From 67107382f0ac2ad2ff42819a3d3189dc838a7ed5 Mon Sep 17 00:00:00 2001
From: Patrick Williams
Date: Thu, 27 May 2021 08:04:48 -0500
Subject: subtree updates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

meta-raspberrypi: b601818301..11209a4981:
  sss22213 (1):
        recipes-bsp: Add support for Raspberry Pi HD quality camera

poky: 05a8aad57c..fd33741e27:
  Alexander Kanavin (1):
        bitbake: fetch2/wget: when checking latest versions, consider all numerical directories

  Bastian Krause (1):
        ccache: add packageconfig docs option

  Michael Halstead (1):
        uninative: Upgrade to 3.2 (gcc11 support)

  Richard Purdie (19):
        bitbake: server/process: Handle error in heartbeat funciton in OOM case
        glibc: Document and whitelist CVE-2019-1010022-25
        qemu: Exclude CVE-2017-5957 from cve-check
        qemu: Exclude CVE-2007-0998 from cve-check
        qemu: Exclude CVE-2018-18438 from cve-check
        jquery: Exclude CVE-2007-2379 from cve-check
        logrotate: Exclude CVE-2011-1548,1549,1550 from cve-check
        openssh: Exclude CVE-2007-2768 from cve-check
        openssh: Exclude CVE-2008-3844 from cve-check
        unzip: Exclude CVE-2008-0888 from cve-check
        cpio: Exclude CVE-2010-4226 from cve-check
        ghostscript: Exclude CVE-2013-6629 from cve-check
        bluez: Exclude CVE-2020-12352 CVE-2020-24490 from cve-check
        tiff: Exclude CVE-2015-7313 from cve-check
        coreutils: Exclude CVE-2016-2781 from cve-check
        librsvg: Exclude CVE-2018-1000041 from cve-check
        avahi: Exclude CVE-2021-26720 from cve-check
        glibc: Add 8GB VM usage cap for usermode test suite
        sstate: Handle manifest 'corruption' issue

  Robert P. J. Day (2):
        image.bbclass: fix comment "pacackages" -> "packages"
        meta/lib/oe/rootfs.py: Fix typo "Restoreing" -> "Restoring"

  Ross Burton (3):
        libnotify: whitelist CVE-2013-7381 (specific to the NodeJS bindings)
        builder: whitelist CVE-2008-4178 (a different builder)
        cups: whitelist CVE-2021-25317

  Tony Tascioglu (3):
        libxml2: fix CVE-2021-3517
        libxml2: fix CVE-2021-3516
        libxml2: fix CVE-2021-3537

meta-openembedded: bbe3855ec7..cf5bd6a830:
  Andreas Müller (2):
        zsh: reduce priority slightly to avoid conflict with bash
        xfce4-settings: upgrade 4.16.0 -> 4.16.1

  Khem Raj (3):
        aom: Match the name for AOM-Patent-License-1.0
        libdevmapper,lvm2: Do not inherit license
        python3-jinja2_2.%.bbappend: Delete

  Saul Wold (2):
        tbb: Disable PPC as COMPATIBLE_MACHINE
        packagegroup-meta-oe: conditional remove tbb for powerpc

  Silcet (1):
        ufw: fix python shebang

  zangrc (3):
        fetchmail: upgrade 6.4.18 -> 6.4.19
        openvpn: upgrade 2.5.1 -> 2.5.2
        wireshark: upgrade 3.4.4 -> 3.4.5

Signed-off-by: Patrick Williams Change-Id: I84a4b5733ff5d04c39580402b64c5c649ac991a9 --- .../recipes-multimedia/aom/aom_3.0.0.bb | 2 +- .../ufw/fix-dynamic-update-of-python-shebang.patch | 57 ++++++++++++++ .../recipes-connectivity/ufw/ufw_0.33.bb | 1 + .../recipes-support/fetchmail/fetchmail_6.4.18.bb | 22 ------ .../recipes-support/fetchmail/fetchmail_6.4.19.bb | 22 ++++++ .../recipes-support/openvpn/openvpn_2.5.1.bb | 73 ------------------ .../recipes-support/openvpn/openvpn_2.5.2.bb | 73 ++++++++++++++++++ .../recipes-support/wireshark/wireshark_3.4.4.bb | 87 ---------------------- .../recipes-support/wireshark/wireshark_3.4.5.bb | 87 ++++++++++++++++++++++ .../packagegroups/packagegroup-meta-oe.bb | 2 +- .../meta-oe/recipes-shells/zsh/zsh_5.4.2.bb | 2 +- .../meta-oe/recipes-support/lvm2/lvm2.inc | 5 +- .../meta-oe/recipes-support/tbb/tbb_2021.2.0.bb | 3 + .../python/python3-jinja2_2.%.bbappend | 13 ---- .../xfce4-settings/xfce4-settings_4.16.0.bb | 30 -------- .../xfce4-settings/xfce4-settings_4.16.1.bb | 30 ++++++++ meta-raspberrypi/conf/machine/include/rpi-base.inc | 1 + .../recipes-bsp/bootfiles/rpi-cmdline.bb | 2 + .../recipes-bsp/bootfiles/rpi-config_git.bb | 8 +- poky/bitbake/lib/bb/fetch2/wget.py | 2 +- poky/bitbake/lib/bb/server/process.py | 7 +- poky/meta/classes/image.bbclass | 2 +- poky/meta/classes/sstate.bbclass | 16 +++- poky/meta/conf/distro/include/yocto-uninative.inc | 8 +- poky/meta/lib/oe/rootfs.py | 2 +- poky/meta/recipes-connectivity/avahi/avahi_0.8.bb | 3 + .../recipes-connectivity/bluez5/bluez5_5.56.bb | 3 + .../recipes-connectivity/openssh/openssh_8.5p1.bb | 6 ++ poky/meta/recipes-core/coreutils/coreutils_8.32.bb | 4 + .../recipes-core/glibc/glibc/check-test-wrapper | 9 +++ poky/meta/recipes-core/glibc/glibc_2.33.bb | 13 ++++ .../libxml/libxml2/CVE-2021-3516.patch | 36 +++++++++ .../libxml/libxml2/CVE-2021-3517.patch | 54 ++++++++++++++ .../libxml/libxml2/CVE-2021-3537.patch | 49 ++++++++++++ 
poky/meta/recipes-core/libxml/libxml2_2.9.10.bb | 3 + ...-make-build-of-documentation-optional-842.patch | 36 +++++++++ poky/meta/recipes-devtools/ccache/ccache_4.2.bb | 4 + poky/meta/recipes-devtools/jquery/jquery_3.6.0.bb | 5 ++ poky/meta/recipes-devtools/qemu/qemu.inc | 11 +++ poky/meta/recipes-extended/cpio/cpio_2.13.bb | 3 + poky/meta/recipes-extended/cups/cups.inc | 4 + .../ghostscript/ghostscript_9.53.3.bb | 4 + .../recipes-extended/logrotate/logrotate_3.18.0.bb | 3 + poky/meta/recipes-extended/unzip/unzip_6.0.bb | 3 + .../recipes-gnome/libnotify/libnotify_0.7.9.bb | 3 + poky/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb | 3 + poky/meta/recipes-graphics/builder/builder_0.1.bb | 2 + poky/meta/recipes-multimedia/libtiff/tiff_4.2.0.bb | 4 + 48 files changed, 581 insertions(+), 241 deletions(-) create mode 100644 meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/fix-dynamic-update-of-python-shebang.patch delete mode 100644 meta-openembedded/meta-networking/recipes-support/fetchmail/fetchmail_6.4.18.bb create mode 100644 meta-openembedded/meta-networking/recipes-support/fetchmail/fetchmail_6.4.19.bb delete mode 100644 meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.1.bb create mode 100644 meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb delete mode 100644 meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.4.bb create mode 100644 meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.5.bb delete mode 100644 meta-openembedded/meta-python/recipes-devtools/python/python3-jinja2_2.%.bbappend delete mode 100644 meta-openembedded/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.0.bb create mode 100644 meta-openembedded/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.1.bb create mode 100644 poky/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch create mode 100644 poky/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch create mode 100644 
poky/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch create mode 100644 poky/meta/recipes-devtools/ccache/ccache/0001-CMake-make-build-of-documentation-optional-842.patch diff --git a/meta-openembedded/meta-multimedia/recipes-multimedia/aom/aom_3.0.0.bb b/meta-openembedded/meta-multimedia/recipes-multimedia/aom/aom_3.0.0.bb index 7ea9b199bf..f5a42fb860 100644 --- a/meta-openembedded/meta-multimedia/recipes-multimedia/aom/aom_3.0.0.bb +++ b/meta-openembedded/meta-multimedia/recipes-multimedia/aom/aom_3.0.0.bb @@ -1,7 +1,7 @@ SUMMARY = "Alliance for Open Media - AV1 Codec Library" DESCRIPTION = "Alliance for Open Media AV1 codec library" -LICENSE = "BSD-2-Clause & AOM-Patent-1.0" +LICENSE = "BSD-2-Clause & AOM-Patent-License-1.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=6ea91368c1bbdf877159435572b931f5 \ file://PATENTS;md5=e69ad12202bd20da3c76a5d3648cfa83 \ " diff --git a/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/fix-dynamic-update-of-python-shebang.patch b/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/fix-dynamic-update-of-python-shebang.patch new file mode 100644 index 0000000000..0bb0315ccd --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw/fix-dynamic-update-of-python-shebang.patch 
@@ -0,0 +1,57 @@ +From b961a7fceb5654c283c3f987bee593d52abaf1f5 Mon Sep 17 00:00:00 2001 +From: Silcet +Date: Mon, 26 Apr 2021 07:47:02 +0000 +Subject: [PATCH] ufw: Fix dynamic update of python shebang + +[meta-openembedded ticket #327] -- https://github.com/openembedded/meta-openembedded/issues/327 + +The python version in the shebang at the begining of the ufw script +should be the same one as the version the setup.py script was called +with. + +The fix in patch "setup-only-make-one-reference-to-env.patch" +depends on sys.executable returning "/usr/bin/env pythonX". However, +it returns "/usr/bin/pythonX". Using sys.version_info we can get the +major version of the python used to called the script and append +that to the shebang line so it works as intended. + +Upstream-status: Pending + +Signed-off-by: Silcet +--- + setup.py | 21 ++++++--------------- + 1 file changed, 6 insertions(+), 15 deletions(-) + +diff --git a/setup.py b/setup.py +index ca730b7..941bbf6 100644 +--- a/setup.py ++++ b/setup.py +@@ -112,22 +112,13 @@ class Install(_install, object): + for f in [ script, manpage, manpage_f ]: + self.mkpath(os.path.dirname(f)) + +- # if sys.executable == /usr/bin/env python* the result will be the top +- # of ufw getting: +- # +- # #! /usr/bin/env /usr/bin/env python +- # +- # which is not ideal +- # + # update the interpreter to that of the one the user specified for setup +- print("Updating staging/ufw to use (%s)" % (sys.executable)) +- +- if re.search("(/usr/bin/env)", sys.executable): +- print("found 'env' in sys.executable (%s)" % (sys.executable)) +- subprocess.call(["sed", +- "-i.jjm", +- "1s%^#.*python.*%#! " + sys.executable + "%g", +- 'staging/ufw']) ++ python_major = sys.version_info.major ++ print("Updating staging/ufw to use (python%s)" % (python_major)) ++ subprocess.call(["sed", ++ "-i.jjm", ++ "1s%^#.*python.*%#! " + sys.executable + "%g", ++ 'staging/ufw']) + + self.copy_file('staging/ufw', script) + self.copy_file('doc/ufw.8', manpage) 
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb b/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb index 42fc262589..ee366aa665 100644 --- a/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb +++ b/meta-openembedded/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb @@ -16,6 +16,7 @@ SRC_URI = " \ file://0003-fix-typeerror-on-error.patch \ file://0004-lp1039729.patch \ file://0005-lp1191197.patch \ + file://fix-dynamic-update-of-python-shebang.patch \ " UPSTREAM_CHECK_URI = "https://launchpad.net/ufw" diff --git a/meta-openembedded/meta-networking/recipes-support/fetchmail/fetchmail_6.4.18.bb b/meta-openembedded/meta-networking/recipes-support/fetchmail/fetchmail_6.4.18.bb deleted file mode 100644 index 7254a4713a..0000000000 --- a/meta-openembedded/meta-networking/recipes-support/fetchmail/fetchmail_6.4.18.bb +++ /dev/null @@ -1,22 +0,0 @@ -SUMMARY = "Fetchmail retrieves mail from remote mail servers and forwards it via SMTP" -HOMEPAGE = "http://www.fetchmail.info/" -DESCRIPTION = "Fetchmail is a full-featured, robust, well-documented remote-mail retrieval \ -and forwarding utility intended to be used over on-demand TCP/IP links (such as SLIP or PPP \ -connections). It supports every remote-mail protocol now in use on the Internet: POP2, POP3, \ -RPOP, APOP, KPOP, all flavors of IMAP, ETRN, and ODMR. It can even support IPv6 and IPSEC." -SECTION = "mail" -LICENSE = "GPLv2 & MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=06a8d16599e1d0b131390bec01fb571c" - -DEPENDS = "openssl" - -SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz \ - " -SRC_URI[sha256sum] = "302dc9bcdc6927dedf375d2baaead2347557faa70d98b1da83f2409fa6fb259f" - -inherit autotools gettext python3-dir python3native - -EXTRA_OECONF = "--with-ssl=${STAGING_DIR_HOST}${prefix}" - -PACKAGES =+ "fetchmail-python" -FILES_fetchmail-python = "${libdir}/${PYTHON_DIR}/*" 
diff --git a/meta-openembedded/meta-networking/recipes-support/fetchmail/fetchmail_6.4.19.bb b/meta-openembedded/meta-networking/recipes-support/fetchmail/fetchmail_6.4.19.bb new file mode 100644 index 0000000000..aead5e9f0f --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/fetchmail/fetchmail_6.4.19.bb @@ -0,0 +1,22 @@ +SUMMARY = "Fetchmail retrieves mail from remote mail servers and forwards it via SMTP" +HOMEPAGE = "http://www.fetchmail.info/" +DESCRIPTION = "Fetchmail is a full-featured, robust, well-documented remote-mail retrieval \ +and forwarding utility intended to be used over on-demand TCP/IP links (such as SLIP or PPP \ +connections). It supports every remote-mail protocol now in use on the Internet: POP2, POP3, \ +RPOP, APOP, KPOP, all flavors of IMAP, ETRN, and ODMR. It can even support IPv6 and IPSEC." +SECTION = "mail" +LICENSE = "GPLv2 & MIT" +LIC_FILES_CHKSUM = "file://COPYING;md5=ad73c6bd421c137fbf18cf8b92474186" + +DEPENDS = "openssl" + +SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz \ + " +SRC_URI[sha256sum] = "cd8d11a3d103e50caa2ec64bcda6307eb3d0783a4d4dfd88e668b81aaf9d6b5f" + +inherit autotools gettext python3-dir python3native + +EXTRA_OECONF = "--with-ssl=${STAGING_DIR_HOST}${prefix}" + +PACKAGES =+ "fetchmail-python" +FILES_fetchmail-python = "${libdir}/${PYTHON_DIR}/*" diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.1.bb b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.1.bb deleted file mode 100644 index 6aa7b17be6..0000000000 --- a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.1.bb +++ /dev/null 
@@ -1,73 +0,0 @@ -SUMMARY = "A full-featured SSL VPN solution via tun device." -HOMEPAGE = "https://openvpn.net/" -SECTION = "net" -LICENSE = "GPLv2" -LIC_FILES_CHKSUM = "file://COPYING;md5=7aee596ed2deefe3e8a861e24292abba" -DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" - -inherit autotools systemd update-rc.d - -SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ - file://openvpn \ - file://openvpn@.service \ - file://openvpn-volatile.conf" - -UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" - -SRC_URI[md5sum] = "b1c279e89d97849d5fcde31d76812f04" -SRC_URI[sha256sum] = "e9582b8e9457994bd8d50012be82c23b2f465da51460c9b2360a81da0f4e06e6" - -SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service" -SYSTEMD_AUTO_ENABLE = "disable" - -INITSCRIPT_PACKAGES = "${PN}" -INITSCRIPT_NAME_${PN} = "openvpn" -INITSCRIPT_PARAMS_${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ." - -CFLAGS += "-fno-inline" - -# I want openvpn to be able to read password from file (hrw) -EXTRA_OECONF += "--enable-iproute2" -EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}" - -# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host. 
-EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip" - -do_install_append() { - install -d ${D}/${sysconfdir}/init.d - install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d - - install -d ${D}/${sysconfdir}/openvpn - install -d ${D}/${sysconfdir}/openvpn/sample - install -m 755 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf - install -m 755 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf - install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys - install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys - - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d ${D}/${systemd_unitdir}/system - install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system - install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system/openvpn@loopback-server.service - install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system/openvpn@loopback-client.service - - install -d ${D}/${localstatedir} - install -d ${D}/${localstatedir}/lib - install -d -m 710 ${D}/${localstatedir}/lib/openvpn - - install -d ${D}${sysconfdir}/tmpfiles.d - install -m 0644 ${WORKDIR}/openvpn-volatile.conf ${D}${sysconfdir}/tmpfiles.d/openvpn.conf - sed -i -e 's#@LOCALSTATEDIR@#${localstatedir}#g' ${D}${sysconfdir}/tmpfiles.d/openvpn.conf - fi -} - -PACKAGES =+ " ${PN}-sample " - -RRECOMMENDS_${PN} = "kernel-module-tun" - -FILES_${PN}-dbg += "${libdir}/openvpn/plugins/.debug" -FILES_${PN} += "${systemd_unitdir}/system/openvpn@.service \ - ${sysconfdir}/tmpfiles.d \ - " -FILES_${PN}-sample += "${systemd_unitdir}/system/openvpn@loopback-server.service \ - ${systemd_unitdir}/system/openvpn@loopback-client.service \ - ${sysconfdir}/openvpn/sample/" 
diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb new file mode 100644 index 0000000000..f82107dbee --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb 
@@ -0,0 +1,73 @@ +SUMMARY = "A full-featured SSL VPN solution via tun device." +HOMEPAGE = "https://openvpn.net/" +SECTION = "net" +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://COPYING;md5=7aee596ed2deefe3e8a861e24292abba" +DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" + +inherit autotools systemd update-rc.d + +SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ + file://openvpn \ + file://openvpn@.service \ + file://openvpn-volatile.conf" + +UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" + +SRC_URI[md5sum] = "7643f135b49aee49df7d83c1f434dc4e" +SRC_URI[sha256sum] = "b9d295988b34e39964ac475b619c3585d667b36c350cf1adec19e5e3c843ba11" + +SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service" +SYSTEMD_AUTO_ENABLE = "disable" + +INITSCRIPT_PACKAGES = "${PN}" +INITSCRIPT_NAME_${PN} = "openvpn" +INITSCRIPT_PARAMS_${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ." + +CFLAGS += "-fno-inline" + +# I want openvpn to be able to read password from file (hrw) +EXTRA_OECONF += "--enable-iproute2" +EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}" + +# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host. 
+EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip" + +do_install_append() { + install -d ${D}/${sysconfdir}/init.d + install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d + + install -d ${D}/${sysconfdir}/openvpn + install -d ${D}/${sysconfdir}/openvpn/sample + install -m 755 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf + install -m 755 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf + install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys + install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys + + if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then + install -d ${D}/${systemd_unitdir}/system + install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system + install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system/openvpn@loopback-server.service + install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system/openvpn@loopback-client.service + + install -d ${D}/${localstatedir} + install -d ${D}/${localstatedir}/lib + install -d -m 710 ${D}/${localstatedir}/lib/openvpn + + install -d ${D}${sysconfdir}/tmpfiles.d + install -m 0644 ${WORKDIR}/openvpn-volatile.conf ${D}${sysconfdir}/tmpfiles.d/openvpn.conf + sed -i -e 's#@LOCALSTATEDIR@#${localstatedir}#g' ${D}${sysconfdir}/tmpfiles.d/openvpn.conf + fi +} + +PACKAGES =+ " ${PN}-sample " + +RRECOMMENDS_${PN} = "kernel-module-tun" + +FILES_${PN}-dbg += "${libdir}/openvpn/plugins/.debug" +FILES_${PN} += "${systemd_unitdir}/system/openvpn@.service \ + ${sysconfdir}/tmpfiles.d \ + " +FILES_${PN}-sample += "${systemd_unitdir}/system/openvpn@loopback-server.service \ + ${systemd_unitdir}/system/openvpn@loopback-client.service \ + ${sysconfdir}/openvpn/sample/" 
diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.4.bb b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.4.bb deleted file mode 100644 index b75f41835b..0000000000 --- a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.4.bb +++ /dev/null 
@@ -1,87 +0,0 @@ -DESCRIPTION = "wireshark - a popular network protocol analyzer" -HOMEPAGE = "http://www.wireshark.org" -SECTION = "net" -LICENSE = "GPL-2.0" -LIC_FILES_CHKSUM = "file://COPYING;md5=6e271234ba1a13c6e512e76b94ac2f77" - -DEPENDS = "pcre expat glib-2.0 glib-2.0-native libgcrypt libgpg-error libxml2 bison-native c-ares" - -DEPENDS_append_class-target = " wireshark-native chrpath-replacement-native " - -SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz" - -SRC_URI += " \ - file://0001-wireshark-src-improve-reproducibility.patch \ - file://0002-flex-Remove-line-directives.patch \ - file://0003-bison-Remove-line-directives.patch \ - file://0004-lemon-Remove-line-directives.patch \ -" - -UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" - -SRC_URI[sha256sum] = "729cd11e9715c600e5ad74ca472bacf8af32c20902192d5f2b271268511d4d29" - -PE = "1" - -inherit cmake pkgconfig python3native perlnative upstream-version-is-even mime mime-xdg - -PACKAGECONFIG ?= "libpcap gnutls libnl libcap sbc" - -PACKAGECONFIG_class-native = "libpcap gnutls ssl libssh" - -PACKAGECONFIG[libcap] = "-DENABLE_CAP=ON,-DENABLE_CAP=OFF -DENABLE_PCAP_NG_DEFAULT=ON, libcap" -PACKAGECONFIG[libpcap] = "-DENABLE_PCAP=ON,-DENABLE_PCAP=OFF -DENABLE_PCAP_NG_DEFAULT=ON , libpcap" -PACKAGECONFIG[libsmi] = "-DENABLE_SMI=ON,-DENABLE_SMI=OFF,libsmi" -PACKAGECONFIG[libnl] = ",,libnl" -PACKAGECONFIG[portaudio] = "-DENABLE_PORTAUDIO=ON,-DENABLE_PORTAUDIO=OFF, portaudio-v19" -PACKAGECONFIG[gnutls] = "-DENABLE_GNUTLS=ON,-DENABLE_GNUTLS=OFF, gnutls" -PACKAGECONFIG[ssl] = ",,openssl" -PACKAGECONFIG[krb5] = "-DENABLE_KRB5=ON,-DENABLE_KRB5=OFF, krb5" -PACKAGECONFIG[lua] = "-DENABLE_LUA=ON,-DENABLE_LUA=OFF, lua" -PACKAGECONFIG[zlib] = "-DENABLE_ZLIB=ON,-DENABLE_ZLIB=OFF, zlib" -PACKAGECONFIG[geoip] = ",, geoip" -PACKAGECONFIG[plugins] = "-DENABLE_PLUGINS=ON,-DENABLE_PLUGINS=OFF" -PACKAGECONFIG[sbc] = "-DENABLE_SBC=ON,-DENABLE_SBC=OFF, sbc" -PACKAGECONFIG[libssh] = ",,libssh2" 
-PACKAGECONFIG[lz4] = "-DENABLE_LZ4=ON,-DENABLE_LZ4=OFF, lz4" - -# these next two options require addional layers -PACKAGECONFIG[c-ares] = "-DENABLE_CARES=ON,-DENABLE_CARES=OFF, c-ares" -PACKAGECONFIG[qt5] = "-DENABLE_QT5=ON -DBUILD_wireshark=ON, -DENABLE_QT5=OFF -DBUILD_wireshark=OFF, qttools-native qtmultimedia qtsvg" - -inherit ${@bb.utils.contains('PACKAGECONFIG', 'qt5', 'cmake_qt5', '', d)} - -EXTRA_OECMAKE += "-DENABLE_NETLINK=ON \ - -DBUILD_mmdbresolve=OFF \ - -DBUILD_randpktdump=OFF \ - -DBUILD_androiddump=OFF \ - -DBUILD_dcerpcidl2wrs=OFF \ - -DM_INCLUDE_DIR=${includedir} \ - -DM_LIBRARY=${libdir} \ - " -CFLAGS_append = " -lm" - -do_install_append_class-native() { - install -d ${D}${bindir} - for f in lemon - do - install -m 0755 ${B}/run/$f ${D}${bindir} - done -} - -do_install_append_class-target() { - for f in `find ${D}${libdir} ${D}${bindir} -type f -executable` - do - chrpath --delete $f - done -} - -PACKAGE_BEFORE_PN += "tshark" - -FILES_tshark = "${bindir}/tshark ${mandir}/man1/tshark.*" - -FILES_${PN} += "${datadir}*" - -RDEPENDS_tshark = "wireshark" - -BBCLASSEXTEND = "native" diff --git a/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.5.bb b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.5.bb new file mode 100644 index 0000000000..f440328027 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_3.4.5.bb 
@@ -0,0 +1,87 @@ +DESCRIPTION = "wireshark - a popular network protocol analyzer" +HOMEPAGE = "http://www.wireshark.org" +SECTION = "net" +LICENSE = "GPL-2.0" +LIC_FILES_CHKSUM = "file://COPYING;md5=6e271234ba1a13c6e512e76b94ac2f77" + +DEPENDS = "pcre expat glib-2.0 glib-2.0-native libgcrypt libgpg-error libxml2 bison-native c-ares" + +DEPENDS_append_class-target = " wireshark-native chrpath-replacement-native " + +SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz" + +SRC_URI += " \ + file://0001-wireshark-src-improve-reproducibility.patch \ + file://0002-flex-Remove-line-directives.patch \ + file://0003-bison-Remove-line-directives.patch \ + file://0004-lemon-Remove-line-directives.patch \ +" + +UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" + +SRC_URI[sha256sum] = "de1aafd100a1e1207c850d180e97dd91ab8da0f5eb6beec545f725cdb145d333" + +PE = "1" + +inherit cmake pkgconfig python3native perlnative upstream-version-is-even mime mime-xdg + +PACKAGECONFIG ?= "libpcap gnutls libnl libcap sbc" + +PACKAGECONFIG_class-native = "libpcap gnutls ssl libssh" + +PACKAGECONFIG[libcap] = "-DENABLE_CAP=ON,-DENABLE_CAP=OFF -DENABLE_PCAP_NG_DEFAULT=ON, libcap" +PACKAGECONFIG[libpcap] = "-DENABLE_PCAP=ON,-DENABLE_PCAP=OFF -DENABLE_PCAP_NG_DEFAULT=ON , libpcap" +PACKAGECONFIG[libsmi] = "-DENABLE_SMI=ON,-DENABLE_SMI=OFF,libsmi" +PACKAGECONFIG[libnl] = ",,libnl" +PACKAGECONFIG[portaudio] = "-DENABLE_PORTAUDIO=ON,-DENABLE_PORTAUDIO=OFF, portaudio-v19" +PACKAGECONFIG[gnutls] = "-DENABLE_GNUTLS=ON,-DENABLE_GNUTLS=OFF, gnutls" +PACKAGECONFIG[ssl] = ",,openssl" +PACKAGECONFIG[krb5] = "-DENABLE_KRB5=ON,-DENABLE_KRB5=OFF, krb5" +PACKAGECONFIG[lua] = "-DENABLE_LUA=ON,-DENABLE_LUA=OFF, lua" +PACKAGECONFIG[zlib] = "-DENABLE_ZLIB=ON,-DENABLE_ZLIB=OFF, zlib" +PACKAGECONFIG[geoip] = ",, geoip" +PACKAGECONFIG[plugins] = "-DENABLE_PLUGINS=ON,-DENABLE_PLUGINS=OFF" +PACKAGECONFIG[sbc] = "-DENABLE_SBC=ON,-DENABLE_SBC=OFF, sbc" +PACKAGECONFIG[libssh] = ",,libssh2" 
+PACKAGECONFIG[lz4] = "-DENABLE_LZ4=ON,-DENABLE_LZ4=OFF, lz4" + +# these next two options require addional layers +PACKAGECONFIG[c-ares] = "-DENABLE_CARES=ON,-DENABLE_CARES=OFF, c-ares" +PACKAGECONFIG[qt5] = "-DENABLE_QT5=ON -DBUILD_wireshark=ON, -DENABLE_QT5=OFF -DBUILD_wireshark=OFF, qttools-native qtmultimedia qtsvg" + +inherit ${@bb.utils.contains('PACKAGECONFIG', 'qt5', 'cmake_qt5', '', d)} + +EXTRA_OECMAKE += "-DENABLE_NETLINK=ON \ + -DBUILD_mmdbresolve=OFF \ + -DBUILD_randpktdump=OFF \ + -DBUILD_androiddump=OFF \ + -DBUILD_dcerpcidl2wrs=OFF \ + -DM_INCLUDE_DIR=${includedir} \ + -DM_LIBRARY=${libdir} \ + " +CFLAGS_append = " -lm" + +do_install_append_class-native() { + install -d ${D}${bindir} + for f in lemon + do + install -m 0755 ${B}/run/$f ${D}${bindir} + done +} + +do_install_append_class-target() { + for f in `find ${D}${libdir} ${D}${bindir} -type f -executable` + do + chrpath --delete $f + done +} + +PACKAGE_BEFORE_PN += "tshark" + +FILES_tshark = "${bindir}/tshark ${mandir}/man1/tshark.*" + +FILES_${PN} += "${datadir}*" + +RDEPENDS_tshark = "wireshark" + +BBCLASSEXTEND = "native" diff --git a/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb b/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb index 59908e2c0f..eb095a2374 100644 --- a/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb +++ b/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb 
@@ -921,7 +921,7 @@ RDEPENDS_packagegroup-meta-oe-support_remove_arm ="numactl" RDEPENDS_packagegroup-meta-oe-support_remove_mipsarch = "gperftools" RDEPENDS_packagegroup-meta-oe-support_remove_riscv64 = "gperftools uim" RDEPENDS_packagegroup-meta-oe-support_remove_riscv32 = "gperftools uim" -RDEPENDS_packagegroup-meta-oe-support_remove_powerpc = "ssiapi" +RDEPENDS_packagegroup-meta-oe-support_remove_powerpc = "ssiapi tbb" RDEPENDS_packagegroup-meta-oe-support_remove_powerpc64le = "ssiapi" RDEPENDS_packagegroup-meta-oe-test ="\ diff --git a/meta-openembedded/meta-oe/recipes-shells/zsh/zsh_5.4.2.bb b/meta-openembedded/meta-oe/recipes-shells/zsh/zsh_5.4.2.bb index 3aab65bf5b..aa372b70a3 100644 --- a/meta-openembedded/meta-oe/recipes-shells/zsh/zsh_5.4.2.bb +++ b/meta-openembedded/meta-oe/recipes-shells/zsh/zsh_5.4.2.bb @@ -38,7 +38,7 @@ EXTRA_OEMAKE = "-e MAKEFLAGS=" ALTERNATIVE_${PN} = "sh" ALTERNATIVE_LINK_NAME[sh] = "${base_bindir}/sh" ALTERNATIVE_TARGET[sh] = "${base_bindir}/${BPN}" -ALTERNATIVE_PRIORITY = "100" +ALTERNATIVE_PRIORITY = "90" export AUTOHEADER = "true" diff --git a/meta-openembedded/meta-oe/recipes-support/lvm2/lvm2.inc b/meta-openembedded/meta-oe/recipes-support/lvm2/lvm2.inc index 6618e21f3b..ccb4f7ac14 100644 --- a/meta-openembedded/meta-oe/recipes-support/lvm2/lvm2.inc +++ b/meta-openembedded/meta-oe/recipes-support/lvm2/lvm2.inc @@ -21,12 +21,11 @@ SRC_URI = "git://sourceware.org/git/lvm2.git;branch=main \ SRCREV = "3e8bd8d1bd70691f09a170785836aeb4f83154e6" S = "${WORKDIR}/git" -inherit autotools-brokensep pkgconfig systemd license +inherit autotools-brokensep pkgconfig systemd LVM2_PACKAGECONFIG = "dmeventd" LVM2_PACKAGECONFIG_append_class-target = " \ ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \ - ${@incompatible_license_contains('GPLv3', '', 'thin-provisioning-tools', d)} \ " # odirect is always enabled because there currently is a bug in 
@@ -39,6 +38,7 @@ PACKAGECONFIG[dmeventd] = "--enable-dmeventd,--disable-dmeventd" PACKAGECONFIG[odirect] = "--enable-o_direct,--disable-o_direct" PACKAGECONFIG[readline] = "--enable-readline,--disable-readline,readline" PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux" +# NOTE: Add thin-provisioning-tools only if your distro policy allows GPL-3.0 license PACKAGECONFIG[thin-provisioning-tools] = "--with-thin=internal,--with-thin=none,,thin-provisioning-tools" # Unset user/group to unbreak install. @@ -55,4 +55,3 @@ EXTRA_OECONF = "--with-user= \ --with-thin-repair=${sbindir}/thin_repair \ --with-thin-restore=${sbindir}/thin_restore \ " - diff --git a/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb b/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb index 7e57ebf555..771ddd49b8 100644 --- a/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb +++ b/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb @@ -45,3 +45,6 @@ LDFLAGS_append_mips = " -latomic" LDFLAGS_append_mipsel = " -latomic" LDFLAGS_append_libc-musl = " -lucontext" + +# The latest version of oneTBB does not support PPC +COMPATIBLE_MACHINE_powerpc = "(!.*ppc).*" diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-jinja2_2.%.bbappend b/meta-openembedded/meta-python/recipes-devtools/python/python3-jinja2_2.%.bbappend deleted file mode 100644 index 9fe358427a..0000000000 --- a/meta-openembedded/meta-python/recipes-devtools/python/python3-jinja2_2.%.bbappend +++ /dev/null @@ -1,13 +0,0 @@ -# Main recipe was moved to oe-core, but with ptest disabled -inherit ${@bb.utils.filter('DISTRO_FEATURES', 'ptest', d)} - -do_install_ptest() { - install -d ${D}${PTEST_PATH}/tests - cp -rf ${S}/tests/* ${D}${PTEST_PATH}/tests/ -} - -RDEPENDS_${PN}-ptest += " \ - ${PYTHON_PN}-pytest \ - ${PYTHON_PN}-toml \ - ${PYTHON_PN}-unixadmin \ -" 
diff --git a/meta-openembedded/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.0.bb b/meta-openembedded/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.0.bb deleted file mode 100644 index 47de8c571e..0000000000 --- a/meta-openembedded/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.0.bb +++ /dev/null @@ -1,30 +0,0 @@ -SUMMARY = "Xfce4 settings" -SECTION = "x11/wm" -LICENSE = "GPLv2" -LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" -DEPENDS = "exo garcon libxi virtual/libx11 xrandr libxcursor libxklavier upower" - -inherit xfce features_check mime-xdg - -REQUIRED_DISTRO_FEATURES = "x11" - -SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch" -SRC_URI[sha256sum] = "67a1404fc754c675c6431e22a8fe0e5d79644fdfadbfe25a4523d68e1442ddc2" - -EXTRA_OECONF += "--enable-maintainer-mode --disable-debug" - -PACKAGECONFIG ??= " \ - ${@bb.utils.contains('DISTRO_FEATURES','alsa','sound-setter', bb.utils.contains('DISTRO_FEATURES','pulseaudio','sound-setter','',d),d)} \ -" -PACKAGECONFIG[notify] = "--enable-libnotify,--disable-libnotify,libnotify" -PACKAGECONFIG[sound-setter] = "--enable-sound-settings, --disable-sound-settings, libcanberra, libcanberra-gtk2 sound-theme-freedesktop" - -FILES_${PN} += " \ - ${libdir}/xfce4 \ - ${datadir}/xfce4 \ -" - -RRECOMMENDS_${PN} += "adwaita-icon-theme" -RRECOMMENDS_${PN} += "${@bb.utils.contains('DISTRO_FEATURES','alsa','libcanberra-alsa','',d)}" -RRECOMMENDS_${PN} += "${@bb.utils.contains('DISTRO_FEATURES','pulseaudio','libcanberra-pulse','',d)}" -RRECOMMENDS_${PN} += "${@bb.utils.contains('DISTRO_FEATURES','systemd','xfce4-datetime-setter','',d)}" diff --git a/meta-openembedded/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.1.bb b/meta-openembedded/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.1.bb new file mode 100644 index 0000000000..ccd55723ab --- /dev/null +++ b/meta-openembedded/meta-xfce/recipes-xfce/xfce4-settings/xfce4-settings_4.16.1.bb 
@@ -0,0 +1,30 @@ +SUMMARY = "Xfce4 settings" +SECTION = "x11/wm" +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" +DEPENDS = "exo garcon libxi virtual/libx11 xrandr libxcursor libxklavier upower" + +inherit xfce features_check mime-xdg + +REQUIRED_DISTRO_FEATURES = "x11" + +SRC_URI += "file://0001-xsettings.xml-Set-default-themes.patch" +SRC_URI[sha256sum] = "bb28e1be7aa34d0edb1cfbaacc509a4267db56828b36cd6be312a202973635c6" + +EXTRA_OECONF += "--enable-maintainer-mode --disable-debug" + +PACKAGECONFIG ??= " \ + ${@bb.utils.contains('DISTRO_FEATURES','alsa','sound-setter', bb.utils.contains('DISTRO_FEATURES','pulseaudio','sound-setter','',d),d)} \ +" +PACKAGECONFIG[notify] = "--enable-libnotify,--disable-libnotify,libnotify" +PACKAGECONFIG[sound-setter] = "--enable-sound-settings, --disable-sound-settings, libcanberra, libcanberra-gtk2 sound-theme-freedesktop" + +FILES_${PN} += " \ + ${libdir}/xfce4 \ + ${datadir}/xfce4 \ +" + +RRECOMMENDS_${PN} += "adwaita-icon-theme" +RRECOMMENDS_${PN} += "${@bb.utils.contains('DISTRO_FEATURES','alsa','libcanberra-alsa','',d)}" +RRECOMMENDS_${PN} += "${@bb.utils.contains('DISTRO_FEATURES','pulseaudio','libcanberra-pulse','',d)}" +RRECOMMENDS_${PN} += "${@bb.utils.contains('DISTRO_FEATURES','systemd','xfce4-datetime-setter','',d)}" diff --git a/meta-raspberrypi/conf/machine/include/rpi-base.inc b/meta-raspberrypi/conf/machine/include/rpi-base.inc index 77cada7436..a800078473 100644 --- a/meta-raspberrypi/conf/machine/include/rpi-base.inc +++ b/meta-raspberrypi/conf/machine/include/rpi-base.inc @@ -31,6 +31,7 @@ RPI_KERNEL_DEVICETREE_OVERLAYS ?= " \ overlays/justboom-digi.dtbo \ overlays/i2c-rtc.dtbo \ overlays/imx219.dtbo \ + overlays/imx477.dtbo \ overlays/iqaudio-dac.dtbo \ overlays/iqaudio-dacplus.dtbo \ overlays/mcp2515-can0.dtbo \ 
diff --git a/meta-raspberrypi/recipes-bsp/bootfiles/rpi-cmdline.bb b/meta-raspberrypi/recipes-bsp/bootfiles/rpi-cmdline.bb index 40a9949a14..3ebd1e61c2 100644 --- a/meta-raspberrypi/recipes-bsp/bootfiles/rpi-cmdline.bb +++ b/meta-raspberrypi/recipes-bsp/bootfiles/rpi-cmdline.bb @@ -13,6 +13,8 @@ CMDLINE_SERIAL ?= "${@oe.utils.conditional("ENABLE_UART", "1", "console=serial0, CMDLINE_CMA ?= "${@oe.utils.conditional("RASPBERRYPI_CAMERA_V2", "1", "cma=64M", "", d)}" +CMDLINE_CMA ?= "${@oe.utils.conditional("RASPBERRYPI_HD_CAMERA", "1", "cma=64M", "", d)}" + CMDLINE_PITFT ?= "${@bb.utils.contains("MACHINE_FEATURES", "pitft", "fbcon=map:10 fbcon=font:VGA8x8", "", d)}" # Add the kernel debugger over console kernel command line option if enabled diff --git a/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb b/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb index c4b441182b..052206acfa 100644 --- a/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb +++ b/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb @@ -189,10 +189,16 @@ do_deploy() { # Choose Camera Sensor to be used, default imx219 sensor if [ "${RASPBERRYPI_CAMERA_V2}" = "1" ]; then - echo "# Enable Sony RaspberryPi Camera" >> $CONFIG + echo "# Enable Sony RaspberryPi Camera(imx219)" >> $CONFIG echo "dtoverlay=imx219" >> $CONFIG fi + # Choose Camera Sensor to be used, default imx477 sensor + #if [ "${RASPBERRYPI_HD_CAMERA}" = "1" ]; then + # echo "# Enable Sony RaspberryPi Camera(imx477)" >> $CONFIG + # echo "dtoverlay=imx477" >> $CONFIG + #fi + # Waveshare "C" 1024x600 7" Rev2.1 IPS capacitive touch (http://www.waveshare.com/7inch-HDMI-LCD-C.htm) if [ "${WAVESHARE_1024X600_C_2_1}" = "1" ]; then echo "# Waveshare \"C\" 1024x600 7\" Rev2.1 IPS capacitive touch screen" >> $CONFIG diff --git a/poky/bitbake/lib/bb/fetch2/wget.py b/poky/bitbake/lib/bb/fetch2/wget.py index 6d82f3af07..784df70c9f 100644 --- a/poky/bitbake/lib/bb/fetch2/wget.py +++ b/poky/bitbake/lib/bb/fetch2/wget.py 
@@ -472,7 +472,7 @@ class Wget(FetchMethod): version_dir = ['', '', ''] version = ['', '', ''] - dirver_regex = re.compile(r"(?P\D*)(?P(\d+[\.\-_])+(\d+))") + dirver_regex = re.compile(r"(?P\D*)(?P(\d+[\.\-_])*(\d+))") s = dirver_regex.search(dirver) if s: version_dir[1] = s.group('ver') diff --git a/poky/bitbake/lib/bb/server/process.py b/poky/bitbake/lib/bb/server/process.py index 3e99bcef8f..155e8d131f 100644 --- a/poky/bitbake/lib/bb/server/process.py +++ b/poky/bitbake/lib/bb/server/process.py @@ -367,7 +367,12 @@ class ProcessServer(): self.next_heartbeat = now + self.heartbeat_seconds if hasattr(self.cooker, "data"): heartbeat = bb.event.HeartbeatEvent(now) - bb.event.fire(heartbeat, self.cooker.data) + try: + bb.event.fire(heartbeat, self.cooker.data) + except Exception as exc: + if not isinstance(exc, bb.BBHandledException): + logger.exception('Running heartbeat function') + self.quit = True if nextsleep and now + nextsleep > self.next_heartbeat: # Shorten timeout so that we we wake up in time for # the heartbeat. diff --git a/poky/meta/classes/image.bbclass b/poky/meta/classes/image.bbclass index 353cc67175..67603d958d 100644 --- a/poky/meta/classes/image.bbclass +++ b/poky/meta/classes/image.bbclass @@ -38,7 +38,7 @@ IMAGE_FEATURES[validitems] += "debug-tweaks read-only-rootfs read-only-rootfs-de # Generate companion debugfs? IMAGE_GEN_DEBUGFS ?= "0" -# These pacackages will be installed as additional into debug rootfs +# These packages will be installed as additional into debug rootfs IMAGE_INSTALL_DEBUGFS ?= "" # These packages will be removed from a read-only rootfs after all other diff --git a/poky/meta/classes/sstate.bbclass b/poky/meta/classes/sstate.bbclass index 8e8efd18d5..79588df2cd 100644 --- a/poky/meta/classes/sstate.bbclass +++ b/poky/meta/classes/sstate.bbclass 
@@ -319,6 +319,8 @@ def sstate_install(ss, d): if os.path.exists(i): with open(i, "r") as f: manifests = f.readlines() + # We append new entries, we don't remove older entries which may have the same + # manifest name but different versions from stamp/workdir. See below. if filedata not in manifests: with open(i, "a+") as f: f.write(filedata) @@ -1183,11 +1185,21 @@ python sstate_eventhandler_reachablestamps() { i = d.expand("${SSTATE_MANIFESTS}/index-" + a) if not os.path.exists(i): continue + manseen = set() + ignore = [] with open(i, "r") as f: lines = f.readlines() - for l in lines: + for l in reversed(lines): try: (stamp, manifest, workdir) = l.split() + # The index may have multiple entries for the same manifest as the code above only appends + # new entries and there may be an entry with matching manifest but differing version in stamp/workdir. + # The last entry in the list is the valid one, any earlier entries with matching manifests + # should be ignored. + if manifest in manseen: + ignore.append(l) + continue + manseen.add(manifest) if stamp not in stamps and stamp not in preservestamps and stamp in machineindex: toremove.append(l) if stamp not in seen: @@ -1218,6 +1230,8 @@ python sstate_eventhandler_reachablestamps() { with open(i, "w") as f: for l in lines: + if l in ignore: + continue f.write(l) machineindex |= set(stamps) with open(mi, "w") as f: diff --git a/poky/meta/conf/distro/include/yocto-uninative.inc b/poky/meta/conf/distro/include/yocto-uninative.inc index 05b79d14c3..740cca0ecf 100644 --- a/poky/meta/conf/distro/include/yocto-uninative.inc +++ b/poky/meta/conf/distro/include/yocto-uninative.inc 
@@ -8,7 +8,7 @@ UNINATIVE_MAXGLIBCVERSION = "2.33" -UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.1/" -UNINATIVE_CHECKSUM[aarch64] ?= "7fa12b9fe7a95934cc09beb0e8a25ff97179ef3105116015d32548eadd27b024" -UNINATIVE_CHECKSUM[i686] ?= "bbfcdd48336800b5af97e294918c6586a0a8fa903f127f813b0bd5110de8c55c" -UNINATIVE_CHECKSUM[x86_64] ?= "5d0611df544edff6428cef7d871257a91aa6ba1bd92f5365a2df8deb54b6b31e" +UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.2/" +UNINATIVE_CHECKSUM[aarch64] ?= "4f0872cdca2775b637a8a99815ca5c8dd42146abe903a24a50ee0448358c764b" +UNINATIVE_CHECKSUM[i686] ?= "e2eeab92e67263db37d9bb6d4c58579abd1f47ff4cded3171bde572fece124b2" +UNINATIVE_CHECKSUM[x86_64] ?= "3ee8c7d55e2d4c7ae3887cddb97219f97b94efddfeee2e24923c0cb0e8ce84c6" diff --git a/poky/meta/lib/oe/rootfs.py b/poky/meta/lib/oe/rootfs.py index d634adda4e..16493577e3 100644 --- a/poky/meta/lib/oe/rootfs.py +++ b/poky/meta/lib/oe/rootfs.py @@ -167,7 +167,7 @@ class Rootfs(object, metaclass=ABCMeta): pass os.rename(self.image_rootfs, self.image_rootfs + '-dbg') - bb.note(" Restoreing original rootfs...") + bb.note(" Restoring original rootfs...") os.rename(self.image_rootfs + '-orig', self.image_rootfs) def _exec_shell_cmd(self, cmd): diff --git a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb index c8a3f876aa..23c0e8d823 100644 --- a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -30,6 +30,9 @@ UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/" SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7" SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda" +# Issue only affects Debian/SUSE, not us +CVE_CHECK_WHITELIST += "CVE-2021-26720" + DEPENDS = "expat libcap libdaemon glib-2.0 intltool-native" # For gtk related PACKAGECONFIGs: gtk, gtk3 
diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5_5.56.bb b/poky/meta/recipes-connectivity/bluez5/bluez5_5.56.bb index 676cb2dbb2..ae0f72b678 100644 --- a/poky/meta/recipes-connectivity/bluez5/bluez5_5.56.bb +++ b/poky/meta/recipes-connectivity/bluez5/bluez5_5.56.bb @@ -3,6 +3,9 @@ require bluez5.inc SRC_URI[md5sum] = "e6c51b2aefa7c56ff072819a78611fa5" SRC_URI[sha256sum] = "59c4dba9fc8aae2a6a5f8f12f19bc1b0c2dc27355c7ca3123eed3fe6bd7d0b9d" +# These issues have kernel fixes rather than bluez fixes so exclude here +CVE_CHECK_WHITELIST += "CVE-2020-12352 CVE-2020-24490" + # noinst programs in Makefile.tools that are conditional on READLINE # support NOINST_TOOLS_READLINE ?= " \ diff --git a/poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb b/poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb index 6a49cf71cc..c6de519884 100644 --- a/poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb +++ b/poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb @@ -27,10 +27,16 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar " SRC_URI[sha256sum] = "f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25" +# This CVE is specific to OpenSSH with the pam opie which we don't build/use here +CVE_CHECK_WHITELIST += "CVE-2007-2768" + # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded CVE_CHECK_WHITELIST += "CVE-2014-9278" +# CVE only applies to some distributed RHEL binaries +CVE_CHECK_WHITELIST += "CVE-2008-3844" + PAM_SRC_URI = "file://sshd" inherit manpages useradd update-rc.d update-alternatives systemd diff --git a/poky/meta/recipes-core/coreutils/coreutils_8.32.bb b/poky/meta/recipes-core/coreutils/coreutils_8.32.bb index c1962ccb90..f3fe31fd3b 100644 --- a/poky/meta/recipes-core/coreutils/coreutils_8.32.bb +++ b/poky/meta/recipes-core/coreutils/coreutils_8.32.bb 
@@ -26,6 +26,10 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \ SRC_URI[md5sum] = "022042695b7d5bcf1a93559a9735e668" SRC_URI[sha256sum] = "4458d8de7849df44ccab15e16b1548b285224dbba5f08fac070c1c0e0bcc4cfa" +# http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842 +# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue. +CVE_CHECK_WHITELIST += "CVE-2016-2781" + EXTRA_OECONF_class-native = "--without-gmp" EXTRA_OECONF_class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}" EXTRA_OECONF_class-nativesdk = "--enable-install-program=arch,hostname" diff --git a/poky/meta/recipes-core/glibc/glibc/check-test-wrapper b/poky/meta/recipes-core/glibc/glibc/check-test-wrapper index f8e04e02d2..6ec9b9b29e 100644 --- a/poky/meta/recipes-core/glibc/glibc/check-test-wrapper +++ b/poky/meta/recipes-core/glibc/glibc/check-test-wrapper @@ -2,6 +2,7 @@ import sys import os import subprocess +import resource env = os.environ.copy() args = sys.argv[1:] @@ -44,6 +45,14 @@ if targettype == "user": qemuargs += ["-L", sysroot] qemuargs += ["-E", "LD_LIBRARY_PATH={}".format(":".join(libpaths))] command = qemuargs + args + + # We've seen qemu-arm using up all system memory for some glibc + # tests e.g. nptl/tst-pthread-timedlock-lockloop + # Cap at 8GB since no test should need more than that + # (5GB adds 7 failures for qemuarm glibc test run) + limit = 8*1024*1024*1024 + resource.setrlimit(resource.RLIMIT_AS, (limit, limit)) + elif targettype == "ssh": host = os.environ.get("SSH_HOST", None) user = os.environ.get("SSH_HOST_USER", None) diff --git a/poky/meta/recipes-core/glibc/glibc_2.33.bb b/poky/meta/recipes-core/glibc/glibc_2.33.bb index 5e0baa53e8..75a1f36d6b 100644 --- a/poky/meta/recipes-core/glibc/glibc_2.33.bb +++ b/poky/meta/recipes-core/glibc/glibc_2.33.bb 
@@ -3,6 +3,19 @@ require glibc-version.inc CVE_CHECK_WHITELIST += "CVE-2020-10029" +# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022 +# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023 +# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024 +# Upstream glibc maintainers dispute there is any issue and have no plans to address it further. +# "this is being treated as a non-security bug and no real threat." +CVE_CHECK_WHITELIST += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024" + +# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025 +# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow +# easier access for another. "ASLR bypass itself is not a vulnerability." +# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853 +CVE_CHECK_WHITELIST += "CVE-2019-1010025" + DEPENDS += "gperf-native bison-native make-native" NATIVESDKFIXES ?= "" diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch new file mode 100644 index 0000000000..287a171924 --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch 
@@ -0,0 +1,36 @@ +From b76718876953e11bbd73dc6c9457323fd5aeda2e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 21 Apr 2021 13:23:27 +0200 +Subject: [PATCH 2/3] Fix use-after-free with `xmllint --html --push` + +Call htmlCtxtUseOptions to make sure that names aren't stored in +dictionaries. + +Note that this issue only affects xmllint using the HTML push parser. + +Fixes #230. + +CVE: CVE-2021-3516 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539] + +Signed-off-by: Tony Tascioglu +--- + xmllint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmllint.c b/xmllint.c +index c0712674..ba66676b 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -2204,7 +2204,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) { + if (res > 0) { + ctxt = htmlCreatePushParserCtxt(NULL, NULL, + chars, res, filename, XML_CHAR_ENCODING_NONE); +- xmlCtxtUseOptions(ctxt, options); ++ htmlCtxtUseOptions(ctxt, options); + while ((res = fread(chars, 1, pushsize, f)) > 0) { + htmlParseChunk(ctxt, chars, res, 0); + } +-- +2.25.1 + diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch new file mode 100644 index 0000000000..b6204f655a --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch 
@@ -0,0 +1,54 @@ +From df3de1376585f7a273d70023f92a530395957324 Mon Sep 17 00:00:00 2001 +From: Joel Hockey +Date: Sun, 16 Aug 2020 17:19:35 -0700 +Subject: [PATCH 1/3] Validate UTF8 in xmlEncodeEntities + +Code is currently assuming UTF-8 without validating. Truncated UTF-8 +input can cause out-of-bounds array access. + +Adds further checks to partial fix in 50f06b3e. + +Fixes #178 + +CVE: CVE-2021-3517 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2] + +Signed-off-by: Tony Tascioglu +--- + entities.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/entities.c b/entities.c +index d575e9d1..7cdbc4de 100644 +--- a/entities.c ++++ b/entities.c +@@ -666,11 +666,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) { + } else { + /* + * We assume we have UTF-8 input. ++ * It must match either: ++ * 110xxxxx 10xxxxxx ++ * 1110xxxx 10xxxxxx 10xxxxxx ++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx ++ * That is: ++ * cur[0] is 11xxxxxx ++ * cur[1] is 10xxxxxx ++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx ++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx ++ * cur[0] is not 11111xxx + */ + char buf[11], *ptr; + int val = 0, l = 1; + +- if (*cur < 0xC0) { ++ if (((cur[0] & 0xC0) != 0xC0) || ++ ((cur[1] & 0xC0) != 0x80) || ++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) || ++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) || ++ (((cur[0] & 0xF8) == 0xF8))) { + xmlEntitiesErr(XML_CHECK_NOT_UTF8, + "xmlEncodeEntities: input not UTF-8"); + if (doc != NULL) +-- +2.25.1 + diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch new file mode 100644 index 0000000000..defbe7867b --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch 
@@ -0,0 +1,49 @@ +From 5ae9c39401f679648301efa6d2d35e09cc376462 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 1 May 2021 16:53:33 +0200 +Subject: [PATCH 3/3] Propagate error in xmlParseElementChildrenContentDeclPriv + +Check return value of recursive calls to +xmlParseElementChildrenContentDeclPriv and return immediately in case +of errors. Otherwise, struct xmlElementContent could contain unexpected +null pointers, leading to a null deref when post-validating documents +which aren't well-formed and parsed in recovery mode. + +Fixes #243. + +CVE: CVE-2021-3537 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61] + +Signed-off-by: Tony Tascioglu +--- + parser.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/parser.c b/parser.c +index a34bb6cd..bbcff39f 100644 +--- a/parser.c ++++ b/parser.c +@@ -6195,6 +6195,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, + SKIP_BLANKS; + cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, + depth + 1); ++ if (cur == NULL) ++ return(NULL); + SKIP_BLANKS; + GROW; + } else { +@@ -6328,6 +6330,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, + SKIP_BLANKS; + last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, + depth + 1); ++ if (last == NULL) { ++ if (ret != NULL) ++ xmlFreeDocElementContent(ctxt->myDoc, ret); ++ return(NULL); ++ } + SKIP_BLANKS; + } else { + elem = xmlParseName(ctxt); +-- +2.25.1 + diff --git a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb index 07ae68610c..b850164285 100644 --- a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb 
@@ -24,6 +24,9 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ file://CVE-2019-20388.patch \ file://CVE-2020-24977.patch \ file://fix-python39.patch \ + file://CVE-2021-3517.patch \ + file://CVE-2021-3516.patch \ + file://CVE-2021-3537.patch \ " SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5" diff --git a/poky/meta/recipes-devtools/ccache/ccache/0001-CMake-make-build-of-documentation-optional-842.patch b/poky/meta/recipes-devtools/ccache/ccache/0001-CMake-make-build-of-documentation-optional-842.patch new file mode 100644 index 0000000000..9f6bb1780b --- /dev/null +++ b/poky/meta/recipes-devtools/ccache/ccache/0001-CMake-make-build-of-documentation-optional-842.patch @@ -0,0 +1,36 @@ +From 857d74f2c5fff79589e9b35cd405bf8ffffafb54 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C5=A0tetiar?= +Date: Mon, 3 May 2021 18:44:53 +0200 +Subject: [PATCH] CMake: make build of documentation optional (#842) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +So we don't need to support corner cases as for example one fixed in +commit f6202db308e3 ("doc/MANUAL.adoc: Don't use non-ASCII quotes +(#761)") when the documentation is actually not needed at all as ccache +is used as a build tool only. + +Signed-off-by: Petr Štetiar +Upstream-Status: Backport [b96ca763c453a602b5516b4b9ca5e2829528e318] +Signed-off-by: Peter Kjellerstedt +--- + CMakeLists.txt | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 40e21a57..151cc5f7 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -131,7 +131,10 @@ target_link_libraries(ccache PRIVATE standard_settings standard_warnings ccache_ + # + # Documentation + # +-add_subdirectory(doc) ++option(ENABLE_DOCUMENTATION "Enable documentation" ON) ++if(ENABLE_DOCUMENTATION) ++ add_subdirectory(doc) ++endif() + + # + # Installation 
diff --git a/poky/meta/recipes-devtools/ccache/ccache_4.2.bb b/poky/meta/recipes-devtools/ccache/ccache_4.2.bb index 9957bc7e65..b76bf043f0 100644 --- a/poky/meta/recipes-devtools/ccache/ccache_4.2.bb +++ b/poky/meta/recipes-devtools/ccache/ccache_4.2.bb @@ -12,10 +12,14 @@ LIC_FILES_CHKSUM = "file://LICENSE.adoc;md5=28afb89f649f309e7ac1aab554564637" DEPENDS = "zstd" SRC_URI = "https://github.com/ccache/ccache/releases/download/v${PV}/${BP}.tar.gz" +SRC_URI += "file://0001-CMake-make-build-of-documentation-optional-842.patch" + SRC_URI[sha256sum] = "dbf139ff32031b54cb47f2d7983269f328df14b5a427882f89f7721e5c411b7e" UPSTREAM_CHECK_URI = "https://github.com/ccache/ccache/releases/" +PACKAGECONFIG[docs] = "-DENABLE_DOCUMENTATION=ON,-DENABLE_DOCUMENTATION=OFF,asciidoc" + inherit cmake PATCHTOOL = "patch" diff --git a/poky/meta/recipes-devtools/jquery/jquery_3.6.0.bb b/poky/meta/recipes-devtools/jquery/jquery_3.6.0.bb index 65905966c1..03792730fd 100644 --- a/poky/meta/recipes-devtools/jquery/jquery_3.6.0.bb +++ b/poky/meta/recipes-devtools/jquery/jquery_3.6.0.bb @@ -19,6 +19,11 @@ SRC_URI[map.sha256sum] = "399548fb0e7b146c12f5ba18099a47d594a970fee96212eee0ab48 UPSTREAM_CHECK_REGEX = "jquery-(?P\d+(\.\d+)+)\.js" +# https://github.com/jquery/jquery/issues/3927 +# There are ways jquery can expose security issues but any issues are in the apps exposing them +# and there is little we can directly do +CVE_CHECK_WHITELIST += "CVE-2007-2379" + inherit allarch do_install() { diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc index 8b8cecd7a0..fbda0c9174 100644 --- a/poky/meta/recipes-devtools/qemu/qemu.inc +++ b/poky/meta/recipes-devtools/qemu/qemu.inc 
@@ -65,6 +65,17 @@ SRC_URI[sha256sum] = "cb18d889b628fbe637672b0326789d9b0e3b8027e0445b936537c78549 SRC_URI_append_class-target = " file://cross.patch" SRC_URI_append_class-nativesdk = " file://cross.patch" +# Applies against virglrender < 0.6.0 and not qemu itself +CVE_CHECK_WHITELIST += "CVE-2017-5957" + +# The VNC server can expose host files uder some circumstances. We don't +# enable it by default. +CVE_CHECK_WHITELIST += "CVE-2007-0998" + +# 'The issues identified by this CVE were determined to not constitute a vulnerability.' +# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 +CVE_CHECK_WHITELIST += "CVE-2018-18438" + COMPATIBLE_HOST_mipsarchn32 = "null" COMPATIBLE_HOST_mipsarchn64 = "null" diff --git a/poky/meta/recipes-extended/cpio/cpio_2.13.bb b/poky/meta/recipes-extended/cpio/cpio_2.13.bb index 94d86100c7..f4df826ed9 100644 --- a/poky/meta/recipes-extended/cpio/cpio_2.13.bb +++ b/poky/meta/recipes-extended/cpio/cpio_2.13.bb @@ -16,6 +16,9 @@ SRC_URI[sha256sum] = "e87470d9c984317f658567c03bfefb6b0c829ff17dbf6b0de48d71a4c8 inherit autotools gettext texinfo +# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us +CVE_CHECK_WHITELIST += "CVE-2010-4226" + EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}" do_install () { diff --git a/poky/meta/recipes-extended/cups/cups.inc b/poky/meta/recipes-extended/cups/cups.inc index 244c87001f..beee614828 100644 --- a/poky/meta/recipes-extended/cups/cups.inc +++ b/poky/meta/recipes-extended/cups/cups.inc @@ -127,3 +127,7 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess" cups_sysroot_preprocess () { sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:' } + +# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is +# root:root, so this doesn't apply. +CVE_CHECK_WHITELIST += "CVE-2021-25317" \ No newline at end of file 
diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb b/poky/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb index cbf60c8c85..35826c2549 100644 --- a/poky/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb +++ b/poky/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb @@ -19,6 +19,10 @@ DEPENDS_class-native = "libpng-native" UPSTREAM_CHECK_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases" UPSTREAM_CHECK_REGEX = "(?P\d+(\.\d+)+)\.tar" +# As of ghostscript 9.54.0 the jpeg issue in the CVE is present in the gs jpeg sources +# however we use an external jpeg which doesn't have the issue. +CVE_CHECK_WHITELIST += "CVE-2013-6629" + def gs_verdir(v): return "".join(v.split(".")) diff --git a/poky/meta/recipes-extended/logrotate/logrotate_3.18.0.bb b/poky/meta/recipes-extended/logrotate/logrotate_3.18.0.bb index 55684ac9fb..c2115e7142 100644 --- a/poky/meta/recipes-extended/logrotate/logrotate_3.18.0.bb +++ b/poky/meta/recipes-extended/logrotate/logrotate_3.18.0.bb @@ -21,6 +21,9 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz SRC_URI[sha256sum] = "841f81bf09d0014e4a2e11af166bb33fcd8429cc0c2d4a7d3d9ceb3858cfccc5" +# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used +CVE_CHECK_WHITELIST += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550" + PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}" PACKAGECONFIG[acl] = ",,acl" diff --git a/poky/meta/recipes-extended/unzip/unzip_6.0.bb b/poky/meta/recipes-extended/unzip/unzip_6.0.bb index 0c56a39d92..af5530ab38 100644 --- a/poky/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/poky/meta/recipes-extended/unzip/unzip_6.0.bb 
@@ -32,6 +32,9 @@ UPSTREAM_VERSION_UNKNOWN = "1" SRC_URI[md5sum] = "62b490407489521db863b523a7f86375" SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37" +# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source +CVE_CHECK_WHITELIST += "CVE-2008-0888" + # exclude version 5.5.2 which triggers a false positive UPSTREAM_CHECK_REGEX = "unzip(?P(?!552).+)\.tgz" diff --git a/poky/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb b/poky/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb index 1ff4b2e15f..bbbd72193e 100644 --- a/poky/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb +++ b/poky/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb @@ -30,3 +30,6 @@ PROVIDES += "libnotify3" RPROVIDES_${PN} += "libnotify3" RCONFLICTS_${PN} += "libnotify3" RREPLACES_${PN} += "libnotify3" + +# -7381 is specific to the NodeJS bindings +CVE_CHECK_WHITELIST += "CVE-2013-7381" diff --git a/poky/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb b/poky/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb index acdbc1f1b3..59de80a691 100644 --- a/poky/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb +++ b/poky/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb @@ -25,6 +25,9 @@ SRC_URI += "file://gtk-option.patch \ SRC_URI[archive.sha256sum] = "f7628905f1cada84e87e2b14883ed57d8094dca3281d5bcb24ece4279e9a92ba" +# Issue only on windows +CVE_CHECK_WHITELIST += "CVE-2018-1000041" + CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders" PACKAGECONFIG ??= "gdkpixbuf" diff --git a/poky/meta/recipes-graphics/builder/builder_0.1.bb b/poky/meta/recipes-graphics/builder/builder_0.1.bb index 0a64c31ab3..9d5cd8cde6 100644 --- a/poky/meta/recipes-graphics/builder/builder_0.1.bb +++ b/poky/meta/recipes-graphics/builder/builder_0.1.bb 
@@ -29,3 +29,5 @@ do_install () { chown builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh } +# -4178 is an unrelated 'builder' +CVE_CHECK_WHITELIST = "CVE-2008-4178" diff --git a/poky/meta/recipes-multimedia/libtiff/tiff_4.2.0.bb b/poky/meta/recipes-multimedia/libtiff/tiff_4.2.0.bb index ea8580a25e..6ca01af2fa 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff_4.2.0.bb +++ b/poky/meta/recipes-multimedia/libtiff/tiff_4.2.0.bb @@ -15,6 +15,10 @@ SRC_URI[sha256sum] = "eb0484e568ead8fa23b513e9b0041df7e327f4ee2d22db5a533929dfc1 # exclude betas UPSTREAM_CHECK_REGEX = "tiff-(?P\d+(\.\d+)+).tar" +# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 +# and 4.3.0 doesn't have the issue +CVE_CHECK_WHITELIST += "CVE-2015-7313" + inherit autotools multilib_header CACHED_CONFIGUREVARS = "ax_cv_check_gl_libgl=no" -- cgit v1.2.3
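Review bot: In tbb_2021.2.0.bb the added `COMPATIBLE_MACHINE_powerpc = "(!.*ppc).*"` reads like a negated match, but `!` is a literal character in a Python regular expression, so the pattern only matches a machine name that begins with `!`. The outcome under the powerpc override (nothing matches) agrees with the comment, but the pattern hides that. Either write the negative lookahead that was presumably meant, `(?!...)`, or use the explicit `"null"` value that the qemu.inc context lines in this same patch use for COMPATIBLE_HOST.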
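Review bot: In rpi-cmdline.bb the new `CMDLINE_CMA ?= ... "RASPBERRYPI_HD_CAMERA" ...` line never takes effect, because the `CMDLINE_CMA ?= ... "RASPBERRYPI_CAMERA_V2" ...` line directly above it has already defined the variable and `?=` only assigns when the variable is unset. With only RASPBERRYPI_HD_CAMERA = "1" the kernel command line will not get cma=64M. Fold both conditions into a single assignment that yields cma=64M when either variable is "1".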
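Review bot: In rpi-config_git.bb, do_deploy(), the imx477 block is added entirely commented out, so setting RASPBERRYPI_HD_CAMERA = "1" writes no `dtoverlay=imx477` to config.txt even though this patch adds the overlay to RPI_KERNEL_DEVICETREE_OVERLAYS and a CMA setting for the same variable. Either enable the block or drop it and document that the overlay must be added by hand. The copied comment "default imx477 sensor" also contradicts the imx219 block above it, which says imx219 is the default.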
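Review bot: In bb/fetch2/wget.py, changing `(\d+[\.\-_])+(\d+)` to `(\d+[\.\-_])*(\d+)` in dirver_regex means any directory name containing a single run of digits now produces a 'ver' match, where two separated numeric components were required before. That is the stated intent for purely numerical directories, but it also changes the result for names that merely contain a digit. Please add fetcher test cases covering a plain numeric directory and a name with an incidental digit so the new behaviour is pinned down.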
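Review bot: In bb/server/process.py the new handler logs `logger.exception('Running heartbeat function')`, which does not say that the heartbeat handler failed or that the server is about to stop because `self.quit = True` is set. Someone reading the log after an out-of-memory event will see a traceback under a neutral message followed by a shutdown. Word the message as a failure and state that the server is exiting as a result.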
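Review bot: In sstate.bbclass, sstate_eventhandler_reachablestamps(), `ignore` is built as a list and then tested with `if l in ignore` for every line when the index is rewritten, which is quadratic in the size of the index file. `manseen` is already a set; make `ignore` a set as well (`ignore.add(l)`). The filter also compares whole lines, so it depends on sstate_install() never writing the same line twice; a short comment saying so next to the `if filedata not in manifests` check would make that dependency visible.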
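Review bot: In yocto-uninative.inc the updated UNINATIVE_URL still uses plain `http://`. The three UNINATIVE_CHECKSUM values pin the tarballs, so a modified download would be rejected, but the checksum is then the only control on a binary that ends up running on the build host. Since the line is being changed anyway, switch it to https if the download host serves it.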
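Review bot: In glibc/check-test-wrapper the added `resource.setrlimit(resource.RLIMIT_AS, (limit, limit))` raises ValueError when the wrapper is already running under a hard RLIMIT_AS below 8GB, because an unprivileged process cannot raise its hard limit. That would turn every usermode test into a wrapper failure on such a host. Read the current limits with resource.getrlimit() first and only lower them, leaving the hard limit alone when it is already smaller than the cap.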
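Review bot: In glibc_2.33.bb the comment for CVE-2019-1010025 says the issue "Allows for ASLR bypass so can bypass some hardening" and points at a "Potential patch", yet the CVE is whitelisted without saying why that patch is not carried. Unlike the three disputed entries above it, this one is acknowledged to weaken a mitigation, so the comment should record the reason for excluding it rather than fixing it (for example that the patch is not accepted upstream), so that the next person auditing cve-check output does not have to rediscover it.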
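Review bot: In qemu.inc the CVE-2007-0998 exclusion is justified by "We don't enable it by default", but the whitelist entry is unconditional, so a build that does turn the VNC server on loses the cve-check report as well. Either make the exclusion depend on the VNC feature being off or say in the comment that builds enabling VNC must re-evaluate this CVE. There is also a typo in the same comment: "uder" should be "under".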
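Review bot: In cups.inc the added `CVE_CHECK_WHITELIST += "CVE-2021-25317"` is the last line of the file and the diff shows "\ No newline at end of file". Add the trailing newline so that later appends to this include do not produce a noisy diff or run into the final line.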
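Review bot: In builder_0.1.bb the new line uses `CVE_CHECK_WHITELIST = "CVE-2008-4178"` with a plain `=`, while every other recipe touched by this patch uses `+=`. A plain assignment replaces whatever the variable already held for this recipe instead of adding to it. Change it to `+=` for consistency with the rest of the series.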
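Review bot: In tiff_4.2.0.bb the justification for excluding CVE-2015-7313 says "4.3.0 doesn't have the issue", but the recipe being changed is 4.2.0. As written, the comment does not establish that the version actually built here was tested. Please state the result for 4.2.0, or correct the version number in the comment if 4.2.0 is what was checked.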