* [OE-core][dunfell 0/9] Patch review
From: Steve Sakoman @ 2021-09-10 14:07 UTC
To: openembedded-core
Please review this next set of patches for dunfell and have comments back by
end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2570
The following changes since commit fcc609d3bafef2f63039dc54c0fd0eaf062710a1:
rt-tests: set branch name in SRC_URI (2021-09-08 04:50:47 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Armin Kuster (2):
xserver-xorg: Security fix for CVE-2020-14360/-25712
go: Several Security fixes
Ovidiu Panait (2):
dbus-test: Remove EXTRA_OECONF_X configs
dbus,dbus-test: Move common parts to dbus.inc
Richard Purdie (2):
flex: Add CVE-2019-6293 to exclusions for checks
go: Exclude CVE-2021-29923 from report list
Wang Mingyu (3):
dbus: upgrade 1.12.16 -> 1.12.18
dbus-test: upgrade 1.12.16 -> 1.12.18
dbus: upgrade 1.12.18 -> 1.12.20
.../distro/include/cve-extra-exclusions.inc | 4 -
...s-test_1.12.16.bb => dbus-test_1.12.20.bb} | 42 +----
meta/recipes-core/dbus/dbus.inc | 34 ++++
.../dbus/dbus/CVE-2020-12049.patch | 78 ---------
.../dbus/{dbus_1.12.16.bb => dbus_1.12.20.bb} | 40 +----
meta/recipes-devtools/flex/flex_2.6.4.bb | 5 +
meta/recipes-devtools/go/go-1.14.inc | 9 ++
.../go/go-1.14/CVE-2021-33196.patch | 124 ++++++++++++++
.../go/go-1.14/CVE-2021-33197.patch | 152 ++++++++++++++++++
.../go/go-1.14/CVE-2021-34558.patch | 51 ++++++
.../xserver-xorg/CVE-2020-14360.patch | 132 +++++++++++++++
.../xserver-xorg/CVE-2020-25712.patch | 102 ++++++++++++
.../xorg-xserver/xserver-xorg_1.20.8.bb | 2 +
13 files changed, 624 insertions(+), 151 deletions(-)
rename meta/recipes-core/dbus/{dbus-test_1.12.16.bb => dbus-test_1.12.20.bb} (51%)
create mode 100644 meta/recipes-core/dbus/dbus.inc
delete mode 100644 meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
rename meta/recipes-core/dbus/{dbus_1.12.16.bb => dbus_1.12.20.bb} (75%)
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch
--
2.25.1
* [OE-core][dunfell 1/9] dbus: upgrade 1.12.16 -> 1.12.18
From: Steve Sakoman @ 2021-09-10 14:07 UTC
To: openembedded-core
From: Wang Mingyu <wangmy@cn.fujitsu.com>
(From OE-Core rev: 8d33a2a4e4b6ff8f831523e5b1b16ead6b29cc79)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a62471f0641551717a260c67690d3a7d280ac028)
[Bug fix only update, drop cve patch now included
a0926ef86f (tag: dbus-1.12.18) Prepare 1.12.18
8bc1381819 fdpass test: Assert that we don't leak file descriptors
272d484283 sysdeps-unix: On MSG_CTRUNC, close the fds we did receive <- cve fix
31297172f1 Update NEWS
041d579139 dbus-daemon test: Don't test fd limits if in an unprivileged container
55b3f71376 Update NEWS
ced04aabc7 doxygen: fix example for dbus_message_append_args
3e40637b10 Update NEWS
3e0ea34966 cmake: Add X11 include path for tools
d0992805d7 doc: replace dbus-send's --address with --peer and --bus
dd32f6b617 Update NEWS
d251fe7850 Merge branch 'cherry-pick-b034b83b' into 'dbus-1.12'
2c6b0ad7f6 bus: Don't explicitly clear BusConnections.monitors
df0c675b93 Merge branch 'cherry-pick-bf71a58e' into 'dbus-1.12'
beb79b94fb doc: Fix environment variable name in dbus-daemon(1)
eab5d4a420 Start 1.12.18 development]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../dbus/dbus/CVE-2020-12049.patch | 78 -------------------
.../dbus/{dbus_1.12.16.bb => dbus_1.12.18.bb} | 5 +-
2 files changed, 2 insertions(+), 81 deletions(-)
delete mode 100644 meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
rename meta/recipes-core/dbus/{dbus_1.12.16.bb => dbus_1.12.18.bb} (97%)
diff --git a/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch b/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
deleted file mode 100644
index ac7a4b7a71..0000000000
--- a/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 872b085f12f56da25a2dbd9bd0b2dff31d5aea63 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Thu, 16 Apr 2020 14:45:11 +0100
-Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
-
-MSG_CTRUNC indicates that we have received fewer fds that we should
-have done because the buffer was too small, but we were treating it
-as though it indicated that we received *no* fds. If we received any,
-we still have to make sure we close them, otherwise they will be leaked.
-
-On the system bus, if an attacker can induce us to leak fds in this
-way, that's a local denial of service via resource exhaustion.
-
-Reported-by: Kevin Backhouse, GitHub Security Lab
-Fixes: dbus#294
-Fixes: CVE-2020-12049
-Fixes: GHSL-2020-057
-
-Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/872b085f12f56da25a2dbd9bd0b2dff31d5aea63]
-CVE: CVE-2020-12049
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
----
- dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------
- 1 file changed, 20 insertions(+), 12 deletions(-)
-
-diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
-index b5fc2466..b176dae1 100644
---- a/dbus/dbus-sysdeps-unix.c
-+++ b/dbus/dbus-sysdeps-unix.c
-@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
- struct cmsghdr *cm;
- dbus_bool_t found = FALSE;
-
-- if (m.msg_flags & MSG_CTRUNC)
-- {
-- /* Hmm, apparently the control data was truncated. The bad
-- thing is that we might have completely lost a couple of fds
-- without chance to recover them. Hence let's treat this as a
-- serious error. */
--
-- errno = ENOSPC;
-- _dbus_string_set_length (buffer, start);
-- return -1;
-- }
--
- for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
- if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
- {
-@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
- if (!found)
- *n_fds = 0;
-
-+ if (m.msg_flags & MSG_CTRUNC)
-+ {
-+ unsigned int i;
-+
-+ /* Hmm, apparently the control data was truncated. The bad
-+ thing is that we might have completely lost a couple of fds
-+ without chance to recover them. Hence let's treat this as a
-+ serious error. */
-+
-+ /* We still need to close whatever fds we *did* receive,
-+ * otherwise they'll never get closed. (CVE-2020-12049) */
-+ for (i = 0; i < *n_fds; i++)
-+ close (fds[i]);
-+
-+ *n_fds = 0;
-+ errno = ENOSPC;
-+ _dbus_string_set_length (buffer, start);
-+ return -1;
-+ }
-+
- /* put length back (doesn't actually realloc) */
- _dbus_string_set_length (buffer, start + bytes_read);
-
---
-2.25.1
-
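Review bot: The commit message never names the CVE whose backport this hunk deletes; it says only "drop cve patch now included" and marks 272d484283 with "<- cve fix". Add "CVE-2020-12049" to the message body so that a later search of the stable branch history for that identifier finds the commit where the fix moved from a carried patch to the 1.12.18 tarball.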
diff --git a/meta/recipes-core/dbus/dbus_1.12.16.bb b/meta/recipes-core/dbus/dbus_1.12.18.bb
similarity index 97%
rename from meta/recipes-core/dbus/dbus_1.12.16.bb
rename to meta/recipes-core/dbus/dbus_1.12.18.bb
index 10d1b34448..2fcb3079ad 100644
--- a/meta/recipes-core/dbus/dbus_1.12.16.bb
+++ b/meta/recipes-core/dbus/dbus_1.12.18.bb
@@ -16,11 +16,10 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
file://tmpdir.patch \
file://dbus-1.init \
file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
- file://CVE-2020-12049.patch \
"
-SRC_URI[md5sum] = "2dbeae80dfc9e3632320c6a53d5e8890"
-SRC_URI[sha256sum] = "54a22d2fa42f2eb2a871f32811c6005b531b9613b1b93a0d269b05e7549fec80"
+SRC_URI[md5sum] = "4ca570c281be35d0b30ab83436712242"
+SRC_URI[sha256sum] = "64cf4d70840230e5e9bc784d153880775ab3db19d656ead8a0cb9c0ab5a95306"
inherit useradd autotools pkgconfig gettext update-rc.d upstream-version-is-even
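Review bot: After this hunk dbus is at 1.12.18 while dbus-test stays at 1.12.16 until 2/9, so a build at this commit runs the ptest suite against a different source version than the one that ships. Consider squashing 1/9 and 2/9 on the stable branch, or state in the message that the two must be applied together.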
--
2.25.1
* [OE-core][dunfell 2/9] dbus-test: upgrade 1.12.16 -> 1.12.18
From: Steve Sakoman @ 2021-09-10 14:07 UTC
To: openembedded-core
From: Wang Mingyu <wangmy@cn.fujitsu.com>
(From OE-Core rev: 839695e0c1b0c0fcfbb924c2b174c4a638067a32)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5cbf053481642a820b9f4c6bed9ac79246719087)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../dbus/{dbus-test_1.12.16.bb => dbus-test_1.12.18.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-core/dbus/{dbus-test_1.12.16.bb => dbus-test_1.12.18.bb} (95%)
diff --git a/meta/recipes-core/dbus/dbus-test_1.12.16.bb b/meta/recipes-core/dbus/dbus-test_1.12.18.bb
similarity index 95%
rename from meta/recipes-core/dbus/dbus-test_1.12.16.bb
rename to meta/recipes-core/dbus/dbus-test_1.12.18.bb
index bea0e74ed0..0063dcce67 100644
--- a/meta/recipes-core/dbus/dbus-test_1.12.16.bb
+++ b/meta/recipes-core/dbus/dbus-test_1.12.18.bb
@@ -16,8 +16,8 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
"
-SRC_URI[md5sum] = "2dbeae80dfc9e3632320c6a53d5e8890"
-SRC_URI[sha256sum] = "54a22d2fa42f2eb2a871f32811c6005b531b9613b1b93a0d269b05e7549fec80"
+SRC_URI[md5sum] = "4ca570c281be35d0b30ab83436712242"
+SRC_URI[sha256sum] = "64cf4d70840230e5e9bc784d153880775ab3db19d656ead8a0cb9c0ab5a95306"
S="${WORKDIR}/dbus-${PV}"
FILESEXTRAPATHS =. "${FILE_DIRNAME}/dbus:"
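Review bot: The SRC_URI shown in this hunk's header still fetches the tarball over plain http://, while the dbus recipe in 1/9 uses https://dbus.freedesktop.org for the same file. The sha256sum pins the content either way, but switch this recipe to https:// as well so the two fetch identically; 4/9 ends up doing that by moving SRC_URI into dbus.inc.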
--
2.25.1
* [OE-core][dunfell 3/9] dbus-test: Remove EXTRA_OECONF_X configs
From: Steve Sakoman @ 2021-09-10 14:07 UTC
To: openembedded-core
From: Ovidiu Panait <ovidiu.panait@windriver.com>
X specific configs are already handled through PACKAGECONFIG:
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)}"
...
PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x
--disable-x11-autolaunch, virtual/libx11 libsm"
Remove duplicated EXTRA_OECONF_X args.
(From OE-Core rev: 7dc107b05a29f8a3e8903d73f84ef8069f68af6f)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 036e3436e51a44de3fc9b4b8e5b1ff149e3aaa9d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/dbus/dbus-test_1.12.18.bb | 4 ----
1 file changed, 4 deletions(-)
diff --git a/meta/recipes-core/dbus/dbus-test_1.12.18.bb b/meta/recipes-core/dbus/dbus-test_1.12.18.bb
index 0063dcce67..68fcdc847f 100644
--- a/meta/recipes-core/dbus/dbus-test_1.12.18.bb
+++ b/meta/recipes-core/dbus/dbus-test_1.12.18.bb
@@ -24,9 +24,6 @@ FILESEXTRAPATHS =. "${FILE_DIRNAME}/dbus:"
inherit autotools pkgconfig gettext ptest upstream-version-is-even
-EXTRA_OECONF_X = "${@bb.utils.contains('DISTRO_FEATURES', 'x11', '--with-x', '--without-x', d)}"
-EXTRA_OECONF_X_class-native = "--without-x"
-
EXTRA_OECONF = "--enable-tests \
--enable-modular-tests \
--enable-installed-tests \
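Review bot: The commit message justifies the removal by quoting the PACKAGECONFIG default and PACKAGECONFIG[x11], but the removed EXTRA_OECONF_X_class-native = "--without-x" line is a separate override that the message does not account for. Say in the message which setting now keeps X disabled for the native class (the recipe's PACKAGECONFIG_class-native = "", visible in 4/9), so the removal is shown to be behaviour-neutral for every class.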
@@ -37,7 +34,6 @@ EXTRA_OECONF = "--enable-tests \
--disable-doxygen-docs \
--disable-libaudit \
--with-dbus-test-dir=${PTEST_PATH} \
- ${EXTRA_OECONF_X} \
--enable-embedded-tests \
"
--
2.25.1
* [OE-core][dunfell 4/9] dbus,dbus-test: Move common parts to dbus.inc
From: Steve Sakoman @ 2021-09-10 14:07 UTC
To: openembedded-core
From: Ovidiu Panait <ovidiu.panait@windriver.com>
dbus and dbus-test share the same source code and base configuration options,
so factor out the common parts into dbus.inc.
This way we can eliminate the need to keep the two recipes in sync. When they
are not properly in sync (e.g. when dbus recipe has extra patches/config
options that are not duplicated in dbus-test) ptest testsuite will actually
test a slightly different codebase. This is due to the fact that dbus-test does
not run the testsuite against the system libdbus library, but instead it
generates a local libdbus.so that needs to be configured/compiled as close as
possible to the system one.
(From OE-Core rev: 1cde2935526d2eec7d6b17a6c622647b0c132439)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 44ae5d8d6f26fda4ab1a3fef9fc49d74e4ac89f0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/dbus/dbus-test_1.12.18.bb | 38 +++++---------------
meta/recipes-core/dbus/dbus.inc | 34 ++++++++++++++++++
meta/recipes-core/dbus/dbus_1.12.18.bb | 39 +++------------------
3 files changed, 47 insertions(+), 64 deletions(-)
create mode 100644 meta/recipes-core/dbus/dbus.inc
diff --git a/meta/recipes-core/dbus/dbus-test_1.12.18.bb b/meta/recipes-core/dbus/dbus-test_1.12.18.bb
index 68fcdc847f..755c841bad 100644
--- a/meta/recipes-core/dbus/dbus-test_1.12.18.bb
+++ b/meta/recipes-core/dbus/dbus-test_1.12.18.bb
@@ -1,53 +1,31 @@
SUMMARY = "D-Bus test package (for D-bus functionality testing only)"
HOMEPAGE = "http://dbus.freedesktop.org"
SECTION = "base"
-LICENSE = "AFL-2.1 | GPLv2+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \
- file://dbus/dbus.h;beginline=6;endline=20;md5=7755c9d7abccd5dbd25a6a974538bb3c"
-DEPENDS = "dbus glib-2.0"
+require dbus.inc
-RDEPENDS_${PN}-dev = ""
+SRC_URI += "file://run-ptest \
+ file://python-config.patch \
+ "
-SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
- file://tmpdir.patch \
- file://run-ptest \
- file://python-config.patch \
- file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
- "
+DEPENDS = "dbus glib-2.0"
-SRC_URI[md5sum] = "4ca570c281be35d0b30ab83436712242"
-SRC_URI[sha256sum] = "64cf4d70840230e5e9bc784d153880775ab3db19d656ead8a0cb9c0ab5a95306"
+RDEPENDS_${PN}-dev = ""
S="${WORKDIR}/dbus-${PV}"
FILESEXTRAPATHS =. "${FILE_DIRNAME}/dbus:"
-inherit autotools pkgconfig gettext ptest upstream-version-is-even
+inherit ptest
-EXTRA_OECONF = "--enable-tests \
+EXTRA_OECONF += "--enable-tests \
--enable-modular-tests \
--enable-installed-tests \
--enable-checks \
--enable-asserts \
- --enable-largefile \
- --disable-xml-docs \
- --disable-doxygen-docs \
- --disable-libaudit \
--with-dbus-test-dir=${PTEST_PATH} \
--enable-embedded-tests \
"
-EXTRA_OECONF_append_class-target = " SYSTEMCTL=${base_bindir}/systemctl"
-
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)}"
-PACKAGECONFIG_class-native = ""
-PACKAGECONFIG_class-nativesdk = ""
-
-PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_system_unitdir},--disable-systemd --without-systemdsystemunitdir,systemd"
-PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x --disable-x11-autolaunch, virtual/libx11 libsm"
-PACKAGECONFIG[user-session] = "--enable-user-session --with-systemduserunitdir=${systemd_user_unitdir},--disable-user-session"
-PACKAGECONFIG[verbose-mode] = "--enable-verbose-mode,,,"
-
do_install() {
:
}
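Review bot: Switching to require dbus.inc changes what dbus-test is built with beyond the de-duplication the message describes: it now inherits file://dbus-1.init in SRC_URI, --with-system-socket=/run/dbus/system_bus_socket, the class-native --disable-selinux append and user-session in the default PACKAGECONFIG, none of which were in the lines removed here. That matches the stated goal of building the test libdbus like the system one, but list these deltas in the commit message so a ptest result change after this commit can be traced to them.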
diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
new file mode 100644
index 0000000000..3bdb7ea4ff
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -0,0 +1,34 @@
+inherit autotools pkgconfig gettext upstream-version-is-even
+
+LICENSE = "AFL-2.1 | GPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \
+ file://dbus/dbus.h;beginline=6;endline=20;md5=7755c9d7abccd5dbd25a6a974538bb3c"
+
+SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
+ file://tmpdir.patch \
+ file://dbus-1.init \
+ file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+"
+
+SRC_URI[md5sum] = "4ca570c281be35d0b30ab83436712242"
+SRC_URI[sha256sum] = "64cf4d70840230e5e9bc784d153880775ab3db19d656ead8a0cb9c0ab5a95306"
+
+EXTRA_OECONF = "--disable-xml-docs \
+ --disable-doxygen-docs \
+ --disable-libaudit \
+ --enable-largefile \
+ --with-system-socket=/run/dbus/system_bus_socket \
+ "
+EXTRA_OECONF_append_class-target = " SYSTEMCTL=${base_bindir}/systemctl"
+EXTRA_OECONF_append_class-native = " --disable-selinux"
+
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)} \
+ user-session \
+ "
+PACKAGECONFIG_class-native = ""
+PACKAGECONFIG_class-nativesdk = ""
+
+PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_system_unitdir},--disable-systemd --without-systemdsystemunitdir,systemd"
+PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x --disable-x11-autolaunch, virtual/libx11 libsm"
+PACKAGECONFIG[user-session] = "--enable-user-session --with-systemduserunitdir=${systemd_user_unitdir},--disable-user-session"
+PACKAGECONFIG[verbose-mode] = "--enable-verbose-mode,,,"
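Review bot: The new file has no header comment, and it assigns SRC_URI and EXTRA_OECONF with "=", so it only works when each recipe places require dbus.inc before its own SRC_URI += and EXTRA_OECONF += lines. Add a short comment at the top saying the file is shared by dbus and dbus-test and must be required before those appends.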
diff --git a/meta/recipes-core/dbus/dbus_1.12.18.bb b/meta/recipes-core/dbus/dbus_1.12.18.bb
index 2fcb3079ad..cf6f7dc0ef 100644
--- a/meta/recipes-core/dbus/dbus_1.12.18.bb
+++ b/meta/recipes-core/dbus/dbus_1.12.18.bb
@@ -2,9 +2,9 @@ SUMMARY = "D-Bus message bus"
DESCRIPTION = "D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a \"single instance\" application or daemon, and to launch applications and daemons on demand when their services are needed."
HOMEPAGE = "https://dbus.freedesktop.org"
SECTION = "base"
-LICENSE = "AFL-2.1 | GPLv2+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \
- file://dbus/dbus.h;beginline=6;endline=20;md5=7755c9d7abccd5dbd25a6a974538bb3c"
+
+require dbus.inc
+
DEPENDS = "expat virtual/libintl autoconf-archive"
RDEPENDS_dbus_class-native = ""
RDEPENDS_dbus_class-nativesdk = ""
@@ -12,16 +12,7 @@ PACKAGES += "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', '${PN}-ptest', '',
ALLOW_EMPTY_dbus-ptest = "1"
RDEPENDS_dbus-ptest_class-target = "dbus-test-ptest"
-SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
- file://tmpdir.patch \
- file://dbus-1.init \
- file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
-"
-
-SRC_URI[md5sum] = "4ca570c281be35d0b30ab83436712242"
-SRC_URI[sha256sum] = "64cf4d70840230e5e9bc784d153880775ab3db19d656ead8a0cb9c0ab5a95306"
-
-inherit useradd autotools pkgconfig gettext update-rc.d upstream-version-is-even
+inherit useradd update-rc.d
INITSCRIPT_NAME = "dbus-1"
INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
@@ -92,27 +83,7 @@ pkg_postinst_dbus() {
}
-EXTRA_OECONF = "--disable-tests \
- --disable-xml-docs \
- --disable-doxygen-docs \
- --disable-libaudit \
- --enable-largefile \
- --with-system-socket=/run/dbus/system_bus_socket \
- "
-
-EXTRA_OECONF_append_class-target = " SYSTEMCTL=${base_bindir}/systemctl"
-EXTRA_OECONF_append_class-native = " --disable-selinux"
-
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)} \
- user-session \
- "
-
-PACKAGECONFIG_class-native = ""
-PACKAGECONFIG_class-nativesdk = ""
-
-PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_system_unitdir},--disable-systemd --without-systemdsystemunitdir,systemd"
-PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x --disable-x11-autolaunch, virtual/libx11 libsm"
-PACKAGECONFIG[user-session] = "--enable-user-session --with-systemduserunitdir=${systemd_user_unitdir},--disable-user-session"
+EXTRA_OECONF += "--disable-tests"
do_install() {
autotools_do_install
--
2.25.1
* [OE-core][dunfell 5/9] dbus: upgrade 1.12.18 -> 1.12.20
From: Steve Sakoman @ 2021-09-10 14:07 UTC
To: openembedded-core
From: Wang Mingyu <wangmy@cn.fujitsu.com>
Source: https://git.openembedded.org/openembedded-core
MR: 108825
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-core/dbus?id=bfaef91e77cd54e4f642e966903aac3f3291c325
ChangeID: bfaef91e77cd54e4f642e966903aac3f3291c325
Description:
Bugz only update
Includes fix for CVE-2020-35512
ab88811768 (HEAD, tag: dbus-1.12.20) v1.12.20
5757fd5480 Update NEWS
f3b2574f0c userdb: Reference-count DBusUserInfo, DBusGroupInfo <- cve fix
37b36d49a6 userdb: Make lookups return a const pointer
732284d530 Solaris and derivatives do not adjust cmsg_len on MSG_CTRUNC
1f8c42c7cd Start 1.12.20 development
(From OE-Core rev: bfaef91e77cd54e4f642e966903aac3f3291c325)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bfaef91e77cd54e4f642e966903aac3f3291c325)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../dbus/{dbus-test_1.12.18.bb => dbus-test_1.12.20.bb} | 0
meta/recipes-core/dbus/dbus.inc | 4 ++--
meta/recipes-core/dbus/{dbus_1.12.18.bb => dbus_1.12.20.bb} | 0
3 files changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-core/dbus/{dbus-test_1.12.18.bb => dbus-test_1.12.20.bb} (100%)
rename meta/recipes-core/dbus/{dbus_1.12.18.bb => dbus_1.12.20.bb} (100%)
diff --git a/meta/recipes-core/dbus/dbus-test_1.12.18.bb b/meta/recipes-core/dbus/dbus-test_1.12.20.bb
similarity index 100%
rename from meta/recipes-core/dbus/dbus-test_1.12.18.bb
rename to meta/recipes-core/dbus/dbus-test_1.12.20.bb
diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
index 3bdb7ea4ff..dcbcc0a9d6 100644
--- a/meta/recipes-core/dbus/dbus.inc
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -10,8 +10,8 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
"
-SRC_URI[md5sum] = "4ca570c281be35d0b30ab83436712242"
-SRC_URI[sha256sum] = "64cf4d70840230e5e9bc784d153880775ab3db19d656ead8a0cb9c0ab5a95306"
+SRC_URI[md5sum] = "dfe8a71f412e0b53be26ed4fbfdc91c4"
+SRC_URI[sha256sum] = "f77620140ecb4cdc67f37fb444f8a6bea70b5b6461f12f1cbe2cec60fa7de5fe"
EXTRA_OECONF = "--disable-xml-docs \
--disable-doxygen-docs \
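Review bot: This checksum change is the whole of the CVE-2020-35512 fix as far as the recipe is concerned, and nothing in the diff lets a reviewer confirm the new md5sum and sha256sum values. Note in the commit message how the sha256sum was obtained and checked against the upstream 1.12.20 release, so the pin can be re-verified independently of this mail.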
diff --git a/meta/recipes-core/dbus/dbus_1.12.18.bb b/meta/recipes-core/dbus/dbus_1.12.20.bb
similarity index 100%
rename from meta/recipes-core/dbus/dbus_1.12.18.bb
rename to meta/recipes-core/dbus/dbus_1.12.20.bb
--
2.25.1
* [OE-core][dunfell 6/9] flex: Add CVE-2019-6293 to exclusions for checks
From: Steve Sakoman @ 2021-09-10 14:07 UTC
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE is effectively disputed - yes there is stack exhaustion but no bug and it
is building the parser, not running it, effectively similar to a compiler ICE.
Upstream has no plans to address it and there is no security issue.
https://github.com/westes/flex/issues/414
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0cae5d7a24bedf6784781b62cbb3795a44bab4d1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/conf/distro/include/cve-extra-exclusions.inc | 4 ----
meta/recipes-devtools/flex/flex_2.6.4.bb | 5 +++++
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index cf07acce1d..a6f52b5de7 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -61,10 +61,6 @@ CVE_CHECK_WHITELIST += "CVE-2020-29509 CVE-2020-29511"
# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
# however qemu maintainers are sure the patch is incorrect and should not be applied.
-# flex:flex-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6293
-# Upstream bug, still open: https://github.com/westes/flex/issues/414
-# Causes memory exhaustion so potential DoS but no buffer overflow, low priority
-
# wget https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31879
# https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html
# No response upstream as of 2021/5/12
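Review bot: The four lines removed here are comments only; no CVE_CHECK_WHITELIST entry for CVE-2019-6293 is removed, so the flex recipe change in this patch introduces the exclusion rather than moving it, and the CVE drops out of the report as a result. The rationale also changes from "potential DoS but no buffer overflow, low priority" to "no security issue"; state both points in the commit message so the change in report output is deliberate and documented.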
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 1d43d2228a..50d3bf8de1 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -26,6 +26,11 @@ SRC_URI[sha256sum] = "e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c4
UPSTREAM_CHECK_URI = "https://github.com/westes/flex/releases"
UPSTREAM_CHECK_REGEX = "flex-(?P<pver>\d+(\.\d+)+)\.tar"
+# Disputed - yes there is stack exhaustion but no bug and it is building the
+# parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
+# https://github.com/westes/flex/issues/414
+CVE_CHECK_WHITELIST += "CVE-2019-6293"
+
inherit autotools gettext texinfo ptest
M4 = "${bindir}/m4"
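Review bot: The new comment above CVE_CHECK_WHITELIST drops the NVD link that the old entry in cve-extra-exclusions.inc carried, leaving only the upstream issue URL. Keep the NVD reference next to the whitelist line so that someone auditing the exclusion can reach the advisory text from the recipe.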
--
2.25.1
* [OE-core][dunfell 7/9] go: Exclude CVE-2021-29923 from report list
From: Steve Sakoman @ 2021-09-10 14:07 UTC
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Upstream don't believe it is a significant real world issue and will only
fix in 1.17 onwards. Therefore exclude it from our reports.
https://github.com/golang/go/issues/30999#issuecomment-910470358
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5bd5faf0c34b47b2443975d66b71482d2380a01a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.14.inc | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 3dfd671d11..50136ca841 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -19,3 +19,9 @@ SRC_URI += "\
"
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"
+
+# Upstream don't believe it is a signifiant real world issue and will only
+# fix in 1.17 onwards where we can drop this.
+# https://github.com/golang/go/issues/30999#issuecomment-910470358
+CVE_CHECK_WHITELIST += "CVE-2021-29923"
+
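Review bot: The comment added before CVE_CHECK_WHITELIST gives upstream's position but not what the CVE affects, so someone shipping Go code built with this toolchain cannot tell from the recipe whether they are exposed once the entry disappears from the report. Add one line naming the affected component, and drop the trailing blank line this hunk adds at the end of the file.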
--
2.25.1
* [OE-core][dunfell 8/9] xserver-xorg: Security fix for CVE-2020-14360/-25712
From: Steve Sakoman @ 2021-09-10 14:07 UTC
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: https://gitlab.freedesktop.org/xorg/xserver
MR: 108223,
Type: Security Fix
Disposition: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/446ff2d3177087b8173fa779fa5b77a2a128988b and https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9
ChangeID: 496c2a2d80e4f8fff9b0d3148fca70c090cec31e
Description:
affects < 1.20.10
Fixes CVE-2020-14360 and CVE-2020-25712
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xserver-xorg/CVE-2020-14360.patch | 132 ++++++++++++++++++
.../xserver-xorg/CVE-2020-25712.patch | 102 ++++++++++++++
.../xorg-xserver/xserver-xorg_1.20.8.bb | 2 +
3 files changed, 236 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch
new file mode 100644
index 0000000000..e9ab42742e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch
@@ -0,0 +1,132 @@
+From 446ff2d3177087b8173fa779fa5b77a2a128988b Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Thu, 12 Nov 2020 19:15:07 +0100
+Subject: [PATCH] Check SetMap request length carefully.
+
+Avoid out of bounds memory accesses on too short request.
+
+ZDI-CAN 11572 / CVE-2020-14360
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/xorg/xserver/-/commit/446ff2d3177087b8173fa779fa5b77a2a128988b
+CVE: CVE-2020-14360
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ xkb/xkb.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 92 insertions(+)
+
+Index: xorg-server-1.20.8/xkb/xkb.c
+===================================================================
+--- xorg-server-1.20.8.orig/xkb/xkb.c
++++ xorg-server-1.20.8/xkb/xkb.c
+@@ -2382,6 +2382,93 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi,
+ return (char *) wire;
+ }
+
++#define _add_check_len(new) \
++ if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \
++ else len += new
++
++/**
++ * Check the length of the SetMap request
++ */
++static int
++_XkbSetMapCheckLength(xkbSetMapReq *req)
++{
++ size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
++ xkbKeyTypeWireDesc *keytype;
++ xkbSymMapWireDesc *symmap;
++ BOOL preserve;
++ int i, map_count, nSyms;
++
++ if (req_len < len)
++ goto bad;
++ /* types */
++ if (req->present & XkbKeyTypesMask) {
++ keytype = (xkbKeyTypeWireDesc *)(req + 1);
++ for (i = 0; i < req->nTypes; i++) {
++ _add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
++ if (req->flags & XkbSetMapResizeTypes) {
++ _add_check_len(keytype->nMapEntries
++ * sz_xkbKTSetMapEntryWireDesc);
++ preserve = keytype->preserve;
++ map_count = keytype->nMapEntries;
++ if (preserve) {
++ _add_check_len(map_count * sz_xkbModsWireDesc);
++ }
++ keytype += 1;
++ keytype = (xkbKeyTypeWireDesc *)
++ ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
++ if (preserve)
++ keytype = (xkbKeyTypeWireDesc *)
++ ((xkbModsWireDesc *)keytype + map_count);
++ }
++ }
++ }
++ /* syms */
++ if (req->present & XkbKeySymsMask) {
++ symmap = (xkbSymMapWireDesc *)((char *)req + len);
++ for (i = 0; i < req->nKeySyms; i++) {
++ _add_check_len(sz_xkbSymMapWireDesc);
++ nSyms = symmap->nSyms;
++ _add_check_len(nSyms*sizeof(CARD32));
++ symmap += 1;
++ symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms);
++ }
++ }
++ /* actions */
++ if (req->present & XkbKeyActionsMask) {
++ _add_check_len(req->totalActs * sz_xkbActionWireDesc
++ + XkbPaddedSize(req->nKeyActs));
++ }
++ /* behaviours */
++ if (req->present & XkbKeyBehaviorsMask) {
++ _add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc);
++ }
++ /* vmods */
++ if (req->present & XkbVirtualModsMask) {
++ _add_check_len(XkbPaddedSize(Ones(req->virtualMods)));
++ }
++ /* explicit */
++ if (req->present & XkbExplicitComponentsMask) {
++ /* two bytes per non-zero explicit componen */
++ _add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16)));
++ }
++ /* modmap */
++ if (req->present & XkbModifierMapMask) {
++ /* two bytes per non-zero modmap component */
++ _add_check_len(XkbPaddedSize(req->totalModMapKeys * sizeof(CARD16)));
++ }
++ /* vmodmap */
++ if (req->present & XkbVirtualModMapMask) {
++ _add_check_len(req->totalVModMapKeys * sz_xkbVModMapWireDesc);
++ }
++ if (len == req_len)
++ return Success;
++bad:
++ ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
++ len, req_len);
++ return BadLength;
++}
++
++
+ /**
+ * Check if the given request can be applied to the given device but don't
+ * actually do anything..
+@@ -2639,6 +2726,11 @@ ProcXkbSetMap(ClientPtr client)
+ CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess);
+ CHK_MASK_LEGAL(0x01, stuff->present, XkbAllMapComponentsMask);
+
++ /* first verify the request length carefully */
++ rc = _XkbSetMapCheckLength(stuff);
++ if (rc != Success)
++ return rc;
++
+ tmp = (char *) &stuff[1];
+
+ /* Check if we can to the SetMap on the requested device. If this
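Review bot: In `_XkbSetMapCheckLength`, the `bad:` path passes `len` and `req_len`, both declared `size_t`, to `ErrorF` with `%ld`. That is a format/argument mismatch on targets where `size_t` is not `long` (32-bit machines); `%zu`, or a cast to `unsigned long` with `%lu`, would be correct. Because the header says Upstream-Status: Backport, keep the hunk identical to upstream if that is what upstream carries, but raise it there rather than diverging silently. Smaller points: `_add_check_len` expands to an unbraced if/else and uses `new` unparenthesized in `len += new`, so it is only safe as a complete statement, which is how every call here uses it. The URL also sits on its own line after `Upstream-Status: Backport`; the usual form is `Upstream-Status: Backport [<url>]` on one line.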
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch
new file mode 100644
index 0000000000..f39f6b32b1
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch
@@ -0,0 +1,102 @@
+From 87c64fc5b0db9f62f4e361444f4b60501ebf67b9 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sun, 11 Oct 2020 17:05:09 +0200
+Subject: [PATCH] Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap
+ overflows
+
+ZDI-CAN 11389 / CVE-2020-25712
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9
+CVE: CVE-2020-25712
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xkb/xkb.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+Index: xorg-server-1.20.8/xkb/xkb.c
+===================================================================
+--- xorg-server-1.20.8.orig/xkb/xkb.c
++++ xorg-server-1.20.8/xkb/xkb.c
+@@ -6625,7 +6625,9 @@ SetDeviceIndicators(char *wire,
+ unsigned changed,
+ int num,
+ int *status_rtrn,
+- ClientPtr client, xkbExtensionDeviceNotify * ev)
++ ClientPtr client,
++ xkbExtensionDeviceNotify * ev,
++ xkbSetDeviceInfoReq * stuff)
+ {
+ xkbDeviceLedsWireDesc *ledWire;
+ int i;
+@@ -6646,6 +6648,11 @@ SetDeviceIndicators(char *wire,
+ xkbIndicatorMapWireDesc *mapWire;
+ XkbSrvLedInfoPtr sli;
+
++ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
++ *status_rtrn = BadLength;
++ return (char *) ledWire;
++ }
++
+ namec = mapc = statec = 0;
+ sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID,
+ XkbXI_IndicatorMapsMask);
+@@ -6664,6 +6671,10 @@ SetDeviceIndicators(char *wire,
+ memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom));
+ for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
+ if (ledWire->namesPresent & bit) {
++ if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
++ *status_rtrn = BadLength;
++ return (char *) atomWire;
++ }
+ sli->names[n] = (Atom) *atomWire;
+ if (sli->names[n] == None)
+ ledWire->namesPresent &= ~bit;
+@@ -6681,6 +6692,10 @@ SetDeviceIndicators(char *wire,
+ if (ledWire->mapsPresent) {
+ for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
+ if (ledWire->mapsPresent & bit) {
++ if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
++ *status_rtrn = BadLength;
++ return (char *) mapWire;
++ }
+ sli->maps[n].flags = mapWire->flags;
+ sli->maps[n].which_groups = mapWire->whichGroups;
+ sli->maps[n].groups = mapWire->groups;
+@@ -6760,7 +6775,7 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
+ ed.deviceID = dev->id;
+ wire = (char *) &stuff[1];
+ if (stuff->change & XkbXI_ButtonActionsMask) {
+- int nBtns, sz, i;
++ int nBtns, sz, i;
+ XkbAction *acts;
+ DeviceIntPtr kbd;
+
+@@ -6772,7 +6787,11 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
+ return BadAlloc;
+ dev->button->xkb_acts = acts;
+ }
++ if (stuff->firstBtn + stuff->nBtns > nBtns)
++ return BadValue;
+ sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
++ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
++ return BadLength;
+ memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz);
+ wire += sz;
+ ed.reason |= XkbXI_ButtonActionsMask;
+@@ -6793,7 +6812,8 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
+ int status = Success;
+
+ wire = SetDeviceIndicators(wire, dev, stuff->change,
+- stuff->nDeviceLedFBs, &status, client, &ed);
++ stuff->nDeviceLedFBs, &status, client, &ed,
++ stuff);
+ if (status != Success)
+ return status;
+ }
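Review bot: Every new check in `SetDeviceIndicators` and `_XkbSetDeviceInfoCheck` calls `_XkbCheckRequestBounds`, which this patch does not define, so it only builds if the helper is already in xkb/xkb.c of 1.20.8 or is added by a patch applied earlier in SRC_URI. Please state that dependency in the patch header so that reordering or dropping the providing patch is caught in review rather than at compile time. In the button-actions block, `stuff->firstBtn + stuff->nBtns > nBtns` and the `sz` bounds check are both placed before the `memcpy` into `acts`, which is the right order. The `int nBtns, sz, i;` pair is a whitespace-only change; fine to keep for fidelity with upstream.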
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
index 2af1b6f307..8c77c3756b 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
@@ -10,6 +10,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://CVE-2020-14361.patch \
file://CVE-2020-14362.patch \
file://CVE-2020-14345.patch \
+ file://CVE-2020-14360.patch \
+ file://CVE-2020-25712.patch \
"
SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"
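Review bot: The two new SRC_URI entries both patch xkb/xkb.c and are listed in the reverse of upstream commit order (the CVE-2020-25712 commit is dated 11 Oct 2020, the CVE-2020-14360 one 12 Nov 2020). The hunk offsets in CVE-2020-25712.patch therefore depend on CVE-2020-14360.patch having been applied first; please confirm do_patch applies both without fuzz, and keep the two entries adjacent and in this order.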
--
2.25.1
* [OE-core][dunfell 9/9] go: Several Security fixes
2021-09-10 14:07 [OE-core][dunfell 0/9] Patch review Steve Sakoman
` (7 preceding siblings ...)
2021-09-10 14:07 ` [OE-core][dunfell 8/9] xserver-xorg: Security fix for CVE-2020-14360/-25712 Steve Sakoman
@ 2021-09-10 14:07 ` Steve Sakoman
8 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2021-09-10 14:07 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: golang.org
MR: 111958, 112390, 112393
Type: Security Fix
Disposition: Backport from https://github.com/golang/go.git
ChangeID: 662d021814f025b3d768a04864498486f94819a7
Description:
Affects < 1.16.5
Fixes:
CVE-2021-33196
CVE-2021-33197
CVE-2021-34558
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.14.inc | 3 +
.../go/go-1.14/CVE-2021-33196.patch | 124 ++++++++++++++
.../go/go-1.14/CVE-2021-33197.patch | 152 ++++++++++++++++++
.../go/go-1.14/CVE-2021-34558.patch | 51 ++++++
4 files changed, 330 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 50136ca841..abc6f42184 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -16,6 +16,9 @@ SRC_URI += "\
file://0006-cmd-dist-separate-host-and-target-builds.patch \
file://0007-cmd-go-make-GOROOT-precious-by-default.patch \
file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
+ file://CVE-2021-34558.patch \
+ file://CVE-2021-33196.patch \
+ file://CVE-2021-33197.patch \
"
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
new file mode 100644
index 0000000000..2e2dc62c49
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
@@ -0,0 +1,124 @@
+From 74242baa4136c7a9132a8ccd9881354442788c8c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Tue, 11 May 2021 11:31:31 -0700
+Subject: [PATCH] archive/zip: only preallocate File slice if reasonably sized
+
+Since the number of files in the EOCD record isn't validated, it isn't
+safe to preallocate Reader.Files using that field. A malformed archive
+can indicate it contains up to 1 << 128 - 1 files. We can still safely
+preallocate the slice by checking if the specified number of files in
+the archive is reasonable, given the size of the archive.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to
+Emmanuel Odeke for reporting it.
+
+Fixes #46242
+Fixes CVE-2021-33196
+
+Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76
+Reviewed-on: https://go-review.googlesource.com/c/go/+/318909
+Trust: Roland Shoemaker <roland@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Trust: Joe Tsai <thebrokentoaster@gmail.com>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-33196
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/archive/zip/reader.go | 10 +++++-
+ src/archive/zip/reader_test.go | 59 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+), 1 deletion(-)
+
+Index: go/src/archive/zip/reader.go
+===================================================================
+--- go.orig/src/archive/zip/reader.go
++++ go/src/archive/zip/reader.go
+@@ -84,7 +84,15 @@ func (z *Reader) init(r io.ReaderAt, siz
+ return err
+ }
+ z.r = r
+- z.File = make([]*File, 0, end.directoryRecords)
++ // Since the number of directory records is not validated, it is not
++ // safe to preallocate z.File without first checking that the specified
++ // number of files is reasonable, since a malformed archive may
++ // indicate it contains up to 1 << 128 - 1 files. Since each file has a
++ // header which will be _at least_ 30 bytes we can safely preallocate
++ // if (data size / 30) >= end.directoryRecords.
++ if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
++ z.File = make([]*File, 0, end.directoryRecords)
++ }
+ z.Comment = end.comment
+ rs := io.NewSectionReader(r, 0, size)
+ if _, err = rs.Seek(int64(end.directoryOffset), io.SeekStart); err != nil {
+Index: go/src/archive/zip/reader_test.go
+===================================================================
+--- go.orig/src/archive/zip/reader_test.go
++++ go/src/archive/zip/reader_test.go
+@@ -1070,3 +1070,62 @@ func TestIssue12449(t *testing.T) {
+ t.Errorf("Error reading the archive: %v", err)
+ }
+ }
++
++func TestCVE202133196(t *testing.T) {
++ // Archive that indicates it has 1 << 128 -1 files,
++ // this would previously cause a panic due to attempting
++ // to allocate a slice with 1 << 128 -1 elements.
++ data := []byte{
++ 0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x08, 0x08,
++ 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x02,
++ 0x03, 0x62, 0x61, 0x65, 0x03, 0x04, 0x00, 0x00,
++ 0xff, 0xff, 0x50, 0x4b, 0x07, 0x08, 0xbe, 0x20,
++ 0x5c, 0x6c, 0x09, 0x00, 0x00, 0x00, 0x03, 0x00,
++ 0x00, 0x00, 0x50, 0x4b, 0x01, 0x02, 0x14, 0x00,
++ 0x14, 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0xbe, 0x20, 0x5c, 0x6c, 0x09, 0x00,
++ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x03, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x01, 0x02, 0x03, 0x50, 0x4b, 0x06, 0x06, 0x2c,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d,
++ 0x00, 0x2d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
++ 0xff, 0xff, 0xff, 0x31, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x50, 0x4b, 0x06, 0x07, 0x00,
++ 0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50,
++ 0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0xff,
++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++ 0xff, 0xff, 0xff, 0x00, 0x00,
++ }
++ _, err := NewReader(bytes.NewReader(data), int64(len(data)))
++ if err != ErrFormat {
++ t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
++ }
++
++ // Also check that an archive containing a handful of empty
++ // files doesn't cause an issue
++ b := bytes.NewBuffer(nil)
++ w := NewWriter(b)
++ for i := 0; i < 5; i++ {
++ _, err := w.Create("")
++ if err != nil {
++ t.Fatalf("Writer.Create failed: %s", err)
++ }
++ }
++ if err := w.Close(); err != nil {
++ t.Fatalf("Writer.Close failed: %s", err)
++ }
++ r, err := NewReader(bytes.NewReader(b.Bytes()), int64(b.Len()))
++ if err != nil {
++ t.Fatalf("NewReader failed: %s", err)
++ }
++ if len(r.File) != 5 {
++ t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
++ }
++}
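Review bot: The new guard in `Reader.init`, `(uint64(size)-end.directorySize)/30 >= end.directoryRecords`, subtracts two unsigned values without first checking that `end.directorySize` is no larger than `size`. `directorySize` is read from the same end-of-central-directory record as the unvalidated `directoryRecords`, so a value above `size` wraps the subtraction to a very large number and the preallocation goes ahead anyway. Suggest putting `end.directorySize < uint64(size) &&` in front of the comparison, or checking whether upstream has a follow-up fix for this and backporting it alongside; either way, note the divergence in the patch header. Also, `Upstream-Status: Backport` here has no commit URL, unlike CVE-2021-34558.patch in this same series.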
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
new file mode 100644
index 0000000000..2052b1d3db
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
@@ -0,0 +1,152 @@
+From cbd1ca84453fecf3825a6bb9f985823e8bc32b76 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Fri, 21 May 2021 14:02:30 -0400
+Subject: [PATCH] [release-branch.go1.15] net/http/httputil: always remove
+ hop-by-hop headers
+
+Previously, we'd fail to remove the Connection header from a request
+like this:
+
+ Connection:
+ Connection: x-header
+
+Updates #46313
+Fixes #46314
+Fixes CVE-2021-33197
+
+Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d
+Reviewed-on: https://go-review.googlesource.com/c/go/+/321929
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Trust: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323091
+Run-TryBot: Katie Hockman <katie@golang.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-33197
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/net/http/httputil/reverseproxy.go | 22 ++++----
+ src/net/http/httputil/reverseproxy_test.go | 63 +++++++++++++++++++++-
+ 2 files changed, 70 insertions(+), 15 deletions(-)
+
+Index: go/src/net/http/httputil/reverseproxy.go
+===================================================================
+--- go.orig/src/net/http/httputil/reverseproxy.go
++++ go/src/net/http/httputil/reverseproxy.go
+@@ -221,22 +221,18 @@ func (p *ReverseProxy) ServeHTTP(rw http
+ // important is "Connection" because we want a persistent
+ // connection, regardless of what the client sent to us.
+ for _, h := range hopHeaders {
+- hv := outreq.Header.Get(h)
+- if hv == "" {
+- continue
+- }
+- if h == "Te" && hv == "trailers" {
+- // Issue 21096: tell backend applications that
+- // care about trailer support that we support
+- // trailers. (We do, but we don't go out of
+- // our way to advertise that unless the
+- // incoming client request thought it was
+- // worth mentioning)
+- continue
+- }
+ outreq.Header.Del(h)
+ }
+
++ // Issue 21096: tell backend applications that care about trailer support
++ // that we support trailers. (We do, but we don't go out of our way to
++ // advertise that unless the incoming client request thought it was worth
++ // mentioning.) Note that we look at req.Header, not outreq.Header, since
++ // the latter has passed through removeConnectionHeaders.
++ if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") {
++ outreq.Header.Set("Te", "trailers")
++ }
++
+ // After stripping all the hop-by-hop connection headers above, add back any
+ // necessary for protocol upgrades, such as for websockets.
+ if reqUpType != "" {
+Index: go/src/net/http/httputil/reverseproxy_test.go
+===================================================================
+--- go.orig/src/net/http/httputil/reverseproxy_test.go
++++ go/src/net/http/httputil/reverseproxy_test.go
+@@ -91,8 +91,9 @@ func TestReverseProxy(t *testing.T) {
+
+ getReq, _ := http.NewRequest("GET", frontend.URL, nil)
+ getReq.Host = "some-name"
+- getReq.Header.Set("Connection", "close")
+- getReq.Header.Set("Te", "trailers")
++ getReq.Header.Set("Connection", "close, TE")
++ getReq.Header.Add("Te", "foo")
++ getReq.Header.Add("Te", "bar, trailers")
+ getReq.Header.Set("Proxy-Connection", "should be deleted")
+ getReq.Header.Set("Upgrade", "foo")
+ getReq.Close = true
+@@ -236,6 +237,64 @@ func TestReverseProxyStripHeadersPresent
+ }
+ }
+
++func TestReverseProxyStripEmptyConnection(t *testing.T) {
++ // See Issue 46313.
++ const backendResponse = "I am the backend"
++
++ // someConnHeader is some arbitrary header to be declared as a hop-by-hop header
++ // in the Request's Connection header.
++ const someConnHeader = "X-Some-Conn-Header"
++
++ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++ if c := r.Header.Values("Connection"); len(c) != 0 {
++ t.Errorf("handler got header %q = %v; want empty", "Connection", c)
++ }
++ if c := r.Header.Get(someConnHeader); c != "" {
++ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
++ }
++ w.Header().Add("Connection", "")
++ w.Header().Add("Connection", someConnHeader)
++ w.Header().Set(someConnHeader, "should be deleted")
++ io.WriteString(w, backendResponse)
++ }))
++ defer backend.Close()
++ backendURL, err := url.Parse(backend.URL)
++ if err != nil {
++ t.Fatal(err)
++ }
++ proxyHandler := NewSingleHostReverseProxy(backendURL)
++ frontend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++ proxyHandler.ServeHTTP(w, r)
++ if c := r.Header.Get(someConnHeader); c != "should be deleted" {
++ t.Errorf("handler modified header %q = %q; want %q", someConnHeader, c, "should be deleted")
++ }
++ }))
++ defer frontend.Close()
++
++ getReq, _ := http.NewRequest("GET", frontend.URL, nil)
++ getReq.Header.Add("Connection", "")
++ getReq.Header.Add("Connection", someConnHeader)
++ getReq.Header.Set(someConnHeader, "should be deleted")
++ res, err := frontend.Client().Do(getReq)
++ if err != nil {
++ t.Fatalf("Get: %v", err)
++ }
++ defer res.Body.Close()
++ bodyBytes, err := ioutil.ReadAll(res.Body)
++ if err != nil {
++ t.Fatalf("reading body: %v", err)
++ }
++ if got, want := string(bodyBytes), backendResponse; got != want {
++ t.Errorf("got body %q; want %q", got, want)
++ }
++ if c := res.Header.Get("Connection"); c != "" {
++ t.Errorf("handler got header %q = %q; want empty", "Connection", c)
++ }
++ if c := res.Header.Get(someConnHeader); c != "" {
++ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
++ }
++}
++
+ func TestXForwardedFor(t *testing.T) {
+ const prevForwardedFor = "client ip"
+ const backendResponse = "I am the backend"
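Review bot: The added `Te` block in `ServeHTTP` calls `httpguts.HeaderValuesContainsToken`, but no hunk touches the import list of reverseproxy.go, so the patch relies on the go 1.14 copy of the file already importing httpguts. Worth confirming with a build of the go recipe rather than assuming, since the subject line shows the change was cut for `[release-branch.go1.15]`. The new test likewise needs `r.Header.Values` to exist in the 1.14 tree. `Upstream-Status: Backport` should carry the upstream commit URL, as CVE-2021-34558.patch does.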
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch
new file mode 100644
index 0000000000..8fb346d622
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch
@@ -0,0 +1,51 @@
+From a98589711da5e9d935e8d690cfca92892e86d557 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 9 Jun 2021 11:31:27 -0700
+Subject: [PATCH] crypto/tls: test key type when casting
+
+When casting the certificate public key in generateClientKeyExchange,
+check the type is appropriate. This prevents a panic when a server
+agrees to a RSA based key exchange, but then sends an ECDSA (or
+other) certificate.
+
+Fixes #47143
+Fixes CVE-2021-34558
+
+Thanks to Imre Rad for reporting this issue.
+
+Change-Id: Iabccacca6052769a605cccefa1216a9f7b7f6aea
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1116723
+Reviewed-by: Filippo Valsorda <valsorda@google.com>
+Reviewed-by: Katie Hockman <katiehockman@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/334031
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+
+Upstream-Status: Backport
+https://github.com/golang/go/commit/a98589711da5e9d935e8d690cfca92892e86d557
+CVE: CVE-2021-34558
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/crypto/tls/key_agreement.go | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: go/src/crypto/tls/key_agreement.go
+===================================================================
+--- go.orig/src/crypto/tls/key_agreement.go
++++ go/src/crypto/tls/key_agreement.go
+@@ -67,7 +67,11 @@ func (ka rsaKeyAgreement) generateClient
+ return nil, nil, err
+ }
+
+- encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret)
++ rsaKey, ok := cert.PublicKey.(*rsa.PublicKey)
++ if !ok {
++ return nil, nil, errors.New("tls: server certificate contains incorrect key type for selected ciphersuite")
++ }
++ encrypted, err := rsa.EncryptPKCS1v15(config.rand(), rsaKey, preMasterSecret)
+ if err != nil {
+ return nil, nil, err
+ }
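Review bot: The checked type assertion added to `generateClientKeyExchange` comes with no test; the diffstat lists only src/crypto/tls/key_agreement.go. If the crypto/tls tests are run for this recipe, a case where the peer certificate's public key is not `*rsa.PublicKey` under an RSA key-exchange suite would pin the new error return. The hunk also starts using `errors.New` without an import change, so confirm key_agreement.go in 1.14 already imports errors. The `team-review.git.corp.google.com` Reviewed-on line is not resolvable for outside reviewers; the github URL under Upstream-Status is the one they can follow.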
--
2.25.1
* [OE-core][dunfell 0/9] Patch review
@ 2024-02-22 14:30 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2024-02-22 14:30 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Monday, February 26
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6590
The following changes since commit 7ab6087536bc67c63094f08f863dcd3d5e35b8e7:
cmake: Unset CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES (2024-02-12 17:13:14 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Bruce Ashfield (5):
linux-yocto/5.4: update to v5.4.264
linux-yocto/5.4: update to v5.4.265
linux-yocto/5.4: update to v5.4.266
linux-yocto/5.4: update to v5.4.267
linux-yocto/5.4: update to v5.4.268
Peter Marko (1):
gcc-shared-source: whitelist CVE-2023-4039
Richard Purdie (1):
sstatesig: Allow exclusion of the root directory for do_package
Steve Sakoman (1):
cve-exclusion_5.4.inc: update for 5.4.268
Tim Orling (1):
vim: upgrade v9.0.2130 -> v9.0.2190
meta/lib/oe/sstatesig.py | 5 +-
.../gcc/gcc-shared-source.inc | 3 +
.../linux/cve-exclusion_5.4.inc | 199 +++++++++++++++++-
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
meta/recipes-support/vim/vim.inc | 4 +-
7 files changed, 215 insertions(+), 32 deletions(-)
--
2.34.1
* [OE-core][dunfell 0/9] Patch review
@ 2023-04-30 16:25 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2023-04-30 16:25 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5239
The following changes since commit d1943e6a0ec00653c81cd4c0bb0d6b7e0909094c:
go: fix CVE-2023-24537 Infinite loop in parsing (2023-04-21 04:15:45 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Christoph Lauer (1):
populate_sdk_base: add zip options
Nikhil R (1):
openssl: Fix CVE-2023-0464
Omkar Patil (2):
openssl: Fix CVE-2023-0465
openssl: Fix CVE-2023-0466
Shubham Kulkarni (1):
go: Ignore CVE-2022-1705
Vijay Anusuri (2):
sudo: Security fix for CVE-2023-28486 and CVE-2023-28487
curl: Security fix CVE-2023-27533, CVE-2023-27535 and CVE-2023-27536
Virendra Thakur (1):
qemu: Whitelist CVE-2023-0664
Vivek Kumbhar (1):
go: fix CVE-2023-24534 denial of service from excessive memory
allocation
meta/classes/populate_sdk_base.bbclass | 4 +-
.../openssl/openssl/CVE-2023-0464.patch | 226 ++++++
.../openssl/openssl/CVE-2023-0465.patch | 60 ++
.../openssl/openssl/CVE-2023-0466.patch | 82 +++
.../openssl/openssl_1.1.1t.bb | 3 +
meta/recipes-devtools/go/go-1.14.inc | 4 +
.../go/go-1.14/CVE-2023-24534.patch | 200 ++++++
meta/recipes-devtools/qemu/qemu.inc | 5 +
.../CVE-2023-28486_CVE-2023-28487-1.patch | 646 ++++++++++++++++++
.../CVE-2023-28486_CVE-2023-28487-2.patch | 26 +
meta/recipes-extended/sudo/sudo_1.8.32.bb | 2 +
.../curl/curl/CVE-2023-27533.patch | 59 ++
.../curl/curl/CVE-2023-27535-pre1.patch | 236 +++++++
.../curl/curl/CVE-2023-27535.patch | 170 +++++
.../curl/curl/CVE-2023-27536.patch | 55 ++
meta/recipes-support/curl/curl_7.69.1.bb | 4 +
16 files changed, 1781 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24534.patch
create mode 100644 meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch
create mode 100644 meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27533.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch
--
2.34.1
* [OE-core][dunfell 0/9] Patch review
@ 2022-10-13 16:36 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2022-10-13 16:36 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4330
The following changes since commit dbad46a0079843b380cf3dda6008b12ab9526688:
build-appliance-image: Update to dunfell head revision (2022-10-06 23:23:20 +0100)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Hitendra Prajapati (2):
dhcp: Fix CVE-2022-2928 & CVE-2022-2929
qemu: CVE-2021-3750 hcd-ehci: DMA reentrancy issue leads to
use-after-free
John Edward Broadbent (1):
externalsrc: git submodule--helper list unsupported
Michael Halstead (1):
uninative: Upgrade to 3.7 to work with glibc 2.36
Richard Purdie (1):
qemu: Avoid accidental librdmacm linkage
Steve Sakoman (3):
selftest: skip virgl test on ubuntu 22.04
qemu: Avoid accidental libvdeplug linkage
qemu: Add PACKAGECONFIG for rbd
Tim Orling (1):
python3: upgrade 3.8.13 -> 3.8.14
meta/classes/externalsrc.bbclass | 19 +-
meta/conf/distro/include/yocto-uninative.inc | 10 +-
meta/lib/oeqa/selftest/cases/runtime_test.py | 2 +
.../dhcp/dhcp/CVE-2022-2928.patch | 120 ++++++++++++
.../dhcp/dhcp/CVE-2022-2929.patch | 40 ++++
meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb | 2 +
.../python/python3/CVE-2021-28861.patch | 135 -------------
.../{python3_3.8.13.bb => python3_3.8.14.bb} | 5 +-
meta/recipes-devtools/qemu/qemu.inc | 4 +
.../qemu/qemu/CVE-2021-3750.patch | 180 ++++++++++++++++++
10 files changed, 365 insertions(+), 152 deletions(-)
create mode 100644 meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch
create mode 100644 meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2021-28861.patch
rename meta/recipes-devtools/python/{python3_3.8.13.bb => python3_3.8.14.bb} (98%)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750.patch
--
2.25.1
* [OE-core][dunfell 0/9] Patch review
@ 2022-09-14 2:25 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2022-09-14 2:25 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4224
The following changes since commit c9a9d5a1f7fbe88422ccee542a89afbc4c5336e4:
vim: Upgrade 9.0.0242 -> 9.0.0341 (2022-09-07 04:40:43 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Chee Yang Lee (3):
connman: fix CVE-2022-32292
gnutls: fix CVE-2021-4209
virglrenderer: fix CVE-2022-0135
Florin Diaconescu (1):
binutils : CVE-2022-38533
Khan@kpit.com (1):
python3: Fix CVE-2021-28861 for python3
Virendra Thakur (1):
tiff: Fix for CVE-2022-2867/8/9
Yi Zhao (1):
tiff: Security fixes CVE-2022-1354 and CVE-2022-1355
niko.mauno@vaisala.com (2):
systemd: Fix unwritable /var/lock when no sysvinit handling
systemd: Add 'no-dns-fallback' PACKAGECONFIG option
.../connman/connman/CVE-2022-32292.patch | 37 +++
.../connman/connman_1.37.bb | 1 +
.../systemd/systemd/00-create-volatile.conf | 1 +
meta/recipes-core/systemd/systemd_244.5.bb | 1 +
.../binutils/binutils-2.34.inc | 1 +
.../binutils/binutils/CVE-2022-38533.patch | 37 +++
.../python/python3/CVE-2021-28861.patch | 135 +++++++++++
.../recipes-devtools/python/python3_3.8.13.bb | 1 +
.../virglrenderer/CVE-2022-0135.patch | 100 +++++++++
.../virglrenderer/virglrenderer_0.8.2.bb | 1 +
...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 +++++++++++++
.../libtiff/tiff/CVE-2022-1354.patch | 212 ++++++++++++++++++
.../libtiff/tiff/CVE-2022-1355.patch | 62 +++++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 3 +
.../gnutls/gnutls/CVE-2021-4209.patch | 37 +++
meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 +
16 files changed, 789 insertions(+)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2021-28861.patch
create mode 100644 meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch
--
2.25.1
* [OE-core][dunfell 0/9] Patch review
@ 2022-05-18 2:30 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2022-05-18 2:30 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by end
of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3677
The following changes since commit 0f6ae13d76129d96f788b7ede312cfc361ee2bda:
scripts/git: Ensure we don't have circular references (2022-05-10 08:23:12 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Dmitry Baryshkov (1):
linux-firmware: upgrade 20220411 -> 20220509
Konrad Weihmann (1):
linux-firmware: replace mkdir by install
Ranjitsinh Rathod (4):
tiff: Add patches to fix multiple CVEs
freetype: Fix CVEs for freetype
git: Use CVE_CHECK_WHITELIST instead of CVE_CHECK_IGNORE
openssl: Minor security upgrade 1.1.1n to 1.1.1o
Richard Purdie (1):
vim: Upgrade 8.2.4681 -> 8.2.4912
Sana Kazi (1):
curl: Fix CVEs for curl
Steve Sakoman (1):
selftest: skip virgl test on alma 8.6
meta/lib/oeqa/selftest/cases/runtime_test.py | 2 +
.../{openssl_1.1.1n.bb => openssl_1.1.1o.bb} | 2 +-
meta/recipes-devtools/git/git.inc | 2 +-
.../freetype/freetype/CVE-2022-27404.patch | 33 ++++
.../freetype/freetype/CVE-2022-27405.patch | 38 +++++
.../freetype/freetype/CVE-2022-27406.patch | 31 ++++
.../freetype/freetype_2.10.1.bb | 3 +
...01-Makefile-replace-mkdir-by-install.patch | 84 ++++++++++
...20220411.bb => linux-firmware_20220509.bb} | 9 +-
.../libtiff/files/CVE-2022-0865.patch | 39 +++++
.../libtiff/files/CVE-2022-0907.patch | 94 +++++++++++
.../libtiff/files/CVE-2022-0908.patch | 34 ++++
.../libtiff/files/CVE-2022-0909.patch | 37 +++++
.../libtiff/files/CVE-2022-0924.patch | 58 +++++++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 5 +
.../curl/curl/CVE-2022-22576.patch | 148 ++++++++++++++++++
.../curl/curl/CVE-2022-27775.patch | 39 +++++
.../curl/curl/CVE-2022-27776.patch | 114 ++++++++++++++
meta/recipes-support/curl/curl_7.69.1.bb | 3 +
meta/recipes-support/vim/vim.inc | 4 +-
20 files changed, 772 insertions(+), 7 deletions(-)
rename meta/recipes-connectivity/openssl/{openssl_1.1.1n.bb => openssl_1.1.1o.bb} (98%)
create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch
create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch
create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch
create mode 100644 meta/recipes-kernel/linux-firmware/files/0001-Makefile-replace-mkdir-by-install.patch
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220411.bb => linux-firmware_20220509.bb} (99%)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-22576.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27775.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27776.patch
--
2.25.1
* [OE-core][dunfell 0/9] Patch review
@ 2022-05-02 23:02 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2022-05-02 23:02 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Wednesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3600
with the exception of the meta-virtualization test which was just added
to a-full:
https://autobuilder.yoctoproject.org/typhoon/#/builders/128/builds/19
Note that the test passed for qemuarm and qemuarm64, but failed for qemux86-64.
I tried to refrain from commenting that the test was added by someone with an
arm.com address, but I couldn't help myself ;-) (looking at you Ross!)
I'm not going to hold up the review process on this, since this is a newly added test.
Any help fixing this for qemux86-64 would be much appreciated.
Steve
The following changes since commit bb3fc61f0d7f7bcd77ef194b76f4fdd8a7ff6aa5:
scripts/contrib/oe-build-perf-report-email.py: remove obsolete check for phantomjs and optipng (2022-04-27 05:00:00 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Chen Qi (1):
cases/buildepoxy.py: fix typo
Khem Raj (1):
busybox: Use base_bindir instead of hardcoding /bin path
Paul Gortmaker (1):
install/devshell: Introduce git intercept script due to fakeroot
issues
Peter Kjellerstedt (1):
devshell.bbclass: Allow devshell & pydevshell to use the network
Rahul Kumar (1):
neard: Switch SRC_URI to git repo
Richard Purdie (2):
base: Drop git intercept
uninative: Upgrade to 3.6 with gcc 12 support
Ross Burton (2):
python3: ignore CVE-2015-20107
bitbake.conf: mark all directories as safe for git to read
meta/classes/devshell.bbclass | 4 ++++
meta/conf/bitbake.conf | 8 ++++++++
meta/conf/distro/include/yocto-uninative.inc | 8 ++++----
meta/lib/oeqa/sdk/cases/buildepoxy.py | 2 +-
meta/recipes-connectivity/neard/neard_0.16.bb | 13 +++++++------
meta/recipes-core/busybox/busybox.inc | 2 +-
.../recipes-devtools/python/python3_3.8.13.bb | 3 +++
scripts/git-intercept/git | 19 +++++++++++++++++++
8 files changed, 47 insertions(+), 12 deletions(-)
create mode 100755 scripts/git-intercept/git
--
2.25.1
* [OE-core][dunfell 0/9] Patch review
@ 2022-04-20 21:51 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2022-04-20 21:51 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Friday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3552
except for a known intermittent issue (the infamous ping issue), which passed on
subsequent re-test:
https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/5054
The following changes since commit 8fd5133fc7f6bc84193ec6fcbc1746c59bfc8caf:
libxshmfence: Correct LICENSE to HPND (2022-04-18 12:13:17 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Bruce Ashfield (5):
linux-yocto/5.4: update to v5.4.182
linux-yocto/5.4: update to v5.4.183
linux-yocto/5.4: update to v5.4.186
linux-yocto/5.4: update to v5.4.188
linux-yocto/5.4: update to v5.4.190
Peter Kjellerstedt (1):
u-boot: Correct the SRC_URI
Steve Sakoman (1):
git update from 2.24.3 to 2.24.4
wangmy (1):
linux-firmware: upgrade 20220310 -> 20220411
zhengruoqin (1):
wireless-regdb: upgrade 2022.02.18 -> 2022.04.08
meta/recipes-bsp/u-boot/u-boot-common.inc | 4 +-
.../git/files/CVE-2021-21300.patch | 305 ------------------
meta/recipes-devtools/git/git.inc | 1 -
.../git/{git_2.24.3.bb => git_2.24.4.bb} | 4 +-
...20220310.bb => linux-firmware_20220411.bb} | 4 +-
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
....02.18.bb => wireless-regdb_2022.04.08.bb} | 2 +-
9 files changed, 25 insertions(+), 331 deletions(-)
delete mode 100644 meta/recipes-devtools/git/files/CVE-2021-21300.patch
rename meta/recipes-devtools/git/{git_2.24.3.bb => git_2.24.4.bb} (51%)
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220310.bb => linux-firmware_20220411.bb} (99%)
rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2022.02.18.bb => wireless-regdb_2022.04.08.bb} (94%)
--
2.25.1
* [OE-core][dunfell 0/9] Patch review
@ 2020-12-07 14:12 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2020-12-07 14:12 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back by
Wednesday end of day.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1648
The following changes since commit 071806feb195961e59069f778c9ae8f27a739d9a:
e2fsprogs: Fix a ptest permissions determinism issue (2020-11-30 12:05:57 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Bruce Ashfield (8):
linux-yocto/5.4: update to v5.4.71
linux-yocto/5.4: update to v5.4.72
linux-yocto/5.4: update to v5.4.73
linux-yocto/5.4: config cleanup / warnings
linux-yocto/5.4: update to v5.4.75
linux-yocto/5.4: perf: Alias SYS_futex with SYS_futex_time64 on 32-bit
arches with 64bit time_t
linux-yocto/5.4: update to v5.4.78
lttng-modules: add post 2.11.6 patches
Lee Chee Yang (1):
go: update to 1.14.12
meta/recipes-devtools/go/go-1.14.inc | 5 +-
...t-CGO_LDFLAGS-to-appear-in-go-ldflag.patch | 98 ++++++
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
...ncpy-equals-destination-size-warning.patch | 42 +++
...jtool-Rename-frame.h-objtool.h-v5.10.patch | 88 +++++
...oints-output-proper-root-owner-for-t.patch | 316 ++++++++++++++++++
...rdered-extent-tracepoint-take-btrfs_.patch | 179 ++++++++++
...ext4-fast-commit-recovery-path-v5.10.patch | 91 +++++
...intr-vectoring-info-and-error-code-t.patch | 124 +++++++
...x86-mmu-Add-TDP-MMU-PF-handler-v5.10.patch | 82 +++++
...Return-unique-RET_PF_-values-if-the-.patch | 71 ++++
...int-Optimize-using-static_call-v5.10.patch | 155 +++++++++
...-fix-include-order-for-older-kernels.patch | 31 ++
.../0011-Add-release-maintainer-script.patch | 59 ++++
.../0012-Improve-the-release-script.patch | 173 ++++++++++
...fix-ext4-fast-commit-recovery-path-v.patch | 32 ++
...-fix-include-order-for-older-kernels.patch | 32 ++
...fix-tracepoint-Optimize-using-static.patch | 46 +++
...ion-range-for-trace_find_free_extent.patch | 30 ++
.../lttng/lttng-modules_2.11.6.bb | 16 +
22 files changed, 1686 insertions(+), 20 deletions(-)
create mode 100644 meta/recipes-devtools/go/go-1.14/0010-cmd-go-permit-CGO_LDFLAGS-to-appear-in-go-ldflag.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-strncpy-equals-destination-size-warning.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0002-fix-objtool-Rename-frame.h-objtool.h-v5.10.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0003-fix-btrfs-tracepoints-output-proper-root-owner-for-t.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0004-fix-btrfs-make-ordered-extent-tracepoint-take-btrfs_.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0005-fix-ext4-fast-commit-recovery-path-v5.10.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0006-fix-KVM-x86-Add-intr-vectoring-info-and-error-code-t.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0007-fix-kvm-x86-mmu-Add-TDP-MMU-PF-handler-v5.10.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0008-fix-KVM-x86-mmu-Return-unique-RET_PF_-values-if-the-.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0009-fix-tracepoint-Optimize-using-static_call-v5.10.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0010-fix-include-order-for-older-kernels.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0011-Add-release-maintainer-script.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0012-Improve-the-release-script.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0013-fix-backport-of-fix-ext4-fast-commit-recovery-path-v.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0014-Revert-fix-include-order-for-older-kernels.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0015-fix-backport-of-fix-tracepoint-Optimize-using-static.patch
create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0016-fix-adjust-version-range-for-trace_find_free_extent.patch
--
2.17.1
* [OE-core][dunfell 0/9] Patch review
@ 2020-11-17 23:47 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2020-11-17 23:47 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back by
end of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1603
The following changes since commit b4a92a20a683a74423fd5a833d5c016f63dba2b4:
freetype: fix CVE-2020-15999, backport from 2.10.4 (2020-11-13 05:57:16 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alexander Kanavin (2):
ptest-runner: fix upstream version check
glib-2.0: correct build with latest meson
Anibal Limon (1):
ptest-runner: Bump to 2.4.0
Joshua Watt (3):
classes/reproducible: Move to library code
lib/oe/reproducible: Fix error when no git HEAD
lib/oe/reproducible.py: Fix git HEAD check
Khem Raj (1):
ptest-runner: Backport patch to fix inappropriate ioctl error
Mark Jonas (1):
libbsd: Remove BSD-4-Clause from main package
Mingli Yu (1):
python3: add ldconfig rdepends for python3-ctypes
meta/classes/reproducible_build.bbclass | 90 +--------------
meta/lib/oe/reproducible.py | 104 ++++++++++++++++++
.../glib-2.0/meson.cross.d/common-linux | 2 +-
meta/recipes-devtools/python/python3_3.8.2.bb | 1 +
meta/recipes-support/libbsd/libbsd_0.10.0.bb | 3 +-
...-runner_2.3.2.bb => ptest-runner_2.4.0.bb} | 5 +-
6 files changed, 114 insertions(+), 91 deletions(-)
create mode 100644 meta/lib/oe/reproducible.py
rename meta/recipes-support/ptest-runner/{ptest-runner_2.3.2.bb => ptest-runner_2.4.0.bb} (87%)
--
2.17.1