* [OE-core][dunfell 00/14] Patch review
@ 2023-09-12 13:53 Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 01/14] bind: Backport fix for CVE-2023-2828 Steve Sakoman
` (13 more replies)
0 siblings, 14 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Thursday, September 14.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5868
The following changes since commit c953ccba6c2a334cc58a97eee073bdb51a68f1d3:
linux/cve-exclusion: remove obsolete manual entries (2023-08-31 04:26:32 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Anuj Mittal (4):
glibc/check-test-wrapper: don't emit warnings from ssh
selftest/cases/glibc.py: increase the memory for testing
oeqa/utils/nfs: allow requesting non-udp ports
selftest/cases/glibc.py: switch to using NFS over TCP
Ashish Sharma (1):
qemu: Backport fix CVE-2023-3180
Michael Halstead (2):
yocto-uninative: Update to 4.3
resulttool/resultutils: allow index generation despite corrupt json
Priyal Doshi (1):
rootfs-post: remove traling blanks from tasks
Richard Purdie (2):
oeqa/target/ssh: Ensure EAGAIN doesn't truncate output
oeqa/runtime/ltp: Increase ltp test output timeout
Shubham Kulkarni (1):
openssh: Securiry fix for CVE-2023-38408
Staffan Rydén (1):
kernel: Fix path comparison in kernel staging dir symlinking
Vijay Anusuri (2):
bind: Backport fix for CVE-2023-2828
qemu: Backport fix for CVE-2023-0330
meta/classes/kernel.bbclass | 7 +-
meta/classes/rootfs-postcommands.bbclass | 6 +-
meta/classes/rootfsdebugfiles.bbclass | 2 +-
meta/conf/distro/include/yocto-uninative.inc | 8 +-
meta/lib/oeqa/core/target/ssh.py | 3 +
meta/lib/oeqa/runtime/cases/ltp.py | 2 +-
meta/lib/oeqa/selftest/cases/glibc.py | 6 +-
meta/lib/oeqa/utils/nfs.py | 4 +-
.../bind/bind/CVE-2023-2828.patch | 166 +++++
.../recipes-connectivity/bind/bind_9.11.37.bb | 1 +
.../openssh/openssh/CVE-2023-38408-01.patch | 189 ++++++
.../openssh/openssh/CVE-2023-38408-02.patch | 581 ++++++++++++++++++
.../openssh/openssh/CVE-2023-38408-03.patch | 171 ++++++
.../openssh/openssh/CVE-2023-38408-04.patch | 34 +
.../openssh/openssh/CVE-2023-38408-05.patch | 194 ++++++
.../openssh/openssh/CVE-2023-38408-06.patch | 73 +++
.../openssh/openssh/CVE-2023-38408-07.patch | 125 ++++
.../openssh/openssh/CVE-2023-38408-08.patch | 315 ++++++++++
.../openssh/openssh/CVE-2023-38408-09.patch | 38 ++
.../openssh/openssh/CVE-2023-38408-10.patch | 39 ++
.../openssh/openssh/CVE-2023-38408-11.patch | 307 +++++++++
.../openssh/openssh/CVE-2023-38408-12.patch | 120 ++++
.../openssh/openssh_8.2p1.bb | 12 +
.../glibc/glibc/check-test-wrapper | 2 +-
meta/recipes-devtools/qemu/qemu.inc | 4 +-
...-2023-0330.patch => CVE-2023-0330_1.patch} | 0
.../qemu/qemu/CVE-2023-0330_2.patch | 135 ++++
.../qemu/qemu/CVE-2023-3180.patch | 49 ++
scripts/lib/resulttool/resultutils.py | 6 +-
29 files changed, 2579 insertions(+), 20 deletions(-)
create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => CVE-2023-0330_1.patch} (100%)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
--
2.34.1
^ permalink raw reply [flat|nested] 30+ messages in thread
* [OE-core][dunfell 01/14] bind: Backport fix for CVE-2023-2828
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
@ 2023-09-12 13:53 ` Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 02/14] openssh: Securiry fix for CVE-2023-38408 Steve Sakoman
` (12 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream Patch: https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch
LINK: https://security-tracker.debian.org/tracker/CVE-2023-2828
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../bind/bind/CVE-2023-2828.patch | 166 ++++++++++++++++++
.../recipes-connectivity/bind/bind_9.11.37.bb | 1 +
2 files changed, 167 insertions(+)
create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
new file mode 100644
index 0000000000..6f6c104530
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
@@ -0,0 +1,166 @@
+
+Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.11.5.P4+dfsg-5.1+deb10u9.debian.tar.xz
+Upstream patch https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch]
+Upstream Commit: https://github.com/isc-projects/bind9/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a
+CVE: CVE-2023-2828
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+
+---
+ lib/dns/rbtdb.c | 106 +++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 63 insertions(+), 43 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index b1b928c..3165e26 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -792,7 +792,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ bool tree_locked, expire_t reason);
+ static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+- isc_stdtime_t now, bool tree_locked);
++ size_t purgesize, bool tree_locked);
+ static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
+ rdatasetheader_t *newheader);
+ static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+@@ -6784,6 +6784,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
+
+ static dns_dbmethods_t zone_methods;
+
++static size_t
++rdataset_size(rdatasetheader_t *header) {
++ if (!NONEXISTENT(header)) {
++ return (dns_rdataslab_size((unsigned char *)header,
++ sizeof(*header)));
++ }
++
++ return (sizeof(*header));
++}
++
+ static isc_result_t
+ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+@@ -6932,7 +6942,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ }
+
+ if (cache_is_overmem)
+- overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
++ overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
++ tree_locked);
+
+ NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+ isc_rwlocktype_write);
+@@ -6947,9 +6958,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+
+ header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
+- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL)
+- expire_header(rbtdb, header, tree_locked,
+- expire_ttl);
++ if (header != NULL) {
++ dns_ttl_t rdh_ttl = header->rdh_ttl;
++
++ if (rdh_ttl < now - RBTDB_VIRTUAL) {
++ expire_header(rbtdb, header, tree_locked,
++ expire_ttl);
++ }
++ }
+
+ /*
+ * If we've been holding a write lock on the tree just for
+@@ -10388,54 +10404,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
+ }
+
++static size_t
++expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
++ bool tree_locked) {
++ rdatasetheader_t *header, *header_prev;
++ size_t purged = 0;
++
++ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
++ header != NULL && purged <= purgesize; header = header_prev)
++ {
++ header_prev = ISC_LIST_PREV(header, link);
++ /*
++ * Unlink the entry at this point to avoid checking it
++ * again even if it's currently used someone else and
++ * cannot be purged at this moment. This entry won't be
++ * referenced any more (so unlinking is safe) since the
++ * TTL was reset to 0.
++ */
++ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
++ size_t header_size = rdataset_size(header);
++ expire_header(rbtdb, header, tree_locked, expire_lru);
++ purged += header_size;
++ }
++
++ return (purged);
++}
++
+ /*%
+- * Purge some expired and/or stale (i.e. unused for some period) cache entries
+- * under an overmem condition. To recover from this condition quickly, up to
+- * 2 entries will be purged. This process is triggered while adding a new
+- * entry, and we specifically avoid purging entries in the same LRU bucket as
+- * the one to which the new entry will belong. Otherwise, we might purge
+- * entries of the same name of different RR types while adding RRsets from a
+- * single response (consider the case where we're adding A and AAAA glue records
+- * of the same NS name).
+- */
++ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
++ * entries under the overmem condition. To recover from this condition quickly,
++ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
++ *
++ * This process is triggered while adding a new entry, and we specifically avoid
++ * purging entries in the same LRU bucket as the one to which the new entry will
++ * belong. Otherwise, we might purge entries of the same name of different RR
++ * types while adding RRsets from a single response (consider the case where
++ * we're adding A and AAAA glue records of the same NS name).
++*/
+ static void
+-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+- isc_stdtime_t now, bool tree_locked)
++overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
++ bool tree_locked)
+ {
+- rdatasetheader_t *header, *header_prev;
+ unsigned int locknum;
+- int purgecount = 2;
++ size_t purged = 0;
+
+ for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
+- locknum != locknum_start && purgecount > 0;
++ locknum != locknum_start && purged <= purgesize;
+ locknum = (locknum + 1) % rbtdb->node_lock_count) {
+ NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+
+- header = isc_heap_element(rbtdb->heaps[locknum], 1);
+- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
+- expire_header(rbtdb, header, tree_locked,
+- expire_ttl);
+- purgecount--;
+- }
+-
+- for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+- header != NULL && purgecount > 0;
+- header = header_prev) {
+- header_prev = ISC_LIST_PREV(header, link);
+- /*
+- * Unlink the entry at this point to avoid checking it
+- * again even if it's currently used someone else and
+- * cannot be purged at this moment. This entry won't be
+- * referenced any more (so unlinking is safe) since the
+- * TTL was reset to 0.
+- */
+- ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
+- link);
+- expire_header(rbtdb, header, tree_locked,
+- expire_lru);
+- purgecount--;
+- }
++ purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
++ tree_locked);
+
+ NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
diff --git a/meta/recipes-connectivity/bind/bind_9.11.37.bb b/meta/recipes-connectivity/bind/bind_9.11.37.bb
index 2fca28e684..80fbcbfa36 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.37.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://CVE-2022-2795.patch \
file://CVE-2022-38177.patch \
file://CVE-2022-38178.patch \
+ file://CVE-2023-2828.patch \
"
SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff"
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [OE-core][dunfell 02/14] openssh: Securiry fix for CVE-2023-38408
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 01/14] bind: Backport fix for CVE-2023-2828 Steve Sakoman
@ 2023-09-12 13:53 ` Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 03/14] qemu: Backport fix CVE-2023-3180 Steve Sakoman
` (11 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
From: Shubham Kulkarni <skulkarni@mvista.com>
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an
insufficiently trustworthy search path, leading to remote code
execution if an agent is forwarded to an attacker-controlled system.
(Code in /usr/lib is not necessarily safe for loading into ssh-agent.)
NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-38408
Upstream patches:
https://github.com/openssh/openssh-portable/commit/dee22129, https://github.com/openssh/openssh-portable/commit/099cdf59,
https://github.com/openssh/openssh-portable/commit/29ef8a04, https://github.com/openssh/openssh-portable/commit/892506b1,
https://github.com/openssh/openssh-portable/commit/0c111eb8, https://github.com/openssh/openssh-portable/commit/52a03e9f,
https://github.com/openssh/openssh-portable/commit/1fe16fd6, https://github.com/openssh/openssh-portable/commit/e0e8bee8,
https://github.com/openssh/openssh-portable/commit/8afaa7d7, https://github.com/openssh/openssh-portable/commit/1a4b9275,
https://github.com/openssh/openssh-portable/commit/4c1e3ce8, https://github.com/openssh/openssh-portable/commit/1f2731f5.
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../openssh/openssh/CVE-2023-38408-01.patch | 189 ++++++
.../openssh/openssh/CVE-2023-38408-02.patch | 581 ++++++++++++++++++
.../openssh/openssh/CVE-2023-38408-03.patch | 171 ++++++
.../openssh/openssh/CVE-2023-38408-04.patch | 34 +
.../openssh/openssh/CVE-2023-38408-05.patch | 194 ++++++
.../openssh/openssh/CVE-2023-38408-06.patch | 73 +++
.../openssh/openssh/CVE-2023-38408-07.patch | 125 ++++
.../openssh/openssh/CVE-2023-38408-08.patch | 315 ++++++++++
.../openssh/openssh/CVE-2023-38408-09.patch | 38 ++
.../openssh/openssh/CVE-2023-38408-10.patch | 39 ++
.../openssh/openssh/CVE-2023-38408-11.patch | 307 +++++++++
.../openssh/openssh/CVE-2023-38408-12.patch | 120 ++++
.../openssh/openssh_8.2p1.bb | 12 +
13 files changed, 2198 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
new file mode 100644
index 0000000000..c899056337
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
@@ -0,0 +1,189 @@
+From f6213e03887237714eb5bcfc9089c707069f87c5 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Fri, 1 Oct 2021 16:35:49 +1000
+Subject: [PATCH 01/12] make OPENSSL_HAS_ECC checks more thorough
+
+ok dtucker
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/dee22129bbc61e25b1003adfa2bc584c5406ef2d]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11-client.c | 16 ++++++++--------
+ ssh-pkcs11.c | 26 +++++++++++++-------------
+ 2 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
+index 8a0ffef..41114c7 100644
+--- a/ssh-pkcs11-client.c
++++ b/ssh-pkcs11-client.c
+@@ -163,7 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+ return (ret);
+ }
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+ const BIGNUM *rp, EC_KEY *ec)
+@@ -220,12 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+ sshbuf_free(msg);
+ return (ret);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ static RSA_METHOD *helper_rsa;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static EC_KEY_METHOD *helper_ecdsa;
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ /* redirect private key crypto operations to the ssh-pkcs11-helper */
+ static void
+@@ -233,10 +233,10 @@ wrap_key(struct sshkey *k)
+ {
+ if (k->type == KEY_RSA)
+ RSA_set_method(k->rsa, helper_rsa);
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ else if (k->type == KEY_ECDSA)
+ EC_KEY_set_method(k->ecdsa, helper_ecdsa);
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ else
+ fatal("%s: unknown key type", __func__);
+ }
+@@ -247,7 +247,7 @@ pkcs11_start_helper_methods(void)
+ if (helper_rsa != NULL)
+ return (0);
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
+ unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
+ if (helper_ecdsa != NULL)
+@@ -257,7 +257,7 @@ pkcs11_start_helper_methods(void)
+ return (-1);
+ EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
+ EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
+ fatal("%s: RSA_meth_dup failed", __func__);
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index a302c79..b56a41b 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -78,7 +78,7 @@ struct pkcs11_key {
+
+ int pkcs11_interactive = 0;
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static void
+ ossl_error(const char *msg)
+ {
+@@ -89,7 +89,7 @@ ossl_error(const char *msg)
+ error("%s: libcrypto error: %.100s", __func__,
+ ERR_error_string(e, NULL));
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ int
+ pkcs11_init(int interactive)
+@@ -190,10 +190,10 @@ pkcs11_del_provider(char *provider_id)
+
+ static RSA_METHOD *rsa_method;
+ static int rsa_idx = 0;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static EC_KEY_METHOD *ec_key_method;
+ static int ec_key_idx = 0;
+-#endif
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ /* release a wrapped object */
+ static void
+@@ -492,7 +492,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
+ return (0);
+ }
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ /* openssl callback doing the actual signing operation */
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+@@ -604,7 +604,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
+
+ return (0);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ /* remove trailing spaces */
+ static void
+@@ -679,7 +679,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key)
+ return (0);
+ }
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static struct sshkey *
+ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ CK_OBJECT_HANDLE *obj)
+@@ -802,7 +802,7 @@ fail:
+
+ return (key);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ static struct sshkey *
+ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+@@ -910,7 +910,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ #endif
+ struct sshkey *key = NULL;
+ int i;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ int nid;
+ #endif
+ const u_char *cp;
+@@ -999,7 +999,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ key->type = KEY_RSA;
+ key->flags |= SSHKEY_FLAG_EXT;
+ rsa = NULL; /* now owned by key */
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
+ if (EVP_PKEY_get0_EC_KEY(evp) == NULL) {
+ error("invalid x509; no ec key");
+@@ -1030,7 +1030,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ key->type = KEY_ECDSA;
+ key->flags |= SSHKEY_FLAG_EXT;
+ ec = NULL; /* now owned by key */
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ } else {
+ error("unknown certificate key type");
+ goto out;
+@@ -1237,11 +1237,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
+ case CKK_RSA:
+ key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
+ break;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ case CKK_ECDSA:
+ key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj);
+ break;
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ default:
+ /* XXX print key type? */
+ key = NULL;
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
new file mode 100644
index 0000000000..25ba921869
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
@@ -0,0 +1,581 @@
+From 92cebfbcc221c9ef3f6bbb78da3d7699c0ae56be Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 14:03:45 +0000
+Subject: [PATCH 02/12] upstream: Separate ssh-pkcs11-helpers for each p11
+ module
+
+Make ssh-pkcs11-client start an independent helper for each provider,
+providing better isolation between modules and reliability if a single
+module misbehaves.
+
+This also implements reference counting of PKCS#11-hosted keys,
+allowing ssh-pkcs11-helper subprocesses to be automatically reaped
+when no remaining keys reference them. This fixes some bugs we have
+that make PKCS11 keys unusable after they have been deleted, e.g.
+https://bugzilla.mindrot.org/show_bug.cgi?id=3125
+
+ok markus@
+
+OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11-client.c | 372 +++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 282 insertions(+), 90 deletions(-)
+
+diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
+index 41114c7..4f3c6ed 100644
+--- a/ssh-pkcs11-client.c
++++ b/ssh-pkcs11-client.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-pkcs11-client.c,v 1.16 2020/01/25 00:03:36 djm Exp $ */
++/* $OpenBSD: ssh-pkcs11-client.c,v 1.18 2023/07/19 14:03:45 djm Exp $ */
+ /*
+ * Copyright (c) 2010 Markus Friedl. All rights reserved.
+ * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
+@@ -30,12 +30,11 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <errno.h>
++#include <limits.h>
+
+ #include <openssl/ecdsa.h>
+ #include <openssl/rsa.h>
+
+-#include "openbsd-compat/openssl-compat.h"
+-
+ #include "pathnames.h"
+ #include "xmalloc.h"
+ #include "sshbuf.h"
+@@ -47,18 +46,140 @@
+ #include "ssh-pkcs11.h"
+ #include "ssherr.h"
+
++#include "openbsd-compat/openssl-compat.h"
++
+ /* borrows code from sftp-server and ssh-agent */
+
+-static int fd = -1;
+-static pid_t pid = -1;
++/*
++ * Maintain a list of ssh-pkcs11-helper subprocesses. These may be looked up
++ * by provider path or their unique EC/RSA METHOD pointers.
++ */
++struct helper {
++ char *path;
++ pid_t pid;
++ int fd;
++ RSA_METHOD *rsa_meth;
++ EC_KEY_METHOD *ec_meth;
++ int (*rsa_finish)(RSA *rsa);
++ void (*ec_finish)(EC_KEY *key);
++ size_t nrsa, nec; /* number of active keys of each type */
++};
++static struct helper **helpers;
++static size_t nhelpers;
++
++static struct helper *
++helper_by_provider(const char *path)
++{
++ size_t i;
++
++ for (i = 0; i < nhelpers; i++) {
++ if (helpers[i] == NULL || helpers[i]->path == NULL ||
++ helpers[i]->fd == -1)
++ continue;
++ if (strcmp(helpers[i]->path, path) == 0)
++ return helpers[i];
++ }
++ return NULL;
++}
++
++static struct helper *
++helper_by_rsa(const RSA *rsa)
++{
++ size_t i;
++ const RSA_METHOD *meth;
++
++ if ((meth = RSA_get_method(rsa)) == NULL)
++ return NULL;
++ for (i = 0; i < nhelpers; i++) {
++ if (helpers[i] != NULL && helpers[i]->rsa_meth == meth)
++ return helpers[i];
++ }
++ return NULL;
++
++}
++
++static struct helper *
++helper_by_ec(const EC_KEY *ec)
++{
++ size_t i;
++ const EC_KEY_METHOD *meth;
++
++ if ((meth = EC_KEY_get_method(ec)) == NULL)
++ return NULL;
++ for (i = 0; i < nhelpers; i++) {
++ if (helpers[i] != NULL && helpers[i]->ec_meth == meth)
++ return helpers[i];
++ }
++ return NULL;
++
++}
++
++static void
++helper_free(struct helper *helper)
++{
++ size_t i;
++ int found = 0;
++
++ if (helper == NULL)
++ return;
++ if (helper->path == NULL || helper->ec_meth == NULL ||
++ helper->rsa_meth == NULL)
++ fatal("%s: inconsistent helper", __func__);
++ debug3("%s: free helper for provider %s", __func__ , helper->path);
++ for (i = 0; i < nhelpers; i++) {
++ if (helpers[i] == helper) {
++ if (found)
++ fatal("%s: helper recorded more than once", __func__);
++ found = 1;
++ }
++ else if (found)
++ helpers[i - 1] = helpers[i];
++ }
++ if (found) {
++ helpers = xrecallocarray(helpers, nhelpers,
++ nhelpers - 1, sizeof(*helpers));
++ nhelpers--;
++ }
++ free(helper->path);
++ EC_KEY_METHOD_free(helper->ec_meth);
++ RSA_meth_free(helper->rsa_meth);
++ free(helper);
++}
++
++static void
++helper_terminate(struct helper *helper)
++{
++ if (helper == NULL) {
++ return;
++ } else if (helper->fd == -1) {
++ debug3("%s: already terminated", __func__);
++ } else {
++ debug3("terminating helper for %s; "
++ "remaining %zu RSA %zu ECDSA", __func__,
++ helper->path, helper->nrsa, helper->nec);
++ close(helper->fd);
++ /* XXX waitpid() */
++ helper->fd = -1;
++ helper->pid = -1;
++ }
++ /*
++ * Don't delete the helper entry until there are no remaining keys
++ * that reference it. Otherwise, any signing operation would call
++ * a free'd METHOD pointer and that would be bad.
++ */
++ if (helper->nrsa == 0 && helper->nec == 0)
++ helper_free(helper);
++}
+
+ static void
+-send_msg(struct sshbuf *m)
++send_msg(int fd, struct sshbuf *m)
+ {
+ u_char buf[4];
+ size_t mlen = sshbuf_len(m);
+ int r;
+
++ if (fd == -1)
++ return;
+ POKE_U32(buf, mlen);
+ if (atomicio(vwrite, fd, buf, 4) != 4 ||
+ atomicio(vwrite, fd, sshbuf_mutable_ptr(m),
+@@ -69,12 +190,15 @@ send_msg(struct sshbuf *m)
+ }
+
+ static int
+-recv_msg(struct sshbuf *m)
++recv_msg(int fd, struct sshbuf *m)
+ {
+ u_int l, len;
+ u_char c, buf[1024];
+ int r;
+
++ sshbuf_reset(m);
++ if (fd == -1)
++ return 0; /* XXX */
+ if ((len = atomicio(read, fd, buf, 4)) != 4) {
+ error("read from helper failed: %u", len);
+ return (0); /* XXX */
+@@ -83,7 +207,6 @@ recv_msg(struct sshbuf *m)
+ if (len > 256 * 1024)
+ fatal("response too long: %u", len);
+ /* read len bytes into m */
+- sshbuf_reset(m);
+ while (len > 0) {
+ l = len;
+ if (l > sizeof(buf))
+@@ -104,14 +227,17 @@ recv_msg(struct sshbuf *m)
+ int
+ pkcs11_init(int interactive)
+ {
+- return (0);
++ return 0;
+ }
+
+ void
+ pkcs11_terminate(void)
+ {
+- if (fd >= 0)
+- close(fd);
++ size_t i;
++
++ debug3("%s: terminating %zu helpers", __func__, nhelpers);
++ for (i = 0; i < nhelpers; i++)
++ helper_terminate(helpers[i]);
+ }
+
+ static int
+@@ -122,7 +248,11 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+ u_char *blob = NULL, *signature = NULL;
+ size_t blen, slen = 0;
+ int r, ret = -1;
++ struct helper *helper;
+
++ if ((helper = helper_by_rsa(rsa)) == NULL || helper->fd == -1)
++ fatal("%s: no helper for PKCS11 key", __func__);
++ debug3("%s: signing with PKCS11 provider %s", __func__, helper->path);
+ if (padding != RSA_PKCS1_PADDING)
+ goto fail;
+ key = sshkey_new(KEY_UNSPEC);
+@@ -144,10 +274,10 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+ (r = sshbuf_put_string(msg, from, flen)) != 0 ||
+ (r = sshbuf_put_u32(msg, 0)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- send_msg(msg);
++ send_msg(helper->fd, msg);
+ sshbuf_reset(msg);
+
+- if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) {
++ if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) {
+ if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ if (slen <= (size_t)RSA_size(rsa)) {
+@@ -163,7 +293,26 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+ return (ret);
+ }
+
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
++static int
++rsa_finish(RSA *rsa)
++{
++ struct helper *helper;
++
++ if ((helper = helper_by_rsa(rsa)) == NULL)
++ fatal("%s: no helper for PKCS11 key", __func__);
++ debug3("%s: free PKCS11 RSA key for provider %s", __func__, helper->path);
++ if (helper->rsa_finish != NULL)
++ helper->rsa_finish(rsa);
++ if (helper->nrsa == 0)
++ fatal("%s: RSA refcount error", __func__);
++ helper->nrsa--;
++ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
++ helper->path, helper->nrsa, helper->nec);
++ if (helper->nrsa == 0 && helper->nec == 0)
++ helper_terminate(helper);
++ return 1;
++}
++
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+ const BIGNUM *rp, EC_KEY *ec)
+@@ -175,7 +324,11 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+ u_char *blob = NULL, *signature = NULL;
+ size_t blen, slen = 0;
+ int r, nid;
++ struct helper *helper;
+
++ if ((helper = helper_by_ec(ec)) == NULL || helper->fd == -1)
++ fatal("%s: no helper for PKCS11 key", __func__);
++ debug3("%s: signing with PKCS11 provider %s", __func__, helper->path);
+ nid = sshkey_ecdsa_key_to_nid(ec);
+ if (nid < 0) {
+ error("%s: couldn't get curve nid", __func__);
+@@ -203,10 +356,10 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+ (r = sshbuf_put_string(msg, dgst, dgst_len)) != 0 ||
+ (r = sshbuf_put_u32(msg, 0)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- send_msg(msg);
++ send_msg(helper->fd, msg);
+ sshbuf_reset(msg);
+
+- if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) {
++ if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) {
+ if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ cp = signature;
+@@ -220,75 +373,110 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+ sshbuf_free(msg);
+ return (ret);
+ }
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+-static RSA_METHOD *helper_rsa;
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+-static EC_KEY_METHOD *helper_ecdsa;
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
++static void
++ecdsa_do_finish(EC_KEY *ec)
++{
++ struct helper *helper;
++
++ if ((helper = helper_by_ec(ec)) == NULL)
++ fatal("%s: no helper for PKCS11 key", __func__);
++ debug3("%s: free PKCS11 ECDSA key for provider %s", __func__, helper->path);
++ if (helper->ec_finish != NULL)
++ helper->ec_finish(ec);
++ if (helper->nec == 0)
++ fatal("%s: ECDSA refcount error", __func__);
++ helper->nec--;
++ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
++ helper->path, helper->nrsa, helper->nec);
++ if (helper->nrsa == 0 && helper->nec == 0)
++ helper_terminate(helper);
++}
+
+ /* redirect private key crypto operations to the ssh-pkcs11-helper */
+ static void
+-wrap_key(struct sshkey *k)
++wrap_key(struct helper *helper, struct sshkey *k)
+ {
+- if (k->type == KEY_RSA)
+- RSA_set_method(k->rsa, helper_rsa);
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+- else if (k->type == KEY_ECDSA)
+- EC_KEY_set_method(k->ecdsa, helper_ecdsa);
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+- else
++ debug3("%s: wrap %s for provider %s", __func__, sshkey_type(k), helper->path);
++ if (k->type == KEY_RSA) {
++ RSA_set_method(k->rsa, helper->rsa_meth);
++ if (helper->nrsa++ >= INT_MAX)
++ fatal("%s: RSA refcount error", __func__);
++ } else if (k->type == KEY_ECDSA) {
++ EC_KEY_set_method(k->ecdsa, helper->ec_meth);
++ if (helper->nec++ >= INT_MAX)
++ fatal("%s: EC refcount error", __func__);
++ } else
+ fatal("%s: unknown key type", __func__);
++ k->flags |= SSHKEY_FLAG_EXT;
++ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
++ helper->path, helper->nrsa, helper->nec);
+ }
+
+ static int
+-pkcs11_start_helper_methods(void)
++pkcs11_start_helper_methods(struct helper *helper)
+ {
+- if (helper_rsa != NULL)
+- return (0);
+-
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+- int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
++ int (*ec_init)(EC_KEY *key);
++ int (*ec_copy)(EC_KEY *dest, const EC_KEY *src);
++ int (*ec_set_group)(EC_KEY *key, const EC_GROUP *grp);
++ int (*ec_set_private)(EC_KEY *key, const BIGNUM *priv_key);
++ int (*ec_set_public)(EC_KEY *key, const EC_POINT *pub_key);
++ int (*ec_sign)(int, const unsigned char *, int, unsigned char *,
+ unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
+- if (helper_ecdsa != NULL)
+- return (0);
+- helper_ecdsa = EC_KEY_METHOD_new(EC_KEY_OpenSSL());
+- if (helper_ecdsa == NULL)
+- return (-1);
+- EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
+- EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+-
+- if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
++ RSA_METHOD *rsa_meth;
++ EC_KEY_METHOD *ec_meth;
++
++ if ((ec_meth = EC_KEY_METHOD_new(EC_KEY_OpenSSL())) == NULL)
++ return -1;
++ EC_KEY_METHOD_get_sign(ec_meth, &ec_sign, NULL, NULL);
++ EC_KEY_METHOD_set_sign(ec_meth, ec_sign, NULL, ecdsa_do_sign);
++ EC_KEY_METHOD_get_init(ec_meth, &ec_init, &helper->ec_finish,
++ &ec_copy, &ec_set_group, &ec_set_private, &ec_set_public);
++ EC_KEY_METHOD_set_init(ec_meth, ec_init, ecdsa_do_finish,
++ ec_copy, ec_set_group, ec_set_private, ec_set_public);
++
++ if ((rsa_meth = RSA_meth_dup(RSA_get_default_method())) == NULL)
+ fatal("%s: RSA_meth_dup failed", __func__);
+- if (!RSA_meth_set1_name(helper_rsa, "ssh-pkcs11-helper") ||
+- !RSA_meth_set_priv_enc(helper_rsa, rsa_encrypt))
++ helper->rsa_finish = RSA_meth_get_finish(rsa_meth);
++ if (!RSA_meth_set1_name(rsa_meth, "ssh-pkcs11-helper") ||
++ !RSA_meth_set_priv_enc(rsa_meth, rsa_encrypt) ||
++ !RSA_meth_set_finish(rsa_meth, rsa_finish))
+ fatal("%s: failed to prepare method", __func__);
+
+- return (0);
++ helper->ec_meth = ec_meth;
++ helper->rsa_meth = rsa_meth;
++ return 0;
+ }
+
+-static int
+-pkcs11_start_helper(void)
++static struct helper *
++pkcs11_start_helper(const char *path)
+ {
+ int pair[2];
+- char *helper, *verbosity = NULL;
+-
+- if (log_level_get() >= SYSLOG_LEVEL_DEBUG1)
+- verbosity = "-vvv";
+-
+- if (pkcs11_start_helper_methods() == -1) {
+- error("pkcs11_start_helper_methods failed");
+- return (-1);
+- }
++ char *prog, *verbosity = NULL;
++ struct helper *helper;
++ pid_t pid;
+
++ if (nhelpers >= INT_MAX)
++ fatal("%s: too many helpers", __func__);
++ debug3("%s: start helper for %s", __func__, path);
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) {
+ error("socketpair: %s", strerror(errno));
+- return (-1);
++ return NULL;
++ }
++ helper = xcalloc(1, sizeof(*helper));
++ if (pkcs11_start_helper_methods(helper) == -1) {
++ error("pkcs11_start_helper_methods failed");
++ goto fail;
+ }
+ if ((pid = fork()) == -1) {
+ error("fork: %s", strerror(errno));
+- return (-1);
++ fail:
++ close(pair[0]);
++ close(pair[1]);
++ RSA_meth_free(helper->rsa_meth);
++ EC_KEY_METHOD_free(helper->ec_meth);
++ free(helper);
++ return NULL;
+ } else if (pid == 0) {
+ if ((dup2(pair[1], STDIN_FILENO) == -1) ||
+ (dup2(pair[1], STDOUT_FILENO) == -1)) {
+@@ -297,18 +485,27 @@ pkcs11_start_helper(void)
+ }
+ close(pair[0]);
+ close(pair[1]);
+- helper = getenv("SSH_PKCS11_HELPER");
+- if (helper == NULL || strlen(helper) == 0)
+- helper = _PATH_SSH_PKCS11_HELPER;
++ prog = getenv("SSH_PKCS11_HELPER");
++ if (prog == NULL || strlen(prog) == 0)
++ prog = _PATH_SSH_PKCS11_HELPER;
++ if (log_level_get() >= SYSLOG_LEVEL_DEBUG1)
++ verbosity = "-vvv";
+ debug("%s: starting %s %s", __func__, helper,
+ verbosity == NULL ? "" : verbosity);
+- execlp(helper, helper, verbosity, (char *)NULL);
+- fprintf(stderr, "exec: %s: %s\n", helper, strerror(errno));
++ execlp(prog, prog, verbosity, (char *)NULL);
++ fprintf(stderr, "exec: %s: %s\n", prog, strerror(errno));
+ _exit(1);
+ }
+ close(pair[1]);
+- fd = pair[0];
+- return (0);
++ helper->fd = pair[0];
++ helper->path = xstrdup(path);
++ helper->pid = pid;
++ debug3("%s: helper %zu for \"%s\" on fd %d pid %ld", __func__, nhelpers,
++ helper->path, helper->fd, (long)helper->pid);
++ helpers = xrecallocarray(helpers, nhelpers,
++ nhelpers + 1, sizeof(*helpers));
++ helpers[nhelpers++] = helper;
++ return helper;
+ }
+
+ int
+@@ -322,9 +519,11 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+ size_t blen;
+ u_int nkeys, i;
+ struct sshbuf *msg;
++ struct helper *helper;
+
+- if (fd < 0 && pkcs11_start_helper() < 0)
+- return (-1);
++ if ((helper = helper_by_provider(name)) == NULL &&
++ (helper = pkcs11_start_helper(name)) == NULL)
++ return -1;
+
+ if ((msg = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+@@ -332,10 +531,10 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+ (r = sshbuf_put_cstring(msg, name)) != 0 ||
+ (r = sshbuf_put_cstring(msg, pin)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- send_msg(msg);
++ send_msg(helper->fd, msg);
+ sshbuf_reset(msg);
+
+- type = recv_msg(msg);
++ type = recv_msg(helper->fd, msg);
+ if (type == SSH2_AGENT_IDENTITIES_ANSWER) {
+ if ((r = sshbuf_get_u32(msg, &nkeys)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -350,7 +549,7 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+ __func__, ssh_err(r));
+ if ((r = sshkey_from_blob(blob, blen, &k)) != 0)
+ fatal("%s: bad key: %s", __func__, ssh_err(r));
+- wrap_key(k);
++ wrap_key(helper, k);
+ (*keysp)[i] = k;
+ if (labelsp)
+ (*labelsp)[i] = label;
+@@ -371,22 +570,15 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+ int
+ pkcs11_del_provider(char *name)
+ {
+- int r, ret = -1;
+- struct sshbuf *msg;
+-
+- if ((msg = sshbuf_new()) == NULL)
+- fatal("%s: sshbuf_new failed", __func__);
+- if ((r = sshbuf_put_u8(msg, SSH_AGENTC_REMOVE_SMARTCARD_KEY)) != 0 ||
+- (r = sshbuf_put_cstring(msg, name)) != 0 ||
+- (r = sshbuf_put_cstring(msg, "")) != 0)
+- fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- send_msg(msg);
+- sshbuf_reset(msg);
+-
+- if (recv_msg(msg) == SSH_AGENT_SUCCESS)
+- ret = 0;
+- sshbuf_free(msg);
+- return (ret);
++ struct helper *helper;
++
++ /*
++ * ssh-agent deletes keys before calling this, so the helper entry
++ * should be gone before we get here.
++ */
++ debug3("%s: delete %s", __func__, name);
++ if ((helper = helper_by_provider(name)) != NULL)
++ helper_terminate(helper);
++ return 0;
+ }
+-
+ #endif /* ENABLE_PKCS11 */
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
new file mode 100644
index 0000000000..e16e5e245e
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
@@ -0,0 +1,171 @@
+From 2f1be98e83feb90665b9292eff8bb734537fd491 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 14:02:27 +0000
+Subject: [PATCH 03/12] upstream: Ensure FIDO/PKCS11 libraries contain expected
+ symbols
+
+This checks via nlist(3) that candidate provider libraries contain one
+of the symbols that we will require prior to dlopen(), which can cause
+a number of side effects, including execution of constructors.
+
+Feedback deraadt; ok markus
+
+OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ misc.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ misc.h | 1 +
+ ssh-pkcs11.c | 4 +++
+ ssh-sk.c | 6 ++--
+ 4 files changed, 86 insertions(+), 2 deletions(-)
+
+diff --git a/misc.c b/misc.c
+index 3a31d5c..8a107e4 100644
+--- a/misc.c
++++ b/misc.c
+@@ -28,6 +28,7 @@
+
+ #include <sys/types.h>
+ #include <sys/ioctl.h>
++#include <sys/mman.h>
+ #include <sys/socket.h>
+ #include <sys/stat.h>
+ #include <sys/time.h>
+@@ -41,6 +42,9 @@
+ #ifdef HAVE_POLL_H
+ #include <poll.h>
+ #endif
++#ifdef HAVE_NLIST_H
++#include <nlist.h>
++#endif
+ #include <signal.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+@@ -2266,3 +2270,76 @@ ssh_signal(int signum, sshsig_t handler)
+ }
+ return osa.sa_handler;
+ }
++
++
++/*
++ * Returns zero if the library at 'path' contains symbol 's', nonzero
++ * otherwise.
++ */
++int
++lib_contains_symbol(const char *path, const char *s)
++{
++#ifdef HAVE_NLIST_H
++ struct nlist nl[2];
++ int ret = -1, r;
++
++ memset(nl, 0, sizeof(nl));
++ nl[0].n_name = xstrdup(s);
++ nl[1].n_name = NULL;
++ if ((r = nlist(path, nl)) == -1) {
++ error("%s: nlist failed for %s", __func__, path);
++ goto out;
++ }
++ if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) {
++ error("%s: library %s does not contain symbol %s", __func__, path, s);
++ goto out;
++ }
++ /* success */
++ ret = 0;
++ out:
++ free(nl[0].n_name);
++ return ret;
++#else /* HAVE_NLIST_H */
++ int fd, ret = -1;
++ struct stat st;
++ void *m = NULL;
++ size_t sz = 0;
++
++ memset(&st, 0, sizeof(st));
++ if ((fd = open(path, O_RDONLY)) < 0) {
++ error("%s: open %s: %s", __func__, path, strerror(errno));
++ return -1;
++ }
++ if (fstat(fd, &st) != 0) {
++ error("%s: fstat %s: %s", __func__, path, strerror(errno));
++ goto out;
++ }
++ if (!S_ISREG(st.st_mode)) {
++ error("%s: %s is not a regular file", __func__, path);
++ goto out;
++ }
++ if (st.st_size < 0 ||
++ (size_t)st.st_size < strlen(s) ||
++ st.st_size >= INT_MAX/2) {
++ error("%s: %s bad size %lld", __func__, path, (long long)st.st_size);
++ goto out;
++ }
++ sz = (size_t)st.st_size;
++ if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED ||
++ m == NULL) {
++ error("%s: mmap %s: %s", __func__, path, strerror(errno));
++ goto out;
++ }
++ if (memmem(m, sz, s, strlen(s)) == NULL) {
++ error("%s: %s does not contain expected string %s", __func__, path, s);
++ goto out;
++ }
++ /* success */
++ ret = 0;
++ out:
++ if (m != NULL && m != MAP_FAILED)
++ munmap(m, sz);
++ close(fd);
++ return ret;
++#endif /* HAVE_NLIST_H */
++}
+diff --git a/misc.h b/misc.h
+index 4a05db2..3f9f4db 100644
+--- a/misc.h
++++ b/misc.h
+@@ -86,6 +86,7 @@ const char *atoi_err(const char *, int *);
+ int parse_absolute_time(const char *, uint64_t *);
+ void format_absolute_time(uint64_t, char *, size_t);
+ int path_absolute(const char *);
++int lib_contains_symbol(const char *, const char *);
+
+ void sock_set_v6only(int);
+
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index b56a41b..639a6f7 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1499,6 +1499,10 @@ pkcs11_register_provider(char *provider_id, char *pin,
+ __func__, provider_id);
+ goto fail;
+ }
++ if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
++ error("provider %s is not a PKCS11 library", provider_id);
++ goto fail;
++ }
+ /* open shared pkcs11-library */
+ if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
+ error("dlopen %s failed: %s", provider_id, dlerror());
+diff --git a/ssh-sk.c b/ssh-sk.c
+index 5ff9381..9df12cc 100644
+--- a/ssh-sk.c
++++ b/ssh-sk.c
+@@ -119,10 +119,12 @@ sshsk_open(const char *path)
+ #endif
+ return ret;
+ }
+- if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
+- error("Provider \"%s\" dlopen failed: %s", path, dlerror());
++ if (lib_contains_symbol(path, "sk_api_version") != 0) {
++ error("provider %s is not an OpenSSH FIDO library", path);
+ goto fail;
+ }
++ if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL)
++ fatal("Provider \"%s\" dlopen failed: %s", path, dlerror());
+ if ((ret->sk_api_version = dlsym(ret->dlhandle,
+ "sk_api_version")) == NULL) {
+ error("Provider \"%s\" dlsym(sk_api_version) failed: %s",
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
new file mode 100644
index 0000000000..5e8040c9bf
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
@@ -0,0 +1,34 @@
+From 0862f338941bfdfb2cadee87de6d5fdca1b8f457 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:55:53 +0000
+Subject: [PATCH 04/12] upstream: terminate process if requested to load a
+ PKCS#11 provider that isn't a PKCS#11 provider; from / ok markus@
+
+OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 639a6f7..7530acc 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1508,10 +1508,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
+ error("dlopen %s failed: %s", provider_id, dlerror());
+ goto fail;
+ }
+- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+- goto fail;
+- }
++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ p = xcalloc(1, sizeof(*p));
+ p->name = xstrdup(provider_id);
+ p->handle = handle;
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
new file mode 100644
index 0000000000..0ddbdc68d4
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
@@ -0,0 +1,194 @@
+From a6cee3905edf070c0de135d3f2ee5b74da1dbd28 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 May 2020 01:26:58 +0000
+Subject: [PATCH 05/12] upstream: Restrict ssh-agent from signing web
+ challenges for FIDO
+
+keys.
+
+When signing messages in ssh-agent using a FIDO key that has an
+application string that does not start with "ssh:", ensure that the
+message being signed is one of the forms expected for the SSH protocol
+(currently pubkey authentication and sshsig signatures).
+
+This prevents ssh-agent forwarding on a host that has FIDO keys
+attached granting the ability for the remote side to sign challenges
+for web authentication using those keys too.
+
+Note that the converse case of web browsers signing SSH challenges is
+already precluded because no web RP can have the "ssh:" prefix in the
+application string that we require.
+
+ok markus@
+
+OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/0c111eb84efba7c2a38b2cc3278901a0123161b9]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 100 insertions(+), 10 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index ceb348c..1794f35 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.255 2020/02/06 22:30:54 naddy Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -77,6 +77,7 @@
+
+ #include "xmalloc.h"
+ #include "ssh.h"
++#include "ssh2.h"
+ #include "sshbuf.h"
+ #include "sshkey.h"
+ #include "authfd.h"
+@@ -167,6 +168,9 @@ static long lifetime = 0;
+
+ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+
++/* Refuse signing of non-SSH messages for web-origin FIDO keys */
++static int restrict_websafe = 1;
++
+ static void
+ close_socket(SocketEntry *e)
+ {
+@@ -282,6 +286,80 @@ agent_decode_alg(struct sshkey *key, u_int flags)
+ return NULL;
+ }
+
++/*
++ * This function inspects a message to be signed by a FIDO key that has a
++ * web-like application string (i.e. one that does not begin with "ssh:".
++ * It checks that the message is one of those expected for SSH operations
++ * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
++ * for the web.
++ */
++static int
++check_websafe_message_contents(struct sshkey *key,
++ const u_char *msg, size_t len)
++{
++ int matched = 0;
++ struct sshbuf *b;
++ u_char m, n;
++ char *cp1 = NULL, *cp2 = NULL;
++ int r;
++ struct sshkey *mkey = NULL;
++
++ if ((b = sshbuf_from(msg, len)) == NULL)
++ fatal("%s: sshbuf_new", __func__);
++
++ /* SSH userauth request */
++ if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */
++ (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */
++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */
++ (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */
++ (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */
++ (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */
++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */
++ (r = sshkey_froms(b, &mkey)) == 0 && /* key */
++ sshbuf_len(b) == 0) {
++ debug("%s: parsed userauth", __func__);
++ if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 &&
++ strcmp(cp1, "ssh-connection") == 0 &&
++ strcmp(cp2, "publickey") == 0 &&
++ sshkey_equal(key, mkey)) {
++ debug("%s: well formed userauth", __func__);
++ matched = 1;
++ }
++ }
++ free(cp1);
++ free(cp2);
++ sshkey_free(mkey);
++ sshbuf_free(b);
++ if (matched)
++ return 1;
++
++ if ((b = sshbuf_from(msg, len)) == NULL)
++ fatal("%s: sshbuf_new", __func__);
++ cp1 = cp2 = NULL;
++ mkey = NULL;
++
++ /* SSHSIG */
++ if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 &&
++ (r = sshbuf_consume(b, 6)) == 0 &&
++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */
++ (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */
++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */
++ (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */
++ sshbuf_len(b) == 0) {
++ debug("%s: parsed sshsig", __func__);
++ matched = 1;
++ }
++
++ sshbuf_free(b);
++ if (matched)
++ return 1;
++
++ /* XXX CA signature operation */
++
++ error("web-origin key attempting to sign non-SSH message");
++ return 0;
++}
++
+ /* ssh2 only */
+ static void
+ process_sign_request2(SocketEntry *e)
+@@ -314,14 +392,20 @@ process_sign_request2(SocketEntry *e)
+ verbose("%s: user refused key", __func__);
+ goto send;
+ }
+- if (sshkey_is_sk(id->key) &&
+- (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
+- if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+- SSH_FP_DEFAULT)) == NULL)
+- fatal("%s: fingerprint failed", __func__);
+- notifier = notify_start(0,
+- "Confirm user presence for key %s %s",
+- sshkey_type(id->key), fp);
++ if (sshkey_is_sk(id->key)) {
++ if (strncmp(id->key->sk_application, "ssh:", 4) != 0 &&
++ !check_websafe_message_contents(key, data, dlen)) {
++ /* error already logged */
++ goto send;
++ }
++ if ((id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
++ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
++ SSH_FP_DEFAULT)) == NULL)
++ fatal("%s: fingerprint failed", __func__);
++ notifier = notify_start(0,
++ "Confirm user presence for key %s %s",
++ sshkey_type(id->key), fp);
++ }
+ }
+ if ((r = sshkey_sign(id->key, &signature, &slen,
+ data, dlen, agent_decode_alg(key, flags),
+@@ -1214,7 +1298,7 @@ main(int ac, char **av)
+ __progname = ssh_get_progname(av[0]);
+ seed_rng();
+
+- while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
++ while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
+ switch (ch) {
+ case 'E':
+ fingerprint_hash = ssh_digest_alg_by_name(optarg);
+@@ -1229,6 +1313,12 @@ main(int ac, char **av)
+ case 'k':
+ k_flag++;
+ break;
++ case 'O':
++ if (strcmp(optarg, "no-restrict-websafe") == 0)
++ restrict_websafe = 0;
++ else
++ fatal("Unknown -O option");
++ break;
+ case 'P':
+ if (provider_whitelist != NULL)
+ fatal("-P option already specified");
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
new file mode 100644
index 0000000000..ac494aab0b
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
@@ -0,0 +1,73 @@
+From a5d845b7b42861d18f43e83de9f24c7374d1b458 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Sep 2020 08:16:38 +0000
+Subject: [PATCH 06/12] upstream: handle multiple messages in a single read()
+
+PR#183 by Dennis Kaarsemaker; feedback and ok markus@
+
+OpenBSD-Commit-ID: 8570bb4d02d00cf70b98590716ea6a7d1cce68d1
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/52a03e9fca2d74eef953ddd4709250f365ca3975]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 1794f35..78f7268 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -853,8 +853,10 @@ send:
+ }
+ #endif /* ENABLE_PKCS11 */
+
+-/* dispatch incoming messages */
+-
++/*
++ * dispatch incoming message.
++ * returns 1 on success, 0 for incomplete messages or -1 on error.
++ */
+ static int
+ process_message(u_int socknum)
+ {
+@@ -908,7 +910,7 @@ process_message(u_int socknum)
+ /* send a fail message for all other request types */
+ send_status(e, 0);
+ }
+- return 0;
++ return 1;
+ }
+
+ switch (type) {
+@@ -952,7 +954,7 @@ process_message(u_int socknum)
+ send_status(e, 0);
+ break;
+ }
+- return 0;
++ return 1;
+ }
+
+ static void
+@@ -1043,7 +1045,12 @@ handle_conn_read(u_int socknum)
+ if ((r = sshbuf_put(sockets[socknum].input, buf, len)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ explicit_bzero(buf, sizeof(buf));
+- process_message(socknum);
++ for (;;) {
++ if ((r = process_message(socknum)) == -1)
++ return -1;
++ else if (r == 0)
++ break;
++ }
+ return 0;
+ }
+
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
new file mode 100644
index 0000000000..0dcf23ae17
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
@@ -0,0 +1,125 @@
+From 653cc18c922fc387b3d3aa1b081c5e5283cce28a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 Jan 2021 00:47:47 +0000
+Subject: [PATCH 07/12] upstream: use recallocarray to allocate the agent
+ sockets table;
+
+also clear socket entries that are being marked as unused.
+
+spinkle in some debug2() spam to make it easier to watch an agent
+do its thing.
+
+ok markus
+
+OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1fe16fd61bb53944ec510882acc0491abd66ff76]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 78f7268..2635bc5 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -175,11 +175,12 @@ static void
+ close_socket(SocketEntry *e)
+ {
+ close(e->fd);
+- e->fd = -1;
+- e->type = AUTH_UNUSED;
+ sshbuf_free(e->input);
+ sshbuf_free(e->output);
+ sshbuf_free(e->request);
++ memset(e, '\0', sizeof(*e));
++ e->fd = -1;
++ e->type = AUTH_UNUSED;
+ }
+
+ static void
+@@ -249,6 +250,8 @@ process_request_identities(SocketEntry *e)
+ struct sshbuf *msg;
+ int r;
+
++ debug2("%s: entering", __func__);
++
+ if ((msg = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshbuf_put_u8(msg, SSH2_AGENT_IDENTITIES_ANSWER)) != 0 ||
+@@ -441,6 +444,7 @@ process_remove_identity(SocketEntry *e)
+ struct sshkey *key = NULL;
+ Identity *id;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshkey_froms(e->request, &key)) != 0) {
+ error("%s: get key: %s", __func__, ssh_err(r));
+ goto done;
+@@ -467,6 +471,7 @@ process_remove_all_identities(SocketEntry *e)
+ {
+ Identity *id;
+
++ debug2("%s: entering", __func__);
+ /* Loop over all identities and clear the keys. */
+ for (id = TAILQ_FIRST(&idtab->idlist); id;
+ id = TAILQ_FIRST(&idtab->idlist)) {
+@@ -520,6 +525,7 @@ process_add_identity(SocketEntry *e)
+ u_char ctype;
+ int r = SSH_ERR_INTERNAL_ERROR;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshkey_private_deserialize(e->request, &k)) != 0 ||
+ k == NULL ||
+ (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) {
+@@ -667,6 +673,7 @@ process_lock_agent(SocketEntry *e, int lock)
+ static u_int fail_count = 0;
+ size_t pwlen;
+
++ debug2("%s: entering", __func__);
+ /*
+ * This is deliberately fatal: the user has requested that we lock,
+ * but we can't parse their request properly. The only safe thing to
+@@ -738,6 +745,7 @@ process_add_smartcard_key(SocketEntry *e)
+ struct sshkey **keys = NULL, *k;
+ Identity *id;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
+ error("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -818,6 +826,7 @@ process_remove_smartcard_key(SocketEntry *e)
+ int r, success = 0;
+ Identity *id, *nxt;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
+ error("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -962,6 +971,8 @@ new_socket(sock_type type, int fd)
+ {
+ u_int i, old_alloc, new_alloc;
+
++ debug("%s: type = %s", __func__, type == AUTH_CONNECTION ? "CONNECTION" :
++ (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
+ set_nonblock(fd);
+
+ if (fd > max_fd)
+@@ -981,7 +992,8 @@ new_socket(sock_type type, int fd)
+ }
+ old_alloc = sockets_alloc;
+ new_alloc = sockets_alloc + 10;
+- sockets = xreallocarray(sockets, new_alloc, sizeof(sockets[0]));
++ sockets = xrecallocarray(sockets, old_alloc, new_alloc,
++ sizeof(sockets[0]));
+ for (i = old_alloc; i < new_alloc; i++)
+ sockets[i].type = AUTH_UNUSED;
+ sockets_alloc = new_alloc;
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
new file mode 100644
index 0000000000..141c8113bf
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
@@ -0,0 +1,315 @@
+From c30158ea225cf8ad67c3dcc88fa9e4afbf8959a7 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 Jan 2021 00:53:31 +0000
+Subject: [PATCH 08/12] upstream: more ssh-agent refactoring
+
+Allow confirm_key() to accept an additional reason suffix
+
+Factor publickey userauth parsing out into its own function and allow
+it to optionally return things it parsed out of the message to its
+caller.
+
+feedback/ok markus@
+
+OpenBSD-Commit-ID: 29006515617d1aa2d8b85cd2bf667e849146477e
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/e0e8bee8024fa9e31974244d14f03d799e5c0775]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 197 ++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 130 insertions(+), 67 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 2635bc5..7ad323c 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -216,15 +216,16 @@ lookup_identity(struct sshkey *key)
+
+ /* Check confirmation of keysign request */
+ static int
+-confirm_key(Identity *id)
++confirm_key(Identity *id, const char *extra)
+ {
+ char *p;
+ int ret = -1;
+
+ p = sshkey_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT);
+ if (p != NULL &&
+- ask_permission("Allow use of key %s?\nKey fingerprint %s.",
+- id->comment, p))
++ ask_permission("Allow use of key %s?\nKey fingerprint %s.%s%s",
++ id->comment, p,
++ extra == NULL ? "" : "\n", extra == NULL ? "" : extra))
+ ret = 0;
+ free(p);
+
+@@ -290,74 +291,133 @@ agent_decode_alg(struct sshkey *key, u_int flags)
+ }
+
+ /*
+- * This function inspects a message to be signed by a FIDO key that has a
+- * web-like application string (i.e. one that does not begin with "ssh:".
+- * It checks that the message is one of those expected for SSH operations
+- * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
+- * for the web.
++ * Attempt to parse the contents of a buffer as a SSH publickey userauth
++ * request, checking its contents for consistency and matching the embedded
++ * key against the one that is being used for signing.
++ * Note: does not modify msg buffer.
++ * Optionally extract the username and session ID from the request.
+ */
+ static int
+-check_websafe_message_contents(struct sshkey *key,
+- const u_char *msg, size_t len)
++parse_userauth_request(struct sshbuf *msg, const struct sshkey *expected_key,
++ char **userp, struct sshbuf **sess_idp)
+ {
+- int matched = 0;
+- struct sshbuf *b;
+- u_char m, n;
+- char *cp1 = NULL, *cp2 = NULL;
++ struct sshbuf *b = NULL, *sess_id = NULL;
++ char *user = NULL, *service = NULL, *method = NULL, *pkalg = NULL;
+ int r;
++ u_char t, sig_follows;
+ struct sshkey *mkey = NULL;
+
+- if ((b = sshbuf_from(msg, len)) == NULL)
+- fatal("%s: sshbuf_new", __func__);
++ if (userp != NULL)
++ *userp = NULL;
++ if (sess_idp != NULL)
++ *sess_idp = NULL;
++ if ((b = sshbuf_fromb(msg)) == NULL)
++ fatal("%s: sshbuf_fromb", __func__);
+
+ /* SSH userauth request */
+- if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */
+- (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */
+- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */
+- (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */
+- (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */
+- (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */
+- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */
+- (r = sshkey_froms(b, &mkey)) == 0 && /* key */
+- sshbuf_len(b) == 0) {
+- debug("%s: parsed userauth", __func__);
+- if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 &&
+- strcmp(cp1, "ssh-connection") == 0 &&
+- strcmp(cp2, "publickey") == 0 &&
+- sshkey_equal(key, mkey)) {
+- debug("%s: well formed userauth", __func__);
+- matched = 1;
+- }
++ if ((r = sshbuf_froms(b, &sess_id)) != 0)
++ goto out;
++ if (sshbuf_len(sess_id) == 0) {
++ r = SSH_ERR_INVALID_FORMAT;
++ goto out;
+ }
+- free(cp1);
+- free(cp2);
+- sshkey_free(mkey);
++ if ((r = sshbuf_get_u8(b, &t)) != 0 || /* SSH2_MSG_USERAUTH_REQUEST */
++ (r = sshbuf_get_cstring(b, &user, NULL)) != 0 || /* server user */
++ (r = sshbuf_get_cstring(b, &service, NULL)) != 0 || /* service */
++ (r = sshbuf_get_cstring(b, &method, NULL)) != 0 || /* method */
++ (r = sshbuf_get_u8(b, &sig_follows)) != 0 || /* sig-follows */
++ (r = sshbuf_get_cstring(b, &pkalg, NULL)) != 0 || /* alg */
++ (r = sshkey_froms(b, &mkey)) != 0) /* key */
++ goto out;
++ if (t != SSH2_MSG_USERAUTH_REQUEST ||
++ sig_follows != 1 ||
++ strcmp(service, "ssh-connection") != 0 ||
++ !sshkey_equal(expected_key, mkey) ||
++ sshkey_type_from_name(pkalg) != expected_key->type) {
++ r = SSH_ERR_INVALID_FORMAT;
++ goto out;
++ }
++ if (strcmp(method, "publickey") != 0) {
++ r = SSH_ERR_INVALID_FORMAT;
++ goto out;
++ }
++ if (sshbuf_len(b) != 0) {
++ r = SSH_ERR_INVALID_FORMAT;
++ goto out;
++ }
++ /* success */
++ r = 0;
++ debug("%s: well formed userauth", __func__);
++ if (userp != NULL) {
++ *userp = user;
++ user = NULL;
++ }
++ if (sess_idp != NULL) {
++ *sess_idp = sess_id;
++ sess_id = NULL;
++ }
++ out:
+ sshbuf_free(b);
+- if (matched)
+- return 1;
++ sshbuf_free(sess_id);
++ free(user);
++ free(service);
++ free(method);
++ free(pkalg);
++ sshkey_free(mkey);
++ return r;
++}
+
+- if ((b = sshbuf_from(msg, len)) == NULL)
+- fatal("%s: sshbuf_new", __func__);
+- cp1 = cp2 = NULL;
+- mkey = NULL;
+-
+- /* SSHSIG */
+- if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 &&
+- (r = sshbuf_consume(b, 6)) == 0 &&
+- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */
+- (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */
+- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */
+- (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */
+- sshbuf_len(b) == 0) {
+- debug("%s: parsed sshsig", __func__);
+- matched = 1;
+- }
++/*
++ * Attempt to parse the contents of a buffer as a SSHSIG signature request.
++ * Note: does not modify buffer.
++ */
++static int
++parse_sshsig_request(struct sshbuf *msg)
++{
++ int r;
++ struct sshbuf *b;
+
++ if ((b = sshbuf_fromb(msg)) == NULL)
++ fatal("%s: sshbuf_fromb", __func__);
++
++ if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) != 0 ||
++ (r = sshbuf_consume(b, 6)) != 0 ||
++ (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* namespace */
++ (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || /* reserved */
++ (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* hashalg */
++ (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0) /* H(msg) */
++ goto out;
++ if (sshbuf_len(b) != 0) {
++ r = SSH_ERR_INVALID_FORMAT;
++ goto out;
++ }
++ /* success */
++ r = 0;
++ out:
+ sshbuf_free(b);
+- if (matched)
++ return r;
++}
++
++/*
++ * This function inspects a message to be signed by a FIDO key that has a
++ * web-like application string (i.e. one that does not begin with "ssh:".
++ * It checks that the message is one of those expected for SSH operations
++ * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
++ * for the web.
++ */
++static int
++check_websafe_message_contents(struct sshkey *key, struct sshbuf *data)
++{
++ if (parse_userauth_request(data, key, NULL, NULL) == 0) {
++ debug("%s: signed data matches public key userauth request", __func__);
+ return 1;
++ }
++ if (parse_sshsig_request(data) == 0) {
++ debug("%s: signed data matches SSHSIG signature request", __func__);
++ return 1;
++ }
+
+- /* XXX CA signature operation */
++ /* XXX check CA signature operation */
+
+ error("web-origin key attempting to sign non-SSH message");
+ return 0;
+@@ -367,21 +427,22 @@ check_websafe_message_contents(struct sshkey *key,
+ static void
+ process_sign_request2(SocketEntry *e)
+ {
+- const u_char *data;
+ u_char *signature = NULL;
+- size_t dlen, slen = 0;
++ size_t i, slen = 0;
+ u_int compat = 0, flags;
+ int r, ok = -1;
+ char *fp = NULL;
+- struct sshbuf *msg;
++ struct sshbuf *msg = NULL, *data = NULL;
+ struct sshkey *key = NULL;
+ struct identity *id;
+ struct notifier_ctx *notifier = NULL;
+
+- if ((msg = sshbuf_new()) == NULL)
++ debug("%s: entering", __func__);
++
++ if ((msg = sshbuf_new()) == NULL | (data = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshkey_froms(e->request, &key)) != 0 ||
+- (r = sshbuf_get_string_direct(e->request, &data, &dlen)) != 0 ||
++ (r = sshbuf_get_stringb(e->request, data)) != 0 ||
+ (r = sshbuf_get_u32(e->request, &flags)) != 0) {
+ error("%s: couldn't parse request: %s", __func__, ssh_err(r));
+ goto send;
+@@ -391,13 +452,13 @@ process_sign_request2(SocketEntry *e)
+ verbose("%s: %s key not found", __func__, sshkey_type(key));
+ goto send;
+ }
+- if (id->confirm && confirm_key(id) != 0) {
++ if (id->confirm && confirm_key(id, NULL) != 0) {
+ verbose("%s: user refused key", __func__);
+ goto send;
+ }
+ if (sshkey_is_sk(id->key)) {
+ if (strncmp(id->key->sk_application, "ssh:", 4) != 0 &&
+- !check_websafe_message_contents(key, data, dlen)) {
++ !check_websafe_message_contents(key, data)) {
+ /* error already logged */
+ goto send;
+ }
+@@ -411,7 +472,7 @@ process_sign_request2(SocketEntry *e)
+ }
+ }
+ if ((r = sshkey_sign(id->key, &signature, &slen,
+- data, dlen, agent_decode_alg(key, flags),
++ sshbuf_ptr(data), sshbuf_len(data), agent_decode_alg(key, flags),
+ id->sk_provider, compat)) != 0) {
+ error("%s: sshkey_sign: %s", __func__, ssh_err(r));
+ goto send;
+@@ -420,8 +481,7 @@ process_sign_request2(SocketEntry *e)
+ ok = 0;
+ send:
+ notify_complete(notifier);
+- sshkey_free(key);
+- free(fp);
++
+ if (ok == 0) {
+ if ((r = sshbuf_put_u8(msg, SSH2_AGENT_SIGN_RESPONSE)) != 0 ||
+ (r = sshbuf_put_string(msg, signature, slen)) != 0)
+@@ -432,7 +492,10 @@ process_sign_request2(SocketEntry *e)
+ if ((r = sshbuf_put_stringb(e->output, msg)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
++ sshbuf_free(data);
+ sshbuf_free(msg);
++ sshkey_free(key);
++ free(fp);
+ free(signature);
+ }
+
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
new file mode 100644
index 0000000000..b519ccce42
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
@@ -0,0 +1,38 @@
+From 7adba46611e5d076d7d12d9f4162dd4cabd5ff50 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 29 Jan 2021 06:28:10 +0000
+Subject: [PATCH 09/12] upstream: give typedef'd struct a struct name; makes
+ the fuzzer I'm
+
+writing a bit easier
+
+OpenBSD-Commit-ID: 1052ab521505a4d8384d67acb3974ef81b8896cb
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8afaa7d7918419d3da6c0477b83db2159879cb33]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 7ad323c..c99927c 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -108,7 +108,7 @@ typedef enum {
+ AUTH_CONNECTION
+ } sock_type;
+
+-typedef struct {
++typedef struct socket_entry {
+ int fd;
+ sock_type type;
+ struct sshbuf *input;
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
new file mode 100644
index 0000000000..27b2eadfae
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
@@ -0,0 +1,39 @@
+From 343e2a2c0ef754a7a86118016b248f7a73f8d510 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 29 Jan 2021 06:29:46 +0000
+Subject: [PATCH 10/12] upstream: fix the values of enum sock_type
+
+OpenBSD-Commit-ID: 18d048f4dbfbb159ff500cfc2700b8fb1407facd
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1a4b92758690faa12f49079dd3b72567f909466d]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index c99927c..7f1e14b 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -103,9 +103,9 @@
+ #define AGENT_RBUF_LEN (4096)
+
+ typedef enum {
+- AUTH_UNUSED,
+- AUTH_SOCKET,
+- AUTH_CONNECTION
++ AUTH_UNUSED = 0,
++ AUTH_SOCKET = 1,
++ AUTH_CONNECTION = 2,
+ } sock_type;
+
+ typedef struct socket_entry {
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
new file mode 100644
index 0000000000..c300393ebf
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
@@ -0,0 +1,307 @@
+From 2b3b369c8cf71f9ef5942a5e074e6f86e7ca1e0c Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 19 Dec 2021 22:09:23 +0000
+Subject: [PATCH 11/12] upstream: ssh-agent side of binding
+
+record session ID/hostkey/forwarding status for each active socket.
+
+Attempt to parse data-to-be-signed at signature request time and extract
+session ID from the blob if it is a pubkey userauth request.
+
+ok markus@
+
+OpenBSD-Commit-ID: a80fd41e292b18b67508362129e9fed549abd318
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/4c1e3ce85e183a9d0c955c88589fed18e4d6a058]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ authfd.h | 3 +
+ ssh-agent.c | 175 +++++++++++++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 170 insertions(+), 8 deletions(-)
+
+diff --git a/authfd.h b/authfd.h
+index c3bf625..9cc9807 100644
+--- a/authfd.h
++++ b/authfd.h
+@@ -76,6 +76,9 @@ int ssh_agent_sign(int sock, const struct sshkey *key,
+ #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
+ #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
+
++/* generic extension mechanism */
++#define SSH_AGENTC_EXTENSION 27
++
+ #define SSH_AGENT_CONSTRAIN_LIFETIME 1
+ #define SSH_AGENT_CONSTRAIN_CONFIRM 2
+ #define SSH_AGENT_CONSTRAIN_MAXSIGN 3
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 7f1e14b..01c7f2b 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -98,9 +98,15 @@
+ #endif
+
+ /* Maximum accepted message length */
+-#define AGENT_MAX_LEN (256*1024)
++#define AGENT_MAX_LEN (256*1024)
+ /* Maximum bytes to read from client socket */
+-#define AGENT_RBUF_LEN (4096)
++#define AGENT_RBUF_LEN (4096)
++/* Maximum number of recorded session IDs/hostkeys per connection */
++#define AGENT_MAX_SESSION_IDS 16
++/* Maximum size of session ID */
++#define AGENT_MAX_SID_LEN 128
++
++/* XXX store hostkey_sid in a refcounted tree */
+
+ typedef enum {
+ AUTH_UNUSED = 0,
+@@ -108,12 +114,20 @@ typedef enum {
+ AUTH_CONNECTION = 2,
+ } sock_type;
+
++struct hostkey_sid {
++ struct sshkey *key;
++ struct sshbuf *sid;
++ int forwarded;
++};
++
+ typedef struct socket_entry {
+ int fd;
+ sock_type type;
+ struct sshbuf *input;
+ struct sshbuf *output;
+ struct sshbuf *request;
++ size_t nsession_ids;
++ struct hostkey_sid *session_ids;
+ } SocketEntry;
+
+ u_int sockets_alloc = 0;
+@@ -174,10 +188,17 @@ static int restrict_websafe = 1;
+ static void
+ close_socket(SocketEntry *e)
+ {
++ size_t i;
++
+ close(e->fd);
+ sshbuf_free(e->input);
+ sshbuf_free(e->output);
+ sshbuf_free(e->request);
++ for (i = 0; i < e->nsession_ids; i++) {
++ sshkey_free(e->session_ids[i].key);
++ sshbuf_free(e->session_ids[i].sid);
++ }
++ free(e->session_ids);
+ memset(e, '\0', sizeof(*e));
+ e->fd = -1;
+ e->type = AUTH_UNUSED;
+@@ -423,6 +444,18 @@ check_websafe_message_contents(struct sshkey *key, struct sshbuf *data)
+ return 0;
+ }
+
++static int
++buf_equal(const struct sshbuf *a, const struct sshbuf *b)
++{
++ if (sshbuf_ptr(a) == NULL || sshbuf_ptr(b) == NULL)
++ return SSH_ERR_INVALID_ARGUMENT;
++ if (sshbuf_len(a) != sshbuf_len(b))
++ return SSH_ERR_INVALID_FORMAT;
++ if (timingsafe_bcmp(sshbuf_ptr(a), sshbuf_ptr(b), sshbuf_len(a)) != 0)
++ return SSH_ERR_INVALID_FORMAT;
++ return 0;
++}
++
+ /* ssh2 only */
+ static void
+ process_sign_request2(SocketEntry *e)
+@@ -431,8 +464,8 @@ process_sign_request2(SocketEntry *e)
+ size_t i, slen = 0;
+ u_int compat = 0, flags;
+ int r, ok = -1;
+- char *fp = NULL;
+- struct sshbuf *msg = NULL, *data = NULL;
++ char *fp = NULL, *user = NULL, *sig_dest = NULL;
++ struct sshbuf *msg = NULL, *data = NULL, *sid = NULL;
+ struct sshkey *key = NULL;
+ struct identity *id;
+ struct notifier_ctx *notifier = NULL;
+@@ -452,7 +485,33 @@ process_sign_request2(SocketEntry *e)
+ verbose("%s: %s key not found", __func__, sshkey_type(key));
+ goto send;
+ }
+- if (id->confirm && confirm_key(id, NULL) != 0) {
++ /*
++ * If session IDs were recorded for this socket, then use them to
++ * annotate the confirmation messages with the host keys.
++ */
++ if (e->nsession_ids > 0 &&
++ parse_userauth_request(data, key, &user, &sid) == 0) {
++ /*
++ * session ID from userauth request should match the final
++ * ID in the list recorded in the socket, unless the ssh
++ * client at that point lacks the binding extension (or if
++ * an attacker is trying to steal use of the agent).
++ */
++ i = e->nsession_ids - 1;
++ if (buf_equal(sid, e->session_ids[i].sid) == 0) {
++ if ((fp = sshkey_fingerprint(e->session_ids[i].key,
++ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL)
++ fatal("%s: fingerprint failed", __func__);
++ debug3("%s: destination %s %s (slot %zu)", __func__,
++ sshkey_type(e->session_ids[i].key), fp, i);
++ xasprintf(&sig_dest, "public key request for "
++ "target user \"%s\" to %s %s", user,
++ sshkey_type(e->session_ids[i].key), fp);
++ free(fp);
++ fp = NULL;
++ }
++ }//
++ if (id->confirm && confirm_key(id, sig_dest) != 0) {
+ verbose("%s: user refused key", __func__);
+ goto send;
+ }
+@@ -467,8 +526,10 @@ process_sign_request2(SocketEntry *e)
+ SSH_FP_DEFAULT)) == NULL)
+ fatal("%s: fingerprint failed", __func__);
+ notifier = notify_start(0,
+- "Confirm user presence for key %s %s",
+- sshkey_type(id->key), fp);
++ "Confirm user presence for key %s %s%s%s",
++ sshkey_type(id->key), fp,
++ sig_dest == NULL ? "" : "\n",
++ sig_dest == NULL ? "" : sig_dest);
+ }
+ }
+ if ((r = sshkey_sign(id->key, &signature, &slen,
+@@ -492,11 +553,14 @@ process_sign_request2(SocketEntry *e)
+ if ((r = sshbuf_put_stringb(e->output, msg)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
++ sshbuf_free(sid);
+ sshbuf_free(data);
+ sshbuf_free(msg);
+ sshkey_free(key);
+ free(fp);
+ free(signature);
++ free(sig_dest);
++ free(user);
+ }
+
+ /* shared */
+@@ -925,6 +989,98 @@ send:
+ }
+ #endif /* ENABLE_PKCS11 */
+
++static int
++process_ext_session_bind(SocketEntry *e)
++{
++ int r, sid_match, key_match;
++ struct sshkey *key = NULL;
++ struct sshbuf *sid = NULL, *sig = NULL;
++ char *fp = NULL;
++ u_char fwd;
++ size_t i;
++
++ debug2("%s: entering", __func__);
++ if ((r = sshkey_froms(e->request, &key)) != 0 ||
++ (r = sshbuf_froms(e->request, &sid)) != 0 ||
++ (r = sshbuf_froms(e->request, &sig)) != 0 ||
++ (r = sshbuf_get_u8(e->request, &fwd)) != 0) {
++ error("%s: parse: %s", __func__, ssh_err(r));
++ goto out;
++ }
++ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
++ SSH_FP_DEFAULT)) == NULL)
++ fatal("%s: fingerprint failed", __func__);
++ /* check signature with hostkey on session ID */
++ if ((r = sshkey_verify(key, sshbuf_ptr(sig), sshbuf_len(sig),
++ sshbuf_ptr(sid), sshbuf_len(sid), NULL, 0, NULL)) != 0) {
++ error("%s: sshkey_verify for %s %s: %s", __func__, sshkey_type(key), fp, ssh_err(r));
++ goto out;
++ }
++ /* check whether sid/key already recorded */
++ for (i = 0; i < e->nsession_ids; i++) {
++ sid_match = buf_equal(sid, e->session_ids[i].sid) == 0;
++ key_match = sshkey_equal(key, e->session_ids[i].key);
++ if (sid_match && key_match) {
++ debug("%s: session ID already recorded for %s %s", __func__,
++ sshkey_type(key), fp);
++ r = 0;
++ goto out;
++ } else if (sid_match) {
++ error("%s: session ID recorded against different key "
++ "for %s %s", __func__, sshkey_type(key), fp);
++ r = -1;
++ goto out;
++ }
++ /*
++ * new sid with previously-seen key can happen, e.g. multiple
++ * connections to the same host.
++ */
++ }
++ /* record new key/sid */
++ if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
++ error("%s: too many session IDs recorded", __func__);
++ goto out;
++ }
++ e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids,
++ e->nsession_ids + 1, sizeof(*e->session_ids));
++ i = e->nsession_ids++;
++ debug("%s: recorded %s %s (slot %zu of %d)", __func__, sshkey_type(key), fp, i,
++ AGENT_MAX_SESSION_IDS);
++ e->session_ids[i].key = key;
++ e->session_ids[i].forwarded = fwd != 0;
++ key = NULL; /* transferred */
++ /* can't transfer sid; it's refcounted and scoped to request's life */
++ if ((e->session_ids[i].sid = sshbuf_new()) == NULL)
++ fatal("%s: sshbuf_new", __func__);
++ if ((r = sshbuf_putb(e->session_ids[i].sid, sid)) != 0)
++ fatal("%s: sshbuf_putb session ID: %s", __func__, ssh_err(r));
++ /* success */
++ r = 0;
++ out:
++ sshkey_free(key);
++ sshbuf_free(sid);
++ sshbuf_free(sig);
++ return r == 0 ? 1 : 0;
++}
++
++static void
++process_extension(SocketEntry *e)
++{
++ int r, success = 0;
++ char *name;
++
++ debug2("%s: entering", __func__);
++ if ((r = sshbuf_get_cstring(e->request, &name, NULL)) != 0) {
++ error("%s: parse: %s", __func__, ssh_err(r));
++ goto send;
++ }
++ if (strcmp(name, "session-bind@openssh.com") == 0)
++ success = process_ext_session_bind(e);
++ else
++ debug("%s: unsupported extension \"%s\"", __func__, name);
++send:
++ send_status(e, success);
++}
+ /*
+ * dispatch incoming message.
+ * returns 1 on success, 0 for incomplete messages or -1 on error.
+@@ -1019,6 +1175,9 @@ process_message(u_int socknum)
+ process_remove_smartcard_key(e);
+ break;
+ #endif /* ENABLE_PKCS11 */
++ case SSH_AGENTC_EXTENSION:
++ process_extension(e);
++ break;
+ default:
+ /* Unknown message. Respond with failure. */
+ error("Unknown message %d", type);
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
new file mode 100644
index 0000000000..934775bdec
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
@@ -0,0 +1,120 @@
+From 4fe3d0fbd3d6dc1f19354e0d73a3231c461ed044 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:56:33 +0000
+Subject: [PATCH 12/12] upstream: Disallow remote addition of FIDO/PKCS11
+ provider libraries to ssh-agent by default.
+
+The old behaviour of allowing remote clients from loading providers
+can be restored using `ssh-agent -O allow-remote-pkcs11`.
+
+Detection of local/remote clients requires a ssh(1) that supports
+the `session-bind@openssh.com` extension. Forwarding access to a
+ssh-agent socket using non-OpenSSH tools may circumvent this control.
+
+ok markus@
+
+OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.1 | 20 ++++++++++++++++++++
+ ssh-agent.c | 26 ++++++++++++++++++++++++--
+ 2 files changed, 44 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-agent.1 b/ssh-agent.1
+index fff0db6..a0f1e21 100644
+--- a/ssh-agent.1
++++ b/ssh-agent.1
+@@ -97,6 +97,26 @@ The default is
+ Kill the current agent (given by the
+ .Ev SSH_AGENT_PID
+ environment variable).
++Currently two options are supported:
++.Cm allow-remote-pkcs11
++and
++.Pp
++The
++.Cm allow-remote-pkcs11
++option allows clients of a forwarded
++.Nm
++to load PKCS#11 or FIDO provider libraries.
++By default only local clients may perform this operation.
++Note that signalling that a
++.Nm
++client remote is performed by
++.Xr ssh 1 ,
++and use of other tools to forward access to the agent socket may circumvent
++this restriction.
++.Pp
++The
++.Cm no-restrict-websafe ,
++instructs
+ .It Fl P Ar provider_whitelist
+ Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator
+ shared libraries that may be used with the
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 01c7f2b..40c1b6b 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.300 2023/07/19 13:56:33 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -167,6 +167,12 @@ char socket_dir[PATH_MAX];
+ /* PKCS#11/Security key path whitelist */
+ static char *provider_whitelist;
+
++/*
++ * Allows PKCS11 providers or SK keys that use non-internal providers to
++ * be added over a remote connection (identified by session-bind@openssh.com).
++ */
++static int remote_add_provider;
++
+ /* locking */
+ #define LOCK_SIZE 32
+ #define LOCK_SALT_SIZE 16
+@@ -736,6 +742,15 @@ process_add_identity(SocketEntry *e)
+ if (strcasecmp(sk_provider, "internal") == 0) {
+ debug("%s: internal provider", __func__);
+ } else {
++ if (e->nsession_ids != 0 && !remote_add_provider) {
++ verbose("failed add of SK provider \"%.100s\": "
++ "remote addition of providers is disabled",
++ sk_provider);
++ free(sk_provider);
++ free(comment);
++ sshkey_free(k);
++ goto send;
++ }
+ if (realpath(sk_provider, canonical_provider) == NULL) {
+ verbose("failed provider \"%.100s\": "
+ "realpath: %s", sk_provider,
+@@ -901,6 +916,11 @@ process_add_smartcard_key(SocketEntry *e)
+ goto send;
+ }
+ }
++ if (e->nsession_ids != 0 && !remote_add_provider) {
++ verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
++ "providers is disabled", provider);
++ goto send;
++ }
+ if (realpath(provider, canonical_provider) == NULL) {
+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+ provider, strerror(errno));
+@@ -1556,7 +1576,9 @@ main(int ac, char **av)
+ break;
+ case 'O':
+ if (strcmp(optarg, "no-restrict-websafe") == 0)
+- restrict_websafe = 0;
++ restrict_websafe = 0;
++ else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
++ remote_add_provider = 1;
+ else
+ fatal("Unknown -O option");
+ break;
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index 79dba121ff..bc4b922301 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -27,6 +27,18 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://CVE-2020-14145.patch \
file://CVE-2021-28041.patch \
file://CVE-2021-41617.patch \
+ file://CVE-2023-38408-01.patch \
+ file://CVE-2023-38408-02.patch \
+ file://CVE-2023-38408-03.patch \
+ file://CVE-2023-38408-04.patch \
+ file://CVE-2023-38408-05.patch \
+ file://CVE-2023-38408-06.patch \
+ file://CVE-2023-38408-07.patch \
+ file://CVE-2023-38408-08.patch \
+ file://CVE-2023-38408-09.patch \
+ file://CVE-2023-38408-10.patch \
+ file://CVE-2023-38408-11.patch \
+ file://CVE-2023-38408-12.patch \
"
SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [OE-core][dunfell 03/14] qemu: Backport fix CVE-2023-3180
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 01/14] bind: Backport fix for CVE-2023-2828 Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 02/14] openssh: Securiry fix for CVE-2023-38408 Steve Sakoman
@ 2023-09-12 13:53 ` Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 04/14] qemu: Backport fix for CVE-2023-0330 Steve Sakoman
` (10 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
From: Ashish Sharma <asharma@mvista.com>
Upstream-Status: Backport from [https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980]
CVE: CVE-2023-3180
Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2023-3180.patch | 49 +++++++++++++++++++
2 files changed, 50 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 2871818cb1..3789d77046 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -139,6 +139,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
file://CVE-2023-0330.patch \
file://CVE-2023-3354.patch \
+ file://CVE-2023-3180.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
new file mode 100644
index 0000000000..7144bdca46
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
@@ -0,0 +1,49 @@
+From 9d38a8434721a6479fe03fb5afb150ca793d3980 Mon Sep 17 00:00:00 2001
+From: zhenwei pi <pizhenwei@bytedance.com>
+Date: Thu, 3 Aug 2023 10:43:13 +0800
+Subject: [PATCH] virtio-crypto: verify src&dst buffer length for sym request
+
+For symmetric algorithms, the length of ciphertext must be as same
+as the plaintext.
+The missing verification of the src_len and the dst_len in
+virtio_crypto_sym_op_helper() may lead buffer overflow/divulged.
+
+This patch is originally written by Yiming Tao for QEMU-SECURITY,
+resend it(a few changes of error message) in qemu-devel.
+
+Fixes: CVE-2023-3180
+Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler")
+Cc: Gonglei <arei.gonglei@huawei.com>
+Cc: Mauro Matteo Cascella <mcascell@redhat.com>
+Cc: Yiming Tao <taoym@zju.edu.cn>
+Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
+Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream-Status: Backport from [https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980]
+CVE: CVE-2023-3180
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ hw/virtio/virtio-crypto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index 44faf5a522b..13aec771e11 100644
+--- a/hw/virtio/virtio-crypto.c
++++ b/hw/virtio/virtio-crypto.c
+@@ -634,6 +634,11 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+ return NULL;
+ }
+
++ if (unlikely(src_len != dst_len)) {
++ virtio_error(vdev, "sym request src len is different from dst len");
++ return NULL;
++ }
++
+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
+ if (unlikely(max_len > vcrypto->conf.max_size)) {
+ virtio_error(vdev, "virtio-crypto too big length");
+--
+GitLab
+
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [OE-core][dunfell 04/14] qemu: Backport fix for CVE-2023-0330
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (2 preceding siblings ...)
2023-09-12 13:53 ` [OE-core][dunfell 03/14] qemu: Backport fix CVE-2023-3180 Steve Sakoman
@ 2023-09-12 13:53 ` Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 05/14] rootfs-post: remove traling blanks from tasks Steve Sakoman
` (9 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
A DMA-MMIO reentrancy problem may lead to memory corruption bugs
like stack overflow or use-after-free.
Summary of the problem from Peter Maydell:
https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com
Reference:
https://gitlab.com/qemu-project/qemu/-/issues/556
qemu.git$ git log --no-merges --oneline --grep CVE-2023-0330
b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)
a2e1753b80 memory: prevent dma-reentracy issues
Included second commit as well as commit log of a2e1753b80 says it
resolves CVE-2023-0330
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 3 +-
...-2023-0330.patch => CVE-2023-0330_1.patch} | 0
.../qemu/qemu/CVE-2023-0330_2.patch | 135 ++++++++++++++++++
3 files changed, 137 insertions(+), 1 deletion(-)
rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => CVE-2023-0330_1.patch} (100%)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 3789d77046..2669ba4ec8 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -137,7 +137,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3409-4.patch \
file://CVE-2021-3409-5.patch \
file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
- file://CVE-2023-0330.patch \
+ file://CVE-2023-0330_1.patch \
+ file://CVE-2023-0330_2.patch \
file://CVE-2023-3354.patch \
file://CVE-2023-3180.patch \
"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch
similarity index 100%
rename from meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
rename to meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
new file mode 100644
index 0000000000..3b45bc0411
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
@@ -0,0 +1,135 @@
+From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Thu, 27 Apr 2023 17:10:06 -0400
+Subject: [PATCH] memory: prevent dma-reentracy issues
+
+Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
+This flag is set/checked prior to calling a device's MemoryRegion
+handlers, and set when device code initiates DMA. The purpose of this
+flag is to prevent two types of DMA-based reentrancy issues:
+
+1.) mmio -> dma -> mmio case
+2.) bh -> dma write -> mmio case
+
+These issues have led to problems such as stack-exhaustion and
+use-after-frees.
+
+Summary of the problem from Peter Maydell:
+https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
+Resolves: CVE-2023-0330
+
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20230427211013.2994127-2-alxndr@bu.edu>
+[thuth: Replace warn_report() with warn_report_once()]
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380]
+CVE: CVE-2023-0330
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ include/exec/memory.h | 5 +++++
+ include/hw/qdev-core.h | 7 +++++++
+ memory.c | 16 ++++++++++++++++
+ 3 files changed, 28 insertions(+)
+
+diff --git a/include/exec/memory.h b/include/exec/memory.h
+index 2b8bccdd..0c8cdb8e 100644
+--- a/include/exec/memory.h
++++ b/include/exec/memory.h
+@@ -378,6 +378,8 @@ struct MemoryRegion {
+ bool is_iommu;
+ RAMBlock *ram_block;
+ Object *owner;
++ /* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath */
++ DeviceState *dev;
+
+ const MemoryRegionOps *ops;
+ void *opaque;
+@@ -400,6 +402,9 @@ struct MemoryRegion {
+ const char *name;
+ unsigned ioeventfd_nb;
+ MemoryRegionIoeventfd *ioeventfds;
++
++ /* For devices designed to perform re-entrant IO into their own IO MRs */
++ bool disable_reentrancy_guard;
+ };
+
+ struct IOMMUMemoryRegion {
+diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
+index 1518495b..206f0a70 100644
+--- a/include/hw/qdev-core.h
++++ b/include/hw/qdev-core.h
+@@ -138,6 +138,10 @@ struct NamedGPIOList {
+ QLIST_ENTRY(NamedGPIOList) node;
+ };
+
++typedef struct {
++ bool engaged_in_io;
++} MemReentrancyGuard;
++
+ /**
+ * DeviceState:
+ * @realized: Indicates whether the device has been fully constructed.
+@@ -163,6 +167,9 @@ struct DeviceState {
+ int num_child_bus;
+ int instance_id_alias;
+ int alias_required_for_version;
++
++ /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */
++ MemReentrancyGuard mem_reentrancy_guard;
+ };
+
+ struct DeviceListener {
+diff --git a/memory.c b/memory.c
+index 8cafb86a..94ebcaf9 100644
+--- a/memory.c
++++ b/memory.c
+@@ -531,6 +531,18 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
+ access_size_max = 4;
+ }
+
++ /* Do not allow more than one simultaneous access to a device's IO Regions */
++ if (mr->dev && !mr->disable_reentrancy_guard &&
++ !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) {
++ if (mr->dev->mem_reentrancy_guard.engaged_in_io) {
++ warn_report_once("Blocked re-entrant IO on MemoryRegion: "
++ "%s at addr: 0x%" HWADDR_PRIX,
++ memory_region_name(mr), addr);
++ return MEMTX_ACCESS_ERROR;
++ }
++ mr->dev->mem_reentrancy_guard.engaged_in_io = true;
++ }
++
+ /* FIXME: support unaligned access? */
+ access_size = MAX(MIN(size, access_size_max), access_size_min);
+ access_mask = MAKE_64BIT_MASK(0, access_size * 8);
+@@ -545,6 +557,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
+ access_mask, attrs);
+ }
+ }
++ if (mr->dev) {
++ mr->dev->mem_reentrancy_guard.engaged_in_io = false;
++ }
+ return r;
+ }
+
+@@ -1132,6 +1147,7 @@ static void memory_region_do_init(MemoryRegion *mr,
+ }
+ mr->name = g_strdup(name);
+ mr->owner = owner;
++ mr->dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE);
+ mr->ram_block = NULL;
+
+ if (name) {
+--
+2.25.1
+
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [OE-core][dunfell 05/14] rootfs-post: remove traling blanks from tasks
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (3 preceding siblings ...)
2023-09-12 13:53 ` [OE-core][dunfell 04/14] qemu: Backport fix for CVE-2023-0330 Steve Sakoman
@ 2023-09-12 13:53 ` Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 06/14] yocto-uninative: Update to 4.3 Steve Sakoman
` (8 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
From: Priyal Doshi <pdoshi@mvista.com>
remove the traling blanks before the ;-delimiter, so one could use
"_remove" to avoid running tasks like 'rootfs_update_timestamp',
which are currently hardcoded and not bound to any
configurable feature flag
Signed-off-by: Priyal Doshi <pdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/rootfs-postcommands.bbclass | 6 +++---
meta/classes/rootfsdebugfiles.bbclass | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
index d9e2aeab64..943534c57a 100644
--- a/meta/classes/rootfs-postcommands.bbclass
+++ b/meta/classes/rootfs-postcommands.bbclass
@@ -1,6 +1,6 @@
# Zap the root password if debug-tweaks feature is not enabled
-ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password ; ",d)}'
+ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password; ",d)}'
# Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks or allow-empty-password is enabled
ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'allow-empty-password' ], "ssh_allow_empty_password; ", "",d)}'
@@ -12,7 +12,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'deb
ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'post-install-logging' ], "postinst_enable_logging; ", "",d)}'
# Create /etc/timestamp during image construction to give a reasonably sane default time setting
-ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; "
+ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp; "
# Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled
ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}'
@@ -26,7 +26,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only
APPEND_append = '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", " ro", "", d)}'
# Generates test data file with data store variables expanded in json format
-ROOTFS_POSTPROCESS_COMMAND += "write_image_test_data ; "
+ROOTFS_POSTPROCESS_COMMAND += "write_image_test_data; "
# Write manifest
IMAGE_MANIFEST = "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.manifest"
diff --git a/meta/classes/rootfsdebugfiles.bbclass b/meta/classes/rootfsdebugfiles.bbclass
index e2ba4e3647..85c7ec7434 100644
--- a/meta/classes/rootfsdebugfiles.bbclass
+++ b/meta/classes/rootfsdebugfiles.bbclass
@@ -28,7 +28,7 @@
ROOTFS_DEBUG_FILES ?= ""
ROOTFS_DEBUG_FILES[doc] = "Lists additional files or directories to be installed with 'cp -a' in the format 'source1 target1;source2 target2;...'"
-ROOTFS_POSTPROCESS_COMMAND += "rootfs_debug_files ;"
+ROOTFS_POSTPROCESS_COMMAND += "rootfs_debug_files;"
rootfs_debug_files () {
#!/bin/sh -e
echo "${ROOTFS_DEBUG_FILES}" | sed -e 's/;/\n/g' | while read source target mode; do
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [OE-core][dunfell 06/14] yocto-uninative: Update to 4.3
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (4 preceding siblings ...)
2023-09-12 13:53 ` [OE-core][dunfell 05/14] rootfs-post: remove traling blanks from tasks Steve Sakoman
@ 2023-09-12 13:53 ` Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 07/14] resulttool/resultutils: allow index generation despite corrupt json Steve Sakoman
` (7 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
From: Michael Halstead <mhalstead@linuxfoundation.org>
Add in stable updates to glibc 2.38 to fix malloc bugs
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 39f987fcb20ad7c0e45425b9f508d463c50ce0c1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/conf/distro/include/yocto-uninative.inc | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 6596c0f4a2..eaa3e9b31c 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -7,9 +7,9 @@
#
UNINATIVE_MAXGLIBCVERSION = "2.38"
-UNINATIVE_VERSION = "4.2"
+UNINATIVE_VERSION = "4.3"
UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "cff40e7bdde50aeda06707af8c001796a71b4cf33c5ae1616e5c47943ff6b94e"
-UNINATIVE_CHECKSUM[i686] ?= "a70516447e9a9f1465ffaf1c7f89e79d1692d2356d86fd2a5a63acd908db1ff2"
-UNINATIVE_CHECKSUM[x86_64] ?= "6a86d71eeafba4fefec600c9bf8cf4a01324d1eb52788b6e398d3f23c10d19fb"
+UNINATIVE_CHECKSUM[aarch64] ?= "8df05f4a41455018b4303b2e0ea4eac5c960b5a13713f6dbb33dfdb3e32753ec"
+UNINATIVE_CHECKSUM[i686] ?= "bea76b4a97c9ba0077c0dd1295f519cd599dbf71f0ca1c964471c4cdb043addd"
+UNINATIVE_CHECKSUM[x86_64] ?= "1c35f09a75c4096749bbe1e009df4e3968cde151424062cf4aa3ed89db22b030"
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [OE-core][dunfell 07/14] resulttool/resultutils: allow index generation despite corrupt json
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (5 preceding siblings ...)
2023-09-12 13:53 ` [OE-core][dunfell 06/14] yocto-uninative: Update to 4.3 Steve Sakoman
@ 2023-09-12 13:53 ` Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 08/14] kernel: Fix path comparison in kernel staging dir symlinking Steve Sakoman
` (6 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
From: Michael Halstead <mhalstead@linuxfoundation.org>
non-release indexes will continue to generate when test output is
corrupted.
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1a9157684a6bff8406c9bb470cb2e16ee006bbe9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
scripts/lib/resulttool/resultutils.py | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/scripts/lib/resulttool/resultutils.py b/scripts/lib/resulttool/resultutils.py
index 7666331ba2..c5521d81bd 100644
--- a/scripts/lib/resulttool/resultutils.py
+++ b/scripts/lib/resulttool/resultutils.py
@@ -58,7 +58,11 @@ def append_resultsdata(results, f, configmap=store_map, configvars=extra_configv
testseries = posixpath.basename(posixpath.dirname(url.path))
else:
with open(f, "r") as filedata:
- data = json.load(filedata)
+ try:
+ data = json.load(filedata)
+ except json.decoder.JSONDecodeError:
+ print("Cannot decode {}. Possible corruption. Skipping.".format(f))
+ data = ""
testseries = os.path.basename(os.path.dirname(f))
else:
data = f
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [OE-core][dunfell 08/14] kernel: Fix path comparison in kernel staging dir symlinking
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (6 preceding siblings ...)
2023-09-12 13:53 ` [OE-core][dunfell 07/14] resulttool/resultutils: allow index generation despite corrupt json Steve Sakoman
@ 2023-09-12 13:53 ` Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 09/14] glibc/check-test-wrapper: don't emit warnings from ssh Steve Sakoman
` (5 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
From: Staffan Rydén <staffan.ryden@axis.com>
Due to an oversight in the do_symlink_kernsrc function, the path
comparison between "S" and "STAGING_KERNEL_DIR" is broken. The code
obtains both variables, but modifies the local copy of "S" before
comparing them, causing the comparison to always return false.
This can cause the build to fail when the EXTERNALSRC flag is enabled,
since the code will try to create a symlink even if one already exists.
This patch resolves the issue by comparing the variables before they are
modified.
Signed-off-by: Staffan Rydén <staffan.ryden@axis.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit afd2038ef8a66a5e6433be31a14e1eb0d9f9a1d3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/kernel.bbclass | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index 5d8b3b062a..ba5b6cf384 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -143,13 +143,14 @@ do_unpack[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILD
do_clean[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILDDIR}"
python do_symlink_kernsrc () {
s = d.getVar("S")
- if s[-1] == '/':
- # drop trailing slash, so that os.symlink(kernsrc, s) doesn't use s as directory name and fail
- s=s[:-1]
kernsrc = d.getVar("STAGING_KERNEL_DIR")
if s != kernsrc:
bb.utils.mkdirhier(kernsrc)
bb.utils.remove(kernsrc, recurse=True)
+ if s[-1] == '/':
+ # drop trailing slash, so that os.symlink(kernsrc, s) doesn't use s as
+ # directory name and fail
+ s = s[:-1]
if d.getVar("EXTERNALSRC"):
# With EXTERNALSRC S will not be wiped so we can symlink to it
os.symlink(s, kernsrc)
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [OE-core][dunfell 09/14] glibc/check-test-wrapper: don't emit warnings from ssh
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (7 preceding siblings ...)
2023-09-12 13:53 ` [OE-core][dunfell 08/14] kernel: Fix path comparison in kernel staging dir symlinking Steve Sakoman
@ 2023-09-12 13:53 ` Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 10/14] selftest/cases/glibc.py: increase the memory for testing Steve Sakoman
` (4 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
Dont fill up the test log with ssh warning about having added the host
to list of known hosts.
Also helps fix a test case failure where stderr log was being compared
to a known value.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 63b31ff7e54a171c4c02fca2e6b07aec64a410af)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/glibc/glibc/check-test-wrapper | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/glibc/glibc/check-test-wrapper b/meta/recipes-core/glibc/glibc/check-test-wrapper
index 6ec9b9b29e..5cc993f718 100644
--- a/meta/recipes-core/glibc/glibc/check-test-wrapper
+++ b/meta/recipes-core/glibc/glibc/check-test-wrapper
@@ -58,7 +58,7 @@ elif targettype == "ssh":
user = os.environ.get("SSH_HOST_USER", None)
port = os.environ.get("SSH_HOST_PORT", None)
- command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no"]
+ command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "LogLevel=quiet"]
if port:
command += ["-p", str(port)]
if not host:
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [OE-core][dunfell 10/14] selftest/cases/glibc.py: increase the memory for testing
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (8 preceding siblings ...)
2023-09-12 13:53 ` [OE-core][dunfell 09/14] glibc/check-test-wrapper: don't emit warnings from ssh Steve Sakoman
@ 2023-09-12 13:53 ` Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 11/14] oeqa/utils/nfs: allow requesting non-udp ports Steve Sakoman
` (3 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
Some of the tests trigger OOM and fail. Increase the amount of memory
available so we dont run into these issues.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4d22dba482cb19ffcff5abee73f24526ea9d1c2a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/selftest/cases/glibc.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/lib/oeqa/selftest/cases/glibc.py b/meta/lib/oeqa/selftest/cases/glibc.py
index cf8c92887b..f2ed822bf3 100644
--- a/meta/lib/oeqa/selftest/cases/glibc.py
+++ b/meta/lib/oeqa/selftest/cases/glibc.py
@@ -61,7 +61,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
bitbake("core-image-minimal")
# start runqemu
- qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams = "nographic"))
+ qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams = "nographic", qemuparams = "-m 1024"))
# validate that SSH is working
status, _ = qemu.run("uname")
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [OE-core][dunfell 11/14] oeqa/utils/nfs: allow requesting non-udp ports
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (9 preceding siblings ...)
2023-09-12 13:53 ` [OE-core][dunfell 10/14] selftest/cases/glibc.py: increase the memory for testing Steve Sakoman
@ 2023-09-12 13:53 ` Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 12/14] selftest/cases/glibc.py: switch to using NFS over TCP Steve Sakoman
` (2 subsequent siblings)
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
Allows setting up NFS over TCP as well.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e1ff9b9a3b7f7924aea67d2024581bea2e916036)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/utils/nfs.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/lib/oeqa/utils/nfs.py b/meta/lib/oeqa/utils/nfs.py
index a37686c914..c9bac050a4 100644
--- a/meta/lib/oeqa/utils/nfs.py
+++ b/meta/lib/oeqa/utils/nfs.py
@@ -8,7 +8,7 @@ from oeqa.utils.commands import bitbake, get_bb_var, Command
from oeqa.utils.network import get_free_port
@contextlib.contextmanager
-def unfs_server(directory, logger = None):
+def unfs_server(directory, logger = None, udp = True):
unfs_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "unfs3-native")
if not os.path.exists(os.path.join(unfs_sysroot, "usr", "bin", "unfsd")):
# build native tool
@@ -22,7 +22,7 @@ def unfs_server(directory, logger = None):
exports.write("{0} (rw,no_root_squash,no_all_squash,insecure)\n".format(directory).encode())
# find some ports for the server
- nfsport, mountport = get_free_port(udp = True), get_free_port(udp = True)
+ nfsport, mountport = get_free_port(udp), get_free_port(udp)
nenv = dict(os.environ)
nenv['PATH'] = "{0}/sbin:{0}/usr/sbin:{0}/usr/bin:".format(unfs_sysroot) + nenv.get('PATH', '')
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [OE-core][dunfell 12/14] selftest/cases/glibc.py: switch to using NFS over TCP
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (10 preceding siblings ...)
2023-09-12 13:53 ` [OE-core][dunfell 11/14] oeqa/utils/nfs: allow requesting non-udp ports Steve Sakoman
@ 2023-09-12 13:53 ` Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 13/14] oeqa/target/ssh: Ensure EAGAIN doesn't truncate output Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 14/14] oeqa/runtime/ltp: Increase ltp test output timeout Steve Sakoman
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
This provides a more reliable test execution when running tests that
write a large buffer/file and significantly reduces the localedata test
failures.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 97a7612e3959bc9c75116a4e696f47cc31aea75d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/selftest/cases/glibc.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/lib/oeqa/selftest/cases/glibc.py b/meta/lib/oeqa/selftest/cases/glibc.py
index f2ed822bf3..c1f6e4c1fb 100644
--- a/meta/lib/oeqa/selftest/cases/glibc.py
+++ b/meta/lib/oeqa/selftest/cases/glibc.py
@@ -41,7 +41,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
with contextlib.ExitStack() as s:
# use the base work dir, as the nfs mount, since the recipe directory may not exist
tmpdir = get_bb_var("BASE_WORKDIR")
- nfsport, mountport = s.enter_context(unfs_server(tmpdir))
+ nfsport, mountport = s.enter_context(unfs_server(tmpdir, udp = False))
# build core-image-minimal with required packages
default_installed_packages = [
@@ -70,7 +70,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
# setup nfs mount
if qemu.run("mkdir -p \"{0}\"".format(tmpdir))[0] != 0:
raise Exception("Failed to setup NFS mount directory on target")
- mountcmd = "mount -o noac,nfsvers=3,port={0},udp,mountport={1} \"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir)
+ mountcmd = "mount -o noac,nfsvers=3,port={0},mountport={1} \"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir)
status, output = qemu.run(mountcmd)
if status != 0:
raise Exception("Failed to setup NFS mount on target ({})".format(repr(output)))
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [OE-core][dunfell 13/14] oeqa/target/ssh: Ensure EAGAIN doesn't truncate output
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (11 preceding siblings ...)
2023-09-12 13:53 ` [OE-core][dunfell 12/14] selftest/cases/glibc.py: switch to using NFS over TCP Steve Sakoman
@ 2023-09-12 13:53 ` Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 14/14] oeqa/runtime/ltp: Increase ltp test output timeout Steve Sakoman
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
We have a suspicion that the read() call may return EAGAIN on the non-blocking
fd and this may truncate test output leading to some of our intermittent failures.
Tweak the code to avoid this potential issue.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a8920c105725431e989cceb616bd04eaa52127ec)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/core/target/ssh.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/lib/oeqa/core/target/ssh.py b/meta/lib/oeqa/core/target/ssh.py
index af4a67f266..832b6216f6 100644
--- a/meta/lib/oeqa/core/target/ssh.py
+++ b/meta/lib/oeqa/core/target/ssh.py
@@ -226,6 +226,9 @@ def SSHCall(command, logger, timeout=None, **opts):
endtime = time.time() + timeout
except InterruptedError:
continue
+ except BlockingIOError:
+ logger.debug('BlockingIOError')
+ continue
# process hasn't returned yet
if not eof:
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [OE-core][dunfell 14/14] oeqa/runtime/ltp: Increase ltp test output timeout
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
` (12 preceding siblings ...)
2023-09-12 13:53 ` [OE-core][dunfell 13/14] oeqa/target/ssh: Ensure EAGAIN doesn't truncate output Steve Sakoman
@ 2023-09-12 13:53 ` Steve Sakoman
13 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
On our slower arm server, the tests currently timeout leading to inconsistent test
results. Increase the timeout to avoid this and aim to make the test results
consistent.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9a8b49208f3c99e184eab426360b137bc773aa31)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/runtime/cases/ltp.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/lib/oeqa/runtime/cases/ltp.py b/meta/lib/oeqa/runtime/cases/ltp.py
index a66d5d13d7..879f2a673c 100644
--- a/meta/lib/oeqa/runtime/cases/ltp.py
+++ b/meta/lib/oeqa/runtime/cases/ltp.py
@@ -67,7 +67,7 @@ class LtpTest(LtpTestBase):
def runltp(self, ltp_group):
cmd = '/opt/ltp/runltp -f %s -p -q -r /opt/ltp -l /opt/ltp/results/%s -I 1 -d /opt/ltp' % (ltp_group, ltp_group)
starttime = time.time()
- (status, output) = self.target.run(cmd)
+ (status, output) = self.target.run(cmd, timeout=1200)
endtime = time.time()
with open(os.path.join(self.ltptest_log_dir, "%s-raw.log" % ltp_group), 'w') as f:
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [OE-core][dunfell 00/14] Patch review
@ 2023-08-25 2:47 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-08-25 2:47 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Satuday, August 26.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5779
The following changes since commit b70a8333a7467162b9d148b99f5970c0af2a531f:
kernel: skip installing fitImage when using Initramfs bundles (2023-08-12 05:38:11 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Ashish Sharma (1):
curl: Backport fix CVE-2023-32001
BELOUARGA Mohamed (1):
linux-firmware : Add firmware of RTL8822 serie
Chee Yang Lee (1):
tiff: CVE-2022-3599.patch also fix CVE-2022-4645 CVE-2023-30774
Dmitry Baryshkov (2):
linux-firmware: package firmare for Dragonboard 410c
linux-firmware: split platform-specific Adreno shaders to separate
packages
Jasper Orschulko (1):
cve_check: Fix cpe_id generation
Kai Kang (1):
grub2.inc: remove '-O2' from CFLAGS
Michael Halstead (2):
yocto-uninative: Update hashes for uninative 4.1
yocto-uninative: Update to 4.2 for glibc 2.38
Ross Burton (1):
oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case
Trevor Gamblin (1):
linux-firmware: upgrade 20230515 -> 20230625
Vijay Anusuri (1):
elfutils: Backport fix for CVE-2021-33294
Wang Mingyu (1):
libnss-nis: upgrade 3.1 -> 3.2
Yoann Congal (1):
recipetool: Fix inherit in created -native* recipes
meta/conf/distro/include/yocto-uninative.inc | 10 +--
meta/lib/oe/cve_check.py | 2 +-
meta/lib/oeqa/runtime/cases/rpm.py | 4 +-
meta/recipes-bsp/grub/grub2.inc | 2 +
.../elfutils/elfutils_0.178.bb | 1 +
.../elfutils/files/CVE-2021-33294.patch | 72 +++++++++++++++++++
.../recipes-extended/libnss-nis/libnss-nis.bb | 4 +-
...20230515.bb => linux-firmware_20230625.bb} | 37 +++++++---
.../libtiff/files/CVE-2022-3599.patch | 2 +-
.../curl/curl/CVE-2023-32001.patch | 38 ++++++++++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
scripts/lib/recipetool/create.py | 4 ++
12 files changed, 158 insertions(+), 19 deletions(-)
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2021-33294.patch
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230515.bb => linux-firmware_20230625.bb} (96%)
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-32001.patch
--
2.34.1
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [OE-core][dunfell 00/14] Patch review
2023-06-22 15:31 Steve Sakoman
@ 2023-08-02 12:05 ` Marta Rybczynska
0 siblings, 0 replies; 30+ messages in thread
From: Marta Rybczynska @ 2023-08-02 12:05 UTC (permalink / raw)
To: Steve Sakoman; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 2867 bytes --]
On Thu, Jun 22, 2023 at 5:31 PM Steve Sakoman <steve@sakoman.com> wrote:
> Please review this set of changes for dunfell and have comments back by
> end of day Monday.
>
> Passed a-full on autobuilder:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5493
>
> The following changes since commit
> 77f6fbfa18b4ad77c3756cfdc45d441a20210781:
>
> build-appliance-image: Update to dunfell head revision (2023-06-17
> 09:47:49 -1000)
>
> are available in the Git repository at:
>
> https://git.openembedded.org/openembedded-core-contrib
> stable/dunfell-nut
>
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
>
> Abdellatif El Khlifi (1):
> kernel-fitimage: adding support for Initramfs bundle and u-boot script
>
> Andrej Valek (1):
> kernel-fitimage: use correct kernel image
>
> Hitendra Prajapati (1):
> openssl: CVE-2023-2650 Possible DoS translating ASN.1 object
> identifiers
>
> Ian Ray (1):
> systemd-systemctl: support instance expansion in WantedBy
>
> Jan Vermaete (1):
> cve-update-nvd2-native: added the missing http import
>
> Marta Rybczynska (1):
> cve-update-nvd2-native: new CVE database fetcher
>
> Martin Siegumfeldt (1):
> systemd-systemctl: fix instance template WantedBy symlink construction
>
> Michael Halstead (4):
> uninative: Upgrade to 3.8.1 to include libgcc
> uninative: Upgrade to 3.9 to include glibc 2.37
> uninative: Upgrade to 3.10 to support gcc 13
> uninative: Upgrade to 4.0 to include latest gcc 13.1.1
>
> Richard Purdie (1):
> uninative: Ensure uninative is enabled in all cases for BuildStarted
> event
>
> Sanjay Chitroda (1):
> cups: Fix CVE-2023-32324
>
> Steve Sakoman (1):
> uninative.bbclass: handle read only files outside of patchelf
>
> meta/classes/cve-check.bbclass | 4 +-
> meta/classes/kernel-fitimage.bbclass | 142 ++++++--
> meta/classes/uninative.bbclass | 4 +
> meta/conf/distro/include/yocto-uninative.inc | 10 +-
> .../openssl/openssl/CVE-2023-2650.patch | 122 +++++++
> .../openssl/openssl_1.1.1t.bb | 1 +
> .../meta/cve-update-nvd2-native.bb | 334 ++++++++++++++++++
> .../systemd/systemd-systemctl/systemctl | 8 +-
> meta/recipes-extended/cups/cups.inc | 1 +
> .../cups/cups/CVE-2023-32324.patch | 36 ++
> 10 files changed, 629 insertions(+), 33 deletions(-)
> create mode 100644
> meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch
> create mode 100644 meta/recipes-core/meta/cve-update-nvd2-native.bb
> create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32324.patch
>
>
Tested this version for the CVE fetcher backport to dunfell, no unexpected
issues seen.
Kind regards,
Marta
[-- Attachment #2: Type: text/html, Size: 4051 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* [OE-core][dunfell 00/14] Patch review
@ 2023-06-22 15:31 Steve Sakoman
2023-08-02 12:05 ` Marta Rybczynska
0 siblings, 1 reply; 30+ messages in thread
From: Steve Sakoman @ 2023-06-22 15:31 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5493
The following changes since commit 77f6fbfa18b4ad77c3756cfdc45d441a20210781:
build-appliance-image: Update to dunfell head revision (2023-06-17 09:47:49 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Abdellatif El Khlifi (1):
kernel-fitimage: adding support for Initramfs bundle and u-boot script
Andrej Valek (1):
kernel-fitimage: use correct kernel image
Hitendra Prajapati (1):
openssl: CVE-2023-2650 Possible DoS translating ASN.1 object
identifiers
Ian Ray (1):
systemd-systemctl: support instance expansion in WantedBy
Jan Vermaete (1):
cve-update-nvd2-native: added the missing http import
Marta Rybczynska (1):
cve-update-nvd2-native: new CVE database fetcher
Martin Siegumfeldt (1):
systemd-systemctl: fix instance template WantedBy symlink construction
Michael Halstead (4):
uninative: Upgrade to 3.8.1 to include libgcc
uninative: Upgrade to 3.9 to include glibc 2.37
uninative: Upgrade to 3.10 to support gcc 13
uninative: Upgrade to 4.0 to include latest gcc 13.1.1
Richard Purdie (1):
uninative: Ensure uninative is enabled in all cases for BuildStarted
event
Sanjay Chitroda (1):
cups: Fix CVE-2023-32324
Steve Sakoman (1):
uninative.bbclass: handle read only files outside of patchelf
meta/classes/cve-check.bbclass | 4 +-
meta/classes/kernel-fitimage.bbclass | 142 ++++++--
meta/classes/uninative.bbclass | 4 +
meta/conf/distro/include/yocto-uninative.inc | 10 +-
.../openssl/openssl/CVE-2023-2650.patch | 122 +++++++
.../openssl/openssl_1.1.1t.bb | 1 +
.../meta/cve-update-nvd2-native.bb | 334 ++++++++++++++++++
.../systemd/systemd-systemctl/systemctl | 8 +-
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2023-32324.patch | 36 ++
10 files changed, 629 insertions(+), 33 deletions(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch
create mode 100644 meta/recipes-core/meta/cve-update-nvd2-native.bb
create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32324.patch
--
2.34.1
^ permalink raw reply [flat|nested] 30+ messages in thread
* [OE-core][dunfell 00/14] Patch review
@ 2023-03-21 14:20 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2023-03-21 14:20 UTC (permalink / raw)
To: openembedded-core
Please review these patches for dunfell and have comments back by
end of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5073
The following changes since commit efb1a73a13907bed3acac8e06053aef3e2ef57f5:
build-appliance-image: Update to dunfell head revision (2023-03-15 23:09:39 +0000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alban Bedel (1):
systemd: Fix systemd when used with busybox less
Andrej Valek (1):
libarchive: fix CVE-2022-26280
Chee Yang Lee (2):
ghostscript: add CVE tag for
check-stack-limits-after-function-evalution.patch
libksba: fix CVE-2022-3515
Hitendra Prajapati (1):
QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can
lead to out-of-bounds read
Kenfe-Mickael Laventure (3):
buildtools-tarball: Handle spaces within user $PATH
toolchain-scripts: Handle spaces within user $PATH
populate_sdk_ext: Handle spaces within user $PATH
Richard Purdie (4):
staging: Separate out different multiconfig manifests
staging/multilib: Fix manifest corruption
glibc: Add missing binutils dependency
base-files: Drop localhost.localdomain from hosts file
Ross Burton (2):
vim: upgrade to 9.0.1403
vim: set modified-by to the recipe MAINTAINER
meta/classes/multilib.bbclass | 1 +
meta/classes/populate_sdk_ext.bbclass | 2 +-
meta/classes/staging.bbclass | 4 +
meta/classes/toolchain-scripts.bbclass | 2 +-
meta/recipes-core/base-files/base-files/hosts | 2 +-
meta/recipes-core/glibc/glibc.inc | 4 +-
meta/recipes-core/meta/buildtools-tarball.bb | 2 +-
.../systemd/systemd/systemd-pager.sh | 7 ++
meta/recipes-core/systemd/systemd_244.5.bb | 5 +
meta/recipes-devtools/qemu/qemu.inc | 9 +-
.../qemu/qemu/CVE-2022-4144.patch | 103 ++++++++++++++++++
...tack-limits-after-function-evalution.patch | 2 +-
.../libarchive/CVE-2022-26280.patch | 29 +++++
.../libarchive/libarchive_3.4.2.bb | 1 +
.../libksba/libksba/CVE-2022-3515.patch | 47 ++++++++
meta/recipes-support/libksba/libksba_1.3.5.bb | 1 +
meta/recipes-support/vim/vim.inc | 8 +-
17 files changed, 215 insertions(+), 14 deletions(-)
create mode 100644 meta/recipes-core/systemd/systemd/systemd-pager.sh
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch
create mode 100644 meta/recipes-support/libksba/libksba/CVE-2022-3515.patch
--
2.34.1
^ permalink raw reply [flat|nested] 30+ messages in thread
* [OE-core][dunfell 00/14] Patch review
@ 2022-08-29 21:02 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2022-08-29 21:02 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by end
of day Wednesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4151
The following changes since commit a3cba15142e98177119ef36c09f553d09acf35ef:
build-appliance-image: Update to dunfell head revision (2022-08-22 16:07:02 +0100)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alexander Kanavin (3):
mobile-broadband-provider-info: upgrade 20220511 -> 20220725
tzdata: upgrade 2022a -> 2022b
wireless-regdb: upgrade 2022.06.06 -> 2022.08.12
Anuj Mittal (1):
cryptodev-module: fix build with 5.11+ kernels
Bruce Ashfield (1):
linux-yocto/5.4: update to v5.4.210
Ernst Sjöstrand (1):
cve-check: Don't use f-strings
Hitendra Prajapati (5):
libtiff: CVE-2022-34526 A stack overflow was discovered
golang: fix CVE-2022-30629 and CVE-2022-30631
golang: fix CVE-2022-30632 and CVE-2022-30633
golang: fix CVE-2022-30635 and CVE-2022-32148
golang: CVE-2022-32189 a denial of service
Paul Eggleton (1):
relocate_sdk.py: ensure interpreter size error causes relocation to
fail
Pawan Badganchi (1):
libxml2: Add fix for CVE-2016-3709
Richard Purdie (1):
vim: Upgrade 9.0.0115 -> 9.0.0242
meta/lib/oe/cve_check.py | 2 +-
.../mobile-broadband-provider-info_git.bb | 4 +-
.../libxml/libxml2/CVE-2016-3709.patch | 89 ++++++++++++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
meta/recipes-devtools/go/go-1.14.inc | 7 +
.../go/go-1.14/CVE-2022-30629.patch | 47 +++++++
.../go/go-1.14/CVE-2022-30631.patch | 116 ++++++++++++++++
.../go/go-1.14/CVE-2022-30632.patch | 71 ++++++++++
.../go/go-1.14/CVE-2022-30633.patch | 131 ++++++++++++++++++
.../go/go-1.14/CVE-2022-30635.patch | 120 ++++++++++++++++
.../go/go-1.14/CVE-2022-32148.patch | 49 +++++++
.../go/go-1.14/CVE-2022-32189.patch | 113 +++++++++++++++
meta/recipes-extended/timezone/timezone.inc | 6 +-
.../cryptodev/cryptodev-module_1.10.bb | 1 +
.../files/fix-build-for-Linux-5.11-rc1.patch | 32 +++++
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +--
....06.06.bb => wireless-regdb_2022.08.12.bb} | 2 +-
.../libtiff/files/CVE-2022-34526.patch | 29 ++++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 +
meta/recipes-support/vim/vim.inc | 4 +-
scripts/relocate_sdk.py | 10 +-
23 files changed, 842 insertions(+), 29 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch
create mode 100644 meta/recipes-kernel/cryptodev/files/fix-build-for-Linux-5.11-rc1.patch
rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2022.06.06.bb => wireless-regdb_2022.08.12.bb} (94%)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch
--
2.25.1
^ permalink raw reply [flat|nested] 30+ messages in thread
* [OE-core][dunfell 00/14] Patch review
@ 2022-07-07 21:59 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2022-07-07 21:59 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3880
The following changes since commit b75caf4a985e3c20996531785125eaffdc832104:
insane.bbclass: host-user-contaminated: Correct per package home path (2022-06-29 05:15:49 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Anuj Mittal (1):
efivar: change branch name to main
Bruce Ashfield (2):
linux-yocto/5.4: update to v5.4.199
linux-yocto/5.4: update to v5.4.203
Jate Sujjavanich (1):
IMAGE_LOCALES_ARCHIVE: add option to prevent locale archive creation
Ranjitsinh Rathod (1):
openssl: Minor security upgrade 1.1.1o to 1.1.1p
Richard Purdie (5):
cve-extra-exclusions: Clean up and ignore three CVEs (2xqemu and nasm)
vim: 8.2.5083 -> 9.0.0005
oeqa/runtime/scp: Disable scp test for dropbear
packagegroup-core-ssh-dropbear: Add openssh-sftp-server recommendation
oe-selftest-image: Ensure the image has sftp as well as dropbear
Ross Burton (1):
cve-check: hook cleanup to the BuildCompleted event, not CookerExit
Steve Sakoman (3):
openssh: break dependency on base package for -dev package
dropbear: break dependency on base package for -dev package
qemu: add PACKAGECONFIG for capstone
.../recipes-test/images/oe-selftest-image.bb | 2 +-
meta/classes/cve-check.bbclass | 2 +-
meta/classes/image.bbclass | 5 +-
.../distro/include/cve-extra-exclusions.inc | 31 ++-
meta/lib/oe/package_manager.py | 13 +-
meta/lib/oeqa/runtime/cases/scp.py | 2 +-
meta/recipes-bsp/efivar/efivar_37.bb | 2 +-
.../openssh/openssh_8.2p1.bb | 5 +
...5d82489b3ec09ccc772dfcee14fef0e8e908.patch | 192 ------------------
...611887cfac633aacc052b2e71a7f195418b8.patch | 29 ---
.../{openssl_1.1.1o.bb => openssl_1.1.1p.bb} | 4 +-
meta/recipes-core/dropbear/dropbear.inc | 5 +
.../packagegroup-core-ssh-dropbear.bb | 1 +
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
.../vim/{vim-tiny_8.2.bb => vim-tiny_9.0.bb} | 0
meta/recipes-support/vim/vim.inc | 6 +-
.../vim/{vim_8.2.bb => vim_9.0.bb} | 0
20 files changed, 64 insertions(+), 272 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssl/openssl/73db5d82489b3ec09ccc772dfcee14fef0e8e908.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/b7ce611887cfac633aacc052b2e71a7f195418b8.patch
rename meta/recipes-connectivity/openssl/{openssl_1.1.1o.bb => openssl_1.1.1p.bb} (97%)
rename meta/recipes-support/vim/{vim-tiny_8.2.bb => vim-tiny_9.0.bb} (100%)
rename meta/recipes-support/vim/{vim_8.2.bb => vim_9.0.bb} (100%)
--
2.25.1
^ permalink raw reply [flat|nested] 30+ messages in thread
* [OE-core][dunfell 00/14] Patch review
@ 2022-06-08 14:46 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2022-06-08 14:46 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Friday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3760
The following changes since commit 4051d1a3aa5f70da96c381f9dea5f52cd9306939:
openssl: Backport fix for ptest cert expiry (2022-06-07 11:33:46 +0100)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Bruce Ashfield (1):
linux-yocto/5.4: update to v5.4.196
Hitendra Prajapati (2):
e2fsprogs: CVE-2022-1304 out-of-bounds read/write via crafted
filesystem
pcre2: CVE-2022-1587 Out-of-bounds read
Marta Rybczynska (4):
cve-check: move update_symlinks to a library
cve-check: write empty fragment files in the text mode
cve-check: add coverage statistics on recipes with/without CVEs
cve-update-db-native: make it possible to disable database updates
Richard Purdie (1):
libxslt: Mark CVE-2022-29824 as not applying
Robert Joslyn (2):
curl: Backport CVE fixes
curl: Fix CVE_CHECK_WHITELIST typo
Steve Sakoman (3):
Revert "openssl: Backport fix for ptest cert expiry"
openssl: backport fix for ptest certificate expiration
openssl: update the epoch time for ct_test ptest
omkar patil (1):
libxslt: Fix CVE-2021-30560
meta/classes/cve-check.bbclass | 86 ++-
meta/lib/oe/cve_check.py | 10 +
...5d82489b3ec09ccc772dfcee14fef0e8e908.patch | 192 +++++
...ea88c3888cc5cb3ebc94ffcef706c68bc1d2.patch | 55 --
...611887cfac633aacc052b2e71a7f195418b8.patch | 29 +
.../openssl/openssl_1.1.1o.bb | 3 +-
.../recipes-core/meta/cve-update-db-native.bb | 6 +-
.../e2fsprogs/e2fsprogs/CVE-2022-1304.patch | 42 ++
.../e2fsprogs/e2fsprogs_1.45.7.bb | 1 +
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
.../curl/curl/CVE-2022-27774-1.patch | 45 ++
.../curl/curl/CVE-2022-27774-2.patch | 80 +++
.../curl/curl/CVE-2022-27774-3.patch | 83 +++
.../curl/curl/CVE-2022-27774-4.patch | 35 +
.../curl/curl/CVE-2022-27781.patch | 46 ++
.../curl/curl/CVE-2022-27782-1.patch | 363 ++++++++++
.../curl/curl/CVE-2022-27782-2.patch | 71 ++
meta/recipes-support/curl/curl_7.69.1.bb | 9 +-
.../libpcre/libpcre2/CVE-2022-1587.patch | 660 ++++++++++++++++++
.../recipes-support/libpcre/libpcre2_10.34.bb | 1 +
.../libxslt/libxslt/CVE-2021-30560.patch | 201 ++++++
.../recipes-support/libxslt/libxslt_1.1.34.bb | 5 +
24 files changed, 1949 insertions(+), 110 deletions(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/73db5d82489b3ec09ccc772dfcee14fef0e8e908.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/770aea88c3888cc5cb3ebc94ffcef706c68bc1d2.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/b7ce611887cfac633aacc052b2e71a7f195418b8.patch
create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27781.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch
create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch
--
2.25.1
^ permalink raw reply [flat|nested] 30+ messages in thread
* [OE-core][dunfell 00/14] Patch review
@ 2022-05-11 18:19 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2022-05-11 18:19 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Friday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3648
with the exception of the newly added meta-virt test (which has never
worked with dunfell)
The following changes since commit 7c0345ab1058a7e29d37f110923ecd368e102ed7:
uninative: Upgrade to 3.6 with gcc 12 support (2022-05-09 11:51:55 +0100)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Bruce Ashfield (1):
linux-yocto/5.4: update to v5.4.192
Davide Gardenal (3):
cve-check: add JSON format to summary output
cve-check: fix symlinks where link and output path are equal
rootfs-postcommands: fix symlinks where link and output path are equal
Marta Rybczynska (2):
cve-update-db-native: update the CVE database once a day only
cve-update-db-native: let the user to drive the update interval
Pawan Badganchi (2):
fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
libinput: Add fix for CVE-2022-1215
Portia (1):
volatile-binds: Change DefaultDependencies from false to no
Richard Purdie (3):
base: Avoid circular references to our own scripts
scripts: Make git intercept global
scripts/git: Ensure we don't have circular references
Ross Burton (1):
cve-check: no need to depend on the fetch task
Steve Sakoman (1):
busybox: fix CVE-2022-28391
meta/classes/base.bbclass | 4 +
meta/classes/cve-check.bbclass | 72 ++--
meta/classes/rootfs-postcommands.bbclass | 14 +-
...tr-ensure-only-printable-characters-.patch | 38 ++
...e-all-printed-strings-with-printable.patch | 64 ++++
meta/recipes-core/busybox/busybox_1.31.1.bb | 2 +
.../recipes-core/meta/cve-update-db-native.bb | 13 +-
.../files/volatile-binds.service.in | 2 +-
.../wayland/libinput/CVE-2022-1215.patch | 360 ++++++++++++++++++
.../wayland/libinput_1.15.2.bb | 1 +
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
.../fribidi/fribidi/CVE-2022-25308.patch | 50 +++
.../fribidi/fribidi/CVE-2022-25309.patch | 31 ++
.../fribidi/fribidi/CVE-2022-25310.patch | 30 ++
meta/recipes-support/fribidi/fribidi_1.0.9.bb | 3 +
scripts/{git-intercept => }/git | 9 +-
18 files changed, 674 insertions(+), 55 deletions(-)
create mode 100644 meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
create mode 100644 meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
create mode 100644 meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch
create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
rename scripts/{git-intercept => }/git (52%)
--
2.25.1
^ permalink raw reply [flat|nested] 30+ messages in thread
* [OE-core][dunfell 00/14] Patch review
@ 2021-12-22 14:12 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2021-12-22 14:12 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3047
with the exception of a known intermittent autobuilder issue on oe-selftest-centos
which passed on subsequent retest:
https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/2977
The following changes since commit 90a07178ea26be453d101c2e8b33d3a0f437635d:
build-appliance-image: Update to dunfell head revision (2021-12-14 22:49:32 +0000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Anuj Mittal (1):
gstreamer1.0: fix failing ptest
Bruce Ashfield (5):
linux-yocto/5.4: update to v5.4.159
linux-yocto/5.4: update to v5.4.162
linux-yocto/5.4: update to v5.4.163
linux-yocto/5.4: update to v5.4.165
linux-yocto/5.4: update to v5.4.167
Ernst Sjöstrand (1):
dropbear: Fix CVE-2020-36254
Marta Rybczynska (1):
bluez: fix CVE-2021-0129
Mingli Yu (1):
bootchart2: remove wait_boot logic
Minjae Kim (2):
vim: fix CVE-2021-4069
inetutils: fix CVE-2021-40491
Steve Sakoman (1):
selftest: skip virgl test on fedora 34 entirely
sana kazi (2):
openssh: Fix CVE-2021-41617
openssh: Whitelist CVE-2016-20012
meta/lib/oeqa/selftest/cases/runtime_test.py | 2 +
meta/recipes-connectivity/bluez5/bluez5.inc | 1 +
.../bluez5/bluez5/CVE-2021-0129.patch | 109 ++++++++++++++++++
.../inetutils/inetutils/CVE-2021-40491.patch | 67 +++++++++++
.../inetutils/inetutils_1.9.4.bb | 1 +
.../openssh/openssh/CVE-2021-41617.patch | 52 +++++++++
.../openssh/openssh_8.2p1.bb | 10 ++
meta/recipes-core/dropbear/dropbear.inc | 4 +-
.../dropbear/dropbear/CVE-2020-36254.patch | 29 +++++
...ake-sure-only-one-bootchartd-process.patch | 68 +++++++++++
.../bootchart2/bootchart2_0.14.9.bb | 1 +
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 ++--
...-use-too-strict-timeout-for-validati.patch | 33 ++++++
.../gstreamer/gstreamer1.0_1.16.3.bb | 1 +
.../vim/files/CVE-2021-4069.patch | 43 +++++++
meta/recipes-support/vim/vim.inc | 1 +
18 files changed, 439 insertions(+), 19 deletions(-)
create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch
create mode 100644 meta/recipes-devtools/bootchart2/bootchart2/0001-bootchartd.in-make-sure-only-one-bootchartd-process.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch
create mode 100644 meta/recipes-support/vim/files/CVE-2021-4069.patch
--
2.25.1
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [OE-core][dunfell 00/14] Patch review
[not found] <16B6626DB9B02798.14836@lists.openembedded.org>
@ 2021-11-11 14:16 ` Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2021-11-11 14:16 UTC (permalink / raw)
To: steve; +Cc: openembedded-core
On Wed, Nov 10, 2021 at 6:08 PM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> Please review this set of patches for dunfell and have comments back by end
> of day Friday.
I forgot to add:
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2910
>
> The following changes since commit 38fc0807eea14dc12610da4ba73c082d5a4b0744:
>
> meta/scripts: Manual git url branch additions (2021-11-03 08:43:53 -1000)
>
> are available in the Git repository at:
>
> git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
>
> Jose Quaresma (1):
> sstate: another fix for touching files inside pseudo
>
> Joshua Watt (1):
> oeqa: reproducible: Fix test not producing diffs
>
> Khem Raj (1):
> webkitgtk: Fix reproducibility in minibrowser
>
> Marek Vasut (1):
> piglit: upgrade to latest revision
>
> Mark Hatle (1):
> reproducible_build: Remove BUILD_REPRODUCIBLE_BINARIES checking
>
> Mingli Yu (1):
> python3-magic: add the missing rdepends
>
> Richard Purdie (6):
> linunistring: Add missing gperf-native dependency
> pseudo: Add in ability to flush database with shutdown request
> pseudo: Add fcntl64 wrapper
> mirrors: Add uninative mirror on kernel.org
> sstate: Ensure SDE is accounted for in package task timestamps
> sstate: Avoid deploy_source_date_epoch sstate when unneeded
>
> Steve Sakoman (2):
> python3-magic: add missing DEPENDS
> selftest/reproducible: add webkitgtk back to exclusion list for
> dunfell
>
> meta/classes/mirrors.bbclass | 1 +
> meta/classes/reproducible_build.bbclass | 53 ++++++++++++-------
> meta/classes/sstate.bbclass | 34 +++++++++---
> .../oeqa/selftest/cases/diffoscope/A/file.txt | 1 +
> .../oeqa/selftest/cases/diffoscope/B/file.txt | 1 +
> meta/lib/oeqa/selftest/cases/reproducible.py | 29 +++++++++-
> meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
> .../python/python3-magic_0.4.15.bb | 7 ++-
> ...ssing-include-for-htobe32-definition.patch | 27 ++++++++++
> ...file.py-make-test-lists-reproducible.patch | 31 +++++++++++
> ...gen_tcs-tes_input_tests.py-do-not-ha.patch | 44 +++++++++++++++
> ...lizer.py-make-.gz-files-reproducible.patch | 30 +++++++++++
> ...sort-the-file-list-before-working-on.patch | 28 ++++++++++
> ...t-shader.c-do-not-hardcode-build-pat.patch | 30 +++++++++++
> meta/recipes-graphics/piglit/piglit_git.bb | 12 ++++-
> .../0001-MiniBrowser-Fix-reproduciblity.patch | 31 +++++++++++
> meta/recipes-sato/webkit/webkitgtk_2.28.4.bb | 1 +
> .../libunistring/libunistring_0.9.10.bb | 1 +
> 18 files changed, 333 insertions(+), 30 deletions(-)
> create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt
> create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt
> create mode 100644 meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch
> create mode 100644 meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch
> create mode 100644 meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch
> create mode 100644 meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch
> create mode 100644 meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch
> create mode 100644 meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch
> create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch
>
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#158132): https://lists.openembedded.org/g/openembedded-core/message/158132
> Mute This Topic: https://lists.openembedded.org/mt/86975084/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 30+ messages in thread
* [OE-core][dunfell 00/14] Patch review
@ 2021-11-11 4:08 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2021-11-11 4:08 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Friday.
The following changes since commit 38fc0807eea14dc12610da4ba73c082d5a4b0744:
meta/scripts: Manual git url branch additions (2021-11-03 08:43:53 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Jose Quaresma (1):
sstate: another fix for touching files inside pseudo
Joshua Watt (1):
oeqa: reproducible: Fix test not producing diffs
Khem Raj (1):
webkitgtk: Fix reproducibility in minibrowser
Marek Vasut (1):
piglit: upgrade to latest revision
Mark Hatle (1):
reproducible_build: Remove BUILD_REPRODUCIBLE_BINARIES checking
Mingli Yu (1):
python3-magic: add the missing rdepends
Richard Purdie (6):
linunistring: Add missing gperf-native dependency
pseudo: Add in ability to flush database with shutdown request
pseudo: Add fcntl64 wrapper
mirrors: Add uninative mirror on kernel.org
sstate: Ensure SDE is accounted for in package task timestamps
sstate: Avoid deploy_source_date_epoch sstate when unneeded
Steve Sakoman (2):
python3-magic: add missing DEPENDS
selftest/reproducible: add webkitgtk back to exclusion list for
dunfell
meta/classes/mirrors.bbclass | 1 +
meta/classes/reproducible_build.bbclass | 53 ++++++++++++-------
meta/classes/sstate.bbclass | 34 +++++++++---
.../oeqa/selftest/cases/diffoscope/A/file.txt | 1 +
.../oeqa/selftest/cases/diffoscope/B/file.txt | 1 +
meta/lib/oeqa/selftest/cases/reproducible.py | 29 +++++++++-
meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
.../python/python3-magic_0.4.15.bb | 7 ++-
...ssing-include-for-htobe32-definition.patch | 27 ++++++++++
...file.py-make-test-lists-reproducible.patch | 31 +++++++++++
...gen_tcs-tes_input_tests.py-do-not-ha.patch | 44 +++++++++++++++
...lizer.py-make-.gz-files-reproducible.patch | 30 +++++++++++
...sort-the-file-list-before-working-on.patch | 28 ++++++++++
...t-shader.c-do-not-hardcode-build-pat.patch | 30 +++++++++++
meta/recipes-graphics/piglit/piglit_git.bb | 12 ++++-
.../0001-MiniBrowser-Fix-reproduciblity.patch | 31 +++++++++++
meta/recipes-sato/webkit/webkitgtk_2.28.4.bb | 1 +
.../libunistring/libunistring_0.9.10.bb | 1 +
18 files changed, 333 insertions(+), 30 deletions(-)
create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt
create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt
create mode 100644 meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch
create mode 100644 meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch
create mode 100644 meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch
create mode 100644 meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch
create mode 100644 meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch
create mode 100644 meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch
create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch
--
2.25.1
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [OE-core] [dunfell 00/14] Patch review
2021-06-29 0:13 ` [dunfell " Minjae Kim
@ 2021-06-29 14:09 ` Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2021-06-29 14:09 UTC (permalink / raw)
To: Minjae Kim; +Cc: Patches and discussions about the oe-core layer
On Mon, Jun 28, 2021 at 2:13 PM Minjae Kim <flowergom@gmail.com> wrote:
> How about this patch? I already tested on qemux86-64.
> https://lists.openembedded.org/g/openembedded-core/message/153284
> Do I need more testing?
It will be in the next set of patches. I haven't seen any issues on
the autobuilder.
Steve
^ permalink raw reply [flat|nested] 30+ messages in thread
* [OE-core][dunfell 00/14] Patch review
@ 2021-06-28 15:05 Steve Sakoman
2021-06-29 0:13 ` [dunfell " Minjae Kim
0 siblings, 1 reply; 30+ messages in thread
From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back by
end of day Wednesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2291
The following changes since commit ac8181d9b9ad8360f7dba03aba8b00f008c6ebb4:
Revert "python3: fix CVE-2021-23336" (2021-06-19 13:11:58 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Jasper Orschulko (3):
expat: fix CVE-2013-0340
libxml2: Fix CVE-2021-3518
libx11: Fix CVE-2021-31535
Michael Halstead (1):
uninative: Upgrade to 3.2 (gcc11 support)
Tim Orling (10):
python3: upgrade 3.8.2 -> 3.8.3
python3: upgrade 3.8.3 -> 3.8.4
python3: upgrade 3.8.4 -> 3.8.5
python3: upgrade 3.8.5 -> 3.8.6
python3: upgrade 3.8.6 -> 3.8.7
python3: upgrade 3.8.7 -> 3.8.8
powertop: fix aclocal error too many loops
python3: upgrade 3.8.8 -> 3.8.9
python3: upgrade 3.8.9 -> 3.8.10
python3-ptest: add newly discovered missing rdeps
meta/conf/distro/include/yocto-uninative.inc | 8 +-
.../expat/expat/CVE-2013-0340.patch | 1758 +++++++++++++++++
.../expat/expat/libtool-tag.patch | 41 +-
meta/recipes-core/expat/expat_2.2.9.bb | 12 +-
.../libxml/libxml2/CVE-2021-3518.patch | 112 ++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
...20-8492-Fix-AbstractBasicAuthHandler.patch | 248 ---
...le.py-correct-the-test-output-format.patch | 24 +-
.../python/python3/CVE-2019-20907.patch | 44 -
.../python/python3/CVE-2020-14422.patch | 77 -
.../python/python3/CVE-2020-26116.patch | 104 -
.../python/python3/CVE-2020-27619.patch | 70 -
.../python/python3/CVE-2021-3177.patch | 191 --
.../{python3_3.8.2.bb => python3_3.8.10.bb} | 19 +-
.../xorg-lib/libx11/CVE-2021-31535.patch | 333 ++++
.../recipes-graphics/xorg-lib/libx11_1.6.9.bb | 1 +
...2-configure.ac-ax_add_fortify_source.patch | 70 +
...003-configure-Use-AX_REQUIRE_DEFINED.patch | 29 +
meta/recipes-kernel/powertop/powertop_2.10.bb | 8 +-
19 files changed, 2357 insertions(+), 793 deletions(-)
create mode 100644 meta/recipes-core/expat/expat/CVE-2013-0340.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
delete mode 100644 meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2019-20907.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-14422.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-26116.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-27619.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2021-3177.patch
rename meta/recipes-devtools/python/{python3_3.8.2.bb => python3_3.8.10.bb} (95%)
create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
create mode 100644 meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch
create mode 100644 meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch
--
2.25.1
^ permalink raw reply [flat|nested] 30+ messages in thread
* [OE-core][dunfell 00/14] Patch review
@ 2020-10-22 15:51 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2020-10-22 15:51 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back
by end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1501
The following changes since commit 3ee9590f96cb50e93864db768b254773e2ff9465:
uninative: Fix typo in error message (2020-10-19 04:27:15 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alexander Kanavin (1):
selftest/virgl: drop the custom 30 sec timeout
Changqing Li (1):
toolchain-shar-extract.sh: don't print useless info
Khem Raj (1):
packagegroup-core-tools-debug: Disable for rv32/glibc as well
Lee Chee Yang (3):
libproxy: fix CVE-2020-25219
python3: fix CVE-2020-26116
grub2: fix CVE-2020-10713
Martin Jansa (7):
arch-armv7a.inc: fix typo
arch-mips.inc: remove duplicated mips64el-o32 from
PACKAGE_EXTRA_ARCHS_tune-mips64el-o32
tune-mips64r6.inc: fix typo in mipsisa64r6-nf
tune-ep9312.inc: add t suffix for thumb to
PACKAGE_EXTRA_ARCHS_tune-ep9312
tune-riscv.inc: use nf suffix also for TUNE_PKGARCH
siteinfo: Recognize 32bit PPC LE
siteinfo: Recognize bigendian sh3be and sh4be
Victor Kamensky (1):
qemu: change TLBs number to 64 in 34Kf mips cpu model
meta-selftest/lib/oeqa/runtime/cases/virgl.py | 2 +-
meta/classes/siteinfo.bbclass | 5 +
meta/conf/machine/include/arm/arch-armv7a.inc | 2 +-
meta/conf/machine/include/mips/arch-mips.inc | 2 +-
.../conf/machine/include/riscv/tune-riscv.inc | 4 +-
meta/conf/machine/include/tune-ep9312.inc | 3 +-
meta/conf/machine/include/tune-mips64r6.inc | 2 +-
meta/files/toolchain-shar-extract.sh | 2 +-
.../grub/files/CVE-2020-10713.patch | 73 ++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
.../packagegroup-core-tools-debug.bb | 2 +-
.../python/python3/CVE-2020-26116.patch | 104 ++++++++++++++++++
meta/recipes-devtools/python/python3_3.8.2.bb | 1 +
meta/recipes-devtools/qemu/qemu.inc | 1 +
...ease-number-of-TLB-entries-on-the-34.patch | 59 ++++++++++
.../libproxy/libproxy/CVE-2020-25219.patch | 61 ++++++++++
.../libproxy/libproxy_0.4.15.bb | 1 +
17 files changed, 315 insertions(+), 10 deletions(-)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-10713.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2020-26116.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch
create mode 100644 meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch
--
2.17.1
^ permalink raw reply [flat|nested] 30+ messages in thread
* [OE-core][dunfell 00/14] Patch review
@ 2020-10-09 14:18 Steve Sakoman
0 siblings, 0 replies; 30+ messages in thread
From: Steve Sakoman @ 2020-10-09 14:18 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back
by end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1464
The following changes since commit 552739383321bd9b4780bd0026d6107ece530522:
perl: fix ptest test count (2020-10-05 04:29:40 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Bruce Ashfield (4):
linux-yocto/5.4: fix kprobes build warning
linux-yocto/5.4: update to v5.4.67
linux-yocto/5.4: update to v5.4.68
linux-yocto/5.4: update to v5.4.69
Joshua Watt (1):
classes/sanity: Bump minimum python version to 3.5
Marek Vasut (4):
lttng-modules: update to 2.11.6
lttng-tools: update to 2.11.5
lttng-ust: update to 2.11.1
stress-ng: Upgrade 0.11.01 -> 0.11.17
Richard Purdie (2):
glibc: do_stash_locale must not delete files from ${D}
libtools-cross/shadow-sysroot: Use nopackages inherit
Steve Sakoman (1):
Revert "lttng-modules: backport writeback.h changes from 2.12.x to fix
kernel 5.4.62+"
Victor Kamensky (2):
qemu: add 34Kf-64tlb fictitious cpu type
qemumips: use 34Kf-64tlb CPU emulation
meta/classes/sanity.bbclass | 4 +-
meta/conf/machine/qemumips.conf | 2 +-
meta/recipes-core/glibc/glibc-package.inc | 1 -
.../libtool/libtool-cross_2.4.6.bb | 2 +
meta/recipes-devtools/qemu/qemu.inc | 1 +
...tlb-fictitious-cpu-type-like-34Kf-bu.patch | 118 ++++++++++++++++
.../shadow/shadow-sysroot_4.6.bb | 2 +
...ownership-when-installing-example-jo.patch | 2 +-
...ess-ng_0.11.01.bb => stress-ng_0.11.17.bb} | 4 +-
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +--
...ckport-writeback.h-changes-from-2.12.patch | 128 ------------------
...ules_2.11.2.bb => lttng-modules_2.11.6.bb} | 11 +-
...-tools_2.11.2.bb => lttng-tools_2.11.5.bb} | 4 +-
...ttng-ust_2.11.1.bb => lttng-ust_2.11.2.bb} | 4 +-
16 files changed, 156 insertions(+), 163 deletions(-)
create mode 100644 meta/recipes-devtools/qemu/qemu/0001-mips-add-34Kf-64tlb-fictitious-cpu-type-like-34Kf-bu.patch
rename meta/recipes-extended/stress-ng/{stress-ng_0.11.01.bb => stress-ng_0.11.17.bb} (83%)
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-lttng-modules-backport-writeback.h-changes-from-2.12.patch
rename meta/recipes-kernel/lttng/{lttng-modules_2.11.2.bb => lttng-modules_2.11.6.bb} (81%)
rename meta/recipes-kernel/lttng/{lttng-tools_2.11.2.bb => lttng-tools_2.11.5.bb} (98%)
rename meta/recipes-kernel/lttng/{lttng-ust_2.11.1.bb => lttng-ust_2.11.2.bb} (93%)
--
2.17.1
^ permalink raw reply [flat|nested] 30+ messages in thread
end of thread, other threads:[~2023-09-12 13:54 UTC | newest]
Thread overview: 30+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 01/14] bind: Backport fix for CVE-2023-2828 Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 02/14] openssh: Securiry fix for CVE-2023-38408 Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 03/14] qemu: Backport fix CVE-2023-3180 Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 04/14] qemu: Backport fix for CVE-2023-0330 Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 05/14] rootfs-post: remove traling blanks from tasks Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 06/14] yocto-uninative: Update to 4.3 Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 07/14] resulttool/resultutils: allow index generation despite corrupt json Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 08/14] kernel: Fix path comparison in kernel staging dir symlinking Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 09/14] glibc/check-test-wrapper: don't emit warnings from ssh Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 10/14] selftest/cases/glibc.py: increase the memory for testing Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 11/14] oeqa/utils/nfs: allow requesting non-udp ports Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 12/14] selftest/cases/glibc.py: switch to using NFS over TCP Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 13/14] oeqa/target/ssh: Ensure EAGAIN doesn't truncate output Steve Sakoman
2023-09-12 13:53 ` [OE-core][dunfell 14/14] oeqa/runtime/ltp: Increase ltp test output timeout Steve Sakoman
-- strict thread matches above, loose matches on Subject: below --
2023-08-25 2:47 [OE-core][dunfell 00/14] Patch review Steve Sakoman
2023-06-22 15:31 Steve Sakoman
2023-08-02 12:05 ` Marta Rybczynska
2023-03-21 14:20 Steve Sakoman
2022-08-29 21:02 Steve Sakoman
2022-07-07 21:59 Steve Sakoman
2022-06-08 14:46 Steve Sakoman
2022-05-11 18:19 Steve Sakoman
2021-12-22 14:12 Steve Sakoman
[not found] <16B6626DB9B02798.14836@lists.openembedded.org>
2021-11-11 14:16 ` Steve Sakoman
2021-11-11 4:08 Steve Sakoman
2021-06-28 15:05 Steve Sakoman
2021-06-29 0:13 ` [dunfell " Minjae Kim
2021-06-29 14:09 ` [OE-core] " Steve Sakoman
2020-10-22 15:51 [OE-core][dunfell " Steve Sakoman
2020-10-09 14:18 Steve Sakoman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.