* [hardknott] [PATCH 01/10] libxml2: Fix CVE-2021-3518
From: Richard Purdie @ 2021-05-29 16:06 UTC
  To: openembedded-core; +Cc: Tony Tascioglu

From: Tony Tascioglu <tony.tascioglu@windriver.com>

This patch fixes CVE-2021-3518. The fix for the CVE is the
following 3 lines in 1098c30a:

   -                   (cur->children->type != XML_ENTITY_DECL) &&
   -                   (cur->children->type != XML_XINCLUDE_START) &&
   -                   (cur->children->type != XML_XINCLUDE_END)) {
   +                   ((cur->type == XML_DOCUMENT_NODE) ||
   +                    (cur->type == XML_ELEMENT_NODE))) {

This relies on an updated version of xinclude.c from upstream which
also adds several new tests. Those changes are brought in first so
that the CVE patch can be applied cleanly.

The first patch updates xinclude.c and adds the new tests from
upstream, and the second applies the fix for the CVE.

CVE: CVE-2021-3518
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7]

Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../libxml/libxml2/CVE-2021-3518-0001.patch   | 216 ++++++++++++++++++
 .../libxml/libxml2/CVE-2021-3518-0002.patch   |  45 ++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |   2 +
 3 files changed, 263 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch
new file mode 100644
index 00000000000..3d4d3a0237e
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0001.patch
@@ -0,0 +1,216 @@
+From 0f9817c75b50a77c6aeb8f36801966fdadad229a Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 10 Jun 2020 16:34:52 +0200
+Subject: [PATCH 1/2] Don't recurse into xi:include children in
+ xmlXIncludeDoProcess
+
+Otherwise, nested xi:include nodes might result in a use-after-free
+if XML_PARSE_NOXINCNODE is specified.
+
+Found with libFuzzer and ASan.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/0f9817c75b50a77c6aeb8f36801966fdadad229a]
+CVE: CVE-2021-3518
+
+This patch brings in the necessary files to allow the 2nd patch that fixes the CVE to be applied.
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ result/XInclude/fallback3.xml     |  8 ++++++++
+ result/XInclude/fallback3.xml.err |  0
+ result/XInclude/fallback3.xml.rdr | 25 +++++++++++++++++++++++++
+ result/XInclude/fallback4.xml     | 10 ++++++++++
+ result/XInclude/fallback4.xml.err |  0
+ result/XInclude/fallback4.xml.rdr | 29 +++++++++++++++++++++++++++++
+ test/XInclude/docs/fallback3.xml  |  9 +++++++++
+ test/XInclude/docs/fallback4.xml  |  7 +++++++
+ xinclude.c                        | 24 ++++++++++--------------
+ 9 files changed, 98 insertions(+), 14 deletions(-)
+ create mode 100644 result/XInclude/fallback3.xml
+ create mode 100644 result/XInclude/fallback3.xml.err
+ create mode 100644 result/XInclude/fallback3.xml.rdr
+ create mode 100644 result/XInclude/fallback4.xml
+ create mode 100644 result/XInclude/fallback4.xml.err
+ create mode 100644 result/XInclude/fallback4.xml.rdr
+ create mode 100644 test/XInclude/docs/fallback3.xml
+ create mode 100644 test/XInclude/docs/fallback4.xml
+
+diff --git a/result/XInclude/fallback3.xml b/result/XInclude/fallback3.xml
+new file mode 100644
+index 0000000..b423551
+--- /dev/null
++++ b/result/XInclude/fallback3.xml
+@@ -0,0 +1,8 @@
++<?xml version="1.0"?>
++<a>
++    <doc xml:base="../ents/something.xml">
++<p>something</p>
++<p>really</p>
++<p>simple</p>
++</doc>
++</a>
+diff --git a/result/XInclude/fallback3.xml.err b/result/XInclude/fallback3.xml.err
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/XInclude/fallback3.xml.rdr b/result/XInclude/fallback3.xml.rdr
+new file mode 100644
+index 0000000..aa2f137
+--- /dev/null
++++ b/result/XInclude/fallback3.xml.rdr
+@@ -0,0 +1,25 @@
++0 1 a 0 0
++1 14 #text 0 1 
++    
++1 1 doc 0 0
++2 14 #text 0 1 
++
++2 1 p 0 0
++3 3 #text 0 1 something
++2 15 p 0 0
++2 14 #text 0 1 
++
++2 1 p 0 0
++3 3 #text 0 1 really
++2 15 p 0 0
++2 14 #text 0 1 
++
++2 1 p 0 0
++3 3 #text 0 1 simple
++2 15 p 0 0
++2 14 #text 0 1 
++
++1 15 doc 0 0
++1 14 #text 0 1 
++
++0 15 a 0 0
+diff --git a/result/XInclude/fallback4.xml b/result/XInclude/fallback4.xml
+new file mode 100644
+index 0000000..9883fd5
+--- /dev/null
++++ b/result/XInclude/fallback4.xml
+@@ -0,0 +1,10 @@
++<?xml version="1.0"?>
++<a>
++    
++            <doc xml:base="../ents/something.xml">
++<p>something</p>
++<p>really</p>
++<p>simple</p>
++</doc>
++        
++</a>
+diff --git a/result/XInclude/fallback4.xml.err b/result/XInclude/fallback4.xml.err
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/XInclude/fallback4.xml.rdr b/result/XInclude/fallback4.xml.rdr
+new file mode 100644
+index 0000000..628b951
+--- /dev/null
++++ b/result/XInclude/fallback4.xml.rdr
+@@ -0,0 +1,29 @@
++0 1 a 0 0
++1 14 #text 0 1 
++    
++1 14 #text 0 1 
++            
++1 1 doc 0 0
++2 14 #text 0 1 
++
++2 1 p 0 0
++3 3 #text 0 1 something
++2 15 p 0 0
++2 14 #text 0 1 
++
++2 1 p 0 0
++3 3 #text 0 1 really
++2 15 p 0 0
++2 14 #text 0 1 
++
++2 1 p 0 0
++3 3 #text 0 1 simple
++2 15 p 0 0
++2 14 #text 0 1 
++
++1 15 doc 0 0
++1 14 #text 0 1 
++        
++1 14 #text 0 1 
++
++0 15 a 0 0
+diff --git a/test/XInclude/docs/fallback3.xml b/test/XInclude/docs/fallback3.xml
+new file mode 100644
+index 0000000..0c8b6c9
+--- /dev/null
++++ b/test/XInclude/docs/fallback3.xml
+@@ -0,0 +1,9 @@
++<a>
++    <xi:include href="../ents/something.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
++        <xi:fallback>
++            <xi:include href="c.xml">
++                <xi:fallback>There is no c.xml ... </xi:fallback>
++            </xi:include>
++        </xi:fallback>
++    </xi:include>
++</a>
+diff --git a/test/XInclude/docs/fallback4.xml b/test/XInclude/docs/fallback4.xml
+new file mode 100644
+index 0000000..b500a63
+--- /dev/null
++++ b/test/XInclude/docs/fallback4.xml
+@@ -0,0 +1,7 @@
++<a>
++    <xi:include href="c.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
++        <xi:fallback>
++            <xi:include href="../ents/something.xml"/>
++        </xi:fallback>
++    </xi:include>
++</a>
+diff --git a/xinclude.c b/xinclude.c
+index 001e992..6ec5d31 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2382,21 +2382,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+      * First phase: lookup the elements in the document
+      */
+     cur = tree;
+-    if (xmlXIncludeTestNode(ctxt, cur) == 1)
+-	xmlXIncludePreProcessNode(ctxt, cur);
+     while ((cur != NULL) && (cur != tree->parent)) {
+ 	/* TODO: need to work on entities -> stack */
+-	if ((cur->children != NULL) &&
+-	    (cur->children->type != XML_ENTITY_DECL) &&
+-	    (cur->children->type != XML_XINCLUDE_START) &&
+-	    (cur->children->type != XML_XINCLUDE_END)) {
+-	    cur = cur->children;
+-	    if (xmlXIncludeTestNode(ctxt, cur))
+-		xmlXIncludePreProcessNode(ctxt, cur);
+-	} else if (cur->next != NULL) {
++        if (xmlXIncludeTestNode(ctxt, cur) == 1) {
++            xmlXIncludePreProcessNode(ctxt, cur);
++        } else if ((cur->children != NULL) &&
++                   (cur->children->type != XML_ENTITY_DECL) &&
++                   (cur->children->type != XML_XINCLUDE_START) &&
++                   (cur->children->type != XML_XINCLUDE_END)) {
++            cur = cur->children;
++            continue;
++        }
++	if (cur->next != NULL) {
+ 	    cur = cur->next;
+-	    if (xmlXIncludeTestNode(ctxt, cur))
+-		xmlXIncludePreProcessNode(ctxt, cur);
+ 	} else {
+ 	    if (cur == tree)
+ 	        break;
+@@ -2406,8 +2404,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ 		    break; /* do */
+ 		if (cur->next != NULL) {
+ 		    cur = cur->next;
+-		    if (xmlXIncludeTestNode(ctxt, cur))
+-			xmlXIncludePreProcessNode(ctxt, cur);
+ 		    break; /* do */
+ 		}
+ 	    } while (cur != NULL);
+-- 
+2.23.0
+
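
Review bot: the new fallback3.xml and fallback4.xml documents both include ../ents/something.xml, but this patch adds only the test/XInclude/docs and result/XInclude files, so the expected `<doc xml:base="../ents/something.xml">` output depends on test/XInclude/ents/something.xml already being present in the 2.9.10 tarball. That should be confirmed before these results are trusted: if the file were missing, fallback3.xml would silently take its fallback chain down to "There is no c.xml ..." and the result file would no longer match, and fallback4.xml would fail outright. Stating in the header that the ents/ file is expected from the base tarball would make the backport self-describing.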
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch
new file mode 100644
index 00000000000..de5fc0e8cbe
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518-0002.patch
@@ -0,0 +1,45 @@
+From 1098c30a040e72a4654968547f415be4e4c40fe7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7]
+CVE: CVE-2021-3518
+
+[OP: adjusted context]
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index 6ec5d31..b8eebcc 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2387,9 +2387,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+         if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+             xmlXIncludePreProcessNode(ctxt, cur);
+         } else if ((cur->children != NULL) &&
+-                   (cur->children->type != XML_ENTITY_DECL) &&
+-                   (cur->children->type != XML_XINCLUDE_START) &&
+-                   (cur->children->type != XML_XINCLUDE_END)) {
++                   ((cur->type == XML_DOCUMENT_NODE) ||
++                    (cur->type == XML_ELEMENT_NODE))) {
+             cur = cur->children;
+             continue;
+         }
+-- 
+2.23.0
+
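
Review bot: no regression test accompanies the actual CVE fix. 0001 adds fallback3/fallback4 for the nested-include case, but nothing exercises the `xmllint --xinclude --dropdtd` path named in the Subject, so this hunk, with its "[OP: adjusted context]" rebase onto 2.9.10, is verified only by compiling. A quick manual run against a document carrying a DTD and an entity reference, with and without --dropdtd under ASan, would confirm that the allow list `(cur->type == XML_DOCUMENT_NODE) || (cur->type == XML_ELEMENT_NODE)` really keeps the walk out of entity reference children on this branch. Note also that the hunk still relies on the `xmlXIncludeTestNode(ctxt, cur) == 1` branch above it (introduced by 0001) to keep xi:include children out of the walk, so the two patches must stay in this order. The "user-after-free" typo in the Subject is inherited from upstream.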
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index b850164285a..a9bff74b553 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -26,6 +26,8 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
            file://fix-python39.patch \
            file://CVE-2021-3517.patch \
            file://CVE-2021-3516.patch \
+           file://CVE-2021-3518-0001.patch \
+           file://CVE-2021-3518-0002.patch \
            file://CVE-2021-3537.patch \
            "
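
Review bot: both files are named CVE-2021-3518-*.patch and both carry a `CVE:` tag, so cve-check marks CVE-2021-3518 as patched as soon as either one is in SRC_URI; if 0002 were ever dropped during a later rebase the report would still show the CVE as fixed. Either give the prerequisite a non-CVE name (e.g. one derived from its upstream subject, "Don't recurse into xi:include children") and drop its CVE tag, or keep the pair adjacent as here and make sure the header sentence saying 0001 is only a prerequisite survives future edits.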
 
-- 
2.30.2
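
The two test documents that the first backported patch adds exercise the include-inside-fallback chain that the traversal change is about. As an added example, not code from this series or from libxml2, the Python below models an XInclude processor on top of xml.etree: it replaces each xi:include, takes the xi:fallback when the resource is missing, and, like the patched xmlXIncludeDoProcess, never walks into an xi:include's own children. Run on the patch's fallback3.xml and fallback4.xml it reproduces the result files in the patch. The contents of ../ents/something.xml, the in-memory resource table and the nesting limit are assumptions of the model.

```python
import xml.etree.ElementTree as ET

XI_INCLUDE = "{http://www.w3.org/2001/XInclude}include"
XI_FALLBACK = "{http://www.w3.org/2001/XInclude}fallback"
XML_BASE = "{http://www.w3.org/XML/1998/namespace}base"
MAX_DEPTH = 6  # limit for include-inside-fallback chains (assumption)

# Constructed stand-in for test/XInclude/ents/something.xml, which the patch
# references but does not add; "c.xml" is deliberately absent so the
# xi:include pointing at it must take its xi:fallback.
RESOURCES = {"../ents/something.xml":
             "<doc>\n<p>something</p>\n<p>really</p>\n<p>simple</p>\n</doc>"}

# The two test documents added by the patch, verbatim.
FALLBACK3 = """<a>
    <xi:include href="../ents/something.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
        <xi:fallback>
            <xi:include href="c.xml">
                <xi:fallback>There is no c.xml ... </xi:fallback>
            </xi:include>
        </xi:fallback>
    </xi:include>
</a>"""
FALLBACK4 = """<a>
    <xi:include href="c.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
        <xi:fallback>
            <xi:include href="../ents/something.xml"/>
        </xi:fallback>
    </xi:include>
</a>"""
# Expected output from result/XInclude/fallback3.xml and fallback4.xml in the
# patch, minus the XML declaration (ElementTree does not emit one).
EXPECTED_FALLBACK3 = ('<a>\n    <doc xml:base="../ents/something.xml">\n'
                      '<p>something</p>\n<p>really</p>\n<p>simple</p>\n</doc>\n</a>')
EXPECTED_FALLBACK4 = ('<a>\n    \n            <doc xml:base="../ents/something.xml">\n'
                      '<p>something</p>\n<p>really</p>\n<p>simple</p>\n</doc>\n        \n</a>')

class XIncludeError(Exception):
    pass

def load(href, depth):
    """Parse a resource into a node list, or return None when it is missing."""
    text = RESOURCES.get(href)
    if text is None:
        return None
    root = ET.fromstring(text)
    root.set(XML_BASE, href)  # libxml2 records the origin as xml:base
    process(root, depth)      # an included document may itself include
    return [root]

def splice(parent, index, text, nodes, tail):
    """Replace parent[index] with text followed by nodes; re-attach the old tail."""
    if text:
        if index == 0:
            parent.text = (parent.text or "") + text
        else:
            parent[index - 1].tail = (parent[index - 1].tail or "") + text
    del parent[index]
    for offset, node in enumerate(nodes):
        parent.insert(index + offset, node)
    if nodes:
        nodes[-1].tail = (nodes[-1].tail or "") + (tail or "")
    elif index == 0:
        parent.text = (parent.text or "") + (tail or "")
    else:
        parent[index - 1].tail = (parent[index - 1].tail or "") + (tail or "")
    return len(nodes)

def expand_include(inc, depth):
    """Return (leading_text, nodes) that replace one xi:include element."""
    if depth >= MAX_DEPTH:
        raise XIncludeError("xi:include nested too deeply")
    href = inc.get("href")
    nodes = load(href, depth + 1)
    if nodes is not None:
        return "", nodes
    fallbacks = [c for c in inc if c.tag == XI_FALLBACK]
    if len(fallbacks) != 1:
        raise XIncludeError("cannot load %r and no single xi:fallback" % href)
    process(fallbacks[0], depth + 1)  # fallback4.xml: xi:include inside the fallback
    return fallbacks[0].text or "", list(fallbacks[0])

def process(elem, depth=0):
    """Walk elem's children; an xi:include is replaced and its own subtree is
    never walked (the point of "Don't recurse into xi:include children")."""
    i = 0
    while i < len(elem):
        child = elem[i]
        if child.tag == XI_INCLUDE:
            text, nodes = expand_include(child, depth)
            i += splice(elem, i, text, nodes, child.tail)
        else:
            process(child, depth)
            i += 1

def xinclude(xml_text):
    """Process every xi:include; return the serialised document or None on failure."""
    root = ET.fromstring(xml_text)
    try:
        process(root)
    except XIncludeError:
        return None
    return ET.tostring(root, encoding="unicode")
```

The index arithmetic in process() is the part that matters for the CVE: after an xi:include is spliced out, the loop advances past the inserted nodes instead of stepping into the element it just replaced, so nothing ever dereferences the discarded xi:include subtree. Whitespace is carried along exactly as libxml2 does it, which is why the fallback4.xml output has the blank lines the result file shows.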



* [hardknott] [PATCH 02/10] libxml2: Fix CVE-2021-3541
From: Richard Purdie @ 2021-05-29 16:06 UTC
  To: openembedded-core; +Cc: Tony Tascioglu

From: Tony Tascioglu <tony.tascioglu@windriver.com>

Upstream commit:
This is related to parameter entities expansion and following
the line of the billion laugh attack. Somehow in that path the
counting of parameters was missed and the normal algorithm based
on entities "density" was useless.

CVE: CVE-2021-3541
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e]

Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../libxml/libxml2/CVE-2021-3541.patch        | 73 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb    |  1 +
 2 files changed, 74 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
new file mode 100644
index 00000000000..3b86278ac4d
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
@@ -0,0 +1,73 @@
+From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: [PATCH] Patch for security issue CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+
+CVE: CVE-2021-3541
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e]
+
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index f5e5e169..c9312fa4 100644
+--- a/parser.c
++++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+                      xmlEntityPtr ent, size_t replacement)
+ {
+     size_t consumed = 0;
++    int i;
+ 
+     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+         return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ 	    rep = NULL;
+ 	}
+     }
++
++    /*
++     * Prevent entity exponential check, not just replacement while
++     * parsing the DTD
++     * The check is potentially costly so do that only once in a thousand
++     */
++    if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++        (ctxt->nbentities % 1024 == 0)) {
++	for (i = 0;i < ctxt->inputNr;i++) {
++	    consumed += ctxt->inputTab[i]->consumed +
++	               (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++	}
++	if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++	    xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++	    ctxt->instate = XML_PARSER_EOF;
++	    return (1);
++	}
++	consumed = 0;
++    }
++
++
++
+     if (replacement != 0) {
+ 	if (replacement < XML_MAX_TEXT_LENGTH)
+ 	    return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+             xmlChar start[4];
+             xmlCharEncoding enc;
+ 
++	    if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++	        return;
++
+ 	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ 	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ 		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+-- 
+2.25.1
+
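
Review bot: the comment in the new block says the check runs "once in a thousand" but the condition is `ctxt->nbentities % 1024 == 0`, and the whole check is skipped until nbentities exceeds 10000, so a DTD that stays under that count is never sampled by this code at all; the recipe header should say that this is upstream's chosen cost/coverage trade-off rather than a tunable. The placement of the new `xmlParserEntityCheck(ctxt, 0, entity, 0)` call ahead of the external-parameter-entity branch in xmlParsePEReference is what closes the gap described in the message. Minor: the three consecutive blank `+` lines before `if (replacement != 0)` are stray whitespace carried over from upstream, and the embedded message has "relapted" for "related"; harmless, but worth cleaning if the patch is ever re-rolled.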
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index a9bff74b553..ce4f9a33408 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
            file://CVE-2021-3518-0001.patch \
            file://CVE-2021-3518-0002.patch \
            file://CVE-2021-3537.patch \
+           file://CVE-2021-3541.patch \
            "
 
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
-- 
2.30.2
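
The upstream description above says the "density" check was simply never reached on the parameter-entity path. As an added example, not libxml2's code, the Python below models that check: a toy expander counts entity references against the bytes of real input it has consumed and aborts when the ratio exceeds XML_PARSER_NON_LINEAR, with a switch that reproduces the pre-patch gap of skipping the check for %pe; references. The lowered threshold, checking on every reference rather than sampling, the toy DTD syntax (parameter-entity references inside entity values, which real XML permits only in an external subset) and the constructed bomb are assumptions of the model.

```python
import re

XML_PARSER_NON_LINEAR = 10   # the ratio libxml2 uses in the patch above
# libxml2 starts checking only once nbentities > 10000 (and then samples every
# 1024th reference); this model checks every reference above a lower threshold
# so the demonstration stays small. Both choices here are assumptions.
ENTITY_CHECK_THRESHOLD = 500

ENTITY_DECL = re.compile(r'<!ENTITY\s+(%\s+)?(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'([&%])(\w+);')


class EntityLoopError(Exception):
    """Stands in for XML_ERR_ENTITY_LOOP: expansion is non-linear in the input."""


class Expander:
    """Toy entity expander: general (&x;) and parameter (%x;) entities only,
    no real XML parsing, references allowed anywhere in entity values."""

    def __init__(self, dtd, check_parameter_entities=True):
        self.entities = {(m.group(1) is not None, m.group(2)): m.group(3)
                         for m in ENTITY_DECL.finditer(dtd)}
        self.consumed = len(dtd)   # bytes of real input the parser has read
        self.nbentities = 0        # entity references expanded so far
        self.check_pe = check_parameter_entities

    def entity_check(self):
        # Same density test as xmlParserEntityCheck: more references than
        # NON_LINEAR times the input actually consumed means an expansion bomb.
        if (self.nbentities > ENTITY_CHECK_THRESHOLD and
                self.nbentities > self.consumed * XML_PARSER_NON_LINEAR):
            raise EntityLoopError("%d references after %d input bytes"
                                  % (self.nbentities, self.consumed))

    def expand(self, text):
        def replace(match):
            is_pe = match.group(1) == "%"
            self.nbentities += 1
            # CVE-2021-3541 in model form: before the patch the density check
            # was never reached on the parameter-entity path.
            if self.check_pe or not is_pe:
                self.entity_check()
            value = self.entities.get((is_pe, match.group(2)))
            if value is None:
                raise ValueError("undeclared entity " + match.group(0))
            return self.expand(value)     # references nest, so expand recursively
        return ENTITY_REF.sub(replace, text)


def parameter_entity_bomb(levels, fanout=10):
    """Constructed 'billion laughs' DTD written entirely with parameter entities."""
    decls = ['<!ENTITY % pe0 "lol">']
    for level in range(1, levels + 1):
        refs = ("%%pe%d;" % (level - 1)) * fanout
        decls.append('<!ENTITY %% pe%d "%s">' % (level, refs))
    return "\n".join(decls)


BENIGN_DTD = '<!ENTITY % greet "hello">\n<!ENTITY name "world">'
BOMB_DTD = parameter_entity_bomb(levels=4)   # 10**4 leaf expansions from ~300 bytes


def expand_with_check(dtd, text, check_parameter_entities=True):
    """Return (expanded_length, references_seen, input_bytes) or raise EntityLoopError."""
    ex = Expander(dtd, check_parameter_entities)
    out = ex.expand(text)
    return len(out), ex.nbentities, ex.consumed


def detects_bomb(dtd, text):
    """True if the density check aborts the expansion."""
    try:
        expand_with_check(dtd, text)
    except EntityLoopError:
        return True
    return False
```

With the check disabled on the %pe; path the four-level bomb expands to 30000 bytes after 11111 references from under 300 bytes of input; with it enabled the expansion is aborted as soon as the reference count passes ten times the consumed input, long before the leaves are reached. A benign document with a couple of references never comes near the ratio.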



* [hardknott] [PATCH 03/10] ltp: Disable problematic tests causing autobuilder hangs
From: Richard Purdie @ 2021-05-29 16:06 UTC
  To: openembedded-core

We've seen three hangs in cgroup_xattr and two in proc01 so far. The new
plan is just to disable any tests seen to hang. I've had enough of these
causing problems on our testing infrastructure.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../ltp/ltp/disable_hanging_tests.patch       | 45 +++++++++++++++++++
 meta/recipes-extended/ltp/ltp_20210121.bb     |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 meta/recipes-extended/ltp/ltp/disable_hanging_tests.patch

diff --git a/meta/recipes-extended/ltp/ltp/disable_hanging_tests.patch b/meta/recipes-extended/ltp/ltp/disable_hanging_tests.patch
new file mode 100644
index 00000000000..113ac0fefec
--- /dev/null
+++ b/meta/recipes-extended/ltp/ltp/disable_hanging_tests.patch
@@ -0,0 +1,45 @@
+This patch disables tests which we've found "hang" on our infrastructure.
+
+cgroup_xattr:
+https://autobuilder.yoctoproject.org/typhoon/#/builders/95/builds/1926 (x86)
+https://autobuilder.yoctoproject.org/typhoon/#/builders/95/builds/1898 (x86)
+https://autobuilder.yoctoproject.org/typhoon/#/builders/95/builds/1916 (x86)
+
+proc01:
+https://autobuilder.yoctoproject.org/typhoon/#/builders/96/builds/1748 (arm)
+https://autobuilder.yoctoproject.org/typhoon/#/builders/96/builds/1781 (arm)
+(in the latter was trying to read /proc/kmsg)
+(the above test looks horrible anyway)
+
+Upstream-Status: Inappropriate [OE Configuration]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: git/runtest/controllers
+===================================================================
+--- git.orig/runtest/controllers
++++ git/runtest/controllers
+@@ -352,8 +352,6 @@ cpuset_memory_spread	cpuset_memory_sprea
+ 
+ cpuset_regression_test cpuset_regression_test.sh
+ 
+-cgroup_xattr	cgroup_xattr
+-
+ pids_1_1 pids.sh 1 1 0
+ pids_1_2 pids.sh 1 2 0
+ pids_1_10 pids.sh 1 10 0
+Index: git/runtest/fs
+===================================================================
+--- git.orig/runtest/fs
++++ git/runtest/fs
+@@ -64,11 +64,6 @@ writetest01	writetest
+ #Also run the fs_di (Data Integrity tests)
+ fs_di fs_di -d $TMPDIR
+ 
+-# Read every file in /proc. Not likely to crash, but does enough
+-# to disturb the kernel. A good kernel latency killer too.
+-# Was not sure why it should reside in runtest/crashme and won't get tested ever
+-proc01 proc01 -m 128
+-
+ read_all_dev read_all -d /dev -p -q -r 3
+ read_all_proc read_all -d /proc -q -r 3
+ read_all_sys read_all -d /sys -q -r 3
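
Review bot: proc01 is removed together with its explanatory comment, so runtest/fs loses the note on what the test did; since read_all_proc (`read_all -d /proc -q -r 3`) remains two lines below, reading /proc is still exercised, and saying so in the patch header would stop a later reader from re-enabling proc01 to "restore" coverage. The autobuilder links are good provenance for the hangs; recording the LTP version they were seen on (20210121 per the recipe) would make it easier to re-check upstream when the recipe is bumped and this Inappropriate patch is reconsidered.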
diff --git a/meta/recipes-extended/ltp/ltp_20210121.bb b/meta/recipes-extended/ltp/ltp_20210121.bb
index d98c9fdc250..17adbf43f0a 100644
--- a/meta/recipes-extended/ltp/ltp_20210121.bb
+++ b/meta/recipes-extended/ltp/ltp_20210121.bb
@@ -42,6 +42,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \
            file://0001-open_posix_testsuite-generate-makefiles.sh-Avoid-inc.patch \
            file://0002-Makefile-Avoid-wildcard-determinism-issues.patch \
            file://0003-syscalls-swapon-swapoff-Move-common-library-to-libs.patch \
+           file://disable_hanging_tests.patch \
            "
 
 S = "${WORKDIR}/git"
-- 
2.30.2



* [hardknott] [PATCH 04/10] baremetal-image: Fix post process command rootfs_update_timestamp
From: Richard Purdie @ 2021-05-29 16:06 UTC
  To: openembedded-core; +Cc: Alejandro Hernandez Samaniego

From: Alejandro Hernandez Samaniego <alejandro@enedino.org>

When running:

execute_pre_post_process(d, d.getVar(ROOTFS_POSTPROCESS_COMMAND))

rootfs_update_timestamp is run, which assumes that rootfs/${sysconfdir}
is already created (usually done through the do_rootfs task on linux).

This causes the build to fail if ${sysconfdir} does not exist.

This may be overlooked if debug-tweaks is enabled since some other
commands are added, one of which creates the required path
(see postinst_enable_logging).

See [1] for more info:

[1] https://github.com/aehs29/meta-freertos/issues/4

Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/classes/baremetal-image.bbclass | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/classes/baremetal-image.bbclass b/meta/classes/baremetal-image.bbclass
index b0f5e885b5c..bc888f62234 100644
--- a/meta/classes/baremetal-image.bbclass
+++ b/meta/classes/baremetal-image.bbclass
@@ -50,6 +50,10 @@ python do_rootfs(){
         if os.path.lexists(manifest_link):
             os.remove(manifest_link)
         os.symlink(os.path.basename(manifest_name), manifest_link)
+    # A lot of postprocess commands assume the existence of rootfs/etc
+    sysconfdir = d.getVar("IMAGE_ROOTFS") + d.getVar('sysconfdir')
+    bb.utils.mkdirhier(sysconfdir)
+
     execute_pre_post_process(d, d.getVar('ROOTFS_POSTPROCESS_COMMAND'))
 }
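
Review bot: the quote style is mixed within one expression, `d.getVar("IMAGE_ROOTFS") + d.getVar('sysconfdir')`; pick one. The plain string concatenation is intentional (sysconfdir is an absolute path, as the rootfs/${sysconfdir} wording in the message implies, and os.path.join would discard IMAGE_ROOTFS in front of an absolute second component), so a one-line comment saying that would save the next reader from "fixing" it. bb.utils.mkdirhier is idempotent, so calling it when debug-tweaks has already created the directory via postinst_enable_logging is harmless.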
 
-- 
2.30.2



* [hardknott] [PATCH 05/10] boost: fix do_fetch failure
From: Richard Purdie @ 2021-05-29 16:06 UTC
  To: openembedded-core; +Cc: Stefan Ghinea

From: Stefan Ghinea <stefan.ghinea@windriver.com>

Bintray service has been discontinued causing boost do_fetch to fail:
WARNING: boost-1.76.0-r0 do_fetch: Failed to fetch URL
https://dl.bintray.com/boostorg/release/1.75.0/source/boost_1_75_0.tar.bz2,
attempting MIRRORS if available

RP: Backport to 1.75.0
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-support/boost/boost-1.75.0.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/boost/boost-1.75.0.inc b/meta/recipes-support/boost/boost-1.75.0.inc
index e5a8488c588..bc70c73739b 100644
--- a/meta/recipes-support/boost/boost-1.75.0.inc
+++ b/meta/recipes-support/boost/boost-1.75.0.inc
@@ -11,7 +11,7 @@ BOOST_VER = "${@"_".join(d.getVar("PV").split("."))}"
 BOOST_MAJ = "${@"_".join(d.getVar("PV").split(".")[0:2])}"
 BOOST_P = "boost_${BOOST_VER}"
 
-SRC_URI = "https://dl.bintray.com/boostorg/release/${PV}/source/${BOOST_P}.tar.bz2"
+SRC_URI = "https://boostorg.jfrog.io/artifactory/main/release/${PV}/source/${BOOST_P}.tar.bz2"
 SRC_URI[sha256sum] = "953db31e016db7bb207f11432bef7df100516eeb746843fa0486a222e3fd49cb"
 
 UPSTREAM_CHECK_URI = "http://www.boost.org/users/download/"
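
Review bot: the download host changes but `SRC_URI[sha256sum]` is kept unchanged, and that is what makes a mirror swap safe: the fetcher rejects any tarball from boostorg.jfrog.io that does not match the checksum recorded against the Bintray copy. The commit message should say so, since "fix do_fetch failure" does not tell a reader that content integrity was preserved rather than merely re-pointed. Unrelated but adjacent: UPSTREAM_CHECK_URI two lines below still uses plain http://, easy to address while here.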
-- 
2.30.2



* [hardknott] [PATCH 06/10] sstate: Ignore sstate signing key
From: Richard Purdie @ 2021-05-29 16:06 UTC
  To: openembedded-core; +Cc: Daniel McGregor

From: Daniel McGregor <daniel.mcgregor@vecima.com>

What key is used to sign sstate artefacts should not affect the hash of
the object, otherwise everyone would need to use the same signing key.

Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/classes/sstate.bbclass | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index 79588df2cdb..f376c1ed2d0 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -706,6 +706,8 @@ def sstate_package(ss, d):
 
     return
 
+sstate_package[vardepsexclude] += "SSTATE_SIG_KEY"
+
 def pstaging_fetch(sstatefetch, d):
     import bb.fetch2
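
Review bot: adding SSTATE_SIG_KEY to vardepsexclude means artefacts signed with different keys now share a task hash, so the hash no longer tells a consumer which key signed what it fetched; that is the intended effect, but it shifts all trust onto signature verification at fetch time. The commit message should state that consumers sharing a mirror across signing keys need signature verification (SSTATE_VERIFY_SIG) enabled with their own trusted key, otherwise an artefact signed by a different key is accepted purely on hash match. A one-line comment above the flag explaining why the key is excluded would also help, since the line sits on its own between two function definitions.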
 
-- 
2.30.2



* [hardknott] [PATCH 07/10] lib/oe/gpg_sign.py: Fix gpg verification
From: Richard Purdie @ 2021-05-29 16:06 UTC
  To: openembedded-core; +Cc: Daniel McGregor

From: Daniel McGregor <daniel.mcgregor@vecima.com>

A stray space made it into the command for verifying gpg signatures.
This caused verification to fail, at least on my host. Removing the
space makes it work as expected.

Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/lib/oe/gpg_sign.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 7634d7ef1db..492f096eaa7 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -111,7 +111,7 @@ class LocalSigner(object):
 
     def verify(self, sig_file):
         """Verify signature"""
-        cmd = self.gpg_cmd + [" --verify", "--no-permission-warning"]
+        cmd = self.gpg_cmd + ["--verify", "--no-permission-warning"]
         if self.gpg_path:
             cmd += ["--homedir", self.gpg_path]
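
Review bot: the fix is right, and the failure mode is worth spelling out in the message: argv list elements reach the process verbatim with no shell word splitting, so `" --verify"` arrived at gpg as one token with a leading space rather than as the --verify option, which means verification failed closed rather than silently passing. A small test asserting `"--verify" in cmd` for LocalSigner.verify would have caught the typo; the other command builders in this class are worth a quick scan for the same pattern before merging.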
 
-- 
2.30.2



* [hardknott] [PATCH 08/10] grub2: Add CVE whitelist entries for issues fixed in 2.06
From: Richard Purdie @ 2021-05-29 16:06 UTC
  To: openembedded-core

We're using a pre-release version of 2.06 so these issues are fixed but
continue to show up in the checks since it is pre-2.06 and the CPE
entries are "before but excluding 2.06".

Adding these will clean up CVE reports until the 2.06 release comes out.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-bsp/grub/grub2.inc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 6de683ee1c5..f0fa86b1823 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -27,6 +27,13 @@ SRC_URI[sha256sum] = "2c87f1f21e2ab50043e6cd9163c08f1b6c3a6171556bf23ff9ed65b074
 REALPV = "2.06~rc1"
 PV = "2.04+${REALPV}"
 
+# Fixed in 2.06~rc1, can be removed for 2.06 final
+CVE_CHECK_WHITELIST += "\
+    CVE-2020-14308 CVE-2020-14309 CVE-2020-14310 CVE-2020-14311 CVE-2020-10713 \
+    CVE-2020-14372 CVE-2020-15705 CVE-2020-15706 CVE-2020-15707 \
+    CVE-2020-25632 CVE-2020-25647 CVE-2020-27749 CVE-2020-27779 \
+    CVE-2021-3418 CVE-2021-20225 CVE-2021-20233"
+
 S = "${WORKDIR}/grub-${REALPV}"
 
 UPSTREAM_CHECK_URI = "${GNU_MIRROR}/grub"
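
Review bot: the sixteen ids are justified only by the comment "Fixed in 2.06~rc1"; since CVE_CHECK_WHITELIST silences them for everyone building this recipe, each entry should be auditable, for example by citing the upstream 2.06 security announcement or the fixing commits in the comment. The block is also scoped to the pre-release but nothing ties it to REALPV, so at minimum the comment should name the condition for removal ("remove when REALPV reaches 2.06") so it does not outlive the version it was written for.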
-- 
2.30.2



* [hardknott] [PATCH 09/10] grub: Exclude CVE-2019-14865 from cve-check
From: Richard Purdie @ 2021-05-29 16:06 UTC
  To: openembedded-core

The CVE only applies to RHEL.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-bsp/grub/grub2.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index f0fa86b1823..3c6b434c2d5 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -34,6 +34,9 @@ CVE_CHECK_WHITELIST += "\
     CVE-2020-25632 CVE-2020-25647 CVE-2020-27749 CVE-2020-27779 \
     CVE-2021-3418 CVE-2021-20225 CVE-2021-20233"
 
+# Applies only to RHEL
+CVE_CHECK_WHITELIST += "CVE-2019-14865"
+
 S = "${WORKDIR}/grub-${REALPV}"
 
 UPSTREAM_CHECK_URI = "${GNU_MIRROR}/grub"
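
Review bot: "Applies only to RHEL" gives a later reader no way to verify the exclusion; cite the source of that determination (the NVD entry or the Red Hat advisory) in the comment, in the same style cve-extra-exclusions.inc uses for its entries, so the whitelist line can be re-checked rather than taken on trust.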
-- 
2.30.2



* [hardknott] [PATCH 10/10] cve-extra-exclusions.inc: add exclusion list for intractable CVE's
From: Richard Purdie @ 2021-05-29 16:06 UTC
  To: openembedded-core

The preferred methods for CVE resolution are:

1. Version upgrades where possible
2. Patches where not possible
3. Database updates where version info is incorrect
4. Exclusion from checking where it is determined that the CVE
   does not apply to our environment

In some cases none of these methods are possible. For example the
CVE may be decades old with no apparent resolution, and with broken
links that make further research impractical. Some CVEs are vague
with no specific action the project can take too.

This patch creates a mechanism for users to remove this type of
CVE from the cve-check results via an optional include file.

Based on an initial patch from Steve Sakoman <steve@sakoman.com>
but extended heavily by RP.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../distro/include/cve-extra-exclusions.inc   | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 meta/conf/distro/include/cve-extra-exclusions.inc

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
new file mode 100644
index 00000000000..561386b7069
--- /dev/null
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -0,0 +1,45 @@
+# This file contains a list of CVE's where resolution has proven to be impractical
+# or there is no reasonable action the Yocto Project can take to resolve the issue.
+# It contains all the information we are aware of about an issue and analysis about
+# why we believe it can't be fixed/handled. Additional information is welcome through
+# patches to the file.
+#
+# Include this file in your local.conf or distro.conf to exclude these CVE's
+# from the cve-check results or add to the bitbake command with:
+#     -R conf/distro/include/cve-extra-exclusions.inc
+#
+# The file is not included by default since users should review this data to ensure
+# it matches their expectations and usage of the project.
+#
+# We may also include "in-flight" information about current/ongoing CVE work with
+# the aim of sharing that work and ensuring we don't duplicate it.
+#
+
+
+# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
+# CVE is more than 20 years old with no resolution evident
+# broken links in CVE database references make resolution impractical
+CVE_CHECK_WHITELIST += "CVE-2000-0006"
+
+# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
+# The issue here is spoofing of domain names using characters from other character sets.
+# There has been much discussion amongst the epiphany and webkit developers and
+# whilst there are improvements about how domains are handled and displayed to the user
+# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
+# problem. Whitelisted as there isn't any mitigation or fix or way to progress this further
+# we can seem to take.
+CVE_CHECK_WHITELIST += "CVE-2005-0238"
+
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
+# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
+# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
+# Upstream don't see it as a security issue, ftp servers shouldn't be passing
+# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
+CVE_CHECK_WHITELIST += "CVE-2010-4756"
+
+# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
+# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
+# The encoding/xml package in go can potentially be used for security exploits if not used correctly
+# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
+# exposing this interface in an exploitable way
+CVE_CHECK_WHITELIST += "CVE-2020-29509 CVE-2020-29511"
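Review bot: the go entry's justification ("We don't ship anything exposing this interface in an exploitable way") holds for the images OE-core itself produces, but once a user includes this file the whitelist suppresses CVE-2020-29509/CVE-2020-29511 for every image they build, including ones that ship their own Go programs parsing untrusted XML with encoding/xml. Suggest the comment say explicitly that users who ship such code should drop this entry, since the header only says in general terms that users should review the data. Minor style point for the same hunk: the comments use "CVE's" where "CVEs" is meant.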
-- 
2.30.2
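The commit message above describes exclusion as the last-resort method and the include file as something users should review before adopting. The following is an added example, not OE-core or bitbake code, of how a practitioner can audit such a file before including it: it parses the `CVE_CHECK_WHITELIST += "..."` assignments in the format shown in the patch (including backslash-continued ones as in grub2.inc), keeps the comment block written directly above each assignment as that entry's rationale, and reports which findings from a cve-check run the file would hide and which exclusions lack a rationale or a reference URL. The excerpt, the list of cve-check findings and the id CVE-2099-0001 are constructed for the example; CVE-2099-0001 is a placeholder for an unjustified entry, not a real CVE.

```python
"""Audit a cve-check exclusion file in the format of cve-extra-exclusions.inc.

Added example, not OE-core or bitbake code.  Assumes the file uses
`CVE_CHECK_WHITELIST += "..."` assignments with an explanatory comment
block directly above each one, as in the patch this illustrates.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Constructed excerpt in the style of cve-extra-exclusions.inc and grub2.inc.
# CVE-2099-0001 is a deliberately unjustified placeholder, not a real CVE.
SAMPLE_INC = """\
# This file contains a list of CVEs where resolution has proven impractical.

# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
# CVE is more than 20 years old with no resolution evident
CVE_CHECK_WHITELIST += "CVE-2000-0006"

# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
# We don't ship anything exposing this interface in an exploitable way
CVE_CHECK_WHITELIST += "CVE-2020-29509 CVE-2020-29511"

# grub: issues fixed in 2.06 (continued assignment, as in grub2.inc)
CVE_CHECK_WHITELIST += "\\
    CVE-2021-3418 CVE-2021-20225 \\
    CVE-2021-20233"

CVE_CHECK_WHITELIST += "CVE-2099-0001"
"""

# Constructed list of ids as they might appear in a cve-check report.
SAMPLE_REPORT = ["CVE-2021-3518", "CVE-2000-0006", "CVE-2020-29511", "CVE-2021-20233"]

ASSIGN_RE = re.compile(r'^\s*CVE_CHECK_WHITELIST\s*\+=\s*"([^"]*)"\s*$')
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class Exclusion:
    cve: str
    rationale: List[str] = field(default_factory=list)

    def has_reference(self) -> bool:
        """True if the rationale cites a URL (NVD entry, bug tracker, ...)."""
        return any("http://" in line or "https://" in line for line in self.rationale)


def _join_continuations(text: str) -> List[str]:
    """Fold lines ending in a backslash into one logical line, as bitbake does."""
    logical, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        logical.append(buf + raw)
        buf = ""
    if buf:
        logical.append(buf)
    return logical


def parse_exclusions(text: str) -> Dict[str, Exclusion]:
    """Map each whitelisted CVE id to the comment block written above it."""
    exclusions: Dict[str, Exclusion] = {}
    comment: List[str] = []
    for line in _join_continuations(text):
        if line.lstrip().startswith("#"):
            comment.append(line.lstrip().lstrip("#").strip())
            continue
        m = ASSIGN_RE.match(line)
        if m:
            for cve in m.group(1).split():
                if CVE_RE.match(cve):
                    exclusions[cve] = Exclusion(cve, list(comment))
        # A blank line or any other non-comment line ends the comment block.
        comment = []
    return exclusions


def audit(report_cves: Iterable[str], exclusions: Dict[str, Exclusion]) -> Dict[str, List[str]]:
    """Cross-check cve-check findings against the exclusion file."""
    report = set(report_cves)
    excluded = set(exclusions)
    return {
        "suppressed": sorted(report & excluded),      # hidden by the include file
        "remaining": sorted(report - excluded),       # still need a real fix
        "unjustified": sorted(c for c, e in exclusions.items() if not e.rationale),
        "unreferenced": sorted(c for c, e in exclusions.items()
                               if e.rationale and not e.has_reference()),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_REPORT, parse_exclusions(SAMPLE_INC))
    for key, cves in result.items():
        print(f"{key:12s} {' '.join(cves) or '-'}")
```

Run against a real tree with `parse_exclusions(open("meta/conf/distro/include/cve-extra-exclusions.inc").read())` and the CVE ids from your cve-check output; the "suppressed" list is exactly what disappears from the results when the file is included, which is the review the header comment asks users to perform. The "unjustified" and "unreferenced" lists catch the kind of entry the grub2.inc hunk in this series adds, where the whitelist line carries a one-line comment and no reference.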



Thread overview: 10+ messages
2021-05-29 16:06 [hardknott] [PATCH 01/10] libxml2: Fix CVE-2021-3518 Richard Purdie
2021-05-29 16:06 ` [hardknott] [PATCH 02/10] libxml2: Fix CVE-2021-3541 Richard Purdie
2021-05-29 16:06 ` [hardknott] [PATCH 03/10] ltp: Disable problematic tests causing autobuilder hangs Richard Purdie
2021-05-29 16:06 ` [hardknott] [PATCH 04/10] baremetal-image: Fix post process command rootfs_update_timestamp Richard Purdie
2021-05-29 16:06 ` [hardknott] [PATCH 05/10] boost: fix do_fetch failure Richard Purdie
2021-05-29 16:06 ` [hardknott] [PATCH 06/10] sstate: Ignore sstate signing key Richard Purdie
2021-05-29 16:06 ` [hardknott] [PATCH 07/10] lib/oe/gpg_sign.py: Fix gpg verification Richard Purdie
2021-05-29 16:06 ` [hardknott] [PATCH 08/10] grub2: Add CVE whitelist entries for issues fixed in 2.06 Richard Purdie
2021-05-29 16:06 ` [hardknott] [PATCH 09/10] grub: Exclude CVE-2019-14865 from cve-check Richard Purdie
2021-05-29 16:06 ` [hardknott] [PATCH 10/10] cve-extra-exclusions.inc: add exclusion list for intractable CVE's Richard Purdie
