed-memory-when-replacing.patch \ - file://0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch \ - file://0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch \ - file://0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch \ - file://0001-patch-8.2.3581-reading-character-past-end-of-line.patch \ - file://0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch \ - file://0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch \ " -SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44" +PV .= ".4269" +SRCREV = "48a604845e33399893d6bf293e71bcd2a412800d" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" -# CVE-2021-3968 is related to an issue which was introduced after 8.2, this can be removed after 8.3. -CVE_CHECK_WHITELIST += "CVE-2021-3968" - S = "${WORKDIR}/git" VIMDIR = "vim${@d.getVar('PV').split('.')[0]}${@d.getVar('PV').split('.')[1]}" diff --git a/poky/scripts/yocto-check-layer b/poky/scripts/yocto-check-layer index 2445ad5e43..f3cf139d8a 100755 --- a/poky/scripts/yocto-check-layer +++ b/poky/scripts/yocto-check-layer 
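Review bot: In vim.inc the second hunk drops `CVE_CHECK_WHITELIST += "CVE-2021-3968"` and every backported CVE patch from SRC_URI, but nothing in the recipe records that this is only safe while the patch level in `PV .= ".4269"` matches what SRCREV actually checks out. The patch numbers in the removed file names (3402 through 3611) are all below 4269, so the fixes are presumably contained in the new revision. However, cve-check compares against PV by default, so a later SRCREV bump that leaves the suffix stale would make the CVE report wrong. I would add a comment above the assignment, for example `# Patch level of SRCREV; keep in sync, cve-check matches on PV and the dropped CVE backports rely on it`. The hunk also changes the LIC_FILES_CHKSUM md5, so it is worth confirming that the upstream license text change is described in the originating commit.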
@@ -41,6 +41,12 @@ def test_layer(td, layer, test_software_layer_signatures): tc.loadTests(CASES_PATHS) return tc.runTests() +def dump_layer_debug(layer): + logger.debug("Found layer %s (%s)" % (layer["name"], layer["path"])) + collections = layer.get("collections", {}) + if collections: + logger.debug("%s collections: %s" % (layer["name"], ", ".join(collections))) + def main(): parser = argparse.ArgumentParser( description="Yocto Project layer checking tool", @@ -106,6 +112,13 @@ def main(): else: dep_layers = layers + logger.debug("Found additional layers:") + for l in additional_layers: + dump_layer_debug(l) + logger.debug("Found dependency layers:") + for l in dep_layers: + dump_layer_debug(l) + logger.info("Detected layers:") for layer in layers: if layer['type'] == LayerType.ERROR_BSP_DISTRO: -- cgit v1.2.3
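Review bot: Both `logger.debug` calls in the new `dump_layer_debug` build their message eagerly with `%`, so the string and the `", ".join(collections)` are computed even when debug logging is off. Passing the arguments to the logger defers that work: `logger.debug("Found layer %s (%s)", layer["name"], layer["path"])` and `logger.debug("%s collections: %s", layer["name"], ", ".join(collections))`. The helper also has no docstring; a one-liner such as `"""Log the name, path and collections of one detected layer at debug level."""` would say what it is for. Whether the rest of the script uses the eager style is not visible from this hunk.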
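Review bot: The two added loops in `main()` use `l` as the loop variable, which is easy to misread as `1` or `I` and differs from the `for layer in layers:` loop in the context lines just below. Writing `for layer in additional_layers:` and `for layer in dep_layers:` keeps the naming consistent. The headers "Found additional layers:" and "Found dependency layers:" are also logged when the list is empty, which leaves a dangling heading in the debug output; guarding each with `if additional_layers:` or `if dep_layers:` would avoid that. The body of `main()` starts and ends outside this hunk.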