[ptxdist] [PATCH v2] procps: Version bump. 4.0.3 -> 4.0.4

2023-09-18 Thread Christian Melki
Minor release. Bugfixes and some minor enhancements.
https://gitlab.com/procps-ng/procps/-/releases/v4.0.4

Plugs CVE:
CVE-2023-4016 ps buffer overflow.

* Add patch to explicitly link w with the correct library.
Needed to build with systemd.

Signed-off-by: Christian Melki 
---
 ...1-build-sys-Add-systemd-elogind-to-w.patch | 42 +++
 patches/procps-ng-4.0.4/series|  4 ++
 rules/procps.make |  4 +-
 3 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 patches/procps-ng-4.0.4/0001-build-sys-Add-systemd-elogind-to-w.patch
 create mode 100644 patches/procps-ng-4.0.4/series

diff --git 
a/patches/procps-ng-4.0.4/0001-build-sys-Add-systemd-elogind-to-w.patch 
b/patches/procps-ng-4.0.4/0001-build-sys-Add-systemd-elogind-to-w.patch
new file mode 100644
index 0..6eb5de4e1
--- /dev/null
+++ b/patches/procps-ng-4.0.4/0001-build-sys-Add-systemd-elogind-to-w.patch
@@ -0,0 +1,42 @@
+From: Craig Small 
+Date: Thu, 31 Aug 2023 22:24:23 +1000
+Subject: [PATCH] build-sys: Add systemd/elogind to w
+
+Depending on the compiler flags, w needs to be explictly linked
+to libsystemd or elogind even though libproc2 is linked to it.
+
+Signed-off-by: Craig Small 
+---
+ Makefile.am | 7 +++
+ NEWS| 3 +++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index f70c8fb1eb49..ddfc0141d869 100644
+--- a/Makefile.am
 b/Makefile.am
+@@ -149,6 +149,13 @@ endif
+ 
+ dist_man_MANS += man/w.1
+ src_w_SOURCES = src/w.c local/fileutils.c
++src_w_LDADD = $(LDADD)
++if WITH_SYSTEMD
++src_w_LDADD += @SYSTEMD_LIBS@
++endif
++if WITH_ELOGIND
++src_w_LDADD += @ELOGIND_LIBS@
++endif
+ else
+   EXTRA_DIST += man/w.1
+ endif
+diff --git a/NEWS b/NEWS
+index 3f2158d40683..4ad9f74e8c2e 100644
+--- a/NEWS
 b/NEWS
+@@ -1,3 +1,6 @@
++procps-ng-NEXT
++---
++
+ procps-ng-4.0.4
+ ---
+   * library (API & ABI unchanged)
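Review bot: the header block of the embedded patch (From/Date/Subject at the top of the hunk) carries no upstream commit id or URL for this procps-ng backport, so whoever does the next version bump cannot tell at a glance whether the fix is already contained in the release; add a reference line (e.g. "commit <sha>" or the gitlab commit link) below the Subject. The trailing NEWS hunk is not needed for the ptxdist build and could be dropped when the patch is regenerated, although it is harmless.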
diff --git a/patches/procps-ng-4.0.4/series b/patches/procps-ng-4.0.4/series
new file mode 100644
index 0..fecb289bb
--- /dev/null
+++ b/patches/procps-ng-4.0.4/series
@@ -0,0 +1,4 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-build-sys-Add-systemd-elogind-to-w.patch
+# c14bc921db0bebb737d88875f00cb44f  - git-ptx-patches magic
diff --git a/rules/procps.make b/rules/procps.make
index 9ed658f70..40110d909 100644
--- a/rules/procps.make
+++ b/rules/procps.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_PROCPS) += procps
 #
 # Paths and names
 #
-PROCPS_VERSION := 4.0.3
-PROCPS_MD5 := 22b287bcd758831cbaf3356cd3054fe7
+PROCPS_VERSION := 4.0.4
+PROCPS_MD5 := 2f747fc7df8ccf402d03e375c565cf96
 PROCPS := procps-ng-$(PROCPS_VERSION)
 PROCPS_SUFFIX  := tar.xz
 PROCPS_URL := $(call ptx/mirror, SF, 
procps-ng/Production/$(PROCPS).$(PROCPS_SUFFIX))
-- 
2.34.1




Re: [ptxdist] [PATCH] RFC: ptxd_make_world: Extract CPE for packages

2023-09-18 Thread Simon Falsig
Hi Michael,

> From: ptxdist  On Behalf Of Michael
> Olbrich
> Sent: Friday, September 15, 2023 12:39
>
> On Fri, Sep 15, 2023 at 12:14:30PM +0200, Simon Falsig wrote:
> > From: Simon Falsig 
> >
> > If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is
> > extracted into the fast report for that package. If no CPE is
> > specified, or not both of CPE_VENDOR and CPE_PRODUCT, then no value is
> > added.
> >
> > By default, the existing VERSION is used, but can be overridden with
> > CPE_VERSION.
> >
> > Constructed CPEs are validated against the official CPE regex.
> >
> > The CPE (Common Platform Enumerator) allows matching CVEs to specific
> > packages, and seeing if these apply to a specific deployment.
> > ---
> >  rules/post/ptxd_make_world_common.make |  4 
> > scripts/lib/ptxd_make_world_report.sh  | 29 ++
> >  2 files changed, 33 insertions(+)
> >
> > diff --git a/rules/post/ptxd_make_world_common.make
> > b/rules/post/ptxd_make_world_common.make
> > index 08120607a..0804f0b81 100644
> > --- a/rules/post/ptxd_make_world_common.make
> > +++ b/rules/post/ptxd_make_world_common.make
> > @@ -78,6 +78,10 @@ world/env/impl = \
> > pkg_PKG="$(call ptx/escape,$(1))"   
> > \
> > pkg_pkg="$(call ptx/escape,$($(1)))"
> > \
> > pkg_version="$(call ptx/escape,$($(1)_VERSION))"
> > \
> > +   pkg_cpe_vendor="$(call ptx/escape,$($(1)_CPE_VENDOR))"
>   \
> > +   pkg_cpe_product="$(call ptx/escape,$($(1)_CPE_PRODUCT))"
> > \
> > +   pkg_cpe_version="$(call ptx/escape,$($(1)_CPE_VERSION))"
> > \
> > +   pkg_cpe="$(call ptx/escape,$($(1)_CPE))"
> > \
> > pkg_config="$(call ptx/escape,$($(1)_CONFIG))"  
> > \
> > pkg_ref_config="$(call ptx/escape,$($(1)_REF_CONFIG))"
>   \
> > pkg_path="$(call ptx/escape,$($(1)_PATH))"  
> > \
> > diff --git a/scripts/lib/ptxd_make_world_report.sh
> > b/scripts/lib/ptxd_make_world_report.sh
> > index dbdae5736..11f17b405 100644
> > --- a/scripts/lib/ptxd_make_world_report.sh
> > +++ b/scripts/lib/ptxd_make_world_report.sh
> > @@ -31,6 +31,30 @@ ptxd_make_world_report_yaml() {
> > awk "BEGIN { RS=\" \" } { if (\$1) print \"- '\" \$1 \"'\" }"
> <<<"${2}"
> > fi
> >  }
> > +do_build_cpe() {
> > +prefix="${1}"
> > +cpe="${2}"
> > +vendor="${3}"
> > +product="${4}"
> > +version="${5}"
> > +if [ -n "${cpe}" ]; then
> > +# If a cpe is fully specified, then use that
> > +:
> > +elif [ -n "${vendor}" -a -n "${product}" -a -n "${version}" ];
> then
> > +# Otherwise, if we have vendor, product and version, then
> build a CPE2.3 string from it
> > +
> cpe="cpe:2.3:a:${vendor}:${product}:${version}:*:*:*:*:*:*:*"
> > +fi
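Review bot: `prefix`, `cpe`, `vendor`, `product` and `version` are assigned without `local` in do_build_cpe(), so they leak into (and can clobber) variables of the caller in this sourced library script; declare them `local`. The `elif` test also uses `-a` inside `[ ... ]`, which POSIX marks obsolescent; `[ -n "${vendor}" ] && [ -n "${product}" ] && [ -n "${version}" ]` is the portable form. When vendor and product are set but version is empty the function silently produces nothing; a one-line warning on stderr there would make a misconfigured rule visible instead of dropping the CPE quietly.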
>
> Hmmm, I think we should preserve the original data in the report. Building
> the cpe string should happen in the SBOM script. So:
>
>   cpe: 
>
> or:
>
>   cpe-vendor: ...
>   cpe-product: ...
>
> and maybe:
>
>   cpe-version: ...
>

Makes sense - changed.

> > +if [ -n "$cpe" ]; then
> > +# Validate the resulting CPE string
> > +# Regex taken from:
> https://csrc.nis/
> t.gov%2Fschema%2Fcpe%2F2.3%2Fcpe-
> naming_2.3.xsd=05%7C01%7Csfalsig%40verity.net%7Cc9dea8f344e64c0f2a570
> 8dbb5daf98c%7C06487c727d884632bf56071603defa0a%7C1%7C0%7C63830372431499528
> 3%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1h
> aWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=RQxWOHS3iGwu%2BUXaR%2Bc1FZRzo4rHk
> XX8U4fjSmWtalQ%3D=0
> > +if echo "$cpe" | grep -Eq 'cpe:2\.3:[aho\*\-
> ](:(((\?*|\*?)([a-zA-Z0-9\-
> \._]|(\\[\\\*\?!"#$$%&'\''\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-
> ])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-
> ]))(:(((\?*|\*?)([a-zA-Z0-9\-
> \._]|(\\[\\\*\?!"#$$%&''\''\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-
> ])){4}'; then
> > +echo "${prefix} ${cpe}"
> > +else
> > +>&2 echo "Error! $cpe is not valid CPE format string"
> > +return 1
> > +fi
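Review bot: the validation is unanchored: `grep -Eq 'cpe:2\.3:...'` accepts any string that merely contains a well-formed CPE (a 14th field appended, or leading junk), whereas the xs:pattern it was copied from is matched against the whole value; wrap the expression in `^...$` or use `grep -Ex`. The `# Regex taken from:` URL in the comment has been rewritten by a mail safelinks proxy into a tracking link; restore the plain schema URL (csrc.nist.gov/schema/cpe/2.3/cpe-naming_2.3.xsd, still readable inside the encoded link) before this lands in a file. Also `[ -n "$cpe" ]` is fine, but for consistency with the rest of the script use `"${cpe}"`.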
>
> Hmmm, I'm not sure where the validation should take place. Here or the
> SBOM script. I don't mind either way.
>

I've switched to do the validation in the SBOM script. Matches better with
having the original cpe_... values in the individual reports, then building
and validating the complete CPE when doing the full report.

> FYI, your indention is wrong. Please check the rest of the script. I know
> the style is a bit strange, but lets keep things consistent.

Argh, sorry. I've tried fixing things up now - hope it's good!

>
> Michael

Thanks for the input!
 - Simon




[ptxdist] [PATCH] RFC: sbom_report: Add support

2023-09-18 Thread Simon Falsig
From: Simon Falsig 

This provides support for building SBOMs in CycloneDX format.

A target is added alongside the other reports, that (based on the
fast-bsp-report) extracts name, version, cpe and license of each target
package, and puts these into a final sbom-report in CycloneDX/JSON
format.

This requires a working Python3 setup with the cyclonedx-bom package
installed.
---
 bin/ptxdist  |  3 +-
 rules/post/ptxd_make_report.make | 15 ++--
 scripts/lib/ptxd_make_report.sh  | 16 +
 scripts/lib/ptxd_make_sbom_report.py | 54 
 4 files changed, 85 insertions(+), 3 deletions(-)
 create mode 100644 scripts/lib/ptxd_make_sbom_report.py

diff --git a/bin/ptxdist b/bin/ptxdist
index dfb619cbd..15be851f5 100755
--- a/bin/ptxdist
+++ b/bin/ptxdist
@@ -780,6 +780,7 @@ Misc:
   full-bsp-report  generate a yaml file that describes the BSP and
all packages. More data but will build all
packages if necessary.
+  sbom-report  generate a CycloneDX json SBOM
   print   print the contents of a variable, in the way
it is known by "make"
   printnext   assumes that the contents of  is another
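Review bot: the new `sbom-report` help line should mention the extra prerequisite the commit message states (a Python 3 setup with the cyclonedx-bom package), since none of the other report targets need anything beyond ptxdist itself; otherwise the first hint a user gets is a Python traceback.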
@@ -1807,7 +1808,7 @@ EOF
ptxd_make_log export_src EXPORTDIR="${1}"
exit
;;
-   fast-bsp-report|full-bsp-report)
+   fast-bsp-report|full-bsp-report|sbom-report)
check_premake_compiler &&
ptxd_make_log "${cmd}"
exit
diff --git a/rules/post/ptxd_make_report.make b/rules/post/ptxd_make_report.make
index eecd2a577..ffa398c95 100644
--- a/rules/post/ptxd_make_report.make
+++ b/rules/post/ptxd_make_report.make
@@ -10,7 +10,9 @@ ptx/report-env = \
$(image/env) \
ptx_report_target="$(strip $(1))" \
ptx_packages_selected="$(filter-out 
$(IMAGE_PACKAGES),$(PTX_PACKAGES_SELECTED))" \
-   ptx_image_packages="$(IMAGE_PACKAGES)"
+   ptx_image_packages="$(IMAGE_PACKAGES)" \
+   ptx_target_packages="$(PACKAGES)"
+
 
 PHONY += full-bsp-report
 full-bsp-report: $(RELEASEDIR)/full-bsp-report.yaml
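Review bot: the hunk adds a stray empty `+` line after `ptx_target_packages="$(PACKAGES)"`, which together with the existing blank line leaves two blank lines before `PHONY += full-bsp-report`; drop it. A short comment explaining why the SBOM uses `$(PACKAGES)` rather than the `ptx_packages_selected` set defined two lines above would also help the next reader.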
@@ -26,13 +28,22 @@ $(RELEASEDIR)/full-bsp-report.yaml: \
@$(call ptx/report-env, $@) ptxd_make_full_bsp_report
@$(call finish)
 
+
 PHONY += fast-bsp-report
 fast-bsp-report: $(RELEASEDIR)/fast-bsp-report.yaml
 
-
 $(RELEASEDIR)/fast-bsp-report.yaml: $(addprefix $(STATEDIR)/,$(addsuffix 
.fast-report,$(PTX_PACKAGES_SELECTED)))
@$(call targetinfo)
@$(call ptx/report-env, $@) ptxd_make_fast_bsp_report
@$(call finish)
 
+
+PHONY += sbom-report
+sbom-report: $(RELEASEDIR)/sbom-report.json
+
+$(RELEASEDIR)/sbom-report.json: $(addprefix $(STATEDIR)/,$(addsuffix 
.fast-report,$(PACKAGES)))
+   @$(call targetinfo)
+   @$(call ptx/report-env, $@) ptxd_make_sbom_report
+   @$(call finish)
+
 # vim: syntax=make
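Review bot: the blank-line moves around the existing rules (the `+` blank after `@$(call finish)` of full-bsp-report and the removed `-` blank before `$(RELEASEDIR)/fast-bsp-report.yaml`) are unrelated whitespace churn and should be left out of this patch. The new rule depends on the `.fast-report` stamps of `$(PACKAGES)` while fast-bsp-report uses `$(PTX_PACKAGES_SELECTED)`; if that difference is intended (target packages only, per the commit message), say so in a comment above the rule so it is not "fixed" later.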
diff --git a/scripts/lib/ptxd_make_report.sh b/scripts/lib/ptxd_make_report.sh
index a363ca5b3..e2da4c05f 100644
--- a/scripts/lib/ptxd_make_report.sh
+++ b/scripts/lib/ptxd_make_report.sh
@@ -144,3 +144,19 @@ ptxd_make_fast_bsp_report() {
 }
 export -f ptxd_make_fast_bsp_report
 
+ptxd_make_sbom_report() {
+local -a ptxd_reply
+local pkg_lic pkg
+
+ptxd_make_layer_init || return
+
+echo "Generating $(ptxd_print_path "${ptx_report_target}") ..."
+echo
+
+mkdir -p "$(dirname "${ptx_report_target}")" &&
+python3 ${PTXDIST_LIB_DIR}/ptxd_make_sbom_report.py 
"${ptx_report_dir}/fast/" ${ptx_target_packages} > 
${PTXDIST_TEMPDIR}/sbom-report &&
+mv "${PTXDIST_TEMPDIR}/sbom-report" "${ptx_report_target}" ||
+ptxd_bailout "failed to create SBOM report"
+}
+export -f ptxd_make_sbom_report
+
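Review bot: `local pkg_lic pkg` declares two variables that ptxd_make_sbom_report() never uses; drop them. In the `python3` line, `${PTXDIST_LIB_DIR}` and the redirection target `${PTXDIST_TEMPDIR}/sbom-report` are unquoted while the neighbouring paths are quoted; quote them consistently. The hunk also adds a trailing empty `+` line after `export -f ptxd_make_sbom_report` at end of file, which should be removed.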
diff --git a/scripts/lib/ptxd_make_sbom_report.py 
b/scripts/lib/ptxd_make_sbom_report.py
new file mode 100644
index 0..cc6a6f703
--- /dev/null
+++ b/scripts/lib/ptxd_make_sbom_report.py
@@ -0,0 +1,54 @@
+from cyclonedx.factory.license import LicenseFactory
+from cyclonedx.factory.license import LicenseChoiceFactory
+from cyclonedx.model.bom import Bom
+from cyclonedx.model.component import Component
+from cyclonedx.output.json import JsonV1Dot4
+import sys
+import re
+
+lFac = LicenseFactory()
+lcFac = LicenseChoiceFactory(license_factory=lFac)
+bom = Bom()
+
+for i in range(2, len(sys.argv)):
+pkg_report = sys.argv[1] + sys.argv[i] + ".yaml"
+with open(pkg_report, 'r') as file:
+content = file.read()
+name_ = re.search("name: \'(.+)\'", content).group(1)
+version_ = re.search("version: \'(.+)\'", content).group(1)
+
+# First see if we have a full CPE specified, then use that
+cpe_match = re.search("cpe: \'(.+)\'", content)
+cpe_ = None
+if cpe_match is not None:
+cpe_ = cpe_match.group(1)
+  
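Review bot: the report fields are extracted with unanchored `re.search("name: \'(.+)\'", content)` and `.group(1)` is called on the result directly, so a report that lacks one of the keys fails with an AttributeError instead of a clear message naming the package and key, and any other line containing `name: '` could be picked up instead of the top-level key. Since the fast reports are YAML, parse them with a YAML library, or at least anchor the expressions with `^` and `re.MULTILINE` and check for `None` before `.group(1)`. `sys.argv[1] + sys.argv[i] + ".yaml"` also only works because the shell side passes the report directory with a trailing slash; `os.path.join(sys.argv[1], sys.argv[i] + ".yaml")` removes that coupling.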

[ptxdist] [PATCH] RFC: ptxd_make_world: Extract CPE for packages

2023-09-18 Thread Simon Falsig
From: Simon Falsig 

If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is
extracted into the fast report for that package. If no CPE is
specified, or not both of CPE_VENDOR and CPE_PRODUCT, then no value is
added.

By default, the existing VERSION is used, but can be overridden with
CPE_VERSION.

Constructed CPEs are validated against the official CPE regex.

The CPE (Common Platform Enumerator) allows matching CVEs to specific
packages, and seeing if these apply to a specific deployment.
---
 rules/post/ptxd_make_world_common.make | 4 
 scripts/lib/ptxd_make_world_report.sh  | 9 +
 2 files changed, 13 insertions(+)

diff --git a/rules/post/ptxd_make_world_common.make 
b/rules/post/ptxd_make_world_common.make
index 08120607a..0804f0b81 100644
--- a/rules/post/ptxd_make_world_common.make
+++ b/rules/post/ptxd_make_world_common.make
@@ -78,6 +78,10 @@ world/env/impl = \
pkg_PKG="$(call ptx/escape,$(1))"   
\
pkg_pkg="$(call ptx/escape,$($(1)))"
\
pkg_version="$(call ptx/escape,$($(1)_VERSION))"
\
+   pkg_cpe_vendor="$(call ptx/escape,$($(1)_CPE_VENDOR))"  
\
+   pkg_cpe_product="$(call ptx/escape,$($(1)_CPE_PRODUCT))"
\
+   pkg_cpe_version="$(call ptx/escape,$($(1)_CPE_VERSION))"
\
+   pkg_cpe="$(call ptx/escape,$($(1)_CPE))"
\
pkg_config="$(call ptx/escape,$($(1)_CONFIG))"  
\
pkg_ref_config="$(call ptx/escape,$($(1)_REF_CONFIG))"  
\
pkg_path="$(call ptx/escape,$($(1)_PATH))"  
\
diff --git a/scripts/lib/ptxd_make_world_report.sh 
b/scripts/lib/ptxd_make_world_report.sh
index dbdae5736..dea25635b 100644
--- a/scripts/lib/ptxd_make_world_report.sh
+++ b/scripts/lib/ptxd_make_world_report.sh
@@ -39,6 +39,15 @@ ptxd_make_world_report_yaml() {
 do_list "rundeps:" "${pkg_run_deps}"
 do_echo "config:" "${pkg_config}"
 do_echo "version:" "${pkg_version}"
+if [ ! -n "${pkg_cpe_version}" -a ! -n "${pkg_cpe}" ]; then
+   # Default to using pkg_version for the CPE string, unless _CPE_VERSION 
or _CPE are explicitly
+   # specified. In the case of the latter, there's no need to keep track 
of the version separately.
+   pkg_cpe_version="${pkg_version}"
+fi
+do_echo "cpe:" "${pkg_cpe}"
+do_echo "cpe_vendor:" "${pkg_cpe_vendor}"
+do_echo "cpe_product:" "${pkg_cpe_product}"
+do_echo "cpe_version:" "${pkg_cpe_version}"
 do_list "url:" "${pkg_url}"
 do_echo "md5:" "${pkg_md5}"
 do_echo "source:" "${pkg_src}"
-- 
2.25.1
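As an added example (not part of this patch or of ptxdist), the rule described in this RFC and its reply thread in Python: a CPE 2.3 string is built from a package's cpe_vendor/cpe_product/cpe_version report fields (cpe_version falling back to version, a fully specified cpe winning), attribute values are backslash-escaped as the CPE 2.3 naming scheme requires, and the result is checked against the same NIST xs:pattern the patch greps with, here anchored to the whole string. The report dict and the vendor/product values are constructed for illustration.

```python
import re

# Official CPE 2.3 formatted-string pattern, transcribed from the xs:pattern in
# NIST's cpe-naming_2.3.xsd (the regex the ptxdist patch greps with). Two
# building blocks: an attribute value and the language field.
_AV = r'''(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])'''
_LANG = r'(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-])'
# part, 5 values (vendor product version update edition), language, 4 values
CPE23_PATTERN = r'cpe:2\.3:[aho\*\-]' + '(:' + _AV + '){5}' + '(:' + _LANG + ')' + '(:' + _AV + '){4}'
_CPE23_RE = re.compile(CPE23_PATTERN)

# Everything except letters, digits, '-', '.' and '_' must be backslash-escaped
# inside a CPE 2.3 attribute value (a space cannot be escaped at all).
_NEEDS_ESCAPE = re.compile(r'[^a-zA-Z0-9\-\._]')

def quote_value(value):
    """Escape a raw ptxdist value (e.g. <PKG>_VERSION) for use in a CPE."""
    return _NEEDS_ESCAPE.sub(lambda m: '\\' + m.group(0), value)

def build_cpe(vendor, product, version, part='a'):
    """Same shape as the patch: cpe:2.3:a:<vendor>:<product>:<version>:*...*"""
    fields = ':'.join(quote_value(v) for v in (vendor, product, version))
    return 'cpe:2.3:%s:%s:*:*:*:*:*:*:*' % (part, fields)

def is_valid_cpe(cpe):
    """Anchored check: the whole string must be one well-formed CPE."""
    return _CPE23_RE.fullmatch(cpe) is not None

def grep_style_check(cpe):
    """What an unanchored 'grep -Eq <pattern>' accepts: any substring match."""
    return re.search(CPE23_PATTERN, cpe) is not None

def cpe_from_report(report):
    """Rule from the patch: a full 'cpe' wins; otherwise vendor, product and a
    version (cpe_version, falling back to version) are all required."""
    if report.get('cpe'):
        return report['cpe']
    version = report.get('cpe_version') or report.get('version')
    if report.get('cpe_vendor') and report.get('cpe_product') and version:
        return build_cpe(report['cpe_vendor'], report['cpe_product'], version)
    return None

if __name__ == '__main__':
    # Constructed fast-report fields; vendor/product are illustrative values.
    report = {'name': 'procps', 'version': '4.0.4', 'cpe_vendor': 'procps-ng', 'cpe_product': 'procps'}
    cpe = cpe_from_report(report)
    print(cpe, is_valid_cpe(cpe), is_valid_cpe(build_cpe('acme', 'foo bar', '1.0')))
```

A value with a space (the `foo bar` case) builds a string that the regex rejects, and a string with a 14th field passes `grep_style_check` but not `is_valid_cpe`, which is why the validation should stay anchored wherever it ends up.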




[ptxdist] [PATCH] pipewire: version bump 0.3.79 -> 0.3.80

2023-09-18 Thread Philipp Zabel
https://gitlab.freedesktop.org/pipewire/pipewire/-/releases/0.3.80

Signed-off-by: Philipp Zabel 
---
 rules/pipewire.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/pipewire.make b/rules/pipewire.make
index fbc23f51d1da..b0fba3fa8d4d 100644
--- a/rules/pipewire.make
+++ b/rules/pipewire.make
@@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_PIPEWIRE) += pipewire
 #
 # Paths and names
 #
-PIPEWIRE_VERSION   := 0.3.79
-PIPEWIRE_MD5   := 221d9128b085d17295964c7f15622f13
+PIPEWIRE_VERSION   := 0.3.80
+PIPEWIRE_MD5   := 0b74d8fb146176aa0bd94918bb094bbe
 PIPEWIRE   := pipewire-$(PIPEWIRE_VERSION)
 PIPEWIRE_SUFFIX:= tar.bz2
 PIPEWIRE_URL   := 
https://gitlab.freedesktop.org/pipewire/pipewire/-/archive/$(PIPEWIRE_VERSION)/$(PIPEWIRE).$(PIPEWIRE_SUFFIX)
-- 
2.39.2




[ptxdist] [PATCH] uhubctl: version bump 2.4.0 -> 2.5.0

2023-09-18 Thread Alexander Dahl
> * Added support for Linux sysfs based power switching provided in
>   Linux kernel 6.0+ - it allows to solve reliability issues when
>   turning power off on Linux (#450).
> * Added option --nodesc to skip querying device string descriptors
>   (necessary for some buggy devices which otherwise would completely freeze).
> * New simpler way to configure udev rules on Linux
>   (one rule works for any USB hub).
> * Even more supported devices.

License file hash changed due to copyright year update.

Link: https://github.com/mvp/uhubctl/pull/450
Link: https://github.com/mvp/uhubctl/releases/tag/v2.5.0
Signed-off-by: Alexander Dahl 
---
 rules/uhubctl.make | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/uhubctl.make b/rules/uhubctl.make
index 394b46855..53bf1025a 100644
--- a/rules/uhubctl.make
+++ b/rules/uhubctl.make
@@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_UHUBCTL) += uhubctl
 #
 # Paths and names
 #
-UHUBCTL_VERSION:= 2.4.0
-UHUBCTL_MD5:= 9bdf73940881df02574a94703ad8b582
+UHUBCTL_VERSION:= 2.5.0
+UHUBCTL_MD5:= e4e66d445ba8fda181ce4aa4abcd4247
 UHUBCTL:= uhubctl-$(UHUBCTL_VERSION)
 UHUBCTL_SUFFIX := tar.gz
 UHUBCTL_URL:= 
https://github.com/mvp/uhubctl/archive/v$(UHUBCTL_VERSION).$(UHUBCTL_SUFFIX)
@@ -23,7 +23,7 @@ UHUBCTL_SOURCE:= 
$(SRCDIR)/$(UHUBCTL).$(UHUBCTL_SUFFIX)
 UHUBCTL_DIR:= $(BUILDDIR)/$(UHUBCTL)
 UHUBCTL_LICENSE:= GPL-2.0-only
 UHUBCTL_LICENSE_FILES := \
-   file://LICENSE;md5=a79e6a142b69522fe7757fe7313895eb
+   file://LICENSE;md5=1e7b16e6ef7cd15d58b0f1c58dbf9817
 
 # 
 # Prepare

base-commit: 62f61865b380ca0064e7e8a3b7a81a8fb74ea51c
-- 
2.30.2