[ptxdist] [PATCH v2] procps: Version bump. 4.0.3 -> 4.0.4
Minor release. Bugfixes and some minor enhancements. https://gitlab.com/procps-ng/procps/-/releases/v4.0.4 Plugs CVE: CVE-2023-4016 ps buffer overflow. * Add patch to explicitly link w with the correct library. Needed to build with systemd. Signed-off-by: Christian Melki --- ...1-build-sys-Add-systemd-elogind-to-w.patch | 42 +++ patches/procps-ng-4.0.4/series| 4 ++ rules/procps.make | 4 +- 3 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 patches/procps-ng-4.0.4/0001-build-sys-Add-systemd-elogind-to-w.patch create mode 100644 patches/procps-ng-4.0.4/series diff --git a/patches/procps-ng-4.0.4/0001-build-sys-Add-systemd-elogind-to-w.patch b/patches/procps-ng-4.0.4/0001-build-sys-Add-systemd-elogind-to-w.patch new file mode 100644 index 0..6eb5de4e1 --- /dev/null +++ b/patches/procps-ng-4.0.4/0001-build-sys-Add-systemd-elogind-to-w.patch @@ -0,0 +1,42 @@ +From: Craig Small +Date: Thu, 31 Aug 2023 22:24:23 +1000 +Subject: [PATCH] build-sys: Add systemd/elogind to w + +Depending on the compiler flags, w needs to be explictly linked +to libsystemd or elogind even though libproc2 is linked to it. + +Signed-off-by: Craig Small +--- + Makefile.am | 7 +++ + NEWS| 3 +++ + 2 files changed, 10 insertions(+) + +diff --git a/Makefile.am b/Makefile.am +index f70c8fb1eb49..ddfc0141d869 100644 +--- a/Makefile.am b/Makefile.am +@@ -149,6 +149,13 @@ endif + + dist_man_MANS += man/w.1 + src_w_SOURCES = src/w.c local/fileutils.c ++src_w_LDADD = $(LDADD) ++if WITH_SYSTEMD ++src_w_LDADD += @SYSTEMD_LIBS@ ++endif ++if WITH_ELOGIND ++src_w_LDADD += @ELOGIND_LIBS@ ++endif + else + EXTRA_DIST += man/w.1 + endif +diff --git a/NEWS b/NEWS +index 3f2158d40683..4ad9f74e8c2e 100644 +--- a/NEWS b/NEWS +@@ -1,3 +1,6 @@ ++procps-ng-NEXT ++--- ++ + procps-ng-4.0.4 + --- + * library (API & ABI unchanged) diff --git a/patches/procps-ng-4.0.4/series b/patches/procps-ng-4.0.4/series new file mode 100644 index 0..fecb289bb --- /dev/null +++ b/patches/procps-ng-4.0.4/series 
@@ -0,0 +1,4 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-build-sys-Add-systemd-elogind-to-w.patch
+# c14bc921db0bebb737d88875f00cb44f - git-ptx-patches magic
diff --git a/rules/procps.make b/rules/procps.make
index 9ed658f70..40110d909 100644
--- a/rules/procps.make
+++ b/rules/procps.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_PROCPS) += procps
 #
 # Paths and names
 #
-PROCPS_VERSION := 4.0.3
-PROCPS_MD5 := 22b287bcd758831cbaf3356cd3054fe7
+PROCPS_VERSION := 4.0.4
+PROCPS_MD5 := 2f747fc7df8ccf402d03e375c565cf96
 PROCPS := procps-ng-$(PROCPS_VERSION)
 PROCPS_SUFFIX := tar.xz
 PROCPS_URL := $(call ptx/mirror, SF, procps-ng/Production/$(PROCPS).$(PROCPS_SUFFIX))
--
2.34.1
Re: [ptxdist] [PATCH] RFC: ptxd_make_world: Extract CPE for packages
Hi Michael, > From: ptxdist On Behalf Of Michael > Olbrich > Sent: Friday, September 15, 2023 12:39 > > On Fri, Sep 15, 2023 at 12:14:30PM +0200, Simon Falsig wrote: > > From: Simon Falsig > > > > If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is > > extracted into the fast report for that package. If no CPE is > > specified, or not both of CPE_VENDOR and CPE_PRODUCT, then no value is > > added. > > > > By default, the existing VERSION is used, but can be overridden with > > CPE_VERSION. > > > > Constructed CPEs are validated against the official CPE regex. > > > > The CPE (Common Platform Enumerator) allows matching CVEs to specific > > packages, and see if these apply to a specific deployment. > > --- > > rules/post/ptxd_make_world_common.make | 4 > > scripts/lib/ptxd_make_world_report.sh | 29 ++ > > 2 files changed, 33 insertions(+) > > > > diff --git a/rules/post/ptxd_make_world_common.make > > b/rules/post/ptxd_make_world_common.make > > index 08120607a..0804f0b81 100644 > > --- a/rules/post/ptxd_make_world_common.make > > +++ b/rules/post/ptxd_make_world_common.make > > @@ -78,6 +78,10 @@ world/env/impl = \ > > pkg_PKG="$(call ptx/escape,$(1))" > > \ > > pkg_pkg="$(call ptx/escape,$($(1)))" > > \ > > pkg_version="$(call ptx/escape,$($(1)_VERSION))" > > \ > > + pkg_cpe_vendor="$(call ptx/escape,$($(1)_CPE_VENDOR))" > \ > > + pkg_cpe_product="$(call ptx/escape,$($(1)_CPE_PRODUCT))" > > \ > > + pkg_cpe_version="$(call ptx/escape,$($(1)_CPE_VERSION))" > > \ > > + pkg_cpe="$(call ptx/escape,$($(1)_CPE))" > > \ > > pkg_config="$(call ptx/escape,$($(1)_CONFIG))" > > \ > > pkg_ref_config="$(call ptx/escape,$($(1)_REF_CONFIG))" > \ > > pkg_path="$(call ptx/escape,$($(1)_PATH))" > > \ > > diff --git a/scripts/lib/ptxd_make_world_report.sh > > b/scripts/lib/ptxd_make_world_report.sh > > index dbdae5736..11f17b405 100644 > > --- a/scripts/lib/ptxd_make_world_report.sh > > +++ b/scripts/lib/ptxd_make_world_report.sh 
> > @@ -31,6 +31,30 @@ ptxd_make_world_report_yaml() { > > awk "BEGIN { RS=\" \" } { if (\$1) print \"- '\" \$1 \"'\" }" > <<<"${2}" > > fi > > } > > +do_build_cpe() { > > +prefix="${1}" > > +cpe="${2}" > > +vendor="${3}" > > +product="${4}" > > +version="${5}" > > +if [ -n "${cpe}" ]; then > > +# If a cpe is fully specified, then use that > > +: > > +elif [ -n "${vendor}" -a -n "${product}" -a -n "${version}" ]; > then > > +# Otherwise, if we have vendor, product and version, then > build a CPE2.3 string from it > > + > cpe="cpe:2.3:a:${vendor}:${product}:${version}:*:*:*:*:*:*:*" > > +fi > > Hmmm, I think we should preserve the original data in the report. Building > the cpe string should happen in the SBOM script. So: > > cpe: > > or: > > cpe-vendor: ... > cpe-product: ... > > and maybe: > > cpe-version: ... > Makes sense - changed. > > +if [ -n "$cpe" ]; then > > +# Validate the resulting CPE string > > +# Regex taken from: > https://csrc.nis/ > t.gov%2Fschema%2Fcpe%2F2.3%2Fcpe- > naming_2.3.xsd=05%7C01%7Csfalsig%40verity.net%7Cc9dea8f344e64c0f2a570 > 8dbb5daf98c%7C06487c727d884632bf56071603defa0a%7C1%7C0%7C63830372431499528 > 3%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1h > aWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=RQxWOHS3iGwu%2BUXaR%2Bc1FZRzo4rHk > XX8U4fjSmWtalQ%3D=0 > > +if echo "$cpe" | grep -Eq 'cpe:2\.3:[aho\*\- > ](:(((\?*|\*?)([a-zA-Z0-9\- > \._]|(\\[\\\*\?!"#$$%&'\''\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\- > ])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\- > ]))(:(((\?*|\*?)([a-zA-Z0-9\- > \._]|(\\[\\\*\?!"#$$%&''\''\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\- > ])){4}'; then > > +echo "${prefix} ${cpe}" > > +else > > +>&2 echo "Error! $cpe is not valid CPE format string" > > +return 1 > > +fi > > Hmmm, I'm not sure where the validation should take place. Here or the > SBOM script. I don't mind either way. > I've switched to do the validation in the SBOM script. Matches better with having the original cpe_... 
values in the individual reports, then building and validating the complete CPE when doing the full report. > FYI, your indention is wrong. Please check the rest of the script. I know > the style is a bit strange, but lets keep things consistent. Argh, sorry. I've tried fixing things up now - hope it's good! > > Michael Thanks for the input! - Simon
[ptxdist] [PATCH] RFC: sbom_report: Add support
From: Simon Falsig
This provides support for building SBOMs in CycloneDX format. A target is added alongside the other reports, that (based on the fast-bsp-report) extracts name, version, cpe and license of each target package, and puts these into a final sbom-report in CycloneDX/JSON format.
This requires a working Python3 setup with the cyclonedx-bom package installed.
---
 bin/ptxdist | 3 +-
 rules/post/ptxd_make_report.make | 15 ++--
 scripts/lib/ptxd_make_report.sh | 16 +
 scripts/lib/ptxd_make_sbom_report.py | 54
 4 files changed, 85 insertions(+), 3 deletions(-)
 create mode 100644 scripts/lib/ptxd_make_sbom_report.py
diff --git a/bin/ptxdist b/bin/ptxdist
index dfb619cbd..15be851f5 100755
--- a/bin/ptxdist
+++ b/bin/ptxdist
@@ -780,6 +780,7 @@ Misc:
 full-bsp-report generate a yaml file that describes the BSP and all packages. More data but will build all packages if necessary.
+ sbom-report generate a CycloneDX json SBOM
 print print the contents of a variable, in the way it is known by "make" printnext assumes that the contents of is another
@@ -1807,7 +1808,7 @@ EOF
 ptxd_make_log export_src EXPORTDIR="${1}"
 exit
 ;;
- fast-bsp-report|full-bsp-report)
+ fast-bsp-report|full-bsp-report|sbom-report)
 check_premake_compiler &&
 ptxd_make_log "${cmd}"
 exit
diff --git a/rules/post/ptxd_make_report.make b/rules/post/ptxd_make_report.make
index eecd2a577..ffa398c95 100644
--- a/rules/post/ptxd_make_report.make
+++ b/rules/post/ptxd_make_report.make
@@ -10,7 +10,9 @@ ptx/report-env = \
 $(image/env) \
 ptx_report_target="$(strip $(1))" \
 ptx_packages_selected="$(filter-out $(IMAGE_PACKAGES),$(PTX_PACKAGES_SELECTED))" \
- ptx_image_packages="$(IMAGE_PACKAGES)"
+ ptx_image_packages="$(IMAGE_PACKAGES)" \
+ ptx_target_packages="$(PACKAGES)"
+
 
 PHONY += full-bsp-report
 full-bsp-report: $(RELEASEDIR)/full-bsp-report.yaml
@@ -26,13 +28,22 @@ $(RELEASEDIR)/full-bsp-report.yaml: \
 @$(call ptx/report-env, $@) ptxd_make_full_bsp_report
 @$(call finish)
+
 PHONY += fast-bsp-report
 fast-bsp-report: $(RELEASEDIR)/fast-bsp-report.yaml
-
 $(RELEASEDIR)/fast-bsp-report.yaml: $(addprefix $(STATEDIR)/,$(addsuffix .fast-report,$(PTX_PACKAGES_SELECTED)))
 @$(call targetinfo)
 @$(call ptx/report-env, $@) ptxd_make_fast_bsp_report
 @$(call finish)
+
+PHONY += sbom-report
+sbom-report: $(RELEASEDIR)/sbom-report.json
+
+$(RELEASEDIR)/sbom-report.json: $(addprefix $(STATEDIR)/,$(addsuffix .fast-report,$(PACKAGES)))
+ @$(call targetinfo)
+ @$(call ptx/report-env, $@) ptxd_make_sbom_report
+ @$(call finish)
+
 # vim: syntax=make
diff --git a/scripts/lib/ptxd_make_report.sh b/scripts/lib/ptxd_make_report.sh
index a363ca5b3..e2da4c05f 100644
--- a/scripts/lib/ptxd_make_report.sh
+++ b/scripts/lib/ptxd_make_report.sh
@@ -144,3 +144,19 @@ ptxd_make_fast_bsp_report() {
 }
 export -f ptxd_make_fast_bsp_report
+ptxd_make_sbom_report() {
+local -a ptxd_reply
+local pkg_lic pkg
+
+ptxd_make_layer_init || return
+
+echo "Generating $(ptxd_print_path "${ptx_report_target}") ..."
+echo
+
+mkdir -p "$(dirname "${ptx_report_target}")" &&
+python3 ${PTXDIST_LIB_DIR}/ptxd_make_sbom_report.py "${ptx_report_dir}/fast/" ${ptx_target_packages} > ${PTXDIST_TEMPDIR}/sbom-report &&
+mv "${PTXDIST_TEMPDIR}/sbom-report" "${ptx_report_target}" ||
+ptxd_bailout "failed to create SBOM report"
+}
+export -f ptxd_make_sbom_report
+
 
diff --git a/scripts/lib/ptxd_make_sbom_report.py b/scripts/lib/ptxd_make_sbom_report.py
new file mode 100644
index 0..cc6a6f703
--- /dev/null
+++ b/scripts/lib/ptxd_make_sbom_report.py
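Review bot: In ptxd_make_sbom_report() the locals `ptxd_reply`, `pkg_lic` and `pkg` are declared but never referenced anywhere in the function body, which this hunk shows in full; they look like leftovers from the fast-bsp-report function and the two `local` lines should go. The script path and the redirect target on the python3 line are expanded unquoted, so a PTXDIST_LIB_DIR or PTXDIST_TEMPDIR containing whitespace breaks the pipeline; write it as `python3 "${PTXDIST_LIB_DIR}/ptxd_make_sbom_report.py" "${ptx_report_dir}/fast/" ${ptx_target_packages} > "${PTXDIST_TEMPDIR}/sbom-report" &&`, leaving `${ptx_target_packages}` unquoted since it is meant to word-split into package names. The ptxd_bailout message is generic, so a missing cyclonedx module is only diagnosable from Python's own stderr; that is acceptable, but worth a sentence in the function's header comment.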
@@ -0,0 +1,54 @@
+from cyclonedx.factory.license import LicenseFactory
+from cyclonedx.factory.license import LicenseChoiceFactory
+from cyclonedx.model.bom import Bom
+from cyclonedx.model.component import Component
+from cyclonedx.output.json import JsonV1Dot4
+import sys
+import re
+
+lFac = LicenseFactory()
+lcFac = LicenseChoiceFactory(license_factory=lFac)
+bom = Bom()
+
+for i in range(2, len(sys.argv)):
+pkg_report = sys.argv[1] + sys.argv[i] + ".yaml"
+with open(pkg_report, 'r') as file:
+content = file.read()
+name_ = re.search("name: \'(.+)\'", content).group(1)
+version_ = re.search("version: \'(.+)\'", content).group(1)
+
+# First see if we have a full CPE specified, then use that
+cpe_match = re.search("cpe: \'(.+)\'", content)
+cpe_ = None
+if cpe_match is not None:
+cpe_ = cpe_match.group(1)
+
[ptxdist] [PATCH] RFC: ptxd_make_world: Extract CPE for packages
From: Simon Falsig
If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is extracted into the fast report for that package. If no CPE is specified, or not both of CPE_VENDOR and CPE_PRODUCT, then no value is added.
By default, the existing VERSION is used, but can be overridden with CPE_VERSION.
Constructed CPEs are validated against the official CPE regex.
The CPE (Common Platform Enumerator) allows matching CVEs to specific packages, and see if these apply to a specific deployment.
---
 rules/post/ptxd_make_world_common.make | 4
 scripts/lib/ptxd_make_world_report.sh | 9 +
 2 files changed, 13 insertions(+)
diff --git a/rules/post/ptxd_make_world_common.make b/rules/post/ptxd_make_world_common.make
index 08120607a..0804f0b81 100644
--- a/rules/post/ptxd_make_world_common.make
+++ b/rules/post/ptxd_make_world_common.make
@@ -78,6 +78,10 @@ world/env/impl = \
 pkg_PKG="$(call ptx/escape,$(1))" \
 pkg_pkg="$(call ptx/escape,$($(1)))" \
 pkg_version="$(call ptx/escape,$($(1)_VERSION))" \
+ pkg_cpe_vendor="$(call ptx/escape,$($(1)_CPE_VENDOR))" \
+ pkg_cpe_product="$(call ptx/escape,$($(1)_CPE_PRODUCT))" \
+ pkg_cpe_version="$(call ptx/escape,$($(1)_CPE_VERSION))" \
+ pkg_cpe="$(call ptx/escape,$($(1)_CPE))" \
 pkg_config="$(call ptx/escape,$($(1)_CONFIG))" \
 pkg_ref_config="$(call ptx/escape,$($(1)_REF_CONFIG))" \
 pkg_path="$(call ptx/escape,$($(1)_PATH))" \
diff --git a/scripts/lib/ptxd_make_world_report.sh b/scripts/lib/ptxd_make_world_report.sh
index dbdae5736..dea25635b 100644
--- a/scripts/lib/ptxd_make_world_report.sh
+++ b/scripts/lib/ptxd_make_world_report.sh
@@ -39,6 +39,15 @@ ptxd_make_world_report_yaml() {
 do_list "rundeps:" "${pkg_run_deps}"
 do_echo "config:" "${pkg_config}"
 do_echo "version:" "${pkg_version}"
+if [ ! -n "${pkg_cpe_version}" -a ! -n "${pkg_cpe}" ]; then
+ # Default to using pkg_version for the CPE string, unless _CPE_VERSION or _CPE are explicitly
+ # specified. In the case of the latter, there's no need to keep track of the version separately.
+ pkg_cpe_version="${pkg_version}"
+fi
+do_echo "cpe:" "${pkg_cpe}"
+do_echo "cpe_vendor:" "${pkg_cpe_vendor}"
+do_echo "cpe_product:" "${pkg_cpe_product}"
+do_echo "cpe_version:" "${pkg_cpe_version}"
 do_list "url:" "${pkg_url}"
 do_echo "md5:" "${pkg_md5}"
 do_echo "source:" "${pkg_src}"
--
2.25.1
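Review bot: The new guard `[ ! -n "${pkg_cpe_version}" -a ! -n "${pkg_cpe}" ]` relies on the obsolescent `-a` test operator and a double negative; `if [ -z "${pkg_cpe_version}" ] && [ -z "${pkg_cpe}" ]; then` is POSIX-safe and says what it means. The commit message still claims constructed CPEs are validated against the official CPE regex, but this hunk only emits `cpe`, `cpe_vendor`, `cpe_product` and `cpe_version` through do_echo with no validation, so the description should state where validation happens instead — a vendor or product string that is misspelled or wrongly cased yields an identifier that quietly matches no CVE, which is the opposite of what the report is for. ptxd_make_world_report_yaml starts and ends outside the hunk, and do_echo's quoting of the values is not visible here.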
[ptxdist] [PATCH] pipewire: version bump 0.3.79 -> 0.3.80
https://gitlab.freedesktop.org/pipewire/pipewire/-/releases/0.3.80
Signed-off-by: Philipp Zabel
---
 rules/pipewire.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/pipewire.make b/rules/pipewire.make
index fbc23f51d1da..b0fba3fa8d4d 100644
--- a/rules/pipewire.make
+++ b/rules/pipewire.make
@@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_PIPEWIRE) += pipewire
 #
 # Paths and names
 #
-PIPEWIRE_VERSION := 0.3.79
-PIPEWIRE_MD5 := 221d9128b085d17295964c7f15622f13
+PIPEWIRE_VERSION := 0.3.80
+PIPEWIRE_MD5 := 0b74d8fb146176aa0bd94918bb094bbe
 PIPEWIRE := pipewire-$(PIPEWIRE_VERSION)
 PIPEWIRE_SUFFIX:= tar.bz2
 PIPEWIRE_URL := https://gitlab.freedesktop.org/pipewire/pipewire/-/archive/$(PIPEWIRE_VERSION)/$(PIPEWIRE).$(PIPEWIRE_SUFFIX)
--
2.39.2
[ptxdist] [PATCH] uhubctl: version bump 2.4.0 -> 2.5.0
> * Added support for Linux sysfs based power switching provided in
> Linux kernel 6.0+ - it allows to solve reliability issues when
> turning power off on Linux (#450).
> * Added option --nodesc to skip querying device string descriptors
> (necessary for some buggy devices which otherwise would completely freeze).
> * New simpler way to configure udev rules on Linux
> (one rule works for any USB hub).
> * Even more supported devices.
License file hash changed due to copyright year update.
Link: https://github.com/mvp/uhubctl/pull/450
Link: https://github.com/mvp/uhubctl/releases/tag/v2.5.0
Signed-off-by: Alexander Dahl
---
 rules/uhubctl.make | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/uhubctl.make b/rules/uhubctl.make
index 394b46855..53bf1025a 100644
--- a/rules/uhubctl.make
+++ b/rules/uhubctl.make
@@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_UHUBCTL) += uhubctl
 #
 # Paths and names
 #
-UHUBCTL_VERSION:= 2.4.0
-UHUBCTL_MD5:= 9bdf73940881df02574a94703ad8b582
+UHUBCTL_VERSION:= 2.5.0
+UHUBCTL_MD5:= e4e66d445ba8fda181ce4aa4abcd4247
 UHUBCTL:= uhubctl-$(UHUBCTL_VERSION)
 UHUBCTL_SUFFIX := tar.gz
 UHUBCTL_URL:= https://github.com/mvp/uhubctl/archive/v$(UHUBCTL_VERSION).$(UHUBCTL_SUFFIX)
@@ -23,7 +23,7 @@ UHUBCTL_SOURCE:= $(SRCDIR)/$(UHUBCTL).$(UHUBCTL_SUFFIX)
 UHUBCTL_DIR:= $(BUILDDIR)/$(UHUBCTL)
 UHUBCTL_LICENSE:= GPL-2.0-only
 UHUBCTL_LICENSE_FILES := \
- file://LICENSE;md5=a79e6a142b69522fe7757fe7313895eb
+ file://LICENSE;md5=1e7b16e6ef7cd15d58b0f1c58dbf9817
 
 #
 # Prepare
base-commit: 62f61865b380ca0064e7e8a3b7a81a8fb74ea51c
--
2.30.2