* [dunfell 00/28] Patch review Jan 17th
@ 2021-01-17 17:45 akuster
2021-01-17 17:45 ` [dunfell 01/28] tcpdump: Patch for CVE-2020-8037 akuster
` (29 more replies)
0 siblings, 30 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:45 UTC (permalink / raw)
To: openembedded-devel
Here is the next batch for Dunfell. Please review and have comments back by Wednesday.
The following changes since commit f2d02cb71eaff8eb285a1997b30be52486c160ae:
python3-pyinotify: Add missing ctypes dependency (2020-11-15 11:13:25 -0800)
are available in the Git repository at:
git://git.openembedded.org/meta-openembedded-contrib stable/dunfell-nut
http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/dunfell-nut
Armin Kuster (5):
wireguard-module: fix build issue with 5.4 kernel
mariadb: update to 10.4.17 for cve fixes
lua: update to 5.3.6
nss: Security fix CVE-2020-12401
wireshark: Several securtiy fixes
Chenxi Mao (1):
geoclue: select avahi-daemon if nmea enabled
Gianfranco (1):
dlt-daemon: add upstream patch to fix CVE-2020-29394
Khem Raj (4):
nodejs: Fix build with icu 67.1
nodejs: Upgrade to 12.18.3
nodejs: Fix arm32/thumb builds with clang
nodejs: Update to 12.19.0
Leon Anavi (1):
php: Upgrade 7.4.4 -> 7.4.9
Max Kellermann (1):
php: remove the failing ${D}/${TMPDIR} code
Roland Hieber (1):
pcsc-lite: provide pcsc-lite-lib-native explicitly for native build
Sakib Sajal (1):
apache2: upgrade v2.4.43 -> v2.4.46
Sean Nyekjaer (1):
nodejs: 12.19.1 -> 12.20.1
Stacy Gaikovaia (1):
nodejs: 12.19.0 -> 12.19.1
Wang Mingyu (1):
zabbix: CVE-2020-15803 Security Advisory
Wenlin Kang (2):
lua: fix CVE-2020-15945
lua: fix CVE-2020-24371
Zang Ruochen (1):
mcpp: Normalize the patch format of CVE
Zheng Ruoqin (4):
samba: CVE-2020-14318 Security Advisory
samba: CVE-2020-14383 Security Advisory
php: CVE-2020-7070
php: CVE-2020-7069
jabdoa2 (2):
libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer
libsdl2-mixer: set --disable-music-ogg-shared to link statically
viatsk (1):
tcpdump: Patch for CVE-2020-8037
.../samba/samba/CVE-2020-14318.patch | 142 +++++++++++++++
.../samba/samba/CVE-2020-14383.patch | 112 ++++++++++++
.../samba/samba_4.10.18.bb | 2 +
...NC_-START-END-were-backported-to-5.4.patch | 29 +++
.../wireguard-module_1.0.20200401.bb | 3 +-
...ping-don-t-allocate-a-too-large-buff.patch | 70 ++++++++
.../recipes-support/tcpdump/tcpdump_4.9.3.bb | 1 +
...wireshark_3.2.7.bb => wireshark_3.2.10.bb} | 2 +-
.../zabbix/zabbix/CVE-2020-15803.patch | 36 ++++
.../zabbix/zabbix_4.4.6.bb | 1 +
...e_10.4.12.bb => mariadb-native_10.4.17.bb} | 0
meta-oe/recipes-dbs/mysql/mariadb.inc | 6 +-
...-breakage-from-lock_guard-error-6161.patch | 32 ----
.../mariadb/0001-Fix-library-LZ4-lookup.patch | 19 +-
.../mysql/mariadb/c11_atomics.patch | 24 ++-
.../configure.cmake-fix-valgrind.patch | 10 +-
.../mariadb/fix-a-building-failure.patch | 13 +-
.../mysql/mariadb/fix-arm-atomic.patch | 13 +-
...Lists.txt-fix-gen_lex_hash-not-found.patch | 12 +-
...akeLists.txt-fix-do_populate_sysroot.patch | 10 +-
...{mariadb_10.4.12.bb => mariadb_10.4.17.bb} | 0
...rriers-cannot-be-active-during-sweep.patch | 90 ++++++++++
.../lua/lua/CVE-2020-15945.patch | 167 ++++++++++++++++++
.../lua/{lua_5.3.5.bb => lua_5.3.6.bb} | 8 +-
.../mcpp/files/CVE-2019-14274.patch | 34 ++++
.../mcpp/files/ice-mcpp.patch | 31 ----
meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb | 3 +-
...gister-r7-because-llvm-now-issues-an.patch | 53 ++++++
...-passing-multiple-libs-to-pkg_config.patch | 41 -----
...allow-use-of-system-installed-brotli.patch | 66 -------
...Install-both-binaries-and-use-libdir.patch | 28 ++-
.../{nodejs_12.14.1.bb => nodejs_12.20.1.bb} | 12 +-
.../php/php/CVE-2020-7069.patch | 158 +++++++++++++++++
.../php/php/CVE-2020-7070.patch | 24 +++
.../php/php/debian-php-fixheader.patch | 27 +--
.../php/{php_7.4.4.bb => php_7.4.9.bb} | 16 +-
.../dlt-daemon/dlt-daemon/275.patch | 38 ++++
.../dlt-daemon/dlt-daemon_2.18.4.bb | 1 +
.../libsdl/libsdl2-mixer_2.0.4.bb | 2 +-
.../geoclue/geoclue_2.5.3.bb | 2 +-
.../nss/nss/CVE-2020-12401.patch | 52 ++++++
meta-oe/recipes-support/nss/nss_3.51.1.bb | 1 +
.../pcsc-lite/pcsc-lite_1.8.26.bb | 1 +
.../{apache2_2.4.43.bb => apache2_2.4.46.bb} | 4 +-
44 files changed, 1111 insertions(+), 285 deletions(-)
create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
create mode 100644 meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
rename meta-networking/recipes-support/wireshark/{wireshark_3.2.7.bb => wireshark_3.2.10.bb} (96%)
create mode 100644 meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch
rename meta-oe/recipes-dbs/mysql/{mariadb-native_10.4.12.bb => mariadb-native_10.4.17.bb} (100%)
delete mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch
rename meta-oe/recipes-dbs/mysql/{mariadb_10.4.12.bb => mariadb_10.4.17.bb} (100%)
create mode 100644 meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch
create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch
rename meta-oe/recipes-devtools/lua/{lua_5.3.5.bb => lua_5.3.6.bb} (87%)
create mode 100644 meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch
create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch
delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch
delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch
rename meta-oe/recipes-devtools/nodejs/{nodejs_12.14.1.bb => nodejs_12.20.1.bb} (94%)
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
mode change 100755 => 100644 meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
rename meta-oe/recipes-devtools/php/{php_7.4.4.bb => php_7.4.9.bb} (97%)
create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.43.bb => apache2_2.4.46.bb} (98%)
--
2.17.1
* [dunfell 01/28] tcpdump: Patch for CVE-2020-8037
From: akuster @ 2021-01-17 17:45 UTC (permalink / raw)
To: openembedded-devel
From: viatsk <viatsk@fastmail.com>
Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...ping-don-t-allocate-a-too-large-buff.patch | 70 +++++++++++++++++++
.../recipes-support/tcpdump/tcpdump_4.9.3.bb | 1 +
2 files changed, 71 insertions(+)
create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
new file mode 100644
index 0000000000..9b74e00c5b
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
@@ -0,0 +1,70 @@
+From 32027e199368dad9508965aae8cd8de5b6ab5231 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy@alum.mit.edu>
+Date: Sat, 18 Apr 2020 14:04:59 -0700
+Subject: [PATCH] PPP: When un-escaping, don't allocate a too-large buffer.
+
+The buffer should be big enough to hold the captured data, but it
+doesn't need to be big enough to hold the entire on-the-network packet,
+if we haven't captured all of it.
+
+(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)
+
+Upstream-Status: Backport
+Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com>
+
+---
+ print-ppp.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/print-ppp.c b/print-ppp.c
+index 89176172..33fb0341 100644
+--- a/print-ppp.c
++++ b/print-ppp.c
+@@ -1367,19 +1367,29 @@ trunc:
+ return 0;
+ }
+
++/*
++ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes.
++ * The length argument is the on-the-wire length, not the captured
++ * length; we can only un-escape the captured part.
++ */
+ static void
+ ppp_hdlc(netdissect_options *ndo,
+ const u_char *p, int length)
+ {
++ u_int caplen = ndo->ndo_snapend - p;
+ u_char *b, *t, c;
+ const u_char *s;
+- int i, proto;
++ u_int i;
++ int proto;
+ const void *se;
+
++ if (caplen == 0)
++ return;
++
+ if (length <= 0)
+ return;
+
+- b = (u_char *)malloc(length);
++ b = (u_char *)malloc(caplen);
+ if (b == NULL)
+ return;
+
+@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo,
+ * Do this so that we dont overwrite the original packet
+ * contents.
+ */
+- for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
++ for (s = p, t = b, i = caplen; i != 0; i--) {
+ c = *s++;
+ if (c == 0x7d) {
+- if (i <= 1 || !ND_TTEST(*s))
++ if (i <= 1)
+ break;
+ i--;
+ c = *s++ ^ 0x20;
+--
+2.17.1
+
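Review bot: In ppp_hdlc() the un-escape loop is now bounded only by caplen (`i = caplen; i != 0`), so the `length` argument no longer limits it; when more bytes are captured than the frame's on-the-wire length, the loop un-escapes past the end of the frame. Bounding both the malloc() and the loop by the smaller of caplen and length would keep the two limits. `caplen` is also an unsigned difference (`ndo->ndo_snapend - p`) and the per-byte ND_TTEST checks are gone, so the code relies on p never being past ndo_snapend on entry. On the metadata side, the header has Upstream-Status but no `CVE: CVE-2020-8037` tag and the file name carries no CVE ID, so cve-check has nothing to match this fix against; adding the tag would fix that.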
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
index 94543dd1da..8f7bd59f18 100644
--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
+++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
@@ -17,6 +17,7 @@ SRC_URI = " \
file://avoid-absolute-path-when-searching-for-libdlpi.patch \
file://add-ptest.patch \
file://run-ptest \
+ file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \
"
SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae"
--
2.17.1
* [dunfell 02/28] dlt-daemon: add upstream patch to fix CVE-2020-29394
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Gianfranco <costamagna.gianfranco@gmail.com>
More information on: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976228
| A buffer overflow in the dlt_filter_load function in dlt_common.c in
| dlt-daemon 2.8.5 (GENIVI Diagnostic Log and Trace) allows arbitrary
| code execution because fscanf is misused (no limit on the number of
| characters to be read in a format argument).
Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
[Fix up for Dunfell context - AK]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../dlt-daemon/dlt-daemon/275.patch | 38 +++++++++++++++++++
.../dlt-daemon/dlt-daemon_2.18.4.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
new file mode 100644
index 0000000000..75065eb054
--- /dev/null
+++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
@@ -0,0 +1,38 @@
+Upstream-status: Backport
+CVE: CVE-2020-29394
+From 7f5cd5404a03fa330e192084f6bdafb2dc9bdcb7 Mon Sep 17 00:00:00 2001
+From: GwanYeong Kim <gy741.kim@gmail.com>
+Date: Sat, 28 Nov 2020 12:24:46 +0900
+Subject: [PATCH] dlt_common: Fix buffer overflow in dlt_filter_load
+
+A buffer overflow in the dlt_filter_load function in dlt_common.c in dlt-daemon allows arbitrary code execution via an unsafe usage of fscanf, because it does not limit the number of characters to be read in a format argument.
+
+Fixed: #274
+
+Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
+---
+ src/shared/dlt_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c
+index 254f4ce4..d15b1cec 100644
+--- a/src/shared/dlt_common.c
++++ b/src/shared/dlt_common.c
+@@ -404,7 +404,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
+ while (!feof(handle)) {
+ str1[0] = 0;
+
+- if (fscanf(handle, "%s", str1) != 1)
++ if (fscanf(handle, "%254s", str1) != 1)
+ break;
+
+ if (str1[0] == 0)
+@@ -419,7 +419,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
+
+ str1[0] = 0;
+
+- if (fscanf(handle, "%s", str1) != 1)
++ if (fscanf(handle, "%254s", str1) != 1)
+ break;
+
+ if (str1[0] == 0)
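Review bot: Both fscanf() calls hard-code a field width of 254, but the declaration of str1 is outside the hunk context, so the limit cannot be checked against the buffer size from this patch alone; confirm str1 holds at least 255 bytes, and ideally derive the width from the same constant that sizes the buffer. In the patch header the tag is spelled "Upstream-status" and sits above the From line together with the CVE tag; the usual form is "Upstream-Status", placed in the commit message body.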
diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb
index 35c638bc78..45724e98ac 100644
--- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb
+++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https \
file://0002-Don-t-execute-processes-as-a-specific-user.patch \
file://0004-Modify-systemd-config-directory.patch \
file://204.patch \
+ file://275.patch \
"
SRCREV = "14ea971be7e808b9c5099c7f404ed3cf341873c4"
--
2.17.1
* [dunfell 03/28] pcsc-lite: provide pcsc-lite-lib-native explicitly for native build
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Roland Hieber <rhi@pengutronix.de>
Commits e2180b00b3b8fcf776c3 and 8edd760e66b48e411d2a added support for
native builds for the opensc and pcsc-lite recipes, but building
opensc-native fails after commit 40b3a5123120da0e4586 (2019-12-04,
"opensc: fix RDEPENDS in pcsc PACKAGECONFIG"):
ERROR: Required build target 'opensc-native' has no buildable providers.
Missing or unbuildable dependency chain was: ['opensc-native', 'pcsc-lite-lib-native']
The commit in question is correct for target builds, but native builds
don't have packages. The -lib part is also provided along with
pcsc-lite-native, and there is no pcsc-lite-lib-native package.
Ideally we would fix this in the opensc recipe. However, using syntax
like "PACKAGECONFIG_class-native[pcsc]" in the opensc recipe is
apparently not possible to overwrite the dependency for a native build,
and using RDEPENDS_remove has no effect either – apparently dependencies
from PACKAGECONFIG are added after RDEPENDS_remove is evaluated.
Therefore let pcsc-lite provide the missing package name for native
builds, even if fixing this unrelated package is not the most elegant
solution.
Fixes: 40b3a5123120da0e4586 (2019-12-04, "opensc: fix RDEPENDS in pcsc PACKAGECONFIG")
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-oe/recipes-support/pcsc-lite/pcsc-lite_1.8.26.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta-oe/recipes-support/pcsc-lite/pcsc-lite_1.8.26.bb b/meta-oe/recipes-support/pcsc-lite/pcsc-lite_1.8.26.bb
index 91d77ac938..04989fb740 100644
--- a/meta-oe/recipes-support/pcsc-lite/pcsc-lite_1.8.26.bb
+++ b/meta-oe/recipes-support/pcsc-lite/pcsc-lite_1.8.26.bb
@@ -36,6 +36,7 @@ PACKAGES = "${PN} ${PN}-dbg ${PN}-dev ${PN}-lib ${PN}-doc ${PN}-spy ${PN}-spy-de
RRECOMMENDS_${PN} = "ccid"
RRECOMMENDS_${PN}_class-native = ""
+RPROVIDES_${PN}_class-native += "pcsc-lite-lib-native"
FILES_${PN} = "${sbindir}/pcscd"
FILES_${PN}-lib = "${libdir}/libpcsclite*${SOLIBS}"
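Review bot: The new RPROVIDES_${PN}_class-native line has no comment, and per the commit message it is a workaround for opensc's pcsc PACKAGECONFIG rather than something pcsc-lite needs itself. A one-line comment above it naming opensc-native as the consumer would keep it from being dropped as dead code later.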
--
2.17.1
* [dunfell 04/28] wireguard-module: fix build issue with 5.4 kernel
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
/tmp/work/qemux86_64-poky-linux/wireguard-module/1.0.20200401-r0/git/src/compat/compat-asm.h:44: warning: "SYM_FUNC_START" redefined
| 44 | #define SYM_FUNC_START ENTRY
| |
| In file included from /tmp/work/qemux86_64-poky-linux/wireguard-module/1.0.20200401-r0/git/src/compat/compat-asm.h:9,
| from <command-line>:
| /tmp/work-shared/qemux86-64/kernel-source/include/linux/linkage.h:218: note: this is the location of the previous definition
| 218 | #define SYM_FUNC_START(name) \
| |
| In file included from <command-line>:
| /tmp/work/qemux86_64-poky-linux/wireguard-module/1.0.20200401-r0/git/src/compat/compat-asm.h:45: warning: "SYM_FUNC_END" redefined
| 45 | #define SYM_FUNC_END ENDPROC
| |
Backport fix from upstream
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...NC_-START-END-were-backported-to-5.4.patch | 29 +++++++++++++++++++
.../wireguard-module_1.0.20200401.bb | 3 +-
2 files changed, 31 insertions(+), 1 deletion(-)
create mode 100644 meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
diff --git a/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch b/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
new file mode 100644
index 0000000000..a9dc9dc2b7
--- /dev/null
+++ b/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
@@ -0,0 +1,29 @@
+From ce8faa3ee266ea69431805e6ed4bd7102d982508 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 12 Nov 2020 09:43:38 +0100
+Subject: [PATCH] compat: SYM_FUNC_{START,END} were backported to 5.4
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+
+Upstream-Status: Backport
+Fixes build failure in Dunfell.
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ compat/compat-asm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: src/compat/compat-asm.h
+===================================================================
+--- src.orig/compat/compat-asm.h
++++ src/compat/compat-asm.h
+@@ -40,7 +40,7 @@
+ #undef pull
+ #endif
+
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 5, 0)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 76)
+ #define SYM_FUNC_START ENTRY
+ #define SYM_FUNC_END ENDPROC
+ #endif
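Review bot: The embedded diffstat names compat/compat-asm.h while the Index and ---/+++ lines use src/compat/compat-asm.h with a src.orig prefix, so the header and body of this patch disagree on the path. Check that it applies with the recipe's default strip level against S, and refresh the header so both match.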
diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
index 73199592c8..45324c02a1 100644
--- a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
+++ b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
@@ -2,7 +2,8 @@ require wireguard.inc
SRCREV = "43f57dac7b8305024f83addc533c9eede6509129"
-SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat"
+SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat \
+ file://0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch"
inherit module kernel-module-split
--
2.17.1
* [dunfell 05/28] mcpp: Normalize the patch format of CVE
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Because CVE-2019-14274.patch is included in ice-mcpp.patch, the cve-check-tool fails to correctly judge the CVE of the OSS. CVE-2019-14274.patch is separated from ice-mcpp.patch to fix the problem.
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9301b77e3266160ffb7e9bfd69d445f0392076c8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 81874b239287126805aa176907bd52e9a7801655)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../mcpp/files/CVE-2019-14274.patch | 34 +++++++++++++++++++
.../mcpp/files/ice-mcpp.patch | 31 -----------------
meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb | 3 +-
3 files changed, 36 insertions(+), 32 deletions(-)
create mode 100644 meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch
diff --git a/meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch b/meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch
new file mode 100644
index 0000000000..a0c6584ecb
--- /dev/null
+++ b/meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch
@@ -0,0 +1,34 @@
+From ea453aca2742be6ac43ba4ce0da6f938a7e5a5d8 Mon Sep 17 00:00:00 2001
+From: He Liu <liulonnie@gmail.com>
+Date: Tue, 4 Feb 2014 11:00:40 -0800
+Subject: [PATCH] line comment bug
+
+---
+ src/support.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/support.c b/src/support.c
+index c57eaef..e3357e4 100644
+--- a/src/support.c
++++ b/src/support.c
+@@ -188,7 +188,7 @@ static char * append_to_buffer(
+ size_t length
+ )
+ {
+- if (mem_buf_p->bytes_avail < length) { /* Need to allocate more memory */
++ if (mem_buf_p->bytes_avail < length + 1) { /* Need to allocate more memory */
+ size_t size = MAX( BUF_INCR_SIZE, length);
+
+ if (mem_buf_p->buffer == NULL) { /* 1st append */
+@@ -1722,6 +1722,8 @@ com_start:
+ sp -= 2;
+ while (*sp != '\n') /* Until end of line */
+ mcpp_fputc( *sp++, OUT);
++ mcpp_fputc('\n', OUT);
++ wrong_line = TRUE;
+ }
+ goto end_line;
+ default: /* Not a comment */
+--
+2.25.1
+
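Review bot: In append_to_buffer() the check becomes `bytes_avail < length + 1`, but the context line below it still computes `size = MAX( BUF_INCR_SIZE, length)`, so when length is at least BUF_INCR_SIZE the buffer grows by length rather than length + 1; it is worth confirming that the extra byte is really available in that case. The patch header also lacks Upstream-Status, a `CVE: CVE-2019-14274` tag and a Signed-off-by, and the subject "line comment bug" does not say which issue it fixes.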
diff --git a/meta-oe/recipes-devtools/mcpp/files/ice-mcpp.patch b/meta-oe/recipes-devtools/mcpp/files/ice-mcpp.patch
index 8103cf0920..1df3ae55bc 100644
--- a/meta-oe/recipes-devtools/mcpp/files/ice-mcpp.patch
+++ b/meta-oe/recipes-devtools/mcpp/files/ice-mcpp.patch
@@ -114,37 +114,6 @@ diff -r -c -N ../mcpp-2.7.2-old/src/main.c ./src/main.c
}
int mcpp_lib_main
-diff -r -c -N ../mcpp-2.7.2-old/src/support.c ./src/support.c
-*** ../mcpp-2.7.2-old/src/support.c Tue Jun 10 06:02:33 2008
---- ./src/support.c Fri May 14 12:40:56 2010
-***************
-*** 188,194 ****
- size_t length
- )
- {
-! if (mem_buf_p->bytes_avail < length) { /* Need to allocate more memory */
- size_t size = MAX( BUF_INCR_SIZE, length);
-
- if (mem_buf_p->buffer == NULL) { /* 1st append */
---- 188,194 ----
- size_t length
- )
- {
-! if (mem_buf_p->bytes_avail < length + 1) { /* Need to allocate more memory */
- size_t size = MAX( BUF_INCR_SIZE, length);
-
- if (mem_buf_p->buffer == NULL) { /* 1st append */
-***************
-*** 1722,1727 ****
---- 1722,1729 ----
- sp -= 2;
- while (*sp != '\n') /* Until end of line */
- mcpp_fputc( *sp++, OUT);
-+ mcpp_fputc( '\n', OUT);
-+ wrong_line = TRUE;
- }
- goto end_line;
- default: /* Not a comment */
diff -r -c -N ../mcpp-2.7.2-old/src/system.c ./src/system.c
*** ../mcpp-2.7.2-old/src/system.c 2008-11-26 10:53:51.000000000 +0100
--- ./src/system.c 2011-02-21 16:18:05.678058106 +0100
diff --git a/meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb b/meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb
index b5ca495663..f8125f72d9 100644
--- a/meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb
+++ b/meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb
@@ -4,7 +4,8 @@ LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=5ca370b75ec890321888a00cea9bc1d5"
SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
- file://ice-mcpp.patch "
+ file://ice-mcpp.patch \
+ file://CVE-2019-14274.patch"
SRC_URI[md5sum] = "512de48c87ab023a69250edc7a0c7b05"
SRC_URI[sha256sum] = "3b9b4421888519876c4fc68ade324a3bbd81ceeb7092ecdbbc2055099fcb8864"
--
2.17.1
* [dunfell 06/28] zabbix: CVE-2020-15803 Security Advisory
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Wang Mingyu <wangmy@cn.fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15803
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d259144422bb44af9dbc7397fc4077d0bf3fc83f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit d9911b087c83e0c73fbe7eeb497ca388b62d7706)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../zabbix/zabbix/CVE-2020-15803.patch | 36 +++++++++++++++++++
.../zabbix/zabbix_4.4.6.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch
new file mode 100644
index 0000000000..2eec4bf327
--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch
@@ -0,0 +1,36 @@
+From 4943334fd9bf7dffd49f9e86251ad40b3efe2135 Mon Sep 17 00:00:00 2001
+From: Wang Mingyu <wangmy@cn.fujitsu.com>
+Date: Fri, 11 Dec 2020 17:02:20 +0900
+Subject: [PATCH] Fix bug for CVE-2020-15803
+
+Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
+---
+ frontends/php/include/classes/html/CIFrame.php | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/frontends/php/include/classes/html/CIFrame.php b/frontends/php/include/classes/html/CIFrame.php
+index 32220cd..70f2ab5 100644
+--- a/frontends/php/include/classes/html/CIFrame.php
++++ b/frontends/php/include/classes/html/CIFrame.php
+@@ -29,6 +29,7 @@ class CIFrame extends CTag {
+ $this->setHeight($height);
+ $this->setScrolling($scrolling);
+ $this->setId($id);
++ $this->setSandbox();
+ }
+
+ public function setSrc($value = null) {
+@@ -69,4 +70,10 @@ class CIFrame extends CTag {
+ $this->setAttribute('scrolling', $value);
+ return $this;
+ }
++
++ private function setSandbox() {
++ if (ZBX_IFRAME_SANDBOX !== false) {
++ $this->setAttribute('sandbox', ZBX_IFRAME_SANDBOX);
++ }
++ }
+ }
+--
+2.25.1
+
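Review bot: setSandbox() reads ZBX_IFRAME_SANDBOX, but this patch only touches CIFrame.php and does not define that constant; if zabbix 4.4.6 does not already define it, the constructor hits an undefined constant for every iframe it builds. Please confirm the define exists in this version or carry it in the same patch. The header also has no Upstream-Status line pointing at the upstream fix.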
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix_4.4.6.bb b/meta-oe/recipes-connectivity/zabbix/zabbix_4.4.6.bb
index 0e0ddd5779..98a31879c4 100644
--- a/meta-oe/recipes-connectivity/zabbix/zabbix_4.4.6.bb
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix_4.4.6.bb
@@ -26,6 +26,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
SRC_URI = "http://jaist.dl.sourceforge.net/project/zabbix/ZABBIX%20Latest%20Stable/${PV}/${BPN}-${PV}.tar.gz \
file://0001-Fix-configure.ac.patch \
file://zabbix-agent.service \
+ file://CVE-2020-15803.patch \
"
SRC_URI[md5sum] = "e666539220be93b1af38e40f5fbb1f79"
--
2.17.1
* [dunfell 07/28] samba: CVE-2020-14318 Security Advisory
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14318
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1d44b4c03d51e91ce01cf5fd0b33155ce36f1862)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 38beb6fe98894ffaf82a05ccfd6694f735daba26)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../samba/samba/CVE-2020-14318.patch | 142 ++++++++++++++++++
.../samba/samba_4.10.18.bb | 1 +
2 files changed, 143 insertions(+)
create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
new file mode 100644
index 0000000000..ff1225db07
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
@@ -0,0 +1,142 @@
+From ccf53dfdcd39f3526dbc2f20e1245674155380ff Mon Sep 17 00:00:00 2001
+From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+Date: Fri, 11 Dec 2020 11:32:44 +0900
+Subject: [PATCH] s4: torture: Add smb2.notify.handle-permissions test.
+
+s3: smbd: Ensure change notifies can't get set unless the
+ directory handle is open for SEC_DIR_LIST.
+
+CVE-2020-14318
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+
+Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+---
+ source3/smbd/notify.c | 8 ++++
+ source4/torture/smb2/notify.c | 82 ++++++++++++++++++++++++++++++++++-
+ 2 files changed, 89 insertions(+), 1 deletion(-)
+
+diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c
+index 44c0b09..d23c03b 100644
+--- a/source3/smbd/notify.c
++++ b/source3/smbd/notify.c
+@@ -283,6 +283,14 @@ NTSTATUS change_notify_create(struct files_struct *fsp, uint32_t filter,
+ char fullpath[len+1];
+ NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
+
++ /*
++ * Setting a changenotify needs READ/LIST access
++ * on the directory handle.
++ */
++ if (!(fsp->access_mask & SEC_DIR_LIST)) {
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
+ if (fsp->notify != NULL) {
+ DEBUG(1, ("change_notify_create: fsp->notify != NULL, "
+ "fname = %s\n", fsp->fsp_name->base_name));
+diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c
+index ebb4f8a..a5c9b94 100644
+--- a/source4/torture/smb2/notify.c
++++ b/source4/torture/smb2/notify.c
+@@ -2569,6 +2569,83 @@ done:
+ return ok;
+ }
+
++/*
++ Test asking for a change notify on a handle without permissions.
++*/
++
++#define BASEDIR_HPERM BASEDIR "_HPERM"
++
++static bool torture_smb2_notify_handle_permissions(
++ struct torture_context *torture,
++ struct smb2_tree *tree)
++{
++ bool ret = true;
++ NTSTATUS status;
++ union smb_notify notify;
++ union smb_open io;
++ struct smb2_handle h1 = {{0}};
++ struct smb2_request *req;
++
++ smb2_deltree(tree, BASEDIR_HPERM);
++ smb2_util_rmdir(tree, BASEDIR_HPERM);
++
++ torture_comment(torture,
++ "TESTING CHANGE NOTIFY "
++ "ON A HANDLE WITHOUT PERMISSIONS\n");
++
++ /*
++ get a handle on the directory
++ */
++ ZERO_STRUCT(io.smb2);
++ io.generic.level = RAW_OPEN_SMB2;
++ io.smb2.in.create_flags = 0;
++ io.smb2.in.desired_access = SEC_FILE_READ_ATTRIBUTE;
++ io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
++ io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
++ io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
++ NTCREATEX_SHARE_ACCESS_WRITE;
++ io.smb2.in.alloc_size = 0;
++ io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE;
++ io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS;
++ io.smb2.in.security_flags = 0;
++ io.smb2.in.fname = BASEDIR_HPERM;
++
++ status = smb2_create(tree, torture, &io.smb2);
++ CHECK_STATUS(status, NT_STATUS_OK);
++ h1 = io.smb2.out.file.handle;
++
++ /* ask for a change notify,
++ on file or directory name changes */
++ ZERO_STRUCT(notify.smb2);
++ notify.smb2.level = RAW_NOTIFY_SMB2;
++ notify.smb2.in.buffer_size = 1000;
++ notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME;
++ notify.smb2.in.file.handle = h1;
++ notify.smb2.in.recursive = true;
++
++ req = smb2_notify_send(tree, ¬ify.smb2);
++ torture_assert_goto(torture,
++ req != NULL,
++ ret,
++ done,
++ "smb2_notify_send failed\n");
++
++ /*
++ * Cancel it, we don't really want to wait.
++ */
++ smb2_cancel(req);
++ status = smb2_notify_recv(req, torture, ¬ify.smb2);
++ /* Handle h1 doesn't have permissions for ChangeNotify. */
++ CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
++
++done:
++ if (!smb2_util_handle_empty(h1)) {
++ smb2_util_close(tree, h1);
++ }
++ smb2_deltree(tree, BASEDIR_HPERM);
++ return ret;
++}
++
+ /*
+ basic testing of SMB2 change notify
+ */
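Review bot: in the new test the calls read `smb2_notify_send(tree, ¬ify.smb2)` and `smb2_notify_recv(req, torture, ¬ify.smb2)`, which looks like an `&notify.smb2` argument damaged in transit and would not compile as shown. Please confirm that the CVE-2020-14318.patch file on the branch has the ampersand intact, since the recipe applies that file and not this mail. Separately, `smb2_util_rmdir(tree, BASEDIR_HPERM)` immediately after `smb2_deltree(tree, BASEDIR_HPERM)` looks redundant.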
+@@ -2602,7 +2679,10 @@ struct torture_suite *torture_smb2_notify_init(TALLOC_CTX *ctx)
+ torture_smb2_notify_rmdir3);
+ torture_suite_add_2smb2_test(suite, "rmdir4",
+ torture_smb2_notify_rmdir4);
+-
++ torture_suite_add_1smb2_test(suite,
++ "handle-permissions",
++ torture_smb2_notify_handle_permissions);
++
+ suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests");
+
+ return suite;
+--
+2.25.1
+
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
index b5085c913b..923b2ddf16 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
@@ -28,6 +28,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://0002-util_sec.c-Move-__thread-variable-to-global-scope.patch \
file://0001-Add-options-to-configure-the-use-of-libbsd.patch \
file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \
+ file://CVE-2020-14318.patch \
"
SRC_URI_append_libc-musl = " \
file://samba-pam.patch \
--
2.17.1
* [dunfell 08/28] samba: CVE-2020-14383 Security Advisory
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14383
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit baee1ebeafce5d6a99dafc30b91e6fb760197686)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 81d14a86353829eba1d55a93d478faf4c5527a89)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../samba/samba/CVE-2020-14383.patch | 112 ++++++++++++++++++
.../samba/samba_4.10.18.bb | 1 +
2 files changed, 113 insertions(+)
create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
new file mode 100644
index 0000000000..3341b80a38
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
@@ -0,0 +1,112 @@
+From ff17443fe761eda864d13957bec45f5bac478fe3 Mon Sep 17 00:00:00 2001
+From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+Date: Fri, 11 Dec 2020 14:34:31 +0900
+Subject: [PATCH] CVE-2020-14383: s4/dns: Ensure variable initialization with
+ NULL. do not crash when additional data not found
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Found by Francis Brosnan Blázquez <francis@aspl.es>.
+Based on patches from Francis Brosnan Blázquez <francis@aspl.es>
+and Jeremy Allison <jra@samba.org>
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
+Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184
+
+(based on commit df98e7db04c901259dd089e20cd557bdbdeaf379)
+(based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e
+
+Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+---
+ .../rpc_server/dnsserver/dcerpc_dnsserver.c | 31 ++++++++++---------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+index 910de9a1..618c7096 100644
+--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
++++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+@@ -1754,15 +1754,17 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+ TALLOC_CTX *tmp_ctx;
+ char *name;
+ const char * const attrs[] = { "name", "dnsRecord", NULL };
+- struct ldb_result *res;
+- struct DNS_RPC_RECORDS_ARRAY *recs;
++ struct ldb_result *res = NULL;
++ struct DNS_RPC_RECORDS_ARRAY *recs = NULL;
+ char **add_names = NULL;
+- char *rname;
++ char *rname = NULL;
+ const char *preference_name = NULL;
+ int add_count = 0;
+ int i, ret, len;
+ WERROR status;
+- struct dns_tree *tree, *base, *node;
++ struct dns_tree *tree = NULL;
++ struct dns_tree *base = NULL;
++ struct dns_tree *node = NULL;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ W_ERROR_HAVE_NO_MEMORY(tmp_ctx);
+@@ -1845,15 +1847,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+ }
+ }
+
+- talloc_free(res);
+- talloc_free(tree);
+- talloc_free(name);
++ TALLOC_FREE(res);
++ TALLOC_FREE(tree);
++ TALLOC_FREE(name);
+
+ /* Add any additional records */
+ if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) {
+ for (i=0; i<add_count; i++) {
+- struct dnsserver_zone *z2;
+-
++ struct dnsserver_zone *z2 = NULL;
++ struct ldb_message *msg = NULL;
+ /* Search all the available zones for additional name */
+ for (z2 = dsstate->zones; z2; z2 = z2->next) {
+ char *encoded_name;
+@@ -1865,14 +1867,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+ LDB_SCOPE_ONELEVEL, attrs,
+ "(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))",
+ encoded_name);
+- talloc_free(name);
++ TALLOC_FREE(name);
+ if (ret != LDB_SUCCESS) {
+ continue;
+ }
+ if (res->count == 1) {
++ msg = res->msgs[0];
+ break;
+ } else {
+- talloc_free(res);
++ TALLOC_FREE(res);
+ continue;
+ }
+ }
+@@ -1885,10 +1888,10 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+ }
+ status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A,
+ select_flag, rname,
+- res->msgs[0], 0, recs,
++ msg, 0, recs,
+ NULL, NULL);
+- talloc_free(rname);
+- talloc_free(res);
++ TALLOC_FREE(rname);
++ TALLOC_FREE(res);
+ }
+ }
+
+--
+2.25.1
+
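Review bot: the header of this new patch file carries no `Upstream-Status:` line and no `CVE: CVE-2020-14383` tag, and its second provenance line, `(based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e`, is missing the closing parenthesis. Two upstream commits are folded into one file here, so please add `Upstream-Status: Backport` with both commit references so that a later refresh can be checked against upstream. In the last hunk `msg` replaces `res->msgs[0]` in the `dns_fill_records_array` call and is assigned only on the `res->count == 1` branch, so it is worth confirming that the guard between the zone loop and that call, which lies outside the visible context, skips the iteration when no zone matched.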
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
index 923b2ddf16..1a982368ec 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
@@ -29,6 +29,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://0001-Add-options-to-configure-the-use-of-libbsd.patch \
file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \
file://CVE-2020-14318.patch \
+ file://CVE-2020-14383.patch \
"
SRC_URI_append_libc-musl = " \
file://samba-pam.patch \
--
2.17.1
* [dunfell 09/28] php: Upgrade 7.4.4 -> 7.4.9
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Leon Anavi <leon.anavi@konsulko.com>
Upgrade to release 7.4.9:
- Fixed: Upgrade apache2handler's php_apache_sapi_get_request_time
to return usec
- Fixed: BSTR to PHP string conversion not binary safe
- Fixed: DCOM does not work with Username, Password parameter
- Fixed: serialize() and unserialize() methods can not be called
statically
- Fixed: Segfault in php_str_replace_common
- Fixed: Assertion failure if dumping closure with unresolved
static variable
- Fixed: Assertion failure when assigning property of string
offset by reference
- Fixed: HT iterators not removed if empty array is destroyed
- Fixed: Changing array during undef index RW error segfaults
- Fixed: Use after free if changing array during undef var during
array write fetch
- Fixed: Use after free if string used in undefined index warning
is changed
- Fixed: Public non-static property in child should take priority
over private static
- Fixed: getimagesize function silently truncates after a null
byte
- Fixed: finfo_file crash (FILEINFO_MIME)
- Fixed: ftp_size on large files
- Fixed: mb_strimwidth does not trim string
- Fixed: Use of freed hash key in the phar_parse_zipfile function
- Fixed: ::getStaticProperties() ignores property modifications
- Fixed: ::getStaticPropertyValue() throws on protected props
- Fixed: Use after free when type duplicated into
ReflectionProperty gets resolved
- Fixed: Can't copy() large 'data://' with open_basedir
- Fixed: dns_check_record() always return true on Alpine
- Fixed: array_walk() does not respect property types
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f46931abf073a4c5b02a160a89fe073f1b67632b)
[Bug fix on update. lts version]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
| 27 ++++++++++---------
.../php/{php_7.4.4.bb => php_7.4.9.bb} | 5 ++--
2 files changed, 17 insertions(+), 15 deletions(-)
mode change 100755 => 100644 meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
rename meta-oe/recipes-devtools/php/{php_7.4.4.bb => php_7.4.9.bb} (98%)
--git a/meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch b/meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
old mode 100755
new mode 100644
index 21050f7605..a4804d1849
--- a/meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
+++ b/meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
@@ -1,31 +1,32 @@
-php: remove host specific info from header file
+From 1234a8ef7c5ab88e24bc5908f0ccfd55af21aa39 Mon Sep 17 00:00:00 2001
+From: Leon Anavi <leon.anavi@konsulko.com>
+Date: Mon, 31 Aug 2020 16:03:27 +0300
+Subject: [PATCH] php: remove host specific info from header file
+Based on:
https://sources.debian.org/data/main/p/php7.3/7.3.6-1/debian/patches/
0036-php-5.4.9-fixheader.patch
Upstream-Status: Inappropriate [not author]
Signed-off-by: Joe Slater <joe.slater@windriver.com>
-
----
-From: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
-Date: Sat, 2 May 2015 10:26:56 +0200
-Subject: php-5.4.9-fixheader
-
-Make generated php_config.h constant across rebuilds.
+Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
-index 433d7e6..41893d7 100644
+index 2a474ba36d..6d22a21630 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -1357,7 +1357,7 @@ PHP_BUILD_DATE=`date -u +%Y-%m-%d`
+@@ -1323,7 +1323,7 @@ PHP_BUILD_DATE=`date -u +%Y-%m-%d`
fi
AC_DEFINE_UNQUOTED(PHP_BUILD_DATE,"$PHP_BUILD_DATE",[PHP build date])
--PHP_UNAME=`uname -a | xargs`
-+PHP_UNAME=`uname | xargs`
+-UNAME=`uname -a | xargs`
++UNAME=`uname | xargs`
+ PHP_UNAME=${PHP_UNAME:-$UNAME}
AC_DEFINE_UNQUOTED(PHP_UNAME,"$PHP_UNAME",[uname -a output])
PHP_OS=`uname | xargs`
- AC_DEFINE_UNQUOTED(PHP_OS,"$PHP_OS",[uname output])
+--
+2.17.1
+
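Review bot: the refreshed header drops the original attribution (`From: Debian PHP Maintainers`, `Subject: php-5.4.9-fixheader`) and the one-line rationale `Make generated php_config.h constant across rebuilds.`, leaving only the `Based on:` URL. Please keep the rationale sentence, because it states why the patch exists. Also, now that the sanitized value goes into `UNAME` and `PHP_UNAME=${PHP_UNAME:-$UNAME}` follows it, a `PHP_UNAME` present in the build environment overrides the sanitized value, so the recipe should make sure none leaks in from the host; the untouched `AC_DEFINE_UNQUOTED(PHP_UNAME, ...)` description still says `[uname -a output]`.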
diff --git a/meta-oe/recipes-devtools/php/php_7.4.4.bb b/meta-oe/recipes-devtools/php/php_7.4.9.bb
similarity index 98%
rename from meta-oe/recipes-devtools/php/php_7.4.4.bb
rename to meta-oe/recipes-devtools/php/php_7.4.9.bb
index 1d93902e72..cd874d3c8b 100644
--- a/meta-oe/recipes-devtools/php/php_7.4.4.bb
+++ b/meta-oe/recipes-devtools/php/php_7.4.9.bb
@@ -31,9 +31,10 @@ SRC_URI_append_class-target = " \
file://0001-opcache-config.m4-enable-opcache.patch \
file://xfail_two_bug_tests.patch \
"
+
S = "${WORKDIR}/php-${PV}"
-SRC_URI[md5sum] = "262c258a3b8b5699fcca89a64e58758c"
-SRC_URI[sha256sum] = "308e8f4182ec8a2767b0b1b8e1e7c69fb149b37cfb98ee4a37475e082fa9829f"
+SRC_URI[md5sum] = "e68a66c54b080d108831f6dc2e1e403d"
+SRC_URI[sha256sum] = "2e270958a4216480da7886743438ccc92b6acf32ea96fefda88d07e0a5095deb"
inherit autotools pkgconfig python3native gettext
--
2.17.1
* [dunfell 10/28] php: remove the failing ${D}/${TMPDIR} code
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Max Kellermann <max.kellermann@gmail.com>
Appending ${TMPDIR} to ${D} doesn't make any sense, because both are
absolute paths. And additionally, the code fails:
rmdir: failed to remove '/usr/src/oe/tmp-musl/work/core2-64-oe-linux-musl/php/7.1.9-r0/image//usr': Directory not empty
Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit f6338892d9c57c51ed48b04f587b468f7718a8ba)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-oe/recipes-devtools/php/php_7.4.9.bb | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/meta-oe/recipes-devtools/php/php_7.4.9.bb b/meta-oe/recipes-devtools/php/php_7.4.9.bb
index cd874d3c8b..fc01ea1953 100644
--- a/meta-oe/recipes-devtools/php/php_7.4.9.bb
+++ b/meta-oe/recipes-devtools/php/php_7.4.9.bb
@@ -154,7 +154,6 @@ do_install_prepend_class-target() {
# fixme
do_install_append_class-target() {
install -d ${D}${sysconfdir}/
- rm -rf ${D}/${TMPDIR}
rm -rf ${D}/.registry
rm -rf ${D}/.channels
rm -rf ${D}/.[a-z]*
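Review bot: with `rm -rf ${D}/${TMPDIR}` removed from `do_install_append_class-target`, nothing is left to clean up files that the install step may place under the image directory at the build path, which appears to be what that line was for. The commit message only shows the later `rmdir` loop failing, so please state whether the install still creates that tree; if it does, it will either be packaged or trip the installed-vs-shipped QA check. The quoted error path mentions `php/7.1.9-r0`, so a run against 7.4.9 would be better evidence for this branch.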
@@ -178,14 +177,6 @@ do_install_append_class-target() {
${D}${systemd_unitdir}/system/php-fpm.service
fi
- TMP=`dirname ${D}/${TMPDIR}`
- while test ${TMP} != ${D}; do
- if [ -d ${TMP} ]; then
- rmdir ${TMP}
- fi
- TMP=`dirname ${TMP}`;
- done
-
if ${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/apache2/modules.d
install -d ${D}${sysconfdir}/php/apache2-php${PHP_MAJOR_VERSION}
--
2.17.1
* [dunfell 11/28] php: CVE-2020-7070
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Security Advisory
References
https://nvd.nist.gov/vuln/detail/CVE-2020-7070
https://bugs.php.net/patch-display.php?bug=79699&patch=fix-urldecode&revision=1600650364
https://github.com/php/php-src/blob/master/main/php_variables.c
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit aff8a1fefb9a1a311e5ba14ad69871514270803a)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 09f5a2ac5ab8550f5f0bd05417f2f54d27995dac)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../php/php/CVE-2020-7070.patch | 24 +++++++++++++++++++
meta-oe/recipes-devtools/php/php_7.4.9.bb | 1 +
2 files changed, 25 insertions(+)
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch b/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
new file mode 100644
index 0000000000..e5b527f989
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
@@ -0,0 +1,24 @@
+Subject: Patch fix-urldecode for HTTP related Bug #79699
+
+---
+ main/php_variables.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/main/php_variables.c b/main/php_variables.c
+index 1a40c2a1..cbdc7cf1 100644
+--- a/main/php_variables.c
++++ b/main/php_variables.c
+@@ -514,7 +514,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
+ }
+
+ val = estrndup(val, val_len);
+- php_url_decode(var, strlen(var));
++ if (arg != PARSE_COOKIE) {
++ php_url_decode(var, strlen(var));
++ }
+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {
+ php_register_variable_safe(var, val, new_val_len, &array);
+ }
+--
+2.25.1
+
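Review bot: the new `if (arg != PARSE_COOKIE)` around `php_url_decode(var, strlen(var));` has no comment saying why cookie names are left undecoded, and the patch touches only `main/php_variables.c`, so no test pins the behaviour. A one-line comment at the condition and a test that feeds a percent-encoded cookie name would keep a later refresh from silently reverting it. The patch header also consists of a `Subject:` line only: there is no `Upstream-Status:`, no `CVE: CVE-2020-7070` tag and no sign-off in the file itself.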
diff --git a/meta-oe/recipes-devtools/php/php_7.4.9.bb b/meta-oe/recipes-devtools/php/php_7.4.9.bb
index fc01ea1953..73caed6543 100644
--- a/meta-oe/recipes-devtools/php/php_7.4.9.bb
+++ b/meta-oe/recipes-devtools/php/php_7.4.9.bb
@@ -30,6 +30,7 @@ SRC_URI_append_class-target = " \
file://phar-makefile.patch \
file://0001-opcache-config.m4-enable-opcache.patch \
file://xfail_two_bug_tests.patch \
+ file://CVE-2020-7070.patch \
"
S = "${WORKDIR}/php-${PV}"
--
2.17.1
* [dunfell 12/28] php: CVE-2020-7069
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Security Advisory
References
https://nvd.nist.gov/vuln/detail/CVE-2020-7069
https://bugs.php.net/patch-display.php?bug_id=79601&patch=openssl_aes_ccm_iv_fix&revision=latest
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fa80193468745a11bc12d5845f66412a0d62e0e2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 992e09f09a40e7a8d03c7c4b5adf40f821ed3774)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../php/php/CVE-2020-7069.patch | 158 ++++++++++++++++++
meta-oe/recipes-devtools/php/php_7.4.9.bb | 1 +
2 files changed, 159 insertions(+)
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch b/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
new file mode 100644
index 0000000000..0cf4d5ed60
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
@@ -0,0 +1,158 @@
+Subject: Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption
+ for a 12 bytes IV)
+
+---
+ ext/openssl/openssl.c | 10 ++++-----
+ ext/openssl/tests/cipher_tests.inc | 21 +++++++++++++++++
+ ext/openssl/tests/openssl_decrypt_ccm.phpt | 22 +++++++++++-------
+ ext/openssl/tests/openssl_encrypt_ccm.phpt | 26 ++++++++++++++--------
+ 4 files changed, 57 insertions(+), 22 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 04cb9b0f..fdad2c3b 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -6521,11 +6521,6 @@ static int php_openssl_validate_iv(char **piv, size_t *piv_len, size_t iv_requir
+ {
+ char *iv_new;
+
+- /* Best case scenario, user behaved */
+- if (*piv_len == iv_required_len) {
+- return SUCCESS;
+- }
+-
+ if (mode->is_aead) {
+ if (EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_ivlen_flag, *piv_len, NULL) != 1) {
+ php_error_docref(NULL, E_WARNING, "Setting of IV length for AEAD mode failed");
+@@ -6534,6 +6529,11 @@ static int php_openssl_validate_iv(char **piv, size_t *piv_len, size_t iv_requir
+ return SUCCESS;
+ }
+
++ /* Best case scenario, user behaved */
++ if (*piv_len == iv_required_len) {
++ return SUCCESS;
++ }
++
+ iv_new = ecalloc(1, iv_required_len + 1);
+
+ if (*piv_len == 0) {
+diff --git a/ext/openssl/tests/cipher_tests.inc b/ext/openssl/tests/cipher_tests.inc
+index b1e46b41..779bfa85 100644
+--- a/ext/openssl/tests/cipher_tests.inc
++++ b/ext/openssl/tests/cipher_tests.inc
+@@ -1,5 +1,26 @@
+ <?php
+ $php_openssl_cipher_tests = array(
++ 'aes-128-ccm' => array(
++ array(
++ 'key' => '404142434445464748494a4b4c4d4e4f',
++ 'iv' => '1011121314151617',
++ 'aad' => '000102030405060708090a0b0c0d0e0f',
++ 'tag' => '1fc64fbfaccd',
++ 'pt' => '202122232425262728292a2b2c2d2e2f',
++ 'ct' => 'd2a1f0e051ea5f62081a7792073d593d',
++ ),
++ array(
++ 'key' => '404142434445464748494a4b4c4d4e4f',
++ 'iv' => '101112131415161718191a1b',
++ 'aad' => '000102030405060708090a0b0c0d0e0f' .
++ '10111213',
++ 'tag' => '484392fbc1b09951',
++ 'pt' => '202122232425262728292a2b2c2d2e2f' .
++ '3031323334353637',
++ 'ct' => 'e3b201a9f5b71a7a9b1ceaeccd97e70b' .
++ '6176aad9a4428aa5',
++ ),
++ ),
+ 'aes-256-ccm' => array(
+ array(
+ 'key' => '1bde3251d41a8b5ea013c195ae128b21' .
+diff --git a/ext/openssl/tests/openssl_decrypt_ccm.phpt b/ext/openssl/tests/openssl_decrypt_ccm.phpt
+index a5f01b87..08ef5bb7 100644
+--- a/ext/openssl/tests/openssl_decrypt_ccm.phpt
++++ b/ext/openssl/tests/openssl_decrypt_ccm.phpt
+@@ -10,14 +10,16 @@ if (!in_array('aes-256-ccm', openssl_get_cipher_methods()))
+ --FILE--
+ <?php
+ require_once __DIR__ . "/cipher_tests.inc";
+-$method = 'aes-256-ccm';
+-$tests = openssl_get_cipher_tests($method);
++$methods = ['aes-128-ccm', 'aes-256-ccm'];
+
+-foreach ($tests as $idx => $test) {
+- echo "TEST $idx\n";
+- $pt = openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
+- $test['iv'], $test['tag'], $test['aad']);
+- var_dump($test['pt'] === $pt);
++foreach ($methods as $method) {
++ $tests = openssl_get_cipher_tests($method);
++ foreach ($tests as $idx => $test) {
++ echo "$method - TEST $idx\n";
++ $pt = openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
++ $test['iv'], $test['tag'], $test['aad']);
++ var_dump($test['pt'] === $pt);
++ }
+ }
+
+ // no IV
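Review bot: the loop now runs `aes-128-ccm` as well, but the skip condition visible in the hunk header still tests only `in_array('aes-256-ccm', openssl_get_cipher_methods())`, so a build without AES-128-CCM fails this test instead of skipping it. The `// no IV` case that follows also reuses `$method` and `$test` left over from the final loop iteration, so it silently depends on the order of `$methods`; assigning both explicitly after the loop would remove that dependency. The same two points apply to openssl_encrypt_ccm.phpt.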
+@@ -32,7 +34,11 @@ var_dump(openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
+
+ ?>
+ --EXPECTF--
+-TEST 0
++aes-128-ccm - TEST 0
++bool(true)
++aes-128-ccm - TEST 1
++bool(true)
++aes-256-ccm - TEST 0
+ bool(true)
+
+ Warning: openssl_decrypt(): Setting of IV length for AEAD mode failed in %s on line %d
+diff --git a/ext/openssl/tests/openssl_encrypt_ccm.phpt b/ext/openssl/tests/openssl_encrypt_ccm.phpt
+index fb5dbbc8..8c4c41f8 100644
+--- a/ext/openssl/tests/openssl_encrypt_ccm.phpt
++++ b/ext/openssl/tests/openssl_encrypt_ccm.phpt
+@@ -10,15 +10,17 @@ if (!in_array('aes-256-ccm', openssl_get_cipher_methods()))
+ --FILE--
+ <?php
+ require_once __DIR__ . "/cipher_tests.inc";
+-$method = 'aes-256-ccm';
+-$tests = openssl_get_cipher_tests($method);
++$methods = ['aes-128-ccm', 'aes-256-ccm'];
+
+-foreach ($tests as $idx => $test) {
+- echo "TEST $idx\n";
+- $ct = openssl_encrypt($test['pt'], $method, $test['key'], OPENSSL_RAW_DATA,
+- $test['iv'], $tag, $test['aad'], strlen($test['tag']));
+- var_dump($test['ct'] === $ct);
+- var_dump($test['tag'] === $tag);
++foreach ($methods as $method) {
++ $tests = openssl_get_cipher_tests($method);
++ foreach ($tests as $idx => $test) {
++ echo "$method - TEST $idx\n";
++ $ct = openssl_encrypt($test['pt'], $method, $test['key'], OPENSSL_RAW_DATA,
++ $test['iv'], $tag, $test['aad'], strlen($test['tag']));
++ var_dump($test['ct'] === $ct);
++ var_dump($test['tag'] === $tag);
++ }
+ }
+
+ // Empty IV error
+@@ -32,7 +34,13 @@ var_dump(strlen($tag));
+ var_dump(openssl_encrypt('data', $method, 'password', 0, str_repeat('x', 16), $tag, '', 1024));
+ ?>
+ --EXPECTF--
+-TEST 0
++aes-128-ccm - TEST 0
++bool(true)
++bool(true)
++aes-128-ccm - TEST 1
++bool(true)
++bool(true)
++aes-256-ccm - TEST 0
+ bool(true)
+ bool(true)
+
+--
+2.25.1
+
diff --git a/meta-oe/recipes-devtools/php/php_7.4.9.bb b/meta-oe/recipes-devtools/php/php_7.4.9.bb
index 73caed6543..16fc311b0e 100644
--- a/meta-oe/recipes-devtools/php/php_7.4.9.bb
+++ b/meta-oe/recipes-devtools/php/php_7.4.9.bb
@@ -31,6 +31,7 @@ SRC_URI_append_class-target = " \
file://0001-opcache-config.m4-enable-opcache.patch \
file://xfail_two_bug_tests.patch \
file://CVE-2020-7070.patch \
+ file://CVE-2020-7069.patch \
"
S = "${WORKDIR}/php-${PV}"
--
2.17.1
* [dunfell 13/28] apache2: upgrade v2.4.43 -> v2.4.46
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Sakib Sajal <sakib.sajal@windriver.com>
Source: meta-openembedded.org
MR: 105034, 105034, 105124
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-webserver/recipes-httpd/apache2?h=gatesgarth&id=fc995b3cfed86850ce5ab1b70da1e31560ac350f
ChangeID: 37b9f376c5e4b9a9355f867bac56454e2630d86c
Description:
Minor upgrade including bug and CVE fixes, namely:
- CVE-2020-9490
- CVE-2020-11984
- CVE-2020-11993
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fc995b3cfed86850ce5ab1b70da1e31560ac350f)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../apache2/{apache2_2.4.43.bb => apache2_2.4.46.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.43.bb => apache2_2.4.46.bb} (98%)
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.43.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb
similarity index 98%
rename from meta-webserver/recipes-httpd/apache2/apache2_2.4.43.bb
rename to meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb
index a7083d80e9..197cb83e64 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.43.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb
@@ -26,8 +26,8 @@ SRC_URI_append_class-target = " \
"
LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3"
-SRC_URI[md5sum] = "791c986b1e70fe61eb44060aacc89a64"
-SRC_URI[sha256sum] = "a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43"
+SRC_URI[md5sum] = "7d661ea5e736dac5e2761d9f49fe8361"
+SRC_URI[sha256sum] = "740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea"
S = "${WORKDIR}/httpd-${PV}"
--
2.17.1
* [dunfell 14/28] mariadb: update to 10.4.17 for cve fixes
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
Source: mariadb.org
MR: 107836, 107837, 107838, 107839, 107840, 107852, 106414, 106414, 107864, 107876, 107888
Type: Security Fix
Disposition: Backport from mariadb.org
ChangeID: 75fb83ced15990b94659af6e107c063d288cb037
Description:
refresh several patches
Drop 0001-Fix-build-breakage-from-lock_guard-error-6161.patch as fix included in update
Bugfix only update including these cves:
10.4.13
CVE-2020-2752
CVE-2020-2812
CVE-2020-2814
CVE-2020-2760
CVE-2020-13249
10.4.15
CVE-2020-15180
10.4.16
CVE-2020-14812
CVE-2020-14765
CVE-2020-14776
CVE-2020-14789
CVE-2020-28912 (MDEV-24040)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...e_10.4.12.bb => mariadb-native_10.4.17.bb} | 0
meta-oe/recipes-dbs/mysql/mariadb.inc | 6 ++--
...-breakage-from-lock_guard-error-6161.patch | 32 -------------------
.../mariadb/0001-Fix-library-LZ4-lookup.patch | 19 +++++------
.../mysql/mariadb/c11_atomics.patch | 24 ++++++++------
.../configure.cmake-fix-valgrind.patch | 10 +++---
.../mariadb/fix-a-building-failure.patch | 13 +++-----
.../mysql/mariadb/fix-arm-atomic.patch | 13 +++-----
...Lists.txt-fix-gen_lex_hash-not-found.patch | 12 +++----
...akeLists.txt-fix-do_populate_sysroot.patch | 10 +++---
...{mariadb_10.4.12.bb => mariadb_10.4.17.bb} | 0
11 files changed, 51 insertions(+), 88 deletions(-)
rename meta-oe/recipes-dbs/mysql/{mariadb-native_10.4.12.bb => mariadb-native_10.4.17.bb} (100%)
delete mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch
rename meta-oe/recipes-dbs/mysql/{mariadb_10.4.12.bb => mariadb_10.4.17.bb} (100%)
diff --git a/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.12.bb b/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.17.bb
similarity index 100%
rename from meta-oe/recipes-dbs/mysql/mariadb-native_10.4.12.bb
rename to meta-oe/recipes-dbs/mysql/mariadb-native_10.4.17.bb
diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc
index 95f5acba1f..1a86bc0446 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -18,11 +18,9 @@ SRC_URI = "https://downloads.mariadb.org/interstitial/${BP}/source/${BP}.tar.gz
file://c11_atomics.patch \
file://clang_version_header_conflict.patch \
file://fix-arm-atomic.patch \
- file://0001-Fix-build-breakage-from-lock_guard-error-6161.patch \
- file://0001-Fix-library-LZ4-lookup.patch \
"
-SRC_URI[md5sum] = "97d7c0f508c04a31c138fdb24e95dbc4"
-SRC_URI[sha256sum] = "fef1e1d38aa253dd8a51006bd15aad184912fce31c446bb69434fcde735aa208"
+SRC_URI[md5sum] = "e8193b9cd008b6d7f177f5a5c44c7a9f"
+SRC_URI[sha256sum] = "a7b104e264311cd46524ae546ff0c5107978373e4a01cf7fd8a241454548d16e"
UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/releases"
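Review bot: this hunk removes `file://0001-Fix-library-LZ4-lookup.patch` from `SRC_URI` together with the lock_guard patch, but the commit message only announces dropping `0001-Fix-build-breakage-from-lock_guard-error-6161.patch`, and the same commit refreshes the LZ4 patch instead of deleting it. Unless the LZ4 patch is listed somewhere outside this hunk, it is refreshed but no longer applied. Please either keep the `SRC_URI` entry or delete the file and say so in the message.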
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch
deleted file mode 100644
index 87c70617a1..0000000000
--- a/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Subject: [PATCH] Fix build breakage from lock_guard error (#6161)
-
-Summary:
-This change fixes a source issue that caused compile time error which
-breaks build for many fbcode services in that setup. The size() member
-function of channel is a const member, so member variables accessed
-within it are implicitly const as well. This caused error when clang
-fails to resolve to a constructor that takes std::mutex because the
-suitable constructor got rejected due to loss of constness for its
-argument. The fix is to add mutable modifier to the lock_ member of
-channel.
-
-Pull Request resolved: https://github.com/facebook/rocksdb/pull/6161
-
-Differential Revision: D18967685
-
-Pulled By: maysamyabandeh
-
-Upstream-Status: Backport
-
-fbshipit-source-id:698b6a5153c3c92eeacb842c467aa28cc350d432
---- a/storage/rocksdb/rocksdb/util/channel.h
-+++ b/storage/rocksdb/rocksdb/util/channel.h
-@@ -60,7 +60,7 @@ class channel {
-
- private:
- std::condition_variable cv_;
-- std::mutex lock_;
-+ mutable std::mutex lock_;
- std::queue<T> buffer_;
- bool eof_;
- };
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-library-LZ4-lookup.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-library-LZ4-lookup.patch
index 574dfd317a..4b90d280ac 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-library-LZ4-lookup.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-library-LZ4-lookup.patch
@@ -8,15 +8,15 @@ Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
cmake/FindLZ4.cmake | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
-diff --git a/cmake/FindLZ4.cmake b/cmake/FindLZ4.cmake
-index e97dd63e2b0..2f4694e727c 100644
---- a/cmake/FindLZ4.cmake
-+++ b/cmake/FindLZ4.cmake
-@@ -1,5 +1,10 @@
--find_path(LZ4_INCLUDE_DIR NAMES lz4.h)
--find_library(LZ4_LIBRARY NAMES lz4)
+Index: mariadb-10.4.17/cmake/FindLZ4.cmake
+===================================================================
+--- mariadb-10.4.17.orig/cmake/FindLZ4.cmake
++++ mariadb-10.4.17/cmake/FindLZ4.cmake
+@@ -1,5 +1,11 @@
+ find_path(LZ4_INCLUDE_DIR NAMES lz4.h)
+-find_library(LZ4_LIBRARIES NAMES lz4)
+find_path(LZ4_INCLUDE_DIR
-+ NAMES lz4.h
++ NAMES lz4.h
+ NO_DEFAULT_PATH NO_CMAKE_FIND_ROOT_PATH)
+
+find_library(LZ4_LIBRARY
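Review bot: In the refreshed FindLZ4.cmake hunk the original find_path(LZ4_INCLUDE_DIR NAMES lz4.h) is now a context line rather than a removed line, so the patched file calls find_path twice for the same variable. CMake does not repeat a find_path search once the result variable is set, so whenever the first, unrestricted call finds lz4.h the added call with NO_DEFAULT_PATH NO_CMAKE_FIND_ROOT_PATH has no effect. The hunk should remove the original find_path line, as the previous version of this patch did. The removed library line also sets LZ4_LIBRARIES while the added call sets LZ4_LIBRARY, so check which name is passed to FIND_PACKAGE_HANDLE_STANDARD_ARGS.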
@@ -25,6 +25,3 @@ index e97dd63e2b0..2f4694e727c 100644
include(FindPackageHandleStandardArgs)
FIND_PACKAGE_HANDLE_STANDARD_ARGS(
---
-2.17.1
-
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch b/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch
index 169986130c..b1ce963602 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch
@@ -10,9 +10,11 @@ Date: Fri Dec 21 19:14:04 2018 +0200
Upstream-Status: Pending
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---- a/configure.cmake
-+++ b/configure.cmake
-@@ -926,7 +926,25 @@ int main()
+Index: mariadb-10.4.17/configure.cmake
+===================================================================
+--- mariadb-10.4.17.orig/configure.cmake
++++ mariadb-10.4.17/configure.cmake
+@@ -863,7 +863,25 @@ int main()
long long int *ptr= &var;
return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST);
}"
@@ -39,10 +41,12 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
IF(WITH_VALGRIND)
SET(HAVE_valgrind 1)
---- a/mysys/CMakeLists.txt
-+++ b/mysys/CMakeLists.txt
+Index: mariadb-10.4.17/mysys/CMakeLists.txt
+===================================================================
+--- mariadb-10.4.17.orig/mysys/CMakeLists.txt
++++ mariadb-10.4.17/mysys/CMakeLists.txt
@@ -78,6 +78,10 @@ TARGET_LINK_LIBRARIES(mysys dbug strings
- ${LIBNSL} ${LIBM} ${LIBRT} ${LIBDL} ${LIBSOCKET} ${LIBEXECINFO} ${CRC32_LIBRARY})
+ ${LIBNSL} ${LIBM} ${LIBRT} ${CMAKE_DL_LIBS} ${LIBSOCKET} ${LIBEXECINFO} ${CRC32_LIBRARY})
DTRACE_INSTRUMENT(mysys)
+IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC)
@@ -52,9 +56,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
IF(HAVE_BFD_H)
TARGET_LINK_LIBRARIES(mysys bfd)
ENDIF(HAVE_BFD_H)
---- a/sql/CMakeLists.txt
-+++ b/sql/CMakeLists.txt
-@@ -178,6 +178,10 @@ ELSE()
+Index: mariadb-10.4.17/sql/CMakeLists.txt
+===================================================================
+--- mariadb-10.4.17.orig/sql/CMakeLists.txt
++++ mariadb-10.4.17/sql/CMakeLists.txt
+@@ -196,6 +196,10 @@ ELSE()
SET(MYSQLD_SOURCE main.cc ${DTRACE_PROBES_ALL})
ENDIF()
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/configure.cmake-fix-valgrind.patch b/meta-oe/recipes-dbs/mysql/mariadb/configure.cmake-fix-valgrind.patch
index ac94279585..162b1e295b 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb/configure.cmake-fix-valgrind.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/configure.cmake-fix-valgrind.patch
@@ -21,11 +21,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
configure.cmake | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
-diff --git a/configure.cmake b/configure.cmake
-index 3cfc4b31..d017b3b3 100644
---- a/configure.cmake
-+++ b/configure.cmake
-@@ -930,10 +930,9 @@ HAVE_GCC_C11_ATOMICS)
+Index: mariadb-10.4.17/configure.cmake
+===================================================================
+--- mariadb-10.4.17.orig/configure.cmake
++++ mariadb-10.4.17/configure.cmake
+@@ -867,10 +867,9 @@ HAVE_GCC_C11_ATOMICS)
IF(WITH_VALGRIND)
SET(HAVE_valgrind 1)
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch b/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch
index 9149ee21f2..5fc94835ea 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch
@@ -14,11 +14,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
CMakeLists.txt | 5 -----
1 file changed, 5 deletions(-)
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index fc30750..4f9110e 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -347,11 +347,6 @@ CHECK_PCRE()
+Index: mariadb-10.4.17/CMakeLists.txt
+===================================================================
+--- mariadb-10.4.17.orig/CMakeLists.txt
++++ mariadb-10.4.17/CMakeLists.txt
+@@ -376,11 +376,6 @@ CHECK_PCRE()
CHECK_SYSTEMD()
@@ -30,6 +30,3 @@ index fc30750..4f9110e 100644
#
# Setup maintainer mode options. Platform checks are
# not run with the warning options as to not perturb fragile checks
---
-2.17.1
-
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/fix-arm-atomic.patch b/meta-oe/recipes-dbs/mysql/mariadb/fix-arm-atomic.patch
index 05b0cf8ff7..db72709439 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb/fix-arm-atomic.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/fix-arm-atomic.patch
@@ -15,11 +15,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
storage/rocksdb/build_rocksdb.cmake | 3 +++
1 file changed, 3 insertions(+)
-diff --git a/storage/rocksdb/build_rocksdb.cmake b/storage/rocksdb/build_rocksdb.cmake
-index d7895b0..3bcd52a 100644
---- a/storage/rocksdb/build_rocksdb.cmake
-+++ b/storage/rocksdb/build_rocksdb.cmake
-@@ -470,6 +470,9 @@ list(APPEND SOURCES ${CMAKE_CURRENT_BINARY_DIR}/build_version.cc)
+Index: mariadb-10.4.17/storage/rocksdb/build_rocksdb.cmake
+===================================================================
+--- mariadb-10.4.17.orig/storage/rocksdb/build_rocksdb.cmake
++++ mariadb-10.4.17/storage/rocksdb/build_rocksdb.cmake
+@@ -498,6 +498,9 @@ list(APPEND SOURCES ${CMAKE_CURRENT_BINA
ADD_CONVENIENCE_LIBRARY(rocksdblib ${SOURCES})
target_link_libraries(rocksdblib ${THIRDPARTY_LIBS} ${SYSTEM_LIBS})
@@ -29,6 +29,3 @@ index d7895b0..3bcd52a 100644
IF(CMAKE_CXX_COMPILER_ID MATCHES "GNU" OR CMAKE_CXX_COMPILER_ID MATCHES "Clang")
set_target_properties(rocksdblib PROPERTIES COMPILE_FLAGS "-fPIC -fno-builtin-memcmp -Wno-error")
endif()
---
-2.7.4
-
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch b/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch
index afc1be47b5..16cd584da9 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch
@@ -15,11 +15,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
sql/CMakeLists.txt | 30 ++++++++++++++++++++----------
1 file changed, 20 insertions(+), 10 deletions(-)
-diff --git a/sql/CMakeLists.txt b/sql/CMakeLists.txt
-index c6910f46..bf51f4cb 100644
---- a/sql/CMakeLists.txt
-+++ b/sql/CMakeLists.txt
-@@ -50,11 +50,16 @@ ${WSREP_INCLUDES}
+Index: mariadb-10.4.17/sql/CMakeLists.txt
+===================================================================
+--- mariadb-10.4.17.orig/sql/CMakeLists.txt
++++ mariadb-10.4.17/sql/CMakeLists.txt
+@@ -55,11 +55,16 @@ ${CMAKE_BINARY_DIR}/sql
@@ -41,7 +41,7 @@ index c6910f46..bf51f4cb 100644
ADD_DEFINITIONS(-DMYSQL_SERVER -DHAVE_EVENT_SCHEDULER)
-@@ -370,11 +375,16 @@ IF(NOT CMAKE_CROSSCOMPILING)
+@@ -364,11 +369,16 @@ IF(NOT CMAKE_CROSSCOMPILING)
ADD_EXECUTABLE(gen_lex_hash gen_lex_hash.cc)
ENDIF()
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/support-files-CMakeLists.txt-fix-do_populate_sysroot.patch b/meta-oe/recipes-dbs/mysql/mariadb/support-files-CMakeLists.txt-fix-do_populate_sysroot.patch
index 4f9a4e9b0e..937d13da31 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb/support-files-CMakeLists.txt-fix-do_populate_sysroot.patch
+++ b/meta-oe/recipes-dbs/mysql/mariadb/support-files-CMakeLists.txt-fix-do_populate_sysroot.patch
@@ -15,11 +15,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
support-files/CMakeLists.txt | 7 -------
1 file changed, 7 deletions(-)
-diff --git a/support-files/CMakeLists.txt b/support-files/CMakeLists.txt
-index b5767432..56733de1 100644
---- a/support-files/CMakeLists.txt
-+++ b/support-files/CMakeLists.txt
-@@ -165,12 +165,5 @@ IF(UNIX)
+Index: mariadb-10.4.17/support-files/CMakeLists.txt
+===================================================================
+--- mariadb-10.4.17.orig/support-files/CMakeLists.txt
++++ mariadb-10.4.17/support-files/CMakeLists.txt
+@@ -192,12 +192,5 @@ IF(UNIX)
INSTALL(FILES rpm/enable_encryption.preset DESTINATION ${INSTALL_SYSCONF2DIR}
COMPONENT IniFiles)
ENDIF()
diff --git a/meta-oe/recipes-dbs/mysql/mariadb_10.4.12.bb b/meta-oe/recipes-dbs/mysql/mariadb_10.4.17.bb
similarity index 100%
rename from meta-oe/recipes-dbs/mysql/mariadb_10.4.12.bb
rename to meta-oe/recipes-dbs/mysql/mariadb_10.4.17.bb
--
2.17.1
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [dunfell 15/28] lua: fix CVE-2020-15945
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (13 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 14/28] mariadb: update to 10.4.17 for cve fixes akuster
@ 2021-01-17 17:46 ` akuster
2021-01-17 17:46 ` [dunfell 16/28] lua: fix CVE-2020-24371 akuster
` (14 subsequent siblings)
29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Wenlin Kang <wenlin.kang@windriver.com>
Source: openembedded.org
MR: 104897
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded gatesgarth
ChangeID: 6c43941d116bbb9f0d62ca5376da24ae03eb9eab
Description:
Fixes CVE-2020-15945
Backport with modifications to apply successfully.
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../lua/lua/CVE-2020-15945.patch | 167 ++++++++++++++++++
meta-oe/recipes-devtools/lua/lua_5.3.5.bb | 1 +
2 files changed, 168 insertions(+)
create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch
diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch
new file mode 100644
index 0000000000..89ce491487
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch
@@ -0,0 +1,167 @@
+From d8d344365945a534f700c82c5dd26f704f89fef3 Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Wed, 5 Aug 2020 16:59:58 +0800
+Subject: [PATCH] Fixed bug: invalid 'oldpc' when returning to a function
+
+The field 'L->oldpc' is not always updated when control returns to a
+function; an invalid value can seg. fault when computing 'changedline'.
+(One example is an error in a finalizer; control can return to
+'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to
+fix all possible corner cases, it seems safer to be resilient to invalid
+values for 'oldpc'. Valid but wrong values at most cause an extra call
+to a line hook.
+
+CVE: CVE-2020-15945
+
+[Adjust the code to be applicable to the tree]
+
+Upstream-Status: Backport [https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3]
+
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+Signed-off-by: Joe Slater <joe.slater@@windriver.com>
+
+---
+ src/ldebug.c | 30 +++++++++++++++---------------
+ src/ldebug.h | 4 ++++
+ src/ldo.c | 2 +-
+ src/lstate.c | 1 +
+ src/lstate.h | 2 +-
+ 5 files changed, 22 insertions(+), 17 deletions(-)
+
+diff --git a/src/ldebug.c b/src/ldebug.c
+index 239affb..832b16c 100644
+--- a/src/ldebug.c
++++ b/src/ldebug.c
+@@ -34,9 +34,8 @@
+ #define noLuaClosure(f) ((f) == NULL || (f)->c.tt == LUA_TCCL)
+
+
+-/* Active Lua function (given call info) */
+-#define ci_func(ci) (clLvalue((ci)->func))
+-
++/* inverse of 'pcRel' */
++#define invpcRel(pc, p) ((p)->code + (pc) + 1)
+
+ static const char *funcnamefromcode (lua_State *L, CallInfo *ci,
+ const char **name);
+@@ -71,20 +70,18 @@ static void swapextra (lua_State *L) {
+
+ /*
+ ** This function can be called asynchronously (e.g. during a signal).
+-** Fields 'oldpc', 'basehookcount', and 'hookcount' (set by
+-** 'resethookcount') are for debug only, and it is no problem if they
+-** get arbitrary values (causes at most one wrong hook call). 'hookmask'
+-** is an atomic value. We assume that pointers are atomic too (e.g., gcc
+-** ensures that for all platforms where it runs). Moreover, 'hook' is
+-** always checked before being called (see 'luaD_hook').
++** Fields 'basehookcount' and 'hookcount' (set by 'resethookcount')
++** are for debug only, and it is no problem if they get arbitrary
++** values (causes at most one wrong hook call). 'hookmask' is an atomic
++** value. We assume that pointers are atomic too (e.g., gcc ensures that
++** for all platforms where it runs). Moreover, 'hook' is always checked
++** before being called (see 'luaD_hook').
+ */
+ LUA_API void lua_sethook (lua_State *L, lua_Hook func, int mask, int count) {
+ if (func == NULL || mask == 0) { /* turn off hooks? */
+ mask = 0;
+ func = NULL;
+ }
+- if (isLua(L->ci))
+- L->oldpc = L->ci->u.l.savedpc;
+ L->hook = func;
+ L->basehookcount = count;
+ resethookcount(L);
+@@ -665,7 +662,10 @@ l_noret luaG_runerror (lua_State *L, const char *fmt, ...) {
+ void luaG_traceexec (lua_State *L) {
+ CallInfo *ci = L->ci;
+ lu_byte mask = L->hookmask;
++ const Proto *p = ci_func(ci)->p;
+ int counthook = (--L->hookcount == 0 && (mask & LUA_MASKCOUNT));
++ /* 'L->oldpc' may be invalid; reset it in this case */
++ int oldpc = (L->oldpc < p->sizecode) ? L->oldpc : 0;
+ if (counthook)
+ resethookcount(L); /* reset count */
+ else if (!(mask & LUA_MASKLINE))
+@@ -677,15 +677,15 @@ void luaG_traceexec (lua_State *L) {
+ if (counthook)
+ luaD_hook(L, LUA_HOOKCOUNT, -1); /* call count hook */
+ if (mask & LUA_MASKLINE) {
+- Proto *p = ci_func(ci)->p;
+ int npc = pcRel(ci->u.l.savedpc, p);
+ int newline = getfuncline(p, npc);
+ if (npc == 0 || /* call linehook when enter a new function, */
+- ci->u.l.savedpc <= L->oldpc || /* when jump back (loop), or when */
+- newline != getfuncline(p, pcRel(L->oldpc, p))) /* enter a new line */
++ ci->u.l.savedpc <= invpcRel(oldpc, p) || /* when jump back (loop), or when */
++ newline != getfuncline(p, oldpc)) /* enter a new line */
+ luaD_hook(L, LUA_HOOKLINE, newline); /* call line hook */
++
++ L->oldpc = npc; /* 'pc' of last call to line hook */
+ }
+- L->oldpc = ci->u.l.savedpc;
+ if (L->status == LUA_YIELD) { /* did hook yield? */
+ if (counthook)
+ L->hookcount = 1; /* undo decrement to zero */
+diff --git a/src/ldebug.h b/src/ldebug.h
+index 0e31546..c224cc4 100644
+--- a/src/ldebug.h
++++ b/src/ldebug.h
+@@ -13,6 +13,10 @@
+
+ #define pcRel(pc, p) (cast(int, (pc) - (p)->code) - 1)
+
++/* Active Lua function (given call info) */
++#define ci_func(ci) (clLvalue((ci)->func))
++
++
+ #define getfuncline(f,pc) (((f)->lineinfo) ? (f)->lineinfo[pc] : -1)
+
+ #define resethookcount(L) (L->hookcount = L->basehookcount)
+diff --git a/src/ldo.c b/src/ldo.c
+index 90b695f..f66ac1a 100644
+--- a/src/ldo.c
++++ b/src/ldo.c
+@@ -382,7 +382,7 @@ int luaD_poscall (lua_State *L, CallInfo *ci, StkId firstResult, int nres) {
+ luaD_hook(L, LUA_HOOKRET, -1);
+ firstResult = restorestack(L, fr);
+ }
+- L->oldpc = ci->previous->u.l.savedpc; /* 'oldpc' for caller function */
++ L->oldpc = pcRel(ci->u.l.savedpc, ci_func(ci)->p); /* 'oldpc' for caller function */
+ }
+ res = ci->func; /* res == final position of 1st result */
+ L->ci = ci->previous; /* back to caller */
+diff --git a/src/lstate.c b/src/lstate.c
+index 9194ac3..3573e36 100644
+--- a/src/lstate.c
++++ b/src/lstate.c
+@@ -236,6 +236,7 @@ static void preinit_thread (lua_State *L, global_State *g) {
+ L->nny = 1;
+ L->status = LUA_OK;
+ L->errfunc = 0;
++ L->oldpc = 0;
+ }
+
+
+diff --git a/src/lstate.h b/src/lstate.h
+index a469466..d75eadf 100644
+--- a/src/lstate.h
++++ b/src/lstate.h
+@@ -164,7 +164,6 @@ struct lua_State {
+ StkId top; /* first free slot in the stack */
+ global_State *l_G;
+ CallInfo *ci; /* call info for current function */
+- const Instruction *oldpc; /* last pc traced */
+ StkId stack_last; /* last free slot in the stack */
+ StkId stack; /* stack base */
+ UpVal *openupval; /* list of open upvalues in this stack */
+@@ -174,6 +173,7 @@ struct lua_State {
+ CallInfo base_ci; /* CallInfo for first level (C calling Lua) */
+ volatile lua_Hook hook;
+ ptrdiff_t errfunc; /* current error handling function (stack index) */
++ int oldpc; /* last pc traced */
+ int stacksize;
+ int basehookcount;
+ int hookcount;
+--
+2.13.3
+
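Review bot: In the src/ldo.c hunk the removed line took the saved pc from ci->previous, but the replacement computes pcRel(ci->u.l.savedpc, ci_func(ci)->p) on ci itself, the call being returned from, while the comment still says 'oldpc' for caller function. Nothing in the visible context checks that ci is a Lua function before ci_func(ci)->p is dereferenced. Suggest using the caller and guarding it, for example if (isLua(ci->previous)) L->oldpc = pcRel(ci->previous->u.l.savedpc, ci_func(ci->previous)->p); and comparing the result with the upstream commit named in Upstream-Status. Separately, the new check in luaG_traceexec (L->oldpc < p->sizecode) bounds the now-signed int only from above, so confirm a negative value cannot reach getfuncline, and the Signed-off-by line for Joe Slater has a doubled '@' in the address.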
diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb b/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
index d3461b06de..4f89579c78 100644
--- a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
+++ b/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
@@ -8,6 +8,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
file://lua.pc.in \
file://0001-Allow-building-lua-without-readline-on-Linux.patch \
file://CVE-2020-15888.patch \
+ file://CVE-2020-15945.patch \
"
# if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
--
2.17.1
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [dunfell 16/28] lua: fix CVE-2020-24371
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (14 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 15/28] lua: fix CVE-2020-15945 akuster
@ 2021-01-17 17:46 ` akuster
2021-01-17 17:46 ` [dunfell 17/28] lua: update to 5.3.6 akuster
` (13 subsequent siblings)
29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Wenlin Kang <wenlin.kang@windriver.com>
Source: openembedded.org
MR: 105165
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded gatesgarth
ChangeID: 747161877824daae061bc4fb458f55ab033f62f4
Description:
Fix CVE-2020-24371
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...rriers-cannot-be-active-during-sweep.patch | 90 +++++++++++++++++++
meta-oe/recipes-devtools/lua/lua_5.3.5.bb | 1 +
2 files changed, 91 insertions(+)
create mode 100644 meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch
diff --git a/meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch b/meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch
new file mode 100644
index 0000000000..a302874d76
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch
@@ -0,0 +1,90 @@
+From 1e6df25ac28dcd89f0324177bb55019422404b44 Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Thu, 3 Sep 2020 15:32:17 +0800
+Subject: [PATCH] Fixed bug: barriers cannot be active during sweep
+
+Barriers cannot be active during sweep, even in generational mode.
+(Although gen. mode is not incremental, it can hit a barrier when
+deleting a thread and closing its upvalues.) The colors of objects are
+being changed during sweep and, therefore, cannot be trusted.
+
+Upstream-Status: Backport [https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110]
+CVE: CVE-2020-24371
+
+[Adjust code KGC_INC -> KGC_NORMAL, refer 69371c4b84becac09c445aae01d005b49658ef82]
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+ src/lgc.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/src/lgc.c b/src/lgc.c
+index 973c269..7af23d5 100644
+--- a/src/lgc.c
++++ b/src/lgc.c
+@@ -142,10 +142,17 @@ static int iscleared (global_State *g, const TValue *o) {
+
+
+ /*
+-** barrier that moves collector forward, that is, mark the white object
+-** being pointed by a black object. (If in sweep phase, clear the black
+-** object to white [sweep it] to avoid other barrier calls for this
+-** same object.)
++** Barrier that moves collector forward, that is, marks the white object
++** 'v' being pointed by the black object 'o'. In the generational
++** mode, 'v' must also become old, if 'o' is old; however, it cannot
++** be changed directly to OLD, because it may still point to non-old
++** objects. So, it is marked as OLD0. In the next cycle it will become
++** OLD1, and in the next it will finally become OLD (regular old). By
++** then, any object it points to will also be old. If called in the
++** incremental sweep phase, it clears the black object to white (sweep
++** it) to avoid other barrier calls for this same object. (That cannot
++** be done is generational mode, as its sweep does not distinguish
++** whites from deads.)
+ */
+ void luaC_barrier_ (lua_State *L, GCObject *o, GCObject *v) {
+ global_State *g = G(L);
+@@ -154,7 +161,8 @@ void luaC_barrier_ (lua_State *L, GCObject *o, GCObject *v) {
+ reallymarkobject(g, v); /* restore invariant */
+ else { /* sweep phase */
+ lua_assert(issweepphase(g));
+- makewhite(g, o); /* mark main obj. as white to avoid other barriers */
++ if (g->gckind == KGC_NORMAL) /* incremental mode? */
++ makewhite(g, o); /* mark 'o' as white to avoid other barriers */
+ }
+ }
+
+@@ -299,10 +307,15 @@ static void markbeingfnz (global_State *g) {
+
+
+ /*
+-** Mark all values stored in marked open upvalues from non-marked threads.
+-** (Values from marked threads were already marked when traversing the
+-** thread.) Remove from the list threads that no longer have upvalues and
+-** not-marked threads.
++** For each non-marked thread, simulates a barrier between each open
++** upvalue and its value. (If the thread is collected, the value will be
++** assigned to the upvalue, but then it can be too late for the barrier
++** to act. The "barrier" does not need to check colors: A non-marked
++** thread must be young; upvalues cannot be older than their threads; so
++** any visited upvalue must be young too.) Also removes the thread from
++** the list, as it was already visited. Removes also threads with no
++** upvalues, as they have nothing to be checked. (If the thread gets an
++** upvalue later, it will be linked in the list again.)
+ */
+ static void remarkupvals (global_State *g) {
+ lua_State *thread;
+@@ -313,9 +326,11 @@ static void remarkupvals (global_State *g) {
+ p = &thread->twups; /* keep marked thread with upvalues in the list */
+ else { /* thread is not marked or without upvalues */
+ UpVal *uv;
++ lua_assert(!isold(thread) || thread->openupval == NULL);
+ *p = thread->twups; /* remove thread from the list */
+ thread->twups = thread; /* mark that it is out of list */
+ for (uv = thread->openupval; uv != NULL; uv = uv->u.open.next) {
++ lua_assert(getage(uv) <= getage(thread));
+ if (uv->u.open.touched) {
+ markvalue(g, uv->v); /* remark upvalue's value */
+ uv->u.open.touched = 0;
+--
+1.9.1
+
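Review bot: The two added lua_assert lines in remarkupvals use isold() and getage(), and neither macro is defined or touched anywhere in this patch. The header note says the code was adapted to this tree (KGC_INC -> KGC_NORMAL), so confirm both macros exist in the 5.3.5 sources or drop the assertions; if they do not exist, a build with lua_assert enabled will not compile. The rewritten comments also describe generational mode and the OLD0/OLD1 ages, so the patch header should state how the KGC_NORMAL test maps to the case the upstream fix targets. The file is named 0001-Fixed-bug-... while its siblings in SRC_URI are named after their CVE; CVE-2020-24371.patch would be consistent.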
diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb b/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
index 4f89579c78..7d84ea60b6 100644
--- a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
+++ b/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
@@ -9,6 +9,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
file://0001-Allow-building-lua-without-readline-on-Linux.patch \
file://CVE-2020-15888.patch \
file://CVE-2020-15945.patch \
+ file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \
"
# if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
--
2.17.1
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [dunfell 17/28] lua: update to 5.3.6
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (15 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 16/28] lua: fix CVE-2020-24371 akuster
@ 2021-01-17 17:46 ` akuster
2021-01-17 17:46 ` [dunfell 18/28] nss: Security fix CVE-2020-12401 akuster
` (12 subsequent siblings)
29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Armin Kuster <akuster@mvista.com>
LIC_FILES_CHKSUM changed to do year updates
This is the last 5.3.x update. This will give us the best
starting point for doing maintenance moving forward.
It's a bug fix only update. See http://www.lua.org/work/diffs-lua-5.3.5-lua-5.3.6.html
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-oe/recipes-devtools/lua/{lua_5.3.5.bb => lua_5.3.6.bb} | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
rename meta-oe/recipes-devtools/lua/{lua_5.3.5.bb => lua_5.3.6.bb} (92%)
diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
similarity index 92%
rename from meta-oe/recipes-devtools/lua/lua_5.3.5.bb
rename to meta-oe/recipes-devtools/lua/lua_5.3.6.bb
index 7d84ea60b6..342ed1b547 100644
--- a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
+++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
@@ -1,7 +1,7 @@
DESCRIPTION = "Lua is a powerful light-weight programming language designed \
for extending applications."
LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://doc/readme.html;beginline=318;endline=352;md5=60aa5cfdbd40086501778d9b6ebf29ee"
+LIC_FILES_CHKSUM = "file://doc/readme.html;beginline=318;endline=352;md5=f43d8ee6bc4df18ef8b276439cc4a153"
HOMEPAGE = "http://www.lua.org/"
SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
@@ -20,8 +20,8 @@ SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', \
file://run-ptest \
', '', d)}"
-SRC_URI[tarballsrc.md5sum] = "4f4b4f323fd3514a68e0ab3da8ce3455"
-SRC_URI[tarballsrc.sha256sum] = "0c2eed3f960446e1a3e4b9a1ca2f3ff893b6ce41942cf54d5dd59ab4b3b058ac"
+SRC_URI[tarballsrc.md5sum] = "83f23dbd5230140a3770d5f54076948d"
+SRC_URI[tarballsrc.sha256sum] = "fc5fd69bb8736323f026672b1b7235da613d7177e72558893a0bdcd320466d60"
SRC_URI[tarballtest.md5sum] = "b14fe3748c1cb2d74e3acd1943629ba3"
SRC_URI[tarballtest.sha256sum] = "b80771238271c72565e5a1183292ef31bd7166414cd0d43a8eb79845fa7f599f"
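Review bot: Only LIC_FILES_CHKSUM and the tarballsrc checksums change here (3 insertions, 3 deletions), so the SRC_URI patch list is carried over unchanged to 5.3.6, including CVE-2020-15888.patch, CVE-2020-15945.patch and 0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch from earlier in this series. Since the commit message calls 5.3.6 a bug-fix-only release, check each of those patches against the 5.3.6 sources and drop any that upstream already includes; the commit message should say which remain and why.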
--
2.17.1
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [dunfell 18/28] nss: Security fix CVE-2020-12401
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (16 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 17/28] lua: update to 5.3.6 akuster
@ 2021-01-17 17:46 ` akuster
2021-01-17 17:46 ` [dunfell 19/28] wireshark: Several securtiy fixes akuster
` (11 subsequent siblings)
29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Armin Kuster <akuster@mvista.com>
Source: Mozilla.org
MR: 106876
Type: Security Fix
Disposition: Backport from https://hg.mozilla.org/projects/nss/raw-rev/aeb2e583ee957a699d949009c7ba37af76515c20
ChangeID: a61d4926f8ab5afc54c23e58cd86b4a7609c9708
Description:
Fixes CVE-2020-12401
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../nss/nss/CVE-2020-12401.patch | 52 +++++++++++++++++++
meta-oe/recipes-support/nss/nss_3.51.1.bb | 1 +
2 files changed, 53 insertions(+)
create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
new file mode 100644
index 0000000000..e67926fe50
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
@@ -0,0 +1,52 @@
+# HG changeset patch
+# User Billy Brumley <bbrumley@gmail.com>
+# Date 1595283525 0
+# Node ID aeb2e583ee957a699d949009c7ba37af76515c20
+# Parent ca207655b4b7cb1d3a5e438c1fb9b90d45596da6
+Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche
+
+Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding.
+
+Timing attack countermeasures are now applied more generally deeper in
+the call stack.
+
+Differential Revision: https://phabricator.services.mozilla.com/D82011
+
+
+Upstream-Status: Backport
+
+CVE: CVE-2020-1240
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: nss-3.51.1/nss/lib/freebl/ec.c
+===================================================================
+--- nss-3.51.1.orig/nss/lib/freebl/ec.c
++++ nss-3.51.1/nss/lib/freebl/ec.c
+@@ -724,27 +724,6 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *k
+ }
+
+ /*
+- ** We do not want timing information to leak the length of k,
+- ** so we compute k*G using an equivalent scalar of fixed
+- ** bit-length.
+- ** Fix based on patch for ECDSA timing attack in the paper
+- ** by Billy Bob Brumley and Nicola Tuveri at
+- ** http://eprint.iacr.org/2011/232
+- **
+- ** How do we convert k to a value of a fixed bit-length?
+- ** k starts off as an integer satisfying 0 <= k < n. Hence,
+- ** n <= k+n < 2n, which means k+n has either the same number
+- ** of bits as n or one more bit than n. If k+n has the same
+- ** number of bits as n, the second addition ensures that the
+- ** final value has exactly one more bit than n. Thus, we
+- ** always end up with a value that exactly one more bit than n.
+- */
+- CHECK_MPI_OK(mp_add(&k, &n, &k));
+- if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) {
+- CHECK_MPI_OK(mp_add(&k, &n, &k));
+- }
+-
+- /*
+ ** ANSI X9.62, Section 5.3.2, Step 2
+ **
+ ** Compute kG
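Review bot: The tag line in the patch header reads CVE: CVE-2020-1240, which is missing the final digit; the file name and the commit subject both say CVE-2020-12401. Change the tag to CVE: CVE-2020-12401 so that tooling which reads the CVE: line records the right identifier.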
diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb
index c00bd34cb2..3e3c3a3fdf 100644
--- a/meta-oe/recipes-support/nss/nss_3.51.1.bb
+++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
file://riscv.patch \
file://0001-Enable-uint128-on-mips64.patch \
file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \
+ file://CVE-2020-12401.patch \
"
SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"
--
2.17.1
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [dunfell 19/28] wireshark: Several securtiy fixes
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (17 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 18/28] nss: Security fix CVE-2020-12401 akuster
@ 2021-01-17 17:46 ` akuster
2021-01-17 17:46 ` [dunfell 20/28] nodejs: Fix build with icu 67.1 akuster
` (10 subsequent siblings)
29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Armin Kuster <akuster@mvista.com>
Source: Wireshark.org
MR: 106181, 106696, 107655, 107673, 107682
Type: Security Fix
Disposition: Backport from wireshark.org
ChangeID: 57df6ac3b11aabd96e6aec728501ce7988bc176a
Description:
Bugfix only update including these cves:
3.2.8
CVE-2020-26575
CVE-2020-28030
3.2.9
CVE-2020-26418
CVE-2020-26421
CVE-2020-26420
Signed-off-by: Armin Kuster <akuster@mvista.com>
(cherry picked from commit a10ea62a1c9c7b0c4810f2e4ef0dcc6f75b0ca6b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../wireshark/{wireshark_3.2.7.bb => wireshark_3.2.10.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta-networking/recipes-support/wireshark/{wireshark_3.2.7.bb => wireshark_3.2.10.bb} (96%)
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.7.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.10.bb
similarity index 96%
rename from meta-networking/recipes-support/wireshark/wireshark_3.2.7.bb
rename to meta-networking/recipes-support/wireshark/wireshark_3.2.10.bb
index 65f925ce1f..d284824149 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.2.7.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.10.bb
@@ -12,7 +12,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
-SRC_URI[sha256sum] = "be832fb86d9c455c5be8b225a755cdc77cb0e92356bdfc1fe4b000d93f7d70da"
+SRC_URI[sha256sum] = "1e9e239f2449f240a7910ed598084ccaf8ea308b2b46b196c5adbec59612226c"
PE = "1"
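Review bot: the rename goes from 3.2.7 to 3.2.10, but the description lists CVEs only under 3.2.8 and 3.2.9 and says nothing about what 3.2.10 brings. Please add a 3.2.10 line to the description (even "bug fixes only") so the stable branch log shows that the extra version step was reviewed, and confirm the new `SRC_URI[sha256sum]` was taken from the upstream release announcement rather than from the fetched tarball alone.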
--
2.17.1
* [dunfell 20/28] nodejs: Fix build with icu 67.1
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (18 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 19/28] wireshark: Several security fixes akuster
@ 2021-01-17 17:46 ` akuster
2021-01-17 17:46 ` [dunfell 21/28] nodejs: Upgrade to 12.18.3 akuster
` (9 subsequent siblings)
29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Khem Raj <raj.khem@gmail.com>
Remove soon-to-be removed getAllFieldPositions
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Andrej Valek <andrej.valek@siemens.com>
(cherry picked from commit 7910f2b64575dcd3352effd441accb3b56e3554d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../0001-deps-V8-backport-3f8dc4b2e5ba.patch | 194 ++++++++++++++++++
.../recipes-devtools/nodejs/nodejs_12.14.1.bb | 1 +
2 files changed, 195 insertions(+)
create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch
new file mode 100644
index 0000000000..07dbdfe564
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch
@@ -0,0 +1,194 @@
+From 836311710ca8d49fdf4d619e3a738a445c413605 Mon Sep 17 00:00:00 2001
+From: Ujjwal Sharma <ryzokuken@disroot.org>
+Date: Wed, 22 Apr 2020 12:20:17 +0530
+Subject: [PATCH] deps: V8: backport 3f8dc4b2e5ba
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Original commit message:
+
+ [intl] Remove soon-to-be removed getAllFieldPositions
+
+ Needed to land ICU67.1 soon.
+
+ Bug: v8:10393
+ Change-Id: I3c7737ca600d6ccfdc46ffaddfb318ce60bc7618
+ Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2136489
+ Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
+ Commit-Queue: Frank Tang <ftang@chromium.org>
+ Cr-Commit-Position: refs/heads/master@{#67027}
+
+Refs: https://github.com/v8/v8/commit/3f8dc4b2e5baf77b463334c769af85b79d8c1463
+
+PR-URL: https://github.com/nodejs/node/pull/32993
+Reviewed-By: Michaël Zasso <targos@protonmail.com>
+Reviewed-By: Matheus Marchini <mat@mmarchini.me>
+Reviewed-By: Steven R Loomis <srloomis@us.ibm.com>
+Reviewed-By: Richard Lau <riclau@uk.ibm.com>
+---
+ common.gypi | 2 +-
+ deps/v8/src/objects/js-number-format.cc | 72 +++++++++++++------------
+ 2 files changed, 38 insertions(+), 36 deletions(-)
+
+diff --git a/common.gypi b/common.gypi
+index b86e5e0..a7b37e6 100644
+--- a/common.gypi
++++ b/common.gypi
+@@ -38,7 +38,7 @@
+
+ # Reset this number to 0 on major V8 upgrades.
+ # Increment by one for each non-official patch applied to deps/v8.
+- 'v8_embedder_string': '-node.16',
++ 'v8_embedder_string': '-node.17',
+
+ ##### V8 defaults for Node.js #####
+
+diff --git a/deps/v8/src/objects/js-number-format.cc b/deps/v8/src/objects/js-number-format.cc
+index d1e3ef4..757c665 100644
+--- a/deps/v8/src/objects/js-number-format.cc
++++ b/deps/v8/src/objects/js-number-format.cc
+@@ -1252,42 +1252,31 @@ MaybeHandle<JSNumberFormat> JSNumberFormat::New(Isolate* isolate,
+ }
+
+ namespace {
+-Maybe<icu::UnicodeString> IcuFormatNumber(
++Maybe<bool> IcuFormatNumber(
+ Isolate* isolate,
+ const icu::number::LocalizedNumberFormatter& number_format,
+- Handle<Object> numeric_obj, icu::FieldPositionIterator* fp_iter) {
++ Handle<Object> numeric_obj, icu::number::FormattedNumber* formatted) {
+ // If it is BigInt, handle it differently.
+ UErrorCode status = U_ZERO_ERROR;
+- icu::number::FormattedNumber formatted;
+ if (numeric_obj->IsBigInt()) {
+ Handle<BigInt> big_int = Handle<BigInt>::cast(numeric_obj);
+ Handle<String> big_int_string;
+ ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, big_int_string,
+ BigInt::ToString(isolate, big_int),
+- Nothing<icu::UnicodeString>());
+- formatted = number_format.formatDecimal(
++ Nothing<bool>());
++ *formatted = number_format.formatDecimal(
+ {big_int_string->ToCString().get(), big_int_string->length()}, status);
+ } else {
+ double number = numeric_obj->Number();
+- formatted = number_format.formatDouble(number, status);
++ *formatted = number_format.formatDouble(number, status);
+ }
+ if (U_FAILURE(status)) {
+ // This happen because of icu data trimming trim out "unit".
+ // See https://bugs.chromium.org/p/v8/issues/detail?id=8641
+- THROW_NEW_ERROR_RETURN_VALUE(isolate,
+- NewTypeError(MessageTemplate::kIcuError),
+- Nothing<icu::UnicodeString>());
+- }
+- if (fp_iter) {
+- formatted.getAllFieldPositions(*fp_iter, status);
++ THROW_NEW_ERROR_RETURN_VALUE(
++ isolate, NewTypeError(MessageTemplate::kIcuError), Nothing<bool>());
+ }
+- icu::UnicodeString result = formatted.toString(status);
+- if (U_FAILURE(status)) {
+- THROW_NEW_ERROR_RETURN_VALUE(isolate,
+- NewTypeError(MessageTemplate::kIcuError),
+- Nothing<icu::UnicodeString>());
+- }
+- return Just(result);
++ return Just(true);
+ }
+
+ } // namespace
+@@ -1298,10 +1287,16 @@ MaybeHandle<String> JSNumberFormat::FormatNumeric(
+ Handle<Object> numeric_obj) {
+ DCHECK(numeric_obj->IsNumeric());
+
+- Maybe<icu::UnicodeString> maybe_format =
+- IcuFormatNumber(isolate, number_format, numeric_obj, nullptr);
++ icu::number::FormattedNumber formatted;
++ Maybe<bool> maybe_format =
++ IcuFormatNumber(isolate, number_format, numeric_obj, &formatted);
+ MAYBE_RETURN(maybe_format, Handle<String>());
+- return Intl::ToString(isolate, maybe_format.FromJust());
++ UErrorCode status = U_ZERO_ERROR;
++ icu::UnicodeString result = formatted.toString(status);
++ if (U_FAILURE(status)) {
++ THROW_NEW_ERROR(isolate, NewTypeError(MessageTemplate::kIcuError), String);
++ }
++ return Intl::ToString(isolate, result);
+ }
+
+ namespace {
+@@ -1414,12 +1409,18 @@ std::vector<NumberFormatSpan> FlattenRegionsToParts(
+ }
+
+ namespace {
+-Maybe<int> ConstructParts(Isolate* isolate, const icu::UnicodeString& formatted,
+- icu::FieldPositionIterator* fp_iter,
++Maybe<int> ConstructParts(Isolate* isolate,
++ icu::number::FormattedNumber* formatted,
+ Handle<JSArray> result, int start_index,
+ Handle<Object> numeric_obj, bool style_is_unit) {
++ UErrorCode status = U_ZERO_ERROR;
++ icu::UnicodeString formatted_text = formatted->toString(status);
++ if (U_FAILURE(status)) {
++ THROW_NEW_ERROR_RETURN_VALUE(
++ isolate, NewTypeError(MessageTemplate::kIcuError), Nothing<int>());
++ }
+ DCHECK(numeric_obj->IsNumeric());
+- int32_t length = formatted.length();
++ int32_t length = formatted_text.length();
+ int index = start_index;
+ if (length == 0) return Just(index);
+
+@@ -1428,13 +1429,14 @@ Maybe<int> ConstructParts(Isolate* isolate, const icu::UnicodeString& formatted,
+ // other region covers some part of the formatted string. It's possible
+ // there's another field with exactly the same begin and end as this backdrop,
+ // in which case the backdrop's field_id of -1 will give it lower priority.
+- regions.push_back(NumberFormatSpan(-1, 0, formatted.length()));
++ regions.push_back(NumberFormatSpan(-1, 0, formatted_text.length()));
+
+ {
+- icu::FieldPosition fp;
+- while (fp_iter->next(fp)) {
+- regions.push_back(NumberFormatSpan(fp.getField(), fp.getBeginIndex(),
+- fp.getEndIndex()));
++ icu::ConstrainedFieldPosition cfp;
++ cfp.constrainCategory(UFIELD_CATEGORY_NUMBER);
++ while (formatted->nextPosition(cfp, status)) {
++ regions.push_back(
++ NumberFormatSpan(cfp.getField(), cfp.getStart(), cfp.getLimit()));
+ }
+ }
+
+@@ -1456,7 +1458,7 @@ Maybe<int> ConstructParts(Isolate* isolate, const icu::UnicodeString& formatted,
+ Handle<String> substring;
+ ASSIGN_RETURN_ON_EXCEPTION_VALUE(
+ isolate, substring,
+- Intl::ToString(isolate, formatted, part.begin_pos, part.end_pos),
++ Intl::ToString(isolate, formatted_text, part.begin_pos, part.end_pos),
+ Nothing<int>());
+ Intl::AddElement(isolate, result, index, field_type_string, substring);
+ ++index;
+@@ -1476,14 +1478,14 @@ MaybeHandle<JSArray> JSNumberFormat::FormatToParts(
+ number_format->icu_number_formatter().raw();
+ CHECK_NOT_NULL(fmt);
+
+- icu::FieldPositionIterator fp_iter;
+- Maybe<icu::UnicodeString> maybe_format =
+- IcuFormatNumber(isolate, *fmt, numeric_obj, &fp_iter);
++ icu::number::FormattedNumber formatted;
++ Maybe<bool> maybe_format =
++ IcuFormatNumber(isolate, *fmt, numeric_obj, &formatted);
+ MAYBE_RETURN(maybe_format, Handle<JSArray>());
+
+ Handle<JSArray> result = factory->NewJSArray(0);
+ Maybe<int> maybe_format_to_parts = ConstructParts(
+- isolate, maybe_format.FromJust(), &fp_iter, result, 0, numeric_obj,
++ isolate, &formatted, result, 0, numeric_obj,
+ number_format->style() == JSNumberFormat::Style::UNIT);
+ MAYBE_RETURN(maybe_format_to_parts, Handle<JSArray>());
+
+--
+2.26.2
+
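Review bot: the header of the new 0001-deps-V8-backport-3f8dc4b2e5ba.patch has `Refs:` and `PR-URL:` lines but no `Upstream-Status:` tag, which the other nodejs patches in this series carry; please add `Upstream-Status: Backport [...]` pointing at the PR-URL already quoted. Separately, in `ConstructParts` the new `while (formatted->nextPosition(cfp, status))` loop never checks `status` afterwards, whereas the `toString(status)` call a few lines above it does; that is how upstream wrote it, so it only needs noting here, not changing in a backport.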
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb
index d468fb3ffa..9f9f320aa7 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb
@@ -23,6 +23,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
file://0001-build-allow-passing-multiple-libs-to-pkg_config.patch \
file://0002-build-allow-use-of-system-installed-brotli.patch \
file://mips-warnings.patch \
+ file://0001-deps-V8-backport-3f8dc4b2e5ba.patch \
"
SRC_URI_append_class-target = " \
file://0002-Using-native-binaries.patch \
--
2.17.1
* [dunfell 21/28] nodejs: Upgrade to 12.18.3
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (19 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 20/28] nodejs: Fix build with icu 67.1 akuster
@ 2021-01-17 17:46 ` akuster
2021-01-17 17:46 ` [dunfell 22/28] nodejs: Fix arm32/thumb builds with clang akuster
` (8 subsequent siblings)
29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Khem Raj <raj.khem@gmail.com>
Drop already upstreamed patches
use builtin uv, it does not build without it
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bda3ee6276d76a10d2b5564da5709db4c21b8f13)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...-passing-multiple-libs-to-pkg_config.patch | 41 ----
.../0001-deps-V8-backport-3f8dc4b2e5ba.patch | 194 ------------------
...allow-use-of-system-installed-brotli.patch | 66 ------
...Install-both-binaries-and-use-libdir.patch | 28 +--
.../{nodejs_12.14.1.bb => nodejs_12.18.3.bb} | 12 +-
5 files changed, 14 insertions(+), 327 deletions(-)
delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch
delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch
delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch
rename meta-oe/recipes-devtools/nodejs/{nodejs_12.14.1.bb => nodejs_12.18.3.bb} (93%)
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch
deleted file mode 100644
index 13edf229b3..0000000000
--- a/meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From fdaa0e3bef93c5c72a7258b5f1e30718e7d81f9b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net>
-Date: Mon, 2 Mar 2020 12:17:09 +0000
-Subject: [PATCH 1/2] build: allow passing multiple libs to pkg_config
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Sometimes it's necessary to pass multiple library names to pkg-config,
-e.g. the brotli shared libraries can be pulled in with
- pkg-config libbrotlienc libbrotlidec
-
-Update the code to handle both, strings (as used so far), and lists
-of strings.
-
-Signed-off-by: André Draszik <git@andred.net>
----
-Upstream-Status: Submitted [https://github.com/nodejs/node/pull/32046]
- configure.py | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/configure.py b/configure.py
-index beb08df088..e3f78f2fed 100755
---- a/configure.py
-+++ b/configure.py
-@@ -680,7 +680,11 @@ def pkg_config(pkg):
- retval = ()
- for flag in ['--libs-only-l', '--cflags-only-I',
- '--libs-only-L', '--modversion']:
-- args += [flag, pkg]
-+ args += [flag]
-+ if isinstance(pkg, list):
-+ args += pkg
-+ else:
-+ args += [pkg]
- try:
- proc = subprocess.Popen(shlex.split(pkg_config) + args,
- stdout=subprocess.PIPE)
---
-2.25.0
-
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch
deleted file mode 100644
index 07dbdfe564..0000000000
--- a/meta-oe/recipes-devtools/nodejs/nodejs/0001-deps-V8-backport-3f8dc4b2e5ba.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-From 836311710ca8d49fdf4d619e3a738a445c413605 Mon Sep 17 00:00:00 2001
-From: Ujjwal Sharma <ryzokuken@disroot.org>
-Date: Wed, 22 Apr 2020 12:20:17 +0530
-Subject: [PATCH] deps: V8: backport 3f8dc4b2e5ba
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Original commit message:
-
- [intl] Remove soon-to-be removed getAllFieldPositions
-
- Needed to land ICU67.1 soon.
-
- Bug: v8:10393
- Change-Id: I3c7737ca600d6ccfdc46ffaddfb318ce60bc7618
- Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2136489
- Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
- Commit-Queue: Frank Tang <ftang@chromium.org>
- Cr-Commit-Position: refs/heads/master@{#67027}
-
-Refs: https://github.com/v8/v8/commit/3f8dc4b2e5baf77b463334c769af85b79d8c1463
-
-PR-URL: https://github.com/nodejs/node/pull/32993
-Reviewed-By: Michaël Zasso <targos@protonmail.com>
-Reviewed-By: Matheus Marchini <mat@mmarchini.me>
-Reviewed-By: Steven R Loomis <srloomis@us.ibm.com>
-Reviewed-By: Richard Lau <riclau@uk.ibm.com>
----
- common.gypi | 2 +-
- deps/v8/src/objects/js-number-format.cc | 72 +++++++++++++------------
- 2 files changed, 38 insertions(+), 36 deletions(-)
-
-diff --git a/common.gypi b/common.gypi
-index b86e5e0..a7b37e6 100644
---- a/common.gypi
-+++ b/common.gypi
-@@ -38,7 +38,7 @@
-
- # Reset this number to 0 on major V8 upgrades.
- # Increment by one for each non-official patch applied to deps/v8.
-- 'v8_embedder_string': '-node.16',
-+ 'v8_embedder_string': '-node.17',
-
- ##### V8 defaults for Node.js #####
-
-diff --git a/deps/v8/src/objects/js-number-format.cc b/deps/v8/src/objects/js-number-format.cc
-index d1e3ef4..757c665 100644
---- a/deps/v8/src/objects/js-number-format.cc
-+++ b/deps/v8/src/objects/js-number-format.cc
-@@ -1252,42 +1252,31 @@ MaybeHandle<JSNumberFormat> JSNumberFormat::New(Isolate* isolate,
- }
-
- namespace {
--Maybe<icu::UnicodeString> IcuFormatNumber(
-+Maybe<bool> IcuFormatNumber(
- Isolate* isolate,
- const icu::number::LocalizedNumberFormatter& number_format,
-- Handle<Object> numeric_obj, icu::FieldPositionIterator* fp_iter) {
-+ Handle<Object> numeric_obj, icu::number::FormattedNumber* formatted) {
- // If it is BigInt, handle it differently.
- UErrorCode status = U_ZERO_ERROR;
-- icu::number::FormattedNumber formatted;
- if (numeric_obj->IsBigInt()) {
- Handle<BigInt> big_int = Handle<BigInt>::cast(numeric_obj);
- Handle<String> big_int_string;
- ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, big_int_string,
- BigInt::ToString(isolate, big_int),
-- Nothing<icu::UnicodeString>());
-- formatted = number_format.formatDecimal(
-+ Nothing<bool>());
-+ *formatted = number_format.formatDecimal(
- {big_int_string->ToCString().get(), big_int_string->length()}, status);
- } else {
- double number = numeric_obj->Number();
-- formatted = number_format.formatDouble(number, status);
-+ *formatted = number_format.formatDouble(number, status);
- }
- if (U_FAILURE(status)) {
- // This happen because of icu data trimming trim out "unit".
- // See https://bugs.chromium.org/p/v8/issues/detail?id=8641
-- THROW_NEW_ERROR_RETURN_VALUE(isolate,
-- NewTypeError(MessageTemplate::kIcuError),
-- Nothing<icu::UnicodeString>());
-- }
-- if (fp_iter) {
-- formatted.getAllFieldPositions(*fp_iter, status);
-+ THROW_NEW_ERROR_RETURN_VALUE(
-+ isolate, NewTypeError(MessageTemplate::kIcuError), Nothing<bool>());
- }
-- icu::UnicodeString result = formatted.toString(status);
-- if (U_FAILURE(status)) {
-- THROW_NEW_ERROR_RETURN_VALUE(isolate,
-- NewTypeError(MessageTemplate::kIcuError),
-- Nothing<icu::UnicodeString>());
-- }
-- return Just(result);
-+ return Just(true);
- }
-
- } // namespace
-@@ -1298,10 +1287,16 @@ MaybeHandle<String> JSNumberFormat::FormatNumeric(
- Handle<Object> numeric_obj) {
- DCHECK(numeric_obj->IsNumeric());
-
-- Maybe<icu::UnicodeString> maybe_format =
-- IcuFormatNumber(isolate, number_format, numeric_obj, nullptr);
-+ icu::number::FormattedNumber formatted;
-+ Maybe<bool> maybe_format =
-+ IcuFormatNumber(isolate, number_format, numeric_obj, &formatted);
- MAYBE_RETURN(maybe_format, Handle<String>());
-- return Intl::ToString(isolate, maybe_format.FromJust());
-+ UErrorCode status = U_ZERO_ERROR;
-+ icu::UnicodeString result = formatted.toString(status);
-+ if (U_FAILURE(status)) {
-+ THROW_NEW_ERROR(isolate, NewTypeError(MessageTemplate::kIcuError), String);
-+ }
-+ return Intl::ToString(isolate, result);
- }
-
- namespace {
-@@ -1414,12 +1409,18 @@ std::vector<NumberFormatSpan> FlattenRegionsToParts(
- }
-
- namespace {
--Maybe<int> ConstructParts(Isolate* isolate, const icu::UnicodeString& formatted,
-- icu::FieldPositionIterator* fp_iter,
-+Maybe<int> ConstructParts(Isolate* isolate,
-+ icu::number::FormattedNumber* formatted,
- Handle<JSArray> result, int start_index,
- Handle<Object> numeric_obj, bool style_is_unit) {
-+ UErrorCode status = U_ZERO_ERROR;
-+ icu::UnicodeString formatted_text = formatted->toString(status);
-+ if (U_FAILURE(status)) {
-+ THROW_NEW_ERROR_RETURN_VALUE(
-+ isolate, NewTypeError(MessageTemplate::kIcuError), Nothing<int>());
-+ }
- DCHECK(numeric_obj->IsNumeric());
-- int32_t length = formatted.length();
-+ int32_t length = formatted_text.length();
- int index = start_index;
- if (length == 0) return Just(index);
-
-@@ -1428,13 +1429,14 @@ Maybe<int> ConstructParts(Isolate* isolate, const icu::UnicodeString& formatted,
- // other region covers some part of the formatted string. It's possible
- // there's another field with exactly the same begin and end as this backdrop,
- // in which case the backdrop's field_id of -1 will give it lower priority.
-- regions.push_back(NumberFormatSpan(-1, 0, formatted.length()));
-+ regions.push_back(NumberFormatSpan(-1, 0, formatted_text.length()));
-
- {
-- icu::FieldPosition fp;
-- while (fp_iter->next(fp)) {
-- regions.push_back(NumberFormatSpan(fp.getField(), fp.getBeginIndex(),
-- fp.getEndIndex()));
-+ icu::ConstrainedFieldPosition cfp;
-+ cfp.constrainCategory(UFIELD_CATEGORY_NUMBER);
-+ while (formatted->nextPosition(cfp, status)) {
-+ regions.push_back(
-+ NumberFormatSpan(cfp.getField(), cfp.getStart(), cfp.getLimit()));
- }
- }
-
-@@ -1456,7 +1458,7 @@ Maybe<int> ConstructParts(Isolate* isolate, const icu::UnicodeString& formatted,
- Handle<String> substring;
- ASSIGN_RETURN_ON_EXCEPTION_VALUE(
- isolate, substring,
-- Intl::ToString(isolate, formatted, part.begin_pos, part.end_pos),
-+ Intl::ToString(isolate, formatted_text, part.begin_pos, part.end_pos),
- Nothing<int>());
- Intl::AddElement(isolate, result, index, field_type_string, substring);
- ++index;
-@@ -1476,14 +1478,14 @@ MaybeHandle<JSArray> JSNumberFormat::FormatToParts(
- number_format->icu_number_formatter().raw();
- CHECK_NOT_NULL(fmt);
-
-- icu::FieldPositionIterator fp_iter;
-- Maybe<icu::UnicodeString> maybe_format =
-- IcuFormatNumber(isolate, *fmt, numeric_obj, &fp_iter);
-+ icu::number::FormattedNumber formatted;
-+ Maybe<bool> maybe_format =
-+ IcuFormatNumber(isolate, *fmt, numeric_obj, &formatted);
- MAYBE_RETURN(maybe_format, Handle<JSArray>());
-
- Handle<JSArray> result = factory->NewJSArray(0);
- Maybe<int> maybe_format_to_parts = ConstructParts(
-- isolate, maybe_format.FromJust(), &fp_iter, result, 0, numeric_obj,
-+ isolate, &formatted, result, 0, numeric_obj,
- number_format->style() == JSNumberFormat::Style::UNIT);
- MAYBE_RETURN(maybe_format_to_parts, Handle<JSArray>());
-
---
-2.26.2
-
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch
deleted file mode 100644
index fc038f3aae..0000000000
--- a/meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From f0f927feee8cb1fb173835d5c3f6beb6bf7d5e54 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net>
-Date: Mon, 2 Mar 2020 12:17:35 +0000
-Subject: [PATCH 2/2] build: allow use of system-installed brotli
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-brotli is available as a shared library since 2016, so it makes sense
-to allow its use as a system-installed version.
-
-Some of the infrastructure was in place already (node.gyp and
-node.gypi), but some bits in the configure script here were missing.
-
-Add them, keeping the default as before, to use the bundled version.
-
-Refs: https://github.com/google/brotli/pull/421
-Signed-off-by: André Draszik <git@andred.net>
----
-Upstream-Status: Submitted [https://github.com/nodejs/node/pull/32046]
- configure.py | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/configure.py b/configure.py
-index e3f78f2fed..0190e31b41 100755
---- a/configure.py
-+++ b/configure.py
-@@ -301,6 +301,27 @@ shared_optgroup.add_option('--shared-zlib-libpath',
- dest='shared_zlib_libpath',
- help='a directory to search for the shared zlib DLL')
-
-+shared_optgroup.add_option('--shared-brotli',
-+ action='store_true',
-+ dest='shared_brotli',
-+ help='link to a shared brotli DLL instead of static linking')
-+
-+shared_optgroup.add_option('--shared-brotli-includes',
-+ action='store',
-+ dest='shared_brotli_includes',
-+ help='directory containing brotli header files')
-+
-+shared_optgroup.add_option('--shared-brotli-libname',
-+ action='store',
-+ dest='shared_brotli_libname',
-+ default='brotlidec,brotlienc',
-+ help='alternative lib name to link to [default: %default]')
-+
-+shared_optgroup.add_option('--shared-brotli-libpath',
-+ action='store',
-+ dest='shared_brotli_libpath',
-+ help='a directory to search for the shared brotli DLL')
-+
- shared_optgroup.add_option('--shared-cares',
- action='store_true',
- dest='shared_cares',
-@@ -1692,6 +1713,7 @@ configure_napi(output)
- configure_library('zlib', output)
- configure_library('http_parser', output)
- configure_library('libuv', output)
-+configure_library('brotli', output, pkgname=['libbrotlidec', 'libbrotlienc'])
- configure_library('cares', output, pkgname='libcares')
- configure_library('nghttp2', output, pkgname='libnghttp2')
- configure_v8(output)
---
-2.25.0
-
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir.patch
index 599f742b2f..92386fa779 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir.patch
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir.patch
@@ -20,11 +20,9 @@ Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
tools/install.py | 31 ++++++++++++++-----------------
2 files changed, 21 insertions(+), 17 deletions(-)
-diff --git a/configure.py b/configure.py
-index 20cce214db..e2d78a2a51 100755
--- a/configure.py
+++ b/configure.py
-@@ -559,6 +559,12 @@ parser.add_option('--shared',
+@@ -602,6 +602,12 @@ parser.add_option('--shared',
help='compile shared library for embedding node in another project. ' +
'(This mode is not officially supported for regular applications)')
@@ -37,16 +35,14 @@ index 20cce214db..e2d78a2a51 100755
parser.add_option('--without-v8-platform',
action='store_true',
dest='without_v8_platform',
-@@ -1103,6 +1109,7 @@ def configure_node(o):
- if o['variables']['want_separate_host_toolset'] == 0:
- o['variables']['node_code_cache'] = 'yes' # For testing
+@@ -1168,6 +1174,7 @@ def configure_node(o):
+ o['variables']['node_no_browser_globals'] = b(options.no_browser_globals)
+
o['variables']['node_shared'] = b(options.shared)
+ o['variables']['libdir'] = options.libdir
node_module_version = getmoduleversion.get_version()
- if sys.platform == 'darwin':
-diff --git a/tools/install.py b/tools/install.py
-index 655802980a..fe4723bf15 100755
+ if options.dest_os == 'android':
--- a/tools/install.py
+++ b/tools/install.py
@@ -121,26 +121,23 @@ def subdir_files(path, dest, action):
@@ -72,24 +68,20 @@ index 655802980a..fe4723bf15 100755
- # in its source - see the _InstallableTargetInstallPath function.
- if sys.platform != 'darwin':
- output_prefix += 'lib.target/'
--
-- if 'false' == variables.get('node_shared'):
-- action([output_prefix + output_file], 'bin/' + output_file)
-- else:
-- action([output_prefix + output_file], 'lib/' + output_file)
+ output_bin = 'node'
+ output_lib = 'libnode.' + variables.get('shlib_suffix')
+ # GYP will output to lib.target except on OS X, this is hardcoded
+ # in its source - see the _InstallableTargetInstallPath function.
+ if sys.platform != 'darwin':
+ output_libprefix += 'lib.target/'
-+
+
+- if 'false' == variables.get('node_shared'):
+- action([output_prefix + output_file], 'bin/' + output_file)
+- else:
+- action([output_prefix + output_file], 'lib/' + output_file)
+ action([output_prefix + output_bin], 'bin/' + output_bin)
+ if 'true' == variables.get('node_shared'):
+ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib)
if 'true' == variables.get('node_use_dtrace'):
action(['out/Release/node.d'], 'lib/dtrace/node.d')
---
-2.20.1
-
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
similarity index 93%
rename from meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb
rename to meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
index 9f9f320aa7..8a9f32bce2 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
@@ -1,7 +1,7 @@
DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript"
HOMEPAGE = "http://nodejs.org"
LICENSE = "MIT & BSD & Artistic-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=be4d5107c64dc3d7c57e3797e1a0674b"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=30e27bd6830002d9415e4a5da7901f03"
DEPENDS = "openssl"
DEPENDS_append_class-target = " nodejs-native"
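Review bot: the `LIC_FILES_CHKSUM` md5 changes here, but the commit message only mentions dropped patches and libuv. Please state in the commit message what changed in LICENSE between 12.14.1 and 12.18.3 (for example, newly bundled components) and confirm that `LICENSE = "MIT & BSD & Artistic-2.0"` still covers it.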
@@ -20,17 +20,12 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
file://0003-Install-both-binaries-and-use-libdir.patch \
file://0004-v8-don-t-override-ARM-CFLAGS.patch \
file://big-endian.patch \
- file://0001-build-allow-passing-multiple-libs-to-pkg_config.patch \
- file://0002-build-allow-use-of-system-installed-brotli.patch \
file://mips-warnings.patch \
- file://0001-deps-V8-backport-3f8dc4b2e5ba.patch \
"
SRC_URI_append_class-target = " \
file://0002-Using-native-binaries.patch \
"
-
-SRC_URI[md5sum] = "1c78a75f5c95321f533ecccca695e814"
-SRC_URI[sha256sum] = "877b4b842318b0e09bc754faf7343f2f097f0fc4f88ab9ae57cf9944e88e7adb"
+SRC_URI[sha256sum] = "71158026579487422fd13cc2553b34cddb76519098aa6030faab52f88c6e0d0e"
S = "${WORKDIR}/node-v${PV}"
@@ -55,7 +50,8 @@ ARCHFLAGS_arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', '-
GYP_DEFINES_append_mipsel = " mips_arch_variant='r1' "
ARCHFLAGS ?= ""
-PACKAGECONFIG ??= "ares brotli icu libuv zlib"
+PACKAGECONFIG ??= "ares brotli icu zlib"
+
PACKAGECONFIG[ares] = "--shared-cares,,c-ares"
PACKAGECONFIG[brotli] = "--shared-brotli,,brotli"
PACKAGECONFIG[icu] = "--with-intl=system-icu,--without-intl,icu"
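Review bot: dropping `libuv` from the default `PACKAGECONFIG` means nodejs is built against its bundled copy, so fixes delivered through the layer's libuv recipe no longer reach this package on a stable branch. The commit message's "it does not build without it" gives no error or reason; please record the failure in the commit message or in a comment next to the `PACKAGECONFIG ??=` line, so the system library can be re-enabled once it builds. The added blank line after that assignment looks unintentional.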
--
2.17.1
* [dunfell 22/28] nodejs: Fix arm32/thumb builds with clang
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (20 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 21/28] nodejs: Upgrade to 12.18.3 akuster
@ 2021-01-17 17:46 ` akuster
2021-01-17 17:46 ` [dunfell 23/28] nodejs: Update to 12.19.0 akuster
` (7 subsequent siblings)
29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Khem Raj <raj.khem@gmail.com>
Backport a patch from upstream to take care of build failure e.g.
| ../deps/v8/src/codegen/arm/cpu-arm.cc:38:16: error: write to reserved register 'R7'
| asm volatile("svc 0\n"
| ^
| 1 error generated.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 45a2dfdd0f16ed6941926e2dca1ad90f36e120bc)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...gister-r7-because-llvm-now-issues-an.patch | 53 +++++++++++++++++++
.../recipes-devtools/nodejs/nodejs_12.18.3.bb | 1 +
2 files changed, 54 insertions(+)
create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch
new file mode 100644
index 0000000000..a23f1c243e
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch
@@ -0,0 +1,53 @@
+From be8d3cd6eab4b8f9849133060abb1aba4400276b Mon Sep 17 00:00:00 2001
+From: Amy Huang <akhuang@google.com>
+Date: Thu, 23 Apr 2020 11:25:53 -0700
+Subject: [PATCH] Remove use of register r7 because llvm now issues an error
+ when "r7" is used (starting in commit d85b3877)
+
+Bug: chromium:1073270
+Change-Id: I7ec8112f170b98d2edaf92bc9341e738f8de07a3
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2163435
+Reviewed-by: Nico Weber <thakis@chromium.org>
+Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
+Commit-Queue: Nico Weber <thakis@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#67371}
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Backport [https://chromium.googlesource.com/v8/v8/+/00604cd2806b5d26bef592dd19989a234bd07a4b%5E%21/]
+ deps/v8/src/codegen/arm/cpu-arm.cc | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/deps/v8/src/codegen/arm/cpu-arm.cc b/deps/v8/src/codegen/arm/cpu-arm.cc
+index 868f360..654d68f 100644
+--- a/deps/v8/src/codegen/arm/cpu-arm.cc
++++ b/deps/v8/src/codegen/arm/cpu-arm.cc
+@@ -30,18 +30,6 @@ V8_NOINLINE void CpuFeatures::FlushICache(void* start, size_t size) {
+ register uint32_t end asm("r1") = beg + size;
+ register uint32_t flg asm("r2") = 0;
+
+-#ifdef __clang__
+- // This variant of the asm avoids a constant pool entry, which can be
+- // problematic when LTO'ing. It is also slightly shorter.
+- register uint32_t scno asm("r7") = __ARM_NR_cacheflush;
+-
+- asm volatile("svc 0\n"
+- :
+- : "r"(beg), "r"(end), "r"(flg), "r"(scno)
+- : "memory");
+-#else
+- // Use a different variant of the asm with GCC because some versions doesn't
+- // support r7 as an asm input.
+ asm volatile(
+ // This assembly works for both ARM and Thumb targets.
+
+@@ -59,7 +47,6 @@ V8_NOINLINE void CpuFeatures::FlushICache(void* start, size_t size) {
+ : "r"(beg), "r"(end), "r"(flg), [scno] "i"(__ARM_NR_cacheflush)
+ : "memory");
+ #endif
+-#endif
+ #endif // !USE_SIMULATOR
+ }
+
+--
+2.29.2
+
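Review bot: In the embedded patch header, Upstream-Status sits below the `---` cut line while Signed-off-by is above it. Move the Upstream-Status line up next to the Signed-off-by so it stays part of the patch description if the patch is ever re-applied and regenerated. The outer commit message quotes the clang error but not the compiler version that triggers it; one line naming it would help whoever later decides whether this backport can be dropped.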
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
index 8a9f32bce2..7d8fd1db94 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
file://0004-v8-don-t-override-ARM-CFLAGS.patch \
file://big-endian.patch \
file://mips-warnings.patch \
+ file://0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch \
"
SRC_URI_append_class-target = " \
file://0002-Using-native-binaries.patch \
--
2.17.1
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [dunfell 23/28] nodejs: Update to 12.19.0
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (21 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 22/28] nodejs: Fix arm32/thumb builds with clang akuster
@ 2021-01-17 17:46 ` akuster
2021-01-17 17:46 ` [dunfell 24/28] nodejs: 12.19.0 -> 12.19.1 akuster
` (6 subsequent siblings)
29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Khem Raj <raj.khem@gmail.com>
This is perhaps the last release in 12.x LTS
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a10f894a8e7f800d2412fff8d47fb37d363fa322)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../nodejs/{nodejs_12.18.3.bb => nodejs_12.19.0.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta-oe/recipes-devtools/nodejs/{nodejs_12.18.3.bb => nodejs_12.19.0.bb} (98%)
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.19.0.bb
similarity index 98%
rename from meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
rename to meta-oe/recipes-devtools/nodejs/nodejs_12.19.0.bb
index 7d8fd1db94..9d15586238 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_12.18.3.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.19.0.bb
@@ -26,7 +26,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
SRC_URI_append_class-target = " \
file://0002-Using-native-binaries.patch \
"
-SRC_URI[sha256sum] = "71158026579487422fd13cc2553b34cddb76519098aa6030faab52f88c6e0d0e"
+SRC_URI[sha256sum] = "3b671c45c493f96d7e018c15110cdbafa4478e5e5cfc9e6eec83cea9e6b551e1"
S = "${WORKDIR}/node-v${PV}"
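Review bot: The only change is the new SRC_URI[sha256sum], and the SRC_URI in the hunk header still fetches over plain http://nodejs.org/dist, so this hash is the sole integrity check on the tarball. Please say in the commit message where the value was taken from (for example the release's published SHASUMS256.txt) rather than from a local download, and consider moving the URI to https in a follow-up.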
--
2.17.1
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [dunfell 24/28] nodejs: 12.19.0 -> 12.19.1
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (22 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 23/28] nodejs: Update to 12.19.0 akuster
@ 2021-01-17 17:46 ` akuster
2021-01-17 17:46 ` [dunfell 25/28] nodejs: 12.19.1 -> 12.20.1 akuster
` (5 subsequent siblings)
29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Stacy Gaikovaia <Stacy.Gaikovaia@windriver.com>
Uprev nodejs in order to fix CVE-2020-8277.
This CVE allows an attacker to trigger a DNS request for a host
of their choice, which could trigger a Denial of Service in
nodejs versions < 12.19.1.
See https://nvd.nist.gov/vuln/detail/CVE-2020-8277 for details.
CVE: CVE-2020-8277
Signed-off-by: Stacy Gaikovaia <Stacy.Gaikovaia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a44015408253d8a4f64055f41fa1f497aeacfc30)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 387f40ce8068ec8848c2e3b76ce2e3267b98c3d6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../nodejs/{nodejs_12.19.0.bb => nodejs_12.19.1.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta-oe/recipes-devtools/nodejs/{nodejs_12.19.0.bb => nodejs_12.19.1.bb} (98%)
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.19.0.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.19.1.bb
similarity index 98%
rename from meta-oe/recipes-devtools/nodejs/nodejs_12.19.0.bb
rename to meta-oe/recipes-devtools/nodejs/nodejs_12.19.1.bb
index 9d15586238..8021fedf44 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_12.19.0.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.19.1.bb
@@ -26,7 +26,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
SRC_URI_append_class-target = " \
file://0002-Using-native-binaries.patch \
"
-SRC_URI[sha256sum] = "3b671c45c493f96d7e018c15110cdbafa4478e5e5cfc9e6eec83cea9e6b551e1"
+SRC_URI[sha256sum] = "74077e0cc3db000a6f3cc685b220e609807b61adc8e7d8243e8511d478d1b17d"
S = "${WORKDIR}/node-v${PV}"
--
2.17.1
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [dunfell 25/28] nodejs: 12.19.1 -> 12.20.1
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (23 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 24/28] nodejs: 12.19.0 -> 12.19.1 akuster
@ 2021-01-17 17:46 ` akuster
2021-01-17 17:46 ` [dunfell 26/28] libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer akuster
` (4 subsequent siblings)
29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Sean Nyekjaer <sean@geanix.com>
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit cde1019804c2f7b67bf89d178eec9f4efafea414)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit ac6bc96e7da6b3c9d5b9c9272b487a926fbb462e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../nodejs/{nodejs_12.19.1.bb => nodejs_12.20.1.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta-oe/recipes-devtools/nodejs/{nodejs_12.19.1.bb => nodejs_12.20.1.bb} (97%)
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.19.1.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.20.1.bb
similarity index 97%
rename from meta-oe/recipes-devtools/nodejs/nodejs_12.19.1.bb
rename to meta-oe/recipes-devtools/nodejs/nodejs_12.20.1.bb
index 8021fedf44..0673a3202d 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_12.19.1.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.20.1.bb
@@ -1,7 +1,7 @@
DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript"
HOMEPAGE = "http://nodejs.org"
LICENSE = "MIT & BSD & Artistic-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=30e27bd6830002d9415e4a5da7901f03"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=8c66ff8861d9f96076a7cb61e3d75f54"
DEPENDS = "openssl"
DEPENDS_append_class-target = " nodejs-native"
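Review bot: LIC_FILES_CHKSUM gets a new md5 here, but the commit has no message body, so nothing records what changed in LICENSE between 12.19.1 and 12.20.1. Please add a short description of the license-text change and confirm that LICENSE = "MIT & BSD & Artistic-2.0" still covers it; a checksum bump with no explanation defeats the purpose of the check.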
@@ -26,7 +26,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
SRC_URI_append_class-target = " \
file://0002-Using-native-binaries.patch \
"
-SRC_URI[sha256sum] = "74077e0cc3db000a6f3cc685b220e609807b61adc8e7d8243e8511d478d1b17d"
+SRC_URI[sha256sum] = "e00eee325d705b2bfa9929b7d061eb2315402d7e8548945eac9870bf84321853"
S = "${WORKDIR}/node-v${PV}"
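Review bot: This moves a stable branch across a minor release (12.19.1 to 12.20.1) with an empty commit body. State which fixes motivate the jump, with CVE: tags where they apply as 24/28 does, so the backport can be justified and tracked.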
--
2.17.1
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [dunfell 26/28] libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (24 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 25/28] nodejs: 12.19.1 -> 12.20.1 akuster
@ 2021-01-17 17:46 ` akuster
2021-01-17 17:46 ` [dunfell 27/28] libsdl2-mixer: set --disable-music-ogg-shared to link statically akuster
` (3 subsequent siblings)
29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: jabdoa2 <jabdoa2@users.noreply.github.com>
Remove --enable-music-ogg-tremor as it broke vorbis support:
checking tremor/ivorbisfile.h usability... no
checking tremor/ivorbisfile.h presence... no
checking for tremor/ivorbisfile.h... no
checking for ov_open_callbacks in -lvorbisidec... no
configure: WARNING: *** Unable to find Ogg Vorbis Tremor library (http://www.xiph.org/)
configure: WARNING: Ogg Vorbis support disabled
With this change:
checking vorbis/vorbisfile.h usability... yes
checking vorbis/vorbisfile.h presence... yes
checking for vorbis/vorbisfile.h... yes
checking for ov_open_callbacks in -lvorbisfile... yes
-- dynamic libvorbisfile -> libvorbisfile.so.3
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 074c7d9a1ebb86674f02d8a5545e1ed54f6d87fe)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb b/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb
index aa246f9995..77e50d3841 100644
--- a/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb
+++ b/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb
@@ -14,7 +14,7 @@ S = "${WORKDIR}/SDL2_mixer-${PV}"
inherit autotools-brokensep pkgconfig
EXTRA_AUTORECONF += "--include=acinclude"
-EXTRA_OECONF = "--disable-music-mp3 --enable-music-ogg --enable-music-ogg-tremor LIBS=-L${STAGING_LIBDIR}"
+EXTRA_OECONF = "--disable-music-mp3 --enable-music-ogg LIBS=-L${STAGING_LIBDIR}"
PACKAGECONFIG[mad] = "--enable-music-mp3-mad-gpl,--disable-music-mp3-mad-gpl,libmad"
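Review bot: With --enable-music-ogg-tremor gone from EXTRA_OECONF, configure now probes for vorbis/vorbisfile.h and -lvorbisfile (per the log in the commit message), but this hunk does not touch DEPENDS. Please confirm libvorbis is already listed there; otherwise the check passes only when the library happens to be pulled into the sysroot by another dependency, and Ogg support can silently drop out again.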
--
2.17.1
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [dunfell 27/28] libsdl2-mixer: set --disable-music-ogg-shared to link statically
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (25 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 26/28] libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer akuster
@ 2021-01-17 17:46 ` akuster
2021-01-17 17:46 ` [dunfell 28/28] geoclue: select avahi-daemon if nmea enabled akuster
` (2 subsequent siblings)
29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: jabdoa2 <jabdoa2@users.noreply.github.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 69bae2a2360643805de2ae1cd9ebc4202cd5a2fb)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb b/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb
index 77e50d3841..8f1960d8ad 100644
--- a/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb
+++ b/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb
@@ -14,7 +14,7 @@ S = "${WORKDIR}/SDL2_mixer-${PV}"
inherit autotools-brokensep pkgconfig
EXTRA_AUTORECONF += "--include=acinclude"
-EXTRA_OECONF = "--disable-music-mp3 --enable-music-ogg LIBS=-L${STAGING_LIBDIR}"
+EXTRA_OECONF = "--disable-music-mp3 --enable-music-ogg --disable-music-ogg-shared LIBS=-L${STAGING_LIBDIR}"
PACKAGECONFIG[mad] = "--enable-music-mp3-mad-gpl,--disable-music-mp3-mad-gpl,libmad"
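Review bot: The subject says "link statically", but --disable-music-ogg-shared on the added EXTRA_OECONF line turns off run-time loading of libvorbisfile (the "-- dynamic libvorbisfile -> libvorbisfile.so.3" mode shown in the 26/28 log) and links the shared library at build time instead; nothing becomes static. Please reword the subject and add a body saying why the direct link is wanted, for example so the library dependency is recorded at link time.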
--
2.17.1
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [dunfell 28/28] geoclue: select avahi-daemon if nmea enabled
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (26 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 27/28] libsdl2-mixer: set --disable-music-ogg-shared to link statically akuster
@ 2021-01-17 17:46 ` akuster
2021-01-17 20:38 ` [oe] [dunfell 00/28] Patch review Jan 17th Andreas Müller
2021-01-18 10:12 ` Diego Santa Cruz
29 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-17 17:46 UTC (permalink / raw)
To: openembedded-devel
From: Chenxi Mao <maochenxi@eswin.com>
geoclue service relies on avahi-daemon, so enable it by default.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9239584e717bb2093c9bfd6972bb2f01507ab859)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-oe/recipes-navigation/geoclue/geoclue_2.5.3.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-oe/recipes-navigation/geoclue/geoclue_2.5.3.bb b/meta-oe/recipes-navigation/geoclue/geoclue_2.5.3.bb
index b46445a2ba..e57e7a7209 100644
--- a/meta-oe/recipes-navigation/geoclue/geoclue_2.5.3.bb
+++ b/meta-oe/recipes-navigation/geoclue/geoclue_2.5.3.bb
@@ -31,7 +31,7 @@ PACKAGECONFIG ??= "3g modem-gps cdma nmea lib"
PACKAGECONFIG[3g] = "-D3g-source=true,-D3g-source=false,modemmanager"
PACKAGECONFIG[modem-gps] = "-Dmodem-gps-source=true,-Dmodem-gps-source=false,modemmanager"
PACKAGECONFIG[cdma] = "-Dcdma-source=true,-Dcdma-source=false,modemmanager"
-PACKAGECONFIG[nmea] = "-Dnmea-source=true,-Dnmea-source=false,avahi"
+PACKAGECONFIG[nmea] = "-Dnmea-source=true,-Dnmea-source=false,avahi,avahi-daemon"
PACKAGECONFIG[lib] = "-Dlibgeoclue=true,-Dlibgeoclue=false,gobject-introspection"
GTKDOC_MESON_OPTION = "gtk-doc"
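Review bot: On the changed PACKAGECONFIG[nmea] line, avahi-daemon lands in the fourth field, the runtime-dependency slot, and nmea is in the default PACKAGECONFIG shown in the hunk header. Default images that include geoclue therefore gain a running mDNS daemon. The commit message should say that a runtime dependency is being added and note the extra network-facing service, so integrators who do not need NMEA can drop nmea from PACKAGECONFIG. The patch also carries no Signed-off-by from the From: author.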
--
2.17.1
^ permalink raw reply related [flat|nested] 33+ messages in thread
* Re: [oe] [dunfell 00/28] Patch review Jan 17th
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (27 preceding siblings ...)
2021-01-17 17:46 ` [dunfell 28/28] geoclue: select avahi-daemon if nmea enabled akuster
@ 2021-01-17 20:38 ` Andreas Müller
2021-01-18 4:09 ` akuster
2021-01-18 10:12 ` Diego Santa Cruz
29 siblings, 1 reply; 33+ messages in thread
From: Andreas Müller @ 2021-01-17 20:38 UTC (permalink / raw)
To: akuster; +Cc: openembeded-devel
On Sun, Jan 17, 2021 at 6:46 PM akuster <akuster808@gmail.com> wrote:
>
> Here is the next batch for Dunfell. Please review and have comments back by Wednesday.
>
> The following changes since commit f2d02cb71eaff8eb285a1997b30be52486c160ae:
>
> python3-pyinotify: Add missing ctypes dependency (2020-11-15 11:13:25 -0800)
>
> are available in the Git repository at:
>
> git://git.openembedded.org/meta-openembedded-contrib stable/dunfell-nut
> http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/dunfell-nut
>
> Armin Kuster (5):
> wireguard-module: fix build issue with 5.4 kernel
> mariadb: update to 10.4.17 for cve fixes
> lua: update to 5.3.6
> nss: Security fix CVE-2020-12401
> wireshark: Several securtiy fixes
>
> Chenxi Mao (1):
> geoclue: select avahi-daemon if nmea enabled
>
> Gianfranco (1):
> dlt-daemon: add upstream patch to fix CVE-2020-29394
>
> Khem Raj (4):
> nodejs: Fix build with icu 67.1
> nodejs: Upgrade to 12.18.3
> nodejs: Fix arm32/thumb builds with clang
> nodejs: Update to 12.19.0
>
> Leon Anavi (1):
> php: Upgrade 7.4.4 -> 7.4.9
>
> Max Kellermann (1):
> php: remove the failing ${D}/${TMPDIR} code
>
> Roland Hieber (1):
> pcsc-lite: provide pcsc-lite-lib-native explicitly for native build
>
> Sakib Sajal (1):
> apache2: upgrade v2.4.43 -> v2.4.46
>
> Sean Nyekjaer (1):
> nodejs: 12.19.1 -> 12.20.1
>
> Stacy Gaikovaia (1):
> nodejs: 12.19.0 -> 12.19.1
>
> Wang Mingyu (1):
> zabbix: CVE-2020-15803 Security Advisory
>
> Wenlin Kang (2):
> lua: fix CVE-2020-15945
> lua: fix CVE-2020-24371
>
> Zang Ruochen (1):
> mcpp: Normalize the patch format of CVE
>
> Zheng Ruoqin (4):
> samba: CVE-2020-14318 Security Advisory
> samba: CVE-2020-14383 Security Advisory
> php: CVE-2020-7070
> php: CVE-2020-7069
>
> jabdoa2 (2):
> libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer
> libsdl2-mixer: set --disable-music-ogg-shared to link statically
>
> viatsk (1):
> tcpdump: Patch for CVE-2020-8037
>
> .../samba/samba/CVE-2020-14318.patch | 142 +++++++++++++++
> .../samba/samba/CVE-2020-14383.patch | 112 ++++++++++++
> .../samba/samba_4.10.18.bb | 2 +
> ...NC_-START-END-were-backported-to-5.4.patch | 29 +++
> .../wireguard-module_1.0.20200401.bb | 3 +-
> ...ping-don-t-allocate-a-too-large-buff.patch | 70 ++++++++
> .../recipes-support/tcpdump/tcpdump_4.9.3.bb | 1 +
> ...wireshark_3.2.7.bb => wireshark_3.2.10.bb} | 2 +-
> .../zabbix/zabbix/CVE-2020-15803.patch | 36 ++++
> .../zabbix/zabbix_4.4.6.bb | 1 +
> ...e_10.4.12.bb => mariadb-native_10.4.17.bb} | 0
> meta-oe/recipes-dbs/mysql/mariadb.inc | 6 +-
> ...-breakage-from-lock_guard-error-6161.patch | 32 ----
> .../mariadb/0001-Fix-library-LZ4-lookup.patch | 19 +-
> .../mysql/mariadb/c11_atomics.patch | 24 ++-
> .../configure.cmake-fix-valgrind.patch | 10 +-
> .../mariadb/fix-a-building-failure.patch | 13 +-
> .../mysql/mariadb/fix-arm-atomic.patch | 13 +-
> ...Lists.txt-fix-gen_lex_hash-not-found.patch | 12 +-
> ...akeLists.txt-fix-do_populate_sysroot.patch | 10 +-
> ...{mariadb_10.4.12.bb => mariadb_10.4.17.bb} | 0
> ...rriers-cannot-be-active-during-sweep.patch | 90 ++++++++++
> .../lua/lua/CVE-2020-15945.patch | 167 ++++++++++++++++++
> .../lua/{lua_5.3.5.bb => lua_5.3.6.bb} | 8 +-
> .../mcpp/files/CVE-2019-14274.patch | 34 ++++
> .../mcpp/files/ice-mcpp.patch | 31 ----
> meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb | 3 +-
> ...gister-r7-because-llvm-now-issues-an.patch | 53 ++++++
> ...-passing-multiple-libs-to-pkg_config.patch | 41 -----
> ...allow-use-of-system-installed-brotli.patch | 66 -------
> ...Install-both-binaries-and-use-libdir.patch | 28 ++-
> .../{nodejs_12.14.1.bb => nodejs_12.20.1.bb} | 12 +-
> .../php/php/CVE-2020-7069.patch | 158 +++++++++++++++++
> .../php/php/CVE-2020-7070.patch | 24 +++
> .../php/php/debian-php-fixheader.patch | 27 +--
> .../php/{php_7.4.4.bb => php_7.4.9.bb} | 16 +-
> .../dlt-daemon/dlt-daemon/275.patch | 38 ++++
> .../dlt-daemon/dlt-daemon_2.18.4.bb | 1 +
> .../libsdl/libsdl2-mixer_2.0.4.bb | 2 +-
> .../geoclue/geoclue_2.5.3.bb | 2 +-
> .../nss/nss/CVE-2020-12401.patch | 52 ++++++
> meta-oe/recipes-support/nss/nss_3.51.1.bb | 1 +
> .../pcsc-lite/pcsc-lite_1.8.26.bb | 1 +
> .../{apache2_2.4.43.bb => apache2_2.4.46.bb} | 4 +-
> 44 files changed, 1111 insertions(+), 285 deletions(-)
> create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
> create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
> create mode 100644 meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
> create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
> rename meta-networking/recipes-support/wireshark/{wireshark_3.2.7.bb => wireshark_3.2.10.bb} (96%)
> create mode 100644 meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch
> rename meta-oe/recipes-dbs/mysql/{mariadb-native_10.4.12.bb => mariadb-native_10.4.17.bb} (100%)
> delete mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch
> rename meta-oe/recipes-dbs/mysql/{mariadb_10.4.12.bb => mariadb_10.4.17.bb} (100%)
> create mode 100644 meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch
> create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch
> rename meta-oe/recipes-devtools/lua/{lua_5.3.5.bb => lua_5.3.6.bb} (87%)
> create mode 100644 meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch
> create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch
> delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch
> delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch
> rename meta-oe/recipes-devtools/nodejs/{nodejs_12.14.1.bb => nodejs_12.20.1.bb} (94%)
> create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
> create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
> mode change 100755 => 100644 meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
> rename meta-oe/recipes-devtools/php/{php_7.4.4.bb => php_7.4.9.bb} (97%)
> create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
> create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
> rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.43.bb => apache2_2.4.46.bb} (98%)
>
Hi Armin,
maybe you take the graphviz patches into account I just sent out. As
said in cover letter: graphviz is broken currently
Cheers
Andreas
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: [oe] [dunfell 00/28] Patch review Jan 17th
2021-01-17 20:38 ` [oe] [dunfell 00/28] Patch review Jan 17th Andreas Müller
@ 2021-01-18 4:09 ` akuster
0 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-18 4:09 UTC (permalink / raw)
To: Andreas Müller; +Cc: openembeded-devel
On 1/17/21 12:38 PM, Andreas Müller wrote:
> On Sun, Jan 17, 2021 at 6:46 PM akuster <akuster808@gmail.com> wrote:
>> Here is the next batch for Dunfell. Please review and have comments back by Wednesday.
>>
>> The following changes since commit f2d02cb71eaff8eb285a1997b30be52486c160ae:
>>
>> python3-pyinotify: Add missing ctypes dependency (2020-11-15 11:13:25 -0800)
>>
>> are available in the Git repository at:
>>
>> git://git.openembedded.org/meta-openembedded-contrib stable/dunfell-nut
>> http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/dunfell-nut
>>
>> Armin Kuster (5):
>> wireguard-module: fix build issue with 5.4 kernel
>> mariadb: update to 10.4.17 for cve fixes
>> lua: update to 5.3.6
>> nss: Security fix CVE-2020-12401
>> wireshark: Several securtiy fixes
>>
>> Chenxi Mao (1):
>> geoclue: select avahi-daemon if nmea enabled
>>
>> Gianfranco (1):
>> dlt-daemon: add upstream patch to fix CVE-2020-29394
>>
>> Khem Raj (4):
>> nodejs: Fix build with icu 67.1
>> nodejs: Upgrade to 12.18.3
>> nodejs: Fix arm32/thumb builds with clang
>> nodejs: Update to 12.19.0
>>
>> Leon Anavi (1):
>> php: Upgrade 7.4.4 -> 7.4.9
>>
>> Max Kellermann (1):
>> php: remove the failing ${D}/${TMPDIR} code
>>
>> Roland Hieber (1):
>> pcsc-lite: provide pcsc-lite-lib-native explicitly for native build
>>
>> Sakib Sajal (1):
>> apache2: upgrade v2.4.43 -> v2.4.46
>>
>> Sean Nyekjaer (1):
>> nodejs: 12.19.1 -> 12.20.1
>>
>> Stacy Gaikovaia (1):
>> nodejs: 12.19.0 -> 12.19.1
>>
>> Wang Mingyu (1):
>> zabbix: CVE-2020-15803 Security Advisory
>>
>> Wenlin Kang (2):
>> lua: fix CVE-2020-15945
>> lua: fix CVE-2020-24371
>>
>> Zang Ruochen (1):
>> mcpp: Normalize the patch format of CVE
>>
>> Zheng Ruoqin (4):
>> samba: CVE-2020-14318 Security Advisory
>> samba: CVE-2020-14383 Security Advisory
>> php: CVE-2020-7070
>> php: CVE-2020-7069
>>
>> jabdoa2 (2):
>> libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer
>> libsdl2-mixer: set --disable-music-ogg-shared to link statically
>>
>> viatsk (1):
>> tcpdump: Patch for CVE-2020-8037
>>
>> .../samba/samba/CVE-2020-14318.patch | 142 +++++++++++++++
>> .../samba/samba/CVE-2020-14383.patch | 112 ++++++++++++
>> .../samba/samba_4.10.18.bb | 2 +
>> ...NC_-START-END-were-backported-to-5.4.patch | 29 +++
>> .../wireguard-module_1.0.20200401.bb | 3 +-
>> ...ping-don-t-allocate-a-too-large-buff.patch | 70 ++++++++
>> .../recipes-support/tcpdump/tcpdump_4.9.3.bb | 1 +
>> ...wireshark_3.2.7.bb => wireshark_3.2.10.bb} | 2 +-
>> .../zabbix/zabbix/CVE-2020-15803.patch | 36 ++++
>> .../zabbix/zabbix_4.4.6.bb | 1 +
>> ...e_10.4.12.bb => mariadb-native_10.4.17.bb} | 0
>> meta-oe/recipes-dbs/mysql/mariadb.inc | 6 +-
>> ...-breakage-from-lock_guard-error-6161.patch | 32 ----
>> .../mariadb/0001-Fix-library-LZ4-lookup.patch | 19 +-
>> .../mysql/mariadb/c11_atomics.patch | 24 ++-
>> .../configure.cmake-fix-valgrind.patch | 10 +-
>> .../mariadb/fix-a-building-failure.patch | 13 +-
>> .../mysql/mariadb/fix-arm-atomic.patch | 13 +-
>> ...Lists.txt-fix-gen_lex_hash-not-found.patch | 12 +-
>> ...akeLists.txt-fix-do_populate_sysroot.patch | 10 +-
>> ...{mariadb_10.4.12.bb => mariadb_10.4.17.bb} | 0
>> ...rriers-cannot-be-active-during-sweep.patch | 90 ++++++++++
>> .../lua/lua/CVE-2020-15945.patch | 167 ++++++++++++++++++
>> .../lua/{lua_5.3.5.bb => lua_5.3.6.bb} | 8 +-
>> .../mcpp/files/CVE-2019-14274.patch | 34 ++++
>> .../mcpp/files/ice-mcpp.patch | 31 ----
>> meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb | 3 +-
>> ...gister-r7-because-llvm-now-issues-an.patch | 53 ++++++
>> ...-passing-multiple-libs-to-pkg_config.patch | 41 -----
>> ...allow-use-of-system-installed-brotli.patch | 66 -------
>> ...Install-both-binaries-and-use-libdir.patch | 28 ++-
>> .../{nodejs_12.14.1.bb => nodejs_12.20.1.bb} | 12 +-
>> .../php/php/CVE-2020-7069.patch | 158 +++++++++++++++++
>> .../php/php/CVE-2020-7070.patch | 24 +++
>> .../php/php/debian-php-fixheader.patch | 27 +--
>> .../php/{php_7.4.4.bb => php_7.4.9.bb} | 16 +-
>> .../dlt-daemon/dlt-daemon/275.patch | 38 ++++
>> .../dlt-daemon/dlt-daemon_2.18.4.bb | 1 +
>> .../libsdl/libsdl2-mixer_2.0.4.bb | 2 +-
>> .../geoclue/geoclue_2.5.3.bb | 2 +-
>> .../nss/nss/CVE-2020-12401.patch | 52 ++++++
>> meta-oe/recipes-support/nss/nss_3.51.1.bb | 1 +
>> .../pcsc-lite/pcsc-lite_1.8.26.bb | 1 +
>> .../{apache2_2.4.43.bb => apache2_2.4.46.bb} | 4 +-
>> 44 files changed, 1111 insertions(+), 285 deletions(-)
>> create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
>> create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
>> create mode 100644 meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
>> create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
>> rename meta-networking/recipes-support/wireshark/{wireshark_3.2.7.bb => wireshark_3.2.10.bb} (96%)
>> create mode 100644 meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch
>> rename meta-oe/recipes-dbs/mysql/{mariadb-native_10.4.12.bb => mariadb-native_10.4.17.bb} (100%)
>> delete mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch
>> rename meta-oe/recipes-dbs/mysql/{mariadb_10.4.12.bb => mariadb_10.4.17.bb} (100%)
>> create mode 100644 meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch
>> create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch
>> rename meta-oe/recipes-devtools/lua/{lua_5.3.5.bb => lua_5.3.6.bb} (87%)
>> create mode 100644 meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch
>> create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch
>> delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch
>> delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch
>> rename meta-oe/recipes-devtools/nodejs/{nodejs_12.14.1.bb => nodejs_12.20.1.bb} (94%)
>> create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
>> create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
>> mode change 100755 => 100644 meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
>> rename meta-oe/recipes-devtools/php/{php_7.4.4.bb => php_7.4.9.bb} (97%)
>> create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
>> create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
>> rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.43.bb => apache2_2.4.46.bb} (98%)
>>
> Hi Armin,
>
> maybe you take the graphviz patches into account I just sent out. As
> said in cover letter: graphviz is broken currently
sure thing.
thanks,
Armin
>
> Cheers
>
> Andreas
^ permalink raw reply [flat|nested] 33+ messages in thread
* Re: [oe] [dunfell 00/28] Patch review Jan 17th
2021-01-17 17:45 [dunfell 00/28] Patch review Jan 17th akuster
` (28 preceding siblings ...)
2021-01-17 20:38 ` [oe] [dunfell 00/28] Patch review Jan 17th Andreas Müller
@ 2021-01-18 10:12 ` Diego Santa Cruz
2021-01-18 16:34 ` akuster
29 siblings, 1 reply; 33+ messages in thread
From: Diego Santa Cruz @ 2021-01-18 10:12 UTC (permalink / raw)
To: akuster808, openembedded-devel
> -----Original Message-----
> From: openembedded-devel@lists.openembedded.org <openembedded-
> devel@lists.openembedded.org> On Behalf Of akuster via
> lists.openembedded.org
> Sent: 17 January 2021 18:46
> To: openembedded-devel@lists.openembedded.org
> Subject: [oe] [dunfell 00/28] Patch review Jan 17th
>
> Here is the next batch for Dunfell. Please review and have comments back by
> Wednesday.
>
> The following changes since commit
> f2d02cb71eaff8eb285a1997b30be52486c160ae:
>
> python3-pyinotify: Add missing ctypes dependency (2020-11-15 11:13:25 -
> 0800)
>
> are available in the Git repository at:
>
> git://git.openembedded.org/meta-openembedded-contrib stable/dunfell-
> nut
> http://cgit.openembedded.org/meta-openembedded-
> contrib/log/?h=stable/dunfell-nut
>
> Armin Kuster (5):
> wireguard-module: fix build issue with 5.4 kernel
> mariadb: update to 10.4.17 for cve fixes
> lua: update to 5.3.6
> nss: Security fix CVE-2020-12401
> wireshark: Several securtiy fixes
>
> Chenxi Mao (1):
> geoclue: select avahi-daemon if nmea enabled
>
> Gianfranco (1):
> dlt-daemon: add upstream patch to fix CVE-2020-29394
>
> Khem Raj (4):
> nodejs: Fix build with icu 67.1
> nodejs: Upgrade to 12.18.3
> nodejs: Fix arm32/thumb builds with clang
> nodejs: Update to 12.19.0
>
> Leon Anavi (1):
> php: Upgrade 7.4.4 -> 7.4.9
>
> Max Kellermann (1):
> php: remove the failing ${D}/${TMPDIR} code
>
> Roland Hieber (1):
> pcsc-lite: provide pcsc-lite-lib-native explicitly for native build
>
> Sakib Sajal (1):
> apache2: upgrade v2.4.43 -> v2.4.46
>
> Sean Nyekjaer (1):
> nodejs: 12.19.1 -> 12.20.1
>
> Stacy Gaikovaia (1):
> nodejs: 12.19.0 -> 12.19.1
>
> Wang Mingyu (1):
> zabbix: CVE-2020-15803 Security Advisory
>
> Wenlin Kang (2):
> lua: fix CVE-2020-15945
> lua: fix CVE-2020-24371
>
> Zang Ruochen (1):
> mcpp: Normalize the patch format of CVE
>
> Zheng Ruoqin (4):
> samba: CVE-2020-14318 Security Advisory
> samba: CVE-2020-14383 Security Advisory
> php: CVE-2020-7070
> php: CVE-2020-7069
>
> jabdoa2 (2):
> libsdl2-mixer: Fix ogg/vorbis support in libsdl2-mixer
> libsdl2-mixer: set --disable-music-ogg-shared to link statically
>
> viatsk (1):
> tcpdump: Patch for CVE-2020-8037
>
> .../samba/samba/CVE-2020-14318.patch | 142 +++++++++++++++
> .../samba/samba/CVE-2020-14383.patch | 112 ++++++++++++
> .../samba/samba_4.10.18.bb | 2 +
> ...NC_-START-END-were-backported-to-5.4.patch | 29 +++
> .../wireguard-module_1.0.20200401.bb | 3 +-
> ...ping-don-t-allocate-a-too-large-buff.patch | 70 ++++++++
> .../recipes-support/tcpdump/tcpdump_4.9.3.bb | 1 +
> ...wireshark_3.2.7.bb => wireshark_3.2.10.bb} | 2 +-
> .../zabbix/zabbix/CVE-2020-15803.patch | 36 ++++
> .../zabbix/zabbix_4.4.6.bb | 1 +
> ...e_10.4.12.bb => mariadb-native_10.4.17.bb} | 0
> meta-oe/recipes-dbs/mysql/mariadb.inc | 6 +-
> ...-breakage-from-lock_guard-error-6161.patch | 32 ----
> .../mariadb/0001-Fix-library-LZ4-lookup.patch | 19 +-
> .../mysql/mariadb/c11_atomics.patch | 24 ++-
> .../configure.cmake-fix-valgrind.patch | 10 +-
> .../mariadb/fix-a-building-failure.patch | 13 +-
> .../mysql/mariadb/fix-arm-atomic.patch | 13 +-
> ...Lists.txt-fix-gen_lex_hash-not-found.patch | 12 +-
> ...akeLists.txt-fix-do_populate_sysroot.patch | 10 +-
> ...{mariadb_10.4.12.bb => mariadb_10.4.17.bb} | 0
> ...rriers-cannot-be-active-during-sweep.patch | 90 ++++++++++
> .../lua/lua/CVE-2020-15945.patch | 167 ++++++++++++++++++
> .../lua/{lua_5.3.5.bb => lua_5.3.6.bb} | 8 +-
> .../mcpp/files/CVE-2019-14274.patch | 34 ++++
> .../mcpp/files/ice-mcpp.patch | 31 ----
> meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb | 3 +-
> ...gister-r7-because-llvm-now-issues-an.patch | 53 ++++++
> ...-passing-multiple-libs-to-pkg_config.patch | 41 -----
> ...allow-use-of-system-installed-brotli.patch | 66 -------
> ...Install-both-binaries-and-use-libdir.patch | 28 ++-
> .../{nodejs_12.14.1.bb => nodejs_12.20.1.bb} | 12 +-
> .../php/php/CVE-2020-7069.patch | 158 +++++++++++++++++
> .../php/php/CVE-2020-7070.patch | 24 +++
> .../php/php/debian-php-fixheader.patch | 27 +--
> .../php/{php_7.4.4.bb => php_7.4.9.bb} | 16 +-
> .../dlt-daemon/dlt-daemon/275.patch | 38 ++++
> .../dlt-daemon/dlt-daemon_2.18.4.bb | 1 +
> .../libsdl/libsdl2-mixer_2.0.4.bb | 2 +-
> .../geoclue/geoclue_2.5.3.bb | 2 +-
> .../nss/nss/CVE-2020-12401.patch | 52 ++++++
> meta-oe/recipes-support/nss/nss_3.51.1.bb | 1 +
> .../pcsc-lite/pcsc-lite_1.8.26.bb | 1 +
> .../{apache2_2.4.43.bb => apache2_2.4.46.bb} | 4 +-
> 44 files changed, 1111 insertions(+), 285 deletions(-)
> create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
> create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
> create mode 100644 meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
> create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
> rename meta-networking/recipes-support/wireshark/{wireshark_3.2.7.bb => wireshark_3.2.10.bb} (96%)
> create mode 100644 meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch
> rename meta-oe/recipes-dbs/mysql/{mariadb-native_10.4.12.bb => mariadb-native_10.4.17.bb} (100%)
> delete mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch
> rename meta-oe/recipes-dbs/mysql/{mariadb_10.4.12.bb => mariadb_10.4.17.bb} (100%)
> create mode 100644 meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch
> create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch
> rename meta-oe/recipes-devtools/lua/{lua_5.3.5.bb => lua_5.3.6.bb} (87%)
> create mode 100644 meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch
> create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch
> delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch
> delete mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch
> rename meta-oe/recipes-devtools/nodejs/{nodejs_12.14.1.bb => nodejs_12.20.1.bb} (94%)
> create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
> create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
> mode change 100755 => 100644 meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch
> rename meta-oe/recipes-devtools/php/{php_7.4.4.bb => php_7.4.9.bb} (97%)
> create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
> create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
> rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.43.bb => apache2_2.4.46.bb} (98%)
>
> --
> 2.17.1
Hi Armin,
Is there any specific reason why the gssdp and gupnp updates I sent for dunfell a while ago to fix a CVE are not in? They are in the patch review you've sent for gatesgarth though.
Anything I should do?
Thanks,
Diego
--
Diego Santa Cruz, PhD
Technology Architect
spinetix.com
* Re: [oe] [dunfell 00/28] Patch review Jan 17th
2021-01-18 10:12 ` Diego Santa Cruz
@ 2021-01-18 16:34 ` akuster
0 siblings, 0 replies; 33+ messages in thread
From: akuster @ 2021-01-18 16:34 UTC (permalink / raw)
To: Diego Santa Cruz, openembedded-devel
On 1/18/21 2:12 AM, Diego Santa Cruz wrote:
> Hi Armin,
>
> Is there any specific reason why the gssdp and gupnp updates I sent for dunfell a while ago to fix a CVE are not in? They are in the patch review you've sent for gatesgarth though.
I most forgot to merge them from Gatesgarth. They will be in there shortly.
-armin
>
> Anything I should do?
>
> Thanks,
>
> Diego
>