[OE-core] [PATCH 2/2] python: fix CVE-2019-16935
Signed-off-by: Chen Qi --- ...cape-the-server-title-of-DocXMLRPCSe.patch | 101 ++ meta/recipes-devtools/python/python_2.7.16.bb | 1 + 2 files changed, 102 insertions(+) create mode 100644 meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch new file mode 100644 index 00..3025cf7bc8 --- /dev/null +++ b/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch @@ -0,0 +1,101 @@ +From b161c89c8bd66fe928192e21364678c8e9b8fcc0 Mon Sep 17 00:00:00 2001 +From: Dong-hee Na +Date: Tue, 1 Oct 2019 19:58:01 +0900 +Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer + (GH-16447) + +Escape the server title of DocXMLRPCServer.DocXMLRPCServer +when rendering the document page as HTML. + +CVE: CVE-2019-16935 + +Upstream-Status: Backport [https://github.com/python/cpython/pull/16447/commits/b41cde823d026f2adc21ef14b1c2e92b1006de06] + +Signed-off-by: Chen Qi +--- + Lib/DocXMLRPCServer.py| 13 +++- + Lib/test/test_docxmlrpc.py| 20 +++ + .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++ + 3 files changed, 35 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst + +diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py +index 4064ec2e48..90b037dd35 100644 +--- a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py +@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXMLRPCServer, + CGIXMLRPCRequestHandler, + resolve_dotted_attribute) + ++ ++def _html_escape_quote(s): ++s = s.replace("&", "") # Must be done first! ++s = s.replace("<", "") ++s = s.replace(">", "") ++s = s.replace('"', "") ++s = s.replace('\'', "") ++return s ++ ++ + class ServerHTMLDoc(pydoc.HTMLDoc): + """Class used to generate pydoc HTML document for a server""" + +@@ -210,7 +220,8 @@ class XMLRPCDocGenerator: + methods + ) + +-return documenter.page(self.server_title, documentation) ++title = _html_escape_quote(self.server_title) ++return documenter.page(title, documentation) + + class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler): + """XML-RPC and documentation request handler class. +diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py +index 4dff4159e2..c45b892b8b 100644 +--- a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py +@@ -1,5 +1,6 @@ + from DocXMLRPCServer import DocXMLRPCServer + import httplib ++import re + import sys + from test import test_support + threading = test_support.import_module('threading') +@@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase): + self.assertIn("""Tryself.add,too.""", + response.read()) + ++def test_server_title_escape(self): ++"""Test that the server title and documentation ++are escaped for HTML. ++""" ++
[OE-core] [PATCH 1/2] python3: fix CVE-2019-16935
Signed-off-by: Chen Qi --- server-Escape-the-server_title-GH-1.patch | 86 +++ meta/recipes-devtools/python/python3_3.7.4.bb | 1 + 2 files changed, 87 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch diff --git a/meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch b/meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch new file mode 100644 index 00..1a4c932070 --- /dev/null +++ b/meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch @@ -0,0 +1,86 @@ +From c25abd43e8877b4a7098f79eaacb248710731c2b Mon Sep 17 00:00:00 2001 +From: Dong-hee Na +Date: Sat, 28 Sep 2019 04:59:37 +0900 +Subject: [PATCH] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) + +Escape the server title of xmlrpc.server.DocXMLRPCServer +when rendering the document page as HTML. + +CVE: CVE-2019-16935 + +Upstream-Status: Backport [https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa] + +Signed-off-by: Chen Qi +--- + Lib/test/test_docxmlrpc.py | 16 + Lib/xmlrpc/server.py | 3 ++- + .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++ + 3 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst + +diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py +index f077f05f5b..38215659b6 100644 +--- a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py +@@ -1,5 +1,6 @@ + from xmlrpc.server import DocXMLRPCServer + import http.client ++import re + import sys + import threading + from test import support +@@ -193,6 +194,21 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase): + b'method_annotation(x: bytes)'), + response.read()) + ++def test_server_title_escape(self): ++# bpo-38243: Ensure that the server title and documentation ++# are escaped for HTML. ++
Re: [OE-core] [PATCH] unfs3: fixed the issue that unfsd consumes 100% CPU
On 10/23/19 7:33 PM, Haiqing Bai wrote: > The 'accept' function on the socket of unfsd daemon > is always in below error state: > accept(4, 0x7ffd5e6dddc0, [128]) = -1 EINVAL (Invalid argument) > accept(6, 0x7ffd5e6dddc0, [128]) = -1 EINVAL (Invalid argument) with backport to zeus? > > And 'strace -c -p ' shows: > % time seconds usecs/call callserrors syscall > -- --- --- - - > 70.870.005392 0513886513886 accept > 29.130.002216 0256943 poll > > This error state is in the 'for' loop of the daemon, so it consumes 100% > CPU. The reason is that 'listen' is not called for the TCP socket before > 'accept'. Actually the called 'svc_tli_create' from libtirpc will not call > 'listen' on a bound socket. > > Signed-off-by: Haiqing Bai > --- > .../0001-Add-listen-action-for-a-tcp-socket.patch | 54 > ++ > meta/recipes-devtools/unfs3/unfs3_git.bb | 1 + > 2 files changed, 55 insertions(+) > create mode 100644 > meta/recipes-devtools/unfs3/unfs3/0001-Add-listen-action-for-a-tcp-socket.patch > > diff --git > a/meta/recipes-devtools/unfs3/unfs3/0001-Add-listen-action-for-a-tcp-socket.patch > > b/meta/recipes-devtools/unfs3/unfs3/0001-Add-listen-action-for-a-tcp-socket.patch > new file mode 100644 > index 000..e9b9d3d > --- /dev/null > +++ > b/meta/recipes-devtools/unfs3/unfs3/0001-Add-listen-action-for-a-tcp-socket.patch > @@ -0,0 +1,54 @@ > +From b42ab8e1aca951dd06c113159491b3fd5cf06f2e Mon Sep 17 00:00:00 2001 > +From: Haiqing Bai > +Date: Thu, 24 Oct 2019 09:39:04 +0800 > +Subject: [PATCH] Add "listen" action for a tcp socket which does not call > + 'listen' after 'bind' > + > +It is found that /usr/bin/unfsd customus 100% cpu after starting qemu with > 'nfs' > +option, and below lots of error messages shows when strace the process: > + > +poll([{fd=3, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND},{fd=4, > events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}, > +{fd=5, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND},{fd=6, events > =POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], > +4, 2000) = 2 ([{fd=4, revents=POLLHUP},{fd=6, revents=POLLHUP}]) > +accept(4, 0x7ffd5e6dddc0, [128]) = -1 EINVAL (Invalid argument) > +accept(6, 0x7ffd5e6dddc0, [128]) = -1 EINVAL (Invalid argument) > + > +% time seconds usecs/call callserrors syscall > +-- --- --- - - > + 70.870.005392 0513886513886 accept > + 29.130.002216 0256943 poll > + 0.000.00 0 4 read > + > +The root cause is that 'listen' is not called for the binded > +socket. The depended libtipc does not call 'listen' if found > +the incomming socket is binded, so 'accept' reports the error > +in the 'for' loop and cpu consumed. > + > +Upstream-Status: Pending > + > +Signed-off-by: Haiqing Bai > +--- > + daemon.c | 7 +++ > + 1 file changed, 7 insertions(+) > + > +diff --git a/daemon.c b/daemon.c > +index 028a181..4c85903 100644 > +--- a/daemon.c > b/daemon.c > +@@ -814,6 +814,13 @@ static SVCXPRT *create_tcp_transport(unsigned int port) > + fprintf(stderr, "Couldn't bind to tcp port %d\n", port); > + exit(1); > + } > ++ > ++if (listen(sock, SOMAXCONN) < 0) { > ++perror("listen"); > ++fprintf(stderr, "Couldn't listen on the address \n"); > ++close(sock); > ++exit(1); > ++} > + } > + > + transp = svctcp_create(sock, 0, 0); > +-- > +1.9.1 > + > diff --git a/meta/recipes-devtools/unfs3/unfs3_git.bb > b/meta/recipes-devtools/unfs3/unfs3_git.bb > index 79d0978..d60cee8 100644 > --- a/meta/recipes-devtools/unfs3/unfs3_git.bb > +++ b/meta/recipes-devtools/unfs3/unfs3_git.bb > @@ -23,6 +23,7 @@ SRC_URI = "git://github.com/unfs3/unfs3.git;protocol=https \ > file://tcp_no_delay.patch \ > file://0001-daemon.c-Libtirpc-porting-fixes.patch \ > file://0001-attr-fix-utime-for-symlink.patch \ > + file://0001-Add-listen-action-for-a-tcp-socket.patch \ >" > SRCREV = "c12a5c69a8d59be6916cbd0e0f41c159f1962425" > UPSTREAM_CHECK_GITTAGREGEX = "unfs3\-(?P.+)" -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] unfs3: fixed the issue that unfsd consumes 100% CPU
The 'accept' function on the socket of unfsd daemon is always in below error state: accept(4, 0x7ffd5e6dddc0, [128]) = -1 EINVAL (Invalid argument) accept(6, 0x7ffd5e6dddc0, [128]) = -1 EINVAL (Invalid argument) And 'strace -c -p ' shows: % time seconds usecs/call callserrors syscall -- --- --- - - 70.870.005392 0513886513886 accept 29.130.002216 0256943 poll This error state is in the 'for' loop of the daemon, so it consumes 100% CPU. The reason is that 'listen' is not called for the TCP socket before 'accept'. Actually the called 'svc_tli_create' from libtirpc will not call 'listen' on a bound socket. Signed-off-by: Haiqing Bai --- .../0001-Add-listen-action-for-a-tcp-socket.patch | 54 ++ meta/recipes-devtools/unfs3/unfs3_git.bb | 1 + 2 files changed, 55 insertions(+) create mode 100644 meta/recipes-devtools/unfs3/unfs3/0001-Add-listen-action-for-a-tcp-socket.patch diff --git a/meta/recipes-devtools/unfs3/unfs3/0001-Add-listen-action-for-a-tcp-socket.patch b/meta/recipes-devtools/unfs3/unfs3/0001-Add-listen-action-for-a-tcp-socket.patch new file mode 100644 index 000..e9b9d3d --- /dev/null +++ b/meta/recipes-devtools/unfs3/unfs3/0001-Add-listen-action-for-a-tcp-socket.patch @@ -0,0 +1,54 @@ +From b42ab8e1aca951dd06c113159491b3fd5cf06f2e Mon Sep 17 00:00:00 2001 +From: Haiqing Bai +Date: Thu, 24 Oct 2019 09:39:04 +0800 +Subject: [PATCH] Add "listen" action for a tcp socket which does not call + 'listen' after 'bind' + +It is found that /usr/bin/unfsd customus 100% cpu after starting qemu with 'nfs' +option, and below lots of error messages shows when strace the process: + +poll([{fd=3, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND},{fd=4, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}, +{fd=5, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND},{fd=6, events =POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], +4, 2000) = 2 ([{fd=4, revents=POLLHUP},{fd=6, revents=POLLHUP}]) +accept(4, 0x7ffd5e6dddc0, [128]) = -1 EINVAL (Invalid argument) +accept(6, 0x7ffd5e6dddc0, [128]) = -1 EINVAL (Invalid argument) + +% time seconds usecs/call callserrors syscall +-- --- --- - - + 70.870.005392 0513886513886 accept + 29.130.002216 0256943 poll + 0.000.00 0 4 read + +The root cause is that 'listen' is not called for the binded +socket. The depended libtipc does not call 'listen' if found +the incomming socket is binded, so 'accept' reports the error +in the 'for' loop and cpu consumed. + +Upstream-Status: Pending + +Signed-off-by: Haiqing Bai +--- + daemon.c | 7 +++ + 1 file changed, 7 insertions(+) + +diff --git a/daemon.c b/daemon.c +index 028a181..4c85903 100644 +--- a/daemon.c b/daemon.c +@@ -814,6 +814,13 @@ static SVCXPRT *create_tcp_transport(unsigned int port) + fprintf(stderr, "Couldn't bind to tcp port %d\n", port); + exit(1); + } ++ ++ if (listen(sock, SOMAXCONN) < 0) { ++ perror("listen"); ++ fprintf(stderr, "Couldn't listen on the address \n"); ++ close(sock); ++ exit(1); ++ } + } + + transp = svctcp_create(sock, 0, 0); +-- +1.9.1 + diff --git a/meta/recipes-devtools/unfs3/unfs3_git.bb b/meta/recipes-devtools/unfs3/unfs3_git.bb index 79d0978..d60cee8 100644 --- a/meta/recipes-devtools/unfs3/unfs3_git.bb +++ b/meta/recipes-devtools/unfs3/unfs3_git.bb @@ -23,6 +23,7 @@ SRC_URI = "git://github.com/unfs3/unfs3.git;protocol=https \ file://tcp_no_delay.patch \ file://0001-daemon.c-Libtirpc-porting-fixes.patch \ file://0001-attr-fix-utime-for-symlink.patch \ + file://0001-Add-listen-action-for-a-tcp-socket.patch \ " SRCREV = "c12a5c69a8d59be6916cbd0e0f41c159f1962425" UPSTREAM_CHECK_GITTAGREGEX = "unfs3\-(?P.+)" -- 1.9.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [zeus][PATCH 1/2] python3: fix CVE-2019-16935
On 10/23/2019 06:59 PM, Ross Burton wrote: Zeus and master I presume? Ross Yes. These two are for zeus. I will send out another two for master to avoid conflicts. Best Regards, Chen Qi -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] new meta-oe failures from master-next
On Wed, Oct 23, 2019 at 8:31 PM Richard Purdie wrote: > > On Wed, 2019-10-23 at 16:29 +0100, Ross Burton wrote: > > On 23/10/2019 14:03, Khem Raj wrote: > > > Hi Richard > > > > > > New master-next I see these fails > > > > > > https://errors.yoctoproject.org/Errors/Build/91645/ > > > > > > First two are important one's we already know why > > > ti-display-sharing-fw fails to fetch > > > > ERROR: QA Issue: libiio: Files/directories were installed but not > > shipped in any package: > >/usr/lib/python2.7 > >/usr/lib/python2.7/site-packages > >/usr/lib/python2.7/site-packages/libiio-0.18-py2.7.egg-info > >/usr/lib/python2.7/site-packages/iio.pyc > >/usr/lib/python2.7/site-packages/iio.py > > > > That may have been triggered by some change in oe-core but that's > > definitely an issue with libiio. > > Its from this cmake change: > > http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=dbba06d9153ae588c9496b40e5db18b3602bfad1 > I think its causing more failures, where suddenly, the recipes are now resorting to native python, is this patch correct I wonder ? see https://git.openembedded.org/meta-openembedded-contrib/commit/?h=yoe/mut=5d02e814bc7d30f925b2eeec85eb053cec516f26 https://git.openembedded.org/meta-openembedded-contrib/commit/?h=yoe/mut=3ab0af60e8512cbb718e8a0112d9c9aa98c620a4 > > > > > WARNING: > > TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1- > > r0/temp/run.do_configure.7679:1 > > exit 1 from 'NO_FETCH_BUILD=1 > > TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1- > > r0/recipe-sysroot-native/usr/bin/python3-native/python3 > > setup.py clean' > > ERROR: Execution of > > 'TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1- > > r0/temp/run.do_configure.7679' > > failed with exit code 1: > > Traceback (most recent call last): > >File "setup.py", line 17, in > > setup(**config['options']) > >File > > "TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1- > > r0/recipe-sysroot-native/usr/lib/python3.7/site- > > packages/setuptools/__init__.py", > > line 145, in setup > > return distutils.core.setup(**attrs) > > > > Looks like whatever astor is doing with setuptools doesn't agree > > with the upgrade to 41.4.0? > > Yes, I can confirm that reverting > http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=b9703df2853e72b974a63ef1146f09a6c197990d > locally does make it build again. > > Cheers, > > Richard > > > > > > -- > ___ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] new meta-oe failures from master-next
On Wed, Oct 23, 2019 at 10:20:29PM +0100, Richard Purdie wrote: > > Well, yes. The proposed policy is now that we should address these > kinds of issues if they get reported. Whilst I understand why and that > Khem doesn't get as much help as he needs with meta-oe, pushing the oe- > core maintainers to fix things likely won't scale. I would like to see > meta-oe quality/reliability improve though so I do understand the > desire. >... What is the proposed process for oe-core changes that are likely to break reverse dependencies in meta-oe? Python 3.8 would be a good example for that - for astor your upgrade to the latest upstream version already contains Python 3.8 fixes, but other recipes in meta-oe might require fixing by someone. > Cheers, > > Richard cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] new meta-oe failures from master-next
On Wed, 2019-10-23 at 22:23 +0300, Adrian Bunk wrote: > On Wed, Oct 23, 2019 at 04:29:13PM +0100, Ross Burton wrote: > > On 23/10/2019 14:03, Khem Raj wrote: > > > Hi Richard > > > > > > New master-next I see these fails > > > > > > https://errors.yoctoproject.org/Errors/Build/91645/ > > > > > > First two are important one's we already know why > > > ti-display-sharing-fw fails to fetch > > > > ERROR: QA Issue: libiio: Files/directories were installed but not > > shipped in > > any package: > > /usr/lib/python2.7 > > /usr/lib/python2.7/site-packages > > /usr/lib/python2.7/site-packages/libiio-0.18-py2.7.egg-info > > /usr/lib/python2.7/site-packages/iio.pyc > > /usr/lib/python2.7/site-packages/iio.py > > > > That may have been triggered by some change in oe-core but that's > > definitely > > an issue with libiio. > > I'd agree on that: > > Python bindings were converted from python2 to python3 last week, > and it picks up the host python 2.7. > > -inherit cmake pythonnative systemd > +inherit cmake python3native systemd > > This does not in any way guarantee that there is no python2 > interpreter > available. > > > WARNING: TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3- > > astor/0.7.1-r0/temp/run.do_configure.7679:1 > > exit 1 from 'NO_FETCH_BUILD=1 TOPDIR/build/tmp/work/mips32r2-yoe- > > linux/python3-astor/0.7.1-r0/recipe-sysroot-native/usr/bin/python3- > > native/python3 > > setup.py clean' > > ERROR: Execution of 'TOPDIR/build/tmp/work/mips32r2-yoe- > > linux/python3-astor/0.7.1-r0/temp/run.do_configure.7679' > > failed with exit code 1: > > Traceback (most recent call last): > > File "setup.py", line 17, in > > setup(**config['options']) > > File "TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3- > > astor/0.7.1-r0/recipe-sysroot-native/usr/lib/python3.7/site- > > packages/setuptools/__init__.py", > > line 145, in setup > > return distutils.core.setup(**attrs) > > > > Looks like whatever astor is doing with setuptools doesn't agree > > with the > > upgrade to 41.4.0? > > The recipe is behind upstream, but even the latest version needs > fixing: > https://github.com/berkerpeksag/astor/issues/162 > > Temporarily broken leaf package, not really important. Well, yes. The proposed policy is now that we should address these kinds of issues if they get reported. Whilst I understand why and that Khem doesn't get as much help as he needs with meta-oe, pushing the oe- core maintainers to fix things likely won't scale. I would like to see meta-oe quality/reliability improve though so I do understand the desire. Since I'd had to look into them, I've posted patches to oe-devel for the above two issues. Cheers, Richard -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH v3] mesa: Upgrade to 19.2.1
On Wed, Oct 23, 2019 at 6:07 PM Alistair Francis wrote: > > From: Alistair Francis > > Upgrade mesa and mesa-gl to 19.2.1. > > The license hash change was a trivial new line removal. > > The glx-tls option was removed as it isn't included in the meson.build > file. It has been replaced with 'use-elf-tls' instead. > > The -Dasm=false was removed as it also is no longer included. > > Signed-off-by: Alistair Francis > Signed-off-by: Alistair Francis Acked-by: Otavio Salvador -- Otavio Salvador O.S. Systems http://www.ossystems.com.brhttp://code.ossystems.com.br Mobile: +55 (53) 9 9981-7854 Mobile: +1 (347) 903-9750 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] systemtap: support usrmerge
On 10/23/19 1:25 PM, Alessio Igor Bogani wrote: > Signed-off-by: Alessio Igor Bogani Thanks for the patch. Could you comment on this open Yocto bug? https://bugzilla.yoctoproject.org/show_bug.cgi?id=4442 I think its fixed but would like someone who is using it to comment. - armin > --- > meta/recipes-kernel/systemtap/systemtap_git.bb | 7 +-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/meta/recipes-kernel/systemtap/systemtap_git.bb > b/meta/recipes-kernel/systemtap/systemtap_git.bb > index 6ee3e1c0f7..2efba2e06f 100644 > --- a/meta/recipes-kernel/systemtap/systemtap_git.bb > +++ b/meta/recipes-kernel/systemtap/systemtap_git.bb > @@ -52,10 +52,13 @@ do_install_append () { > fi > > # Fix makefile hardcoded path assumptions for systemd (assumes $prefix) > - install -d `dirname ${D}${systemd_unitdir}` > - mv ${D}${prefix}/lib/systemd `dirname ${D}${systemd_unitdir}` > + if not > ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then > + install -d `dirname ${D}${systemd_unitdir}` > + mv ${D}${prefix}/lib/systemd `dirname ${D}${systemd_unitdir}` > + fi > rmdir ${D}${prefix}/lib --ignore-fail-on-non-empty > > + > # Ensure correct ownership for files copied in > chown root:root ${D}${sysconfdir}/stap-exporter/* -R > } -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH v3] mesa: Upgrade to 19.2.1
From: Alistair Francis Upgrade mesa and mesa-gl to 19.2.1. The license hash change was a trivial new line removal. The glx-tls option was removed as it isn't included in the meson.build file. It has been replaced with 'use-elf-tls' instead. The -Dasm=false was removed as it also is no longer included. Signed-off-by: Alistair Francis Signed-off-by: Alistair Francis --- v3: - Fix missing Upstream-Status v2: - Add back "make TLS ELF optional" patch ...02-meson.build-make-TLS-ELF-optional.patch | 48 + ...on.build-make-TLS-GLX-optional-again.patch | 52 --- .../{mesa-gl_19.1.6.bb => mesa-gl_19.2.1.bb} | 0 meta/recipes-graphics/mesa/mesa.inc | 15 +++--- .../mesa/{mesa_19.1.6.bb => mesa_19.2.1.bb} | 6 +-- 5 files changed, 57 insertions(+), 64 deletions(-) create mode 100644 meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch delete mode 100644 meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-GLX-optional-again.patch rename meta/recipes-graphics/mesa/{mesa-gl_19.1.6.bb => mesa-gl_19.2.1.bb} (100%) rename meta/recipes-graphics/mesa/{mesa_19.1.6.bb => mesa_19.2.1.bb} (77%) diff --git a/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch b/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch new file mode 100644 index 00..c3b5e14cd6 --- /dev/null +++ b/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch @@ -0,0 +1,48 @@ +From edd03b8ea66ccf81b0c1d27868756d06e2d177ab Mon Sep 17 00:00:00 2001 +From: Alistair Francis +Date: Wed, 23 Oct 2019 09:46:28 -0700 +Subject: [PATCH] meson.build: make TLS ELF optional + +USE_ELF_TLS has replaced GLX_USE_TLS so this patch is the original "make +TLS GLX optional again" patch updated to the latest mesa. + +Upstream-Status: Inappropriate [configuration] +Signed-off-by: Alistair Francis +--- + meson.build | 2 +- + meson_options.txt | 6 ++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/meson.build b/meson.build +index 7992734..06653fe 100644 +--- a/meson.build b/meson.build +@@ -378,7 +378,7 @@ if with_egl and not (with_platform_drm or with_platform_surfaceless or with_plat + endif + + # Android uses emutls for versions <= P/28. For USE_ELF_TLS we need ELF TLS. +-if not with_platform_android or get_option('platform-sdk-version') >= 29 ++if (not with_platform_android or get_option('platform-sdk-version') >= 29) and get_option('elf-tls') + pre_args += '-DUSE_ELF_TLS' + endif + +diff --git a/meson_options.txt b/meson_options.txt +index 188e132..ddd47b7 100644 +--- a/meson_options.txt b/meson_options.txt +@@ -339,6 +339,12 @@ option( + value : true, + description : 'Enable direct rendering in GLX and EGL for DRI', + ) ++option( ++ 'elf-tls', ++ type : 'boolean', ++ value : true, ++ description : 'Enable TLS support in ELF', ++) + option( + 'I-love-half-baked-turnips', + type : 'boolean', +-- +2.23.0 + diff --git a/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-GLX-optional-again.patch b/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-GLX-optional-again.patch deleted file mode 100644 index 641bacf1d9..00 --- a/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-GLX-optional-again.patch +++ /dev/null @@ -1,52 +0,0 @@ -From cee8e48c5344124e5d84307cb0c48ee0c9b3e684 Mon Sep 17 00:00:00 2001 -From: Fabio Berton -Date: Wed, 12 Jun 2019 14:15:57 -0300 -Subject: [PATCH] meson.build: make TLS GLX optional again -Organization: O.S. Systems Software LTDA. - -This was optional with autotools, and needs to be disabled -when using musl C library, for instance. - -Upstream-Status: Pending - -Signed-off-by: Alexander Kanavin -Signed-off-by: Fabio Berton -Signed-off-by: Otavio Salvador - meson.build | 4 +++- - meson_options.txt | 7 +++ - 2 files changed, 10 insertions(+), 1 deletion(-) - -diff --git a/meson.build b/meson.build -index b33b430aed4..0e50bb26c0a 100644 a/meson.build -+++ b/meson.build -@@ -369,7 +369,9 @@ if with_egl and not (with_platform_drm or with_platform_surfaceless or with_plat - endif - endif - --pre_args += '-DGLX_USE_TLS' -+if get_option('glx-tls') -+ pre_args += '-DGLX_USE_TLS' -+endif - if with_glx != 'disabled' - if not (with_platform_x11 and with_any_opengl) - error('Cannot build GLX support without X11 platform support and at least one OpenGL API') -diff --git a/meson_options.txt b/meson_options.txt -index 1f72faabee8..fcd49efea27 100644 a/meson_options.txt -+++ b/meson_options.txt -@@ -339,6 +339,13 @@ option( - value : true, - description : 'Enable direct rendering in GLX and EGL for DRI', - ) -+option( -+ 'glx-tls', -+ type : 'boolean', -+ value : true, -+ description : 'Enable TLS support in GLX', -+) -+ - option( - 'I-love-half-baked-turnips', - type : 'boolean', diff --git a/meta/recipes-graphics/mesa/mesa-gl_19.1.6.bb
[OE-core] ✗ patchtest: failure for mesa: Upgrade to 19.2.1 (rev2)
== Series Details == Series: mesa: Upgrade to 19.2.1 (rev2) Revision: 2 URL : https://patchwork.openembedded.org/series/20447/ State : failure == Summary == Thank you for submitting this patch series to OpenEmbedded Core. This is an automated response. Several tests have been executed on the proposed series by patchtest resulting in the following failures: * Issue Added patch file is missing Upstream-Status in the header [test_upstream_status_presence_format] Suggested fixAdd Upstream-Status: to the header of meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch Standard format Upstream-Status: Valid status Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where] If you believe any of these test results are incorrect, please reply to the mailing list (openembedded-core@lists.openembedded.org) raising your concerns. Otherwise we would appreciate you correcting the issues and submitting a new version of the patchset if applicable. Please ensure you add/increment the version number when sending the new version (i.e. [PATCH] -> [PATCH v2] -> [PATCH v3] -> ...). --- Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] mesa: Upgrade to 19.2.1
On Wed, Oct 23, 2019 at 12:46 AM Richard Purdie wrote: > > On Tue, 2019-10-22 at 15:07 -0700, Alistair Francis wrote: > > On Sat, Oct 12, 2019 at 9:54 AM Alistair Francis < > > alist...@alistair23.me> wrote: > > > Upgrade mesa and mesa-gl to 19.2.1. > > > > > > The license hash change was a trivial new line removal. > > > > > > The glx-tls option was removed as it isn't included in the > > > meson.build > > > file. > > > > > > The -Dasm=false was removed as it also is no longer included. > > > > > > Signed-off-by: Alistair Francis > > > > Ping! > > It caused multiple failures on the autobuilder: > > https://autobuilder.yoctoproject.org/typhoon/#/builders/64/builds/1160 > (musl-qemux86) > https://autobuilder.yoctoproject.org/typhoon/#/builders/45/builds/1162 > (musl-qemux86-64) > https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/1141 > (libsdl2 compile fail) > https://autobuilder.yoctoproject.org/typhoon/#/builders/108/builds/40 > (libsdl2 compile fail) I wasn't about to reproduce these, but I'm guessing the musl failures are from the glx-tls patch being dropped, so I have added the new elf-tls back, hopefully that fixes it. Alistair > > Cheers, > > Richard > -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH v2] mesa: Upgrade to 19.2.1
From: Alistair Francis Upgrade mesa and mesa-gl to 19.2.1. The license hash change was a trivial new line removal. The glx-tls option was removed as it isn't included in the meson.build file. It has been replaced with 'use-elf-tls' instead. The -Dasm=false was removed as it also is no longer included. Signed-off-by: Alistair Francis Signed-off-by: Alistair Francis --- ...02-meson.build-make-TLS-ELF-optional.patch | 47 + ...on.build-make-TLS-GLX-optional-again.patch | 52 --- .../{mesa-gl_19.1.6.bb => mesa-gl_19.2.1.bb} | 0 meta/recipes-graphics/mesa/mesa.inc | 15 +++--- .../mesa/{mesa_19.1.6.bb => mesa_19.2.1.bb} | 6 +-- 5 files changed, 56 insertions(+), 64 deletions(-) create mode 100644 meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch delete mode 100644 meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-GLX-optional-again.patch rename meta/recipes-graphics/mesa/{mesa-gl_19.1.6.bb => mesa-gl_19.2.1.bb} (100%) rename meta/recipes-graphics/mesa/{mesa_19.1.6.bb => mesa_19.2.1.bb} (77%) diff --git a/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch b/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch new file mode 100644 index 00..2d726227c5 --- /dev/null +++ b/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch @@ -0,0 +1,47 @@ +From edd03b8ea66ccf81b0c1d27868756d06e2d177ab Mon Sep 17 00:00:00 2001 +From: Alistair Francis +Date: Wed, 23 Oct 2019 09:46:28 -0700 +Subject: [PATCH] meson.build: make TLS ELF optional + +USE_ELF_TLS has replaced GLX_USE_TLS so this patch is the original "make +TLS GLX optional again" patch updated to the latest mesa. + +Signed-off-by: Alistair Francis +--- + meson.build | 2 +- + meson_options.txt | 6 ++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/meson.build b/meson.build +index 7992734..06653fe 100644 +--- a/meson.build b/meson.build +@@ -378,7 +378,7 @@ if with_egl and not (with_platform_drm or with_platform_surfaceless or with_plat + endif + + # Android uses emutls for versions <= P/28. For USE_ELF_TLS we need ELF TLS. +-if not with_platform_android or get_option('platform-sdk-version') >= 29 ++if (not with_platform_android or get_option('platform-sdk-version') >= 29) and get_option('elf-tls') + pre_args += '-DUSE_ELF_TLS' + endif + +diff --git a/meson_options.txt b/meson_options.txt +index 188e132..ddd47b7 100644 +--- a/meson_options.txt b/meson_options.txt +@@ -339,6 +339,12 @@ option( + value : true, + description : 'Enable direct rendering in GLX and EGL for DRI', + ) ++option( ++ 'elf-tls', ++ type : 'boolean', ++ value : true, ++ description : 'Enable TLS support in ELF', ++) + option( + 'I-love-half-baked-turnips', + type : 'boolean', +-- +2.23.0 + diff --git a/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-GLX-optional-again.patch b/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-GLX-optional-again.patch deleted file mode 100644 index 641bacf1d9..00 --- a/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-GLX-optional-again.patch +++ /dev/null @@ -1,52 +0,0 @@ -From cee8e48c5344124e5d84307cb0c48ee0c9b3e684 Mon Sep 17 00:00:00 2001 -From: Fabio Berton -Date: Wed, 12 Jun 2019 14:15:57 -0300 -Subject: [PATCH] meson.build: make TLS GLX optional again -Organization: O.S. Systems Software LTDA. - -This was optional with autotools, and needs to be disabled -when using musl C library, for instance. - -Upstream-Status: Pending - -Signed-off-by: Alexander Kanavin -Signed-off-by: Fabio Berton -Signed-off-by: Otavio Salvador - meson.build | 4 +++- - meson_options.txt | 7 +++ - 2 files changed, 10 insertions(+), 1 deletion(-) - -diff --git a/meson.build b/meson.build -index b33b430aed4..0e50bb26c0a 100644 a/meson.build -+++ b/meson.build -@@ -369,7 +369,9 @@ if with_egl and not (with_platform_drm or with_platform_surfaceless or with_plat - endif - endif - --pre_args += '-DGLX_USE_TLS' -+if get_option('glx-tls') -+ pre_args += '-DGLX_USE_TLS' -+endif - if with_glx != 'disabled' - if not (with_platform_x11 and with_any_opengl) - error('Cannot build GLX support without X11 platform support and at least one OpenGL API') -diff --git a/meson_options.txt b/meson_options.txt -index 1f72faabee8..fcd49efea27 100644 a/meson_options.txt -+++ b/meson_options.txt -@@ -339,6 +339,13 @@ option( - value : true, - description : 'Enable direct rendering in GLX and EGL for DRI', - ) -+option( -+ 'glx-tls', -+ type : 'boolean', -+ value : true, -+ description : 'Enable TLS support in GLX', -+) -+ - option( - 'I-love-half-baked-turnips', - type : 'boolean', diff --git a/meta/recipes-graphics/mesa/mesa-gl_19.1.6.bb b/meta/recipes-graphics/mesa/mesa-gl_19.2.1.bb similarity index 100% rename from meta/recipes-graphics/mesa/mesa-gl_19.1.6.bb rename to
Re: [OE-core] [PATCH] systemtap: support usrmerge
On 10/23/19 3:25 PM, Alessio Igor Bogani wrote: > Signed-off-by: Alessio Igor Bogani > --- > meta/recipes-kernel/systemtap/systemtap_git.bb | 7 +-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/meta/recipes-kernel/systemtap/systemtap_git.bb > b/meta/recipes-kernel/systemtap/systemtap_git.bb > index 6ee3e1c0f7..2efba2e06f 100644 > --- a/meta/recipes-kernel/systemtap/systemtap_git.bb > +++ b/meta/recipes-kernel/systemtap/systemtap_git.bb > @@ -52,10 +52,13 @@ do_install_append () { > fi > > # Fix makefile hardcoded path assumptions for systemd (assumes $prefix) > - install -d `dirname ${D}${systemd_unitdir}` > - mv ${D}${prefix}/lib/systemd `dirname ${D}${systemd_unitdir}` > + if not > ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then > + install -d `dirname ${D}${systemd_unitdir}` > + mv ${D}${prefix}/lib/systemd `dirname ${D}${systemd_unitdir}` > + fi > rmdir ${D}${prefix}/lib --ignore-fail-on-non-empty A better check out be: if [ {D}${prefix}/lib/systemd != `dirname ${D}${systemd_unitdir}` ]; then install -d `dirname ${D}${systemd_unitdir}` mv ${D}${prefix}/lib/systemd `dirname ${D}${systemd_unitdir}` rmdir ${D}${prefix}/lib --ignore-fail-on-non-empty fi This way the issue is resolved even if usrmerge isn't enabled, but the user manually manipulated the paths. > + > # Ensure correct ownership for files copied in > chown root:root ${D}${sysconfdir}/stap-exporter/* -R > } > -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] systemtap: support usrmerge
Signed-off-by: Alessio Igor Bogani --- meta/recipes-kernel/systemtap/systemtap_git.bb | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/meta/recipes-kernel/systemtap/systemtap_git.bb b/meta/recipes-kernel/systemtap/systemtap_git.bb index 6ee3e1c0f7..2efba2e06f 100644 --- a/meta/recipes-kernel/systemtap/systemtap_git.bb +++ b/meta/recipes-kernel/systemtap/systemtap_git.bb @@ -52,10 +52,13 @@ do_install_append () { fi # Fix makefile hardcoded path assumptions for systemd (assumes $prefix) - install -d `dirname ${D}${systemd_unitdir}` - mv ${D}${prefix}/lib/systemd `dirname ${D}${systemd_unitdir}` + if not ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then + install -d `dirname ${D}${systemd_unitdir}` + mv ${D}${prefix}/lib/systemd `dirname ${D}${systemd_unitdir}` + fi rmdir ${D}${prefix}/lib --ignore-fail-on-non-empty + # Ensure correct ownership for files copied in chown root:root ${D}${sysconfdir}/stap-exporter/* -R } -- 2.17.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH v3] gsettings-desktop-schemas: upgrade 3.32.0 -> 3.34.0
Need it for gnome-settings-daemon 3.34: | meson.build:91:0: ERROR: Invalid version of dependency, need 'gsettings-desktop-schemas' ['>= 3.33.0'] found '3.32.0'. Signed-off-by: Andreas Müller --- v2: make x11 a required distro feature v3: remove gcr from depends / undo v2 ...-schemas_3.32.0.bb => gsettings-desktop-schemas_3.34.0.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-gnome/gsettings-desktop-schemas/{gsettings-desktop-schemas_3.32.0.bb => gsettings-desktop-schemas_3.34.0.bb} (74%) diff --git a/meta/recipes-gnome/gsettings-desktop-schemas/gsettings-desktop-schemas_3.32.0.bb b/meta/recipes-gnome/gsettings-desktop-schemas/gsettings-desktop-schemas_3.34.0.bb similarity index 74% rename from meta/recipes-gnome/gsettings-desktop-schemas/gsettings-desktop-schemas_3.32.0.bb rename to meta/recipes-gnome/gsettings-desktop-schemas/gsettings-desktop-schemas_3.34.0.bb index 859f70466b..a0ff1ab84e 100644 --- a/meta/recipes-gnome/gsettings-desktop-schemas/gsettings-desktop-schemas_3.32.0.bb +++ b/meta/recipes-gnome/gsettings-desktop-schemas/gsettings-desktop-schemas_3.34.0.bb @@ -11,6 +11,6 @@ GNOMEBASEBUILDCLASS = "meson" inherit gnomebase gsettings gobject-introspection gettext upstream-version-is-even -SRC_URI[archive.md5sum] = "0c2d468a482c12594757442c983aa8ea" -SRC_URI[archive.sha256sum] = "2d59b4b3a548859dfae46314ee4666787a00d5c82db382e97df7aa9d0e310a35" +SRC_URI[archive.md5sum] = "9759ef53fb2e53fc8d19190e58f2c332" +SRC_URI[archive.sha256sum] = "288b04260f7040b0e004a8d59c773cfb4e32df4f1b4a0f9d705c51afccc95ead" SRC_URI += "file://0001-Do-not-skip-gir-installation-for-cross-compiling.patch" -- 2.21.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] new meta-oe failures from master-next
On Wed, 2019-10-23 at 16:29 +0100, Ross Burton wrote: > On 23/10/2019 14:03, Khem Raj wrote: > > Hi Richard > > > > New master-next I see these fails > > > > https://errors.yoctoproject.org/Errors/Build/91645/ > > > > First two are important one's we already know why > > ti-display-sharing-fw fails to fetch > > ERROR: QA Issue: libiio: Files/directories were installed but not > shipped in any package: >/usr/lib/python2.7 >/usr/lib/python2.7/site-packages >/usr/lib/python2.7/site-packages/libiio-0.18-py2.7.egg-info >/usr/lib/python2.7/site-packages/iio.pyc >/usr/lib/python2.7/site-packages/iio.py > > That may have been triggered by some change in oe-core but that's > definitely an issue with libiio. Its from this cmake change: http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=dbba06d9153ae588c9496b40e5db18b3602bfad1 > > WARNING: > TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1- > r0/temp/run.do_configure.7679:1 > exit 1 from 'NO_FETCH_BUILD=1 > TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1- > r0/recipe-sysroot-native/usr/bin/python3-native/python3 > setup.py clean' > ERROR: Execution of > 'TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1- > r0/temp/run.do_configure.7679' > failed with exit code 1: > Traceback (most recent call last): >File "setup.py", line 17, in > setup(**config['options']) >File > "TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1- > r0/recipe-sysroot-native/usr/lib/python3.7/site- > packages/setuptools/__init__.py", > line 145, in setup > return distutils.core.setup(**attrs) > > Looks like whatever astor is doing with setuptools doesn't agree > with the upgrade to 41.4.0? Yes, I can confirm that reverting http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=b9703df2853e72b974a63ef1146f09a6c197990d locally does make it build again. Cheers, Richard -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] new meta-oe failures from master-next
On Wed, Oct 23, 2019 at 04:29:13PM +0100, Ross Burton wrote: > On 23/10/2019 14:03, Khem Raj wrote: > > Hi Richard > > > > New master-next I see these fails > > > > https://errors.yoctoproject.org/Errors/Build/91645/ > > > > First two are important one's we already know why > > ti-display-sharing-fw fails to fetch > > ERROR: QA Issue: libiio: Files/directories were installed but not shipped in > any package: > /usr/lib/python2.7 > /usr/lib/python2.7/site-packages > /usr/lib/python2.7/site-packages/libiio-0.18-py2.7.egg-info > /usr/lib/python2.7/site-packages/iio.pyc > /usr/lib/python2.7/site-packages/iio.py > > That may have been triggered by some change in oe-core but that's definitely > an issue with libiio. I'd agree on that: Python bindings were converted from python2 to python3 last week, and it picks up the host python 2.7. -inherit cmake pythonnative systemd +inherit cmake python3native systemd This does not in any way guarantee that there is no python2 interpreter available. > WARNING: > TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1-r0/temp/run.do_configure.7679:1 > exit 1 from 'NO_FETCH_BUILD=1 > TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1-r0/recipe-sysroot-native/usr/bin/python3-native/python3 > setup.py clean' > ERROR: Execution of > 'TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1-r0/temp/run.do_configure.7679' > failed with exit code 1: > Traceback (most recent call last): > File "setup.py", line 17, in > setup(**config['options']) > File > "TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1-r0/recipe-sysroot-native/usr/lib/python3.7/site-packages/setuptools/__init__.py", > line 145, in setup > return distutils.core.setup(**attrs) > > Looks like whatever astor is doing with setuptools doesn't agree with the > upgrade to 41.4.0? The recipe is behind upstream, but even the latest version needs fixing: https://github.com/berkerpeksag/astor/issues/162 Temporarily broken leaf package, not really important. > Ross cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH v2 2/2] meta: add missing description in recipes-gnome
Remove some trailing whitespace Signed-off-by: Maxime Roussin-Bélanger --- Changes in v2: - Fix missing \ in libsecret meta/recipes-gnome/gcr/gcr_3.28.1.bb | 3 +++ meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.38.2.bb| 3 +++ meta/recipes-gnome/gnome/gconf_3.2.6.bb | 3 +++ .../gobject-introspection/gobject-introspection_1.62.0.bb | 8 ++-- .../gsettings-desktop-schemas_3.32.0.bb | 2 ++ .../hicolor-icon-theme/hicolor-icon-theme_0.17.bb | 2 ++ meta/recipes-gnome/libdazzle/libdazzle_3.34.1.bb | 3 +++ meta/recipes-gnome/libgudev/libgudev_233.bb | 4 meta/recipes-gnome/librsvg/librsvg_2.40.20.bb | 4 meta/recipes-gnome/libsecret/libsecret_0.19.1.bb | 4 10 files changed, 34 insertions(+), 2 deletions(-) diff --git a/meta/recipes-gnome/gcr/gcr_3.28.1.bb b/meta/recipes-gnome/gcr/gcr_3.28.1.bb index 419396f049..0a9867451e 100644 --- a/meta/recipes-gnome/gcr/gcr_3.28.1.bb +++ b/meta/recipes-gnome/gcr/gcr_3.28.1.bb @@ -1,4 +1,7 @@ SUMMARY = "A library for bits of crypto UI and parsing etc" +DESCRIPTION = "GCR is a library for displaying certificates, and crypto UI, \ +accessing key stores. It also provides the viewer for crypto files on the \ +GNOME desktop." HOMEPAGE = "https://gitlab.gnome.org/GNOME/gcr; BUGTRACKER = "https://gitlab.gnome.org/GNOME/gcr/issues; diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.38.2.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.38.2.bb index 90196e8818..c99510609c 100644 --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.38.2.bb +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.38.2.bb @@ -1,4 +1,7 @@ SUMMARY = "Image loading library for GTK+" +DESCRIPTION = "The GDK Pixbuf library provides: Image loading and saving \ +facilities, fast scaling and compositing of pixbufs and Simple animation \ +loading (ie. animated GIFs)" HOMEPAGE = "https://wiki.gnome.org/Projects/GdkPixbuf; BUGTRACKER = "https://gitlab.gnome.org/GNOME/gdk-pixbuf/issues; diff --git a/meta/recipes-gnome/gnome/gconf_3.2.6.bb b/meta/recipes-gnome/gnome/gconf_3.2.6.bb index e6742f37d8..b8466d4833 100644 --- a/meta/recipes-gnome/gnome/gconf_3.2.6.bb +++ b/meta/recipes-gnome/gnome/gconf_3.2.6.bb @@ -1,4 +1,7 @@ SUMMARY = "GNOME configuration system" +DESCRIPTION = "GConf is a system for storing application preferences. \ +It is intended for user preferences; not configuration of something like \ +Apache, or arbitrary data storage." SECTION = "x11/gnome" HOMEPAGE = "https://projects.gnome.org/gconf/; LICENSE = "LGPLv2+" diff --git a/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb b/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb index 1c3697b23d..a9739cc552 100644 --- a/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb +++ b/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb @@ -1,4 +1,8 @@ SUMMARY = "Middleware layer between GObject-using C libraries and language bindings" +DESCRIPTION = "GObject Introspection is a project for providing machine \ +readable introspection data of the API of C libraries. This introspection \ +data can be used in several different use cases, for example automatic code \ +generation for bindings, API verification and documentation generation." HOMEPAGE = "https://wiki.gnome.org/action/show/Projects/GObjectIntrospection; BUGTRACKER = "https://gitlab.gnome.org/GNOME/gobject-introspection/issues; SECTION = "libs" @@ -92,7 +96,7 @@ EOF # Write out a wrapper for g-ir-scanner itself, which will be used when building introspection files # for glib-based packages. This wrapper calls the native version of the scanner, and tells it to use -# a qemu wrapper for running transient target binaries produced by the scanner, and an include directory +# a qemu wrapper for running transient target binaries produced by the scanner, and an include directory # from the target sysroot. cat > ${B}/g-ir-scanner-wrapper << EOF #!/bin/sh @@ -132,7 +136,7 @@ do_compile_prepend() { export GIR_EXTRA_LIBS_PATH=$B/.libs } -# Our wrappers need to be available system-wide, because they will be used +# Our wrappers need to be available system-wide, because they will be used # to build introspection files for all other gobject-based packages do_install_append_class-target() { install -d ${D}${bindir}/ diff --git a/meta/recipes-gnome/gsettings-desktop-schemas/gsettings-desktop-schemas_3.32.0.bb b/meta/recipes-gnome/gsettings-desktop-schemas/gsettings-desktop-schemas_3.32.0.bb index 2163260a02..8d19aed2bf 100644 --- a/meta/recipes-gnome/gsettings-desktop-schemas/gsettings-desktop-schemas_3.32.0.bb +++ b/meta/recipes-gnome/gsettings-desktop-schemas/gsettings-desktop-schemas_3.32.0.bb @@ -1,4 +1,6 @@ SUMMARY = "GNOME desktop-wide GSettings schemas" +DESCRIPTION = "GSettings
[OE-core] [PATCH v2 1/2] meta: update and add missing homepage/bugtracker links
Signed-off-by: Maxime Roussin-Bélanger --- Changes in v2: - Nothing meta/recipes-gnome/epiphany/epiphany_3.34.1.bb| 1 + meta/recipes-gnome/gcr/gcr_3.28.1.bb | 4 ++-- meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.38.2.bb| 4 ++-- meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.0.bb | 4 ++-- .../gobject-introspection/gobject-introspection_1.62.0.bb | 2 +- .../gsettings-desktop-schemas_3.32.0.bb | 4 ++-- .../hicolor-icon-theme/hicolor-icon-theme_0.17.bb | 2 +- meta/recipes-gnome/json-glib/json-glib_1.4.4.bb | 3 ++- meta/recipes-gnome/libdazzle/libdazzle_3.34.1.bb | 2 ++ meta/recipes-gnome/libgudev/libgudev_233.bb | 1 + meta/recipes-gnome/libnotify/libnotify_0.7.8.bb | 3 ++- meta/recipes-gnome/librsvg/librsvg_2.40.20.bb | 4 ++-- meta/recipes-gnome/libsecret/libsecret_0.19.1.bb | 1 + 13 files changed, 21 insertions(+), 14 deletions(-) diff --git a/meta/recipes-gnome/epiphany/epiphany_3.34.1.bb b/meta/recipes-gnome/epiphany/epiphany_3.34.1.bb index f5f086391e..d1cb515a58 100644 --- a/meta/recipes-gnome/epiphany/epiphany_3.34.1.bb +++ b/meta/recipes-gnome/epiphany/epiphany_3.34.1.bb @@ -1,4 +1,5 @@ SUMMARY = "WebKit based web browser for GNOME" +BUGTRACKER = "https://gitlab.gnome.org/GNOME/epiphany; LICENSE = "GPLv3+" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" diff --git a/meta/recipes-gnome/gcr/gcr_3.28.1.bb b/meta/recipes-gnome/gcr/gcr_3.28.1.bb index 2299199c31..419396f049 100644 --- a/meta/recipes-gnome/gcr/gcr_3.28.1.bb +++ b/meta/recipes-gnome/gcr/gcr_3.28.1.bb @@ -1,6 +1,6 @@ SUMMARY = "A library for bits of crypto UI and parsing etc" -HOMEPAGE = "http://www.gnome.org/; -BUGTRACKER = "https://bugzilla.gnome.org/; +HOMEPAGE = "https://gitlab.gnome.org/GNOME/gcr; +BUGTRACKER = "https://gitlab.gnome.org/GNOME/gcr/issues; LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605" diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.38.2.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.38.2.bb index 0f3a63d891..90196e8818 100644 --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.38.2.bb +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.38.2.bb @@ -1,6 +1,6 @@ SUMMARY = "Image loading library for GTK+" -HOMEPAGE = "http://www.gtk.org/; -BUGTRACKER = "https://bugzilla.gnome.org/; +HOMEPAGE = "https://wiki.gnome.org/Projects/GdkPixbuf; +BUGTRACKER = "https://gitlab.gnome.org/GNOME/gdk-pixbuf/issues; LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ diff --git a/meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.0.bb b/meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.0.bb index 84127339b0..3f6b60fbde 100644 --- a/meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.0.bb +++ b/meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.0.bb @@ -1,6 +1,6 @@ SUMMARY = "GTK+ icon theme" -HOMEPAGE = "http://ftp.gnome.org/pub/GNOME/sources/adwaita-icon-theme/; -BUGTRACKER = "https://bugzilla.gnome.org/; +HOMEPAGE = "https://gitlab.gnome.org/GNOME/adwaita-icon-theme; +BUGTRACKER = "https://gitlab.gnome.org/GNOME/adwaita-icon-theme/issues; SECTION = "x11/gnome" LICENSE = "LGPL-3.0 | CC-BY-SA-3.0" diff --git a/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb b/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb index c925115fb7..1c3697b23d 100644 --- a/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb +++ b/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb @@ -1,6 +1,6 @@ SUMMARY = "Middleware layer between GObject-using C libraries and language bindings" HOMEPAGE = "https://wiki.gnome.org/action/show/Projects/GObjectIntrospection; -BUGTRACKER = "https://bugzilla.gnome.org/; +BUGTRACKER = "https://gitlab.gnome.org/GNOME/gobject-introspection/issues; SECTION = "libs" LICENSE = "LGPLv2+ & GPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=c434e8128a68bedd59b80b2ac1eb1c4a \ diff --git a/meta/recipes-gnome/gsettings-desktop-schemas/gsettings-desktop-schemas_3.32.0.bb b/meta/recipes-gnome/gsettings-desktop-schemas/gsettings-desktop-schemas_3.32.0.bb index 859f70466b..2163260a02 100644 --- a/meta/recipes-gnome/gsettings-desktop-schemas/gsettings-desktop-schemas_3.32.0.bb +++ b/meta/recipes-gnome/gsettings-desktop-schemas/gsettings-desktop-schemas_3.32.0.bb @@ -1,6 +1,6 @@ SUMMARY = "GNOME desktop-wide GSettings schemas" -HOMEPAGE = "http://live.gnome.org/gsettings-desktop-schemas; -BUGTRACKER = "https://bugzilla.gnome.org/; +HOMEPAGE = "https://gitlab.gnome.org/GNOME/gsettings-desktop-schemas; +BUGTRACKER = "https://gitlab.gnome.org/GNOME/gsettings-desktop-schemas/issues; LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" diff --git
[OE-core] [PATCH] distutils: pass along parallel make flags to setup.py build
parallel builds for native code in python modules was added about 5 years ago. distutils understands '-j N', so just pass along the right argument to setup.py build. Signed-off-by: Nick Owens --- meta/classes/distutils.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes/distutils.bbclass b/meta/classes/distutils.bbclass index b5c9c2fbbd..ea479f552e 100644 --- a/meta/classes/distutils.bbclass +++ b/meta/classes/distutils.bbclass @@ -23,7 +23,7 @@ distutils_do_compile() { NO_FETCH_BUILD=1 \ STAGING_INCDIR=${STAGING_INCDIR} \ STAGING_LIBDIR=${STAGING_LIBDIR} \ - ${STAGING_BINDIR_NATIVE}/${PYTHON_PN}-native/${PYTHON_PN} setup.py build ${DISTUTILS_BUILD_ARGS} || \ + ${STAGING_BINDIR_NATIVE}/${PYTHON_PN}-native/${PYTHON_PN} setup.py build ${@oe.utils.parallel_make_argument(d, "-j %d")} ${DISTUTILS_BUILD_ARGS} || \ bbfatal_log "'${PYTHON_PN} setup.py build ${DISTUTILS_BUILD_ARGS}' execution failed." } -- 2.17.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH v2] distutils: pass along parallel make flags to setup.py build
thanks ross, i've updated my patch. -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [zeus][PATCH] Backporting Yi Zhao's fix on master for CVE-2019-12904 to zeus.
On 10/23/19 12:24 PM, Trevor Gamblin wrote: From: Yi Zhao libgcrypt: fix CVE-2019-12904 In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-12904 Patches from: https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705 https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762 https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020 Signed-off-by: Yi Zhao Signed-off-by: Ross Burton Signed-off-by: Trevor Gamblin --- .../0001-Prefetch-GCM-look-up-tables.patch| 90 + ...-tables-to-.data-section-and-unshare.patch | 332 ++ ...-table-to-.data-section-and-unshare-.patch | 178 ++ .../libgcrypt/libgcrypt_1.8.4.bb | 3 + 4 files changed, 603 insertions(+) create mode 100644 meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch create mode 100644 meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch create mode 100644 meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch diff --git a/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch new file mode 100644 index 00..4df96f0011 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch @@ -0,0 +1,90 @@ +From 1374254c2904ab5b18ba4a890856824a102d4705 Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna +Date: Sat, 27 Apr 2019 19:33:28 +0300 +Subject: [PATCH 1/3] Prefetch GCM look-up tables + +* cipher/cipher-gcm.c (prefetch_table, do_prefetch_tables) +(prefetch_tables): New. +(ghash_internal): Call prefetch_tables. +-- + +Signed-off-by: Jussi Kivilinna + +Upstream-Status: Backport +[https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705] + +CVE: CVE-2019-12904 + +Signed-off-by: Yi Zhao +--- + cipher/cipher-gcm.c | 33 + + 1 file changed, 33 insertions(+) + +diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c +index c19f09f..11f119a 100644 +--- a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c +@@ -118,6 +118,34 @@ static const u16 gcmR[256] = { + 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, + }; + ++static inline ++void prefetch_table(const void *tab, size_t len) ++{ ++ const volatile byte *vtab = tab; ++ size_t i; ++ ++ for (i = 0; i < len; i += 8 * 32) ++{ ++ (void)vtab[i + 0 * 32]; ++ (void)vtab[i + 1 * 32]; ++ (void)vtab[i + 2 * 32]; ++ (void)vtab[i + 3 * 32]; ++ (void)vtab[i + 4 * 32]; ++ (void)vtab[i + 5 * 32]; ++ (void)vtab[i + 6 * 32]; ++ (void)vtab[i + 7 * 32]; ++} ++ ++ (void)vtab[len - 1]; ++} ++ ++static inline void ++do_prefetch_tables (const void *gcmM, size_t gcmM_size) ++{ ++ prefetch_table(gcmM, gcmM_size); ++ prefetch_table(gcmR, sizeof(gcmR)); ++} ++ + #ifdef GCM_TABLES_USE_U64 + static void + bshift (u64 * b0, u64 * b1) +@@ -365,6 +393,8 @@ do_ghash (unsigned char *result, const unsigned char *buf, const u32 *gcmM) + #define fillM(c) \ + do_fillM (c->u_mode.gcm.u_ghash_key.key, c->u_mode.gcm.gcm_table) + #define GHASH(c, result, buf) do_ghash (result, buf, c->u_mode.gcm.gcm_table) ++#define prefetch_tables(c) \ ++ do_prefetch_tables(c->u_mode.gcm.gcm_table, sizeof(c->u_mode.gcm.gcm_table)) + + #else + +@@ -430,6 +460,7 @@ do_ghash (unsigned char *hsub, unsigned char *result, const unsigned char *buf) + + #define fillM(c) do { } while (0) + #define GHASH(c, result, buf) do_ghash (c->u_mode.gcm.u_ghash_key.key, result, buf) ++#define prefetch_tables(c) do {} while (0) + + #endif /* !GCM_USE_TABLES */ + +@@ -441,6 +472,8 @@ ghash_internal (gcry_cipher_hd_t c, byte *result, const byte *buf, + const unsigned int blocksize = GCRY_GCM_BLOCK_LEN; + unsigned int burn = 0; + ++ prefetch_tables (c); ++ + while (nblocks) + { + burn = GHASH (c, result, buf); +-- +2.7.4 + diff --git a/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch b/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch new file mode 100644 index 00..c82c5b5c8a --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch @@ -0,0 +1,332 @@ +From 119348dd9aa52ab229afb5e2d3342d2b76fe81bf Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna +Date: Fri, 31 May 2019 17:18:09 +0300 +Subject: [PATCH 2/3] AES: move look-up tables to .data section and unshare between + processes + +* cipher/rijndael-internal.h
[OE-core] [zeus][PATCH v2] libgcrypt: fix CVE-2019-12904
From: Yi Zhao Backporting Yi Zhao's fix on master for CVE-2019-12904 to zeus. In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-12904 Patches from: https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705 https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762 https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020 Signed-off-by: Yi Zhao Signed-off-by: Ross Burton Signed-off-by: Trevor Gamblin --- .../0001-Prefetch-GCM-look-up-tables.patch| 90 + ...-tables-to-.data-section-and-unshare.patch | 332 ++ ...-table-to-.data-section-and-unshare-.patch | 178 ++ .../libgcrypt/libgcrypt_1.8.4.bb | 3 + 4 files changed, 603 insertions(+) create mode 100644 meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch create mode 100644 meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch create mode 100644 meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch diff --git a/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch new file mode 100644 index 00..4df96f0011 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch @@ -0,0 +1,90 @@ +From 1374254c2904ab5b18ba4a890856824a102d4705 Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna +Date: Sat, 27 Apr 2019 19:33:28 +0300 +Subject: [PATCH 1/3] Prefetch GCM look-up tables + +* cipher/cipher-gcm.c (prefetch_table, do_prefetch_tables) +(prefetch_tables): New. +(ghash_internal): Call prefetch_tables. +-- + +Signed-off-by: Jussi Kivilinna + +Upstream-Status: Backport +[https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705] + +CVE: CVE-2019-12904 + +Signed-off-by: Yi Zhao +--- + cipher/cipher-gcm.c | 33 + + 1 file changed, 33 insertions(+) + +diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c +index c19f09f..11f119a 100644 +--- a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c +@@ -118,6 +118,34 @@ static const u16 gcmR[256] = { + 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, + }; + ++static inline ++void prefetch_table(const void *tab, size_t len) ++{ ++ const volatile byte *vtab = tab; ++ size_t i; ++ ++ for (i = 0; i < len; i += 8 * 32) ++{ ++ (void)vtab[i + 0 * 32]; ++ (void)vtab[i + 1 * 32]; ++ (void)vtab[i + 2 * 32]; ++ (void)vtab[i + 3 * 32]; ++ (void)vtab[i + 4 * 32]; ++ (void)vtab[i + 5 * 32]; ++ (void)vtab[i + 6 * 32]; ++ (void)vtab[i + 7 * 32]; ++} ++ ++ (void)vtab[len - 1]; ++} ++ ++static inline void ++do_prefetch_tables (const void *gcmM, size_t gcmM_size) ++{ ++ prefetch_table(gcmM, gcmM_size); ++ prefetch_table(gcmR, sizeof(gcmR)); ++} ++ + #ifdef GCM_TABLES_USE_U64 + static void + bshift (u64 * b0, u64 * b1) +@@ -365,6 +393,8 @@ do_ghash (unsigned char *result, const unsigned char *buf, const u32 *gcmM) + #define fillM(c) \ + do_fillM (c->u_mode.gcm.u_ghash_key.key, c->u_mode.gcm.gcm_table) + #define GHASH(c, result, buf) do_ghash (result, buf, c->u_mode.gcm.gcm_table) ++#define prefetch_tables(c) \ ++ do_prefetch_tables(c->u_mode.gcm.gcm_table, sizeof(c->u_mode.gcm.gcm_table)) + + #else + +@@ -430,6 +460,7 @@ do_ghash (unsigned char *hsub, unsigned char *result, const unsigned char *buf) + + #define fillM(c) do { } while (0) + #define GHASH(c, result, buf) do_ghash (c->u_mode.gcm.u_ghash_key.key, result, buf) ++#define prefetch_tables(c) do {} while (0) + + #endif /* !GCM_USE_TABLES */ + +@@ -441,6 +472,8 @@ ghash_internal (gcry_cipher_hd_t c, byte *result, const byte *buf, + const unsigned int blocksize = GCRY_GCM_BLOCK_LEN; + unsigned int burn = 0; + ++ prefetch_tables (c); ++ + while (nblocks) + { + burn = GHASH (c, result, buf); +-- +2.7.4 + diff --git a/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch b/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch new file mode 100644 index 00..c82c5b5c8a --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch @@ -0,0 +1,332 @@ +From 119348dd9aa52ab229afb5e2d3342d2b76fe81bf Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna +Date: Fri, 31 May 2019 17:18:09 +0300 +Subject: [PATCH 2/3] AES: move look-up tables to .data section and unshare between + processes + +* cipher/rijndael-internal.h (ATTR_ALIGNED_64): New.
[OE-core] [zeus][PATCH] Backporting Yi Zhao's fix on master for CVE-2019-12904 to zeus.
From: Yi Zhao libgcrypt: fix CVE-2019-12904 In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-12904 Patches from: https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705 https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762 https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020 Signed-off-by: Yi Zhao Signed-off-by: Ross Burton Signed-off-by: Trevor Gamblin --- .../0001-Prefetch-GCM-look-up-tables.patch| 90 + ...-tables-to-.data-section-and-unshare.patch | 332 ++ ...-table-to-.data-section-and-unshare-.patch | 178 ++ .../libgcrypt/libgcrypt_1.8.4.bb | 3 + 4 files changed, 603 insertions(+) create mode 100644 meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch create mode 100644 meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch create mode 100644 meta/recipes-support/libgcrypt/files/0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch diff --git a/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch new file mode 100644 index 00..4df96f0011 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-Prefetch-GCM-look-up-tables.patch @@ -0,0 +1,90 @@ +From 1374254c2904ab5b18ba4a890856824a102d4705 Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna +Date: Sat, 27 Apr 2019 19:33:28 +0300 +Subject: [PATCH 1/3] Prefetch GCM look-up tables + +* cipher/cipher-gcm.c (prefetch_table, do_prefetch_tables) +(prefetch_tables): New. +(ghash_internal): Call prefetch_tables. +-- + +Signed-off-by: Jussi Kivilinna + +Upstream-Status: Backport +[https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705] + +CVE: CVE-2019-12904 + +Signed-off-by: Yi Zhao +--- + cipher/cipher-gcm.c | 33 + + 1 file changed, 33 insertions(+) + +diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c +index c19f09f..11f119a 100644 +--- a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c +@@ -118,6 +118,34 @@ static const u16 gcmR[256] = { + 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, + }; + ++static inline ++void prefetch_table(const void *tab, size_t len) ++{ ++ const volatile byte *vtab = tab; ++ size_t i; ++ ++ for (i = 0; i < len; i += 8 * 32) ++{ ++ (void)vtab[i + 0 * 32]; ++ (void)vtab[i + 1 * 32]; ++ (void)vtab[i + 2 * 32]; ++ (void)vtab[i + 3 * 32]; ++ (void)vtab[i + 4 * 32]; ++ (void)vtab[i + 5 * 32]; ++ (void)vtab[i + 6 * 32]; ++ (void)vtab[i + 7 * 32]; ++} ++ ++ (void)vtab[len - 1]; ++} ++ ++static inline void ++do_prefetch_tables (const void *gcmM, size_t gcmM_size) ++{ ++ prefetch_table(gcmM, gcmM_size); ++ prefetch_table(gcmR, sizeof(gcmR)); ++} ++ + #ifdef GCM_TABLES_USE_U64 + static void + bshift (u64 * b0, u64 * b1) +@@ -365,6 +393,8 @@ do_ghash (unsigned char *result, const unsigned char *buf, const u32 *gcmM) + #define fillM(c) \ + do_fillM (c->u_mode.gcm.u_ghash_key.key, c->u_mode.gcm.gcm_table) + #define GHASH(c, result, buf) do_ghash (result, buf, c->u_mode.gcm.gcm_table) ++#define prefetch_tables(c) \ ++ do_prefetch_tables(c->u_mode.gcm.gcm_table, sizeof(c->u_mode.gcm.gcm_table)) + + #else + +@@ -430,6 +460,7 @@ do_ghash (unsigned char *hsub, unsigned char *result, const unsigned char *buf) + + #define fillM(c) do { } while (0) + #define GHASH(c, result, buf) do_ghash (c->u_mode.gcm.u_ghash_key.key, result, buf) ++#define prefetch_tables(c) do {} while (0) + + #endif /* !GCM_USE_TABLES */ + +@@ -441,6 +472,8 @@ ghash_internal (gcry_cipher_hd_t c, byte *result, const byte *buf, + const unsigned int blocksize = GCRY_GCM_BLOCK_LEN; + unsigned int burn = 0; + ++ prefetch_tables (c); ++ + while (nblocks) + { + burn = GHASH (c, result, buf); +-- +2.7.4 + diff --git a/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch b/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch new file mode 100644 index 00..c82c5b5c8a --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch @@ -0,0 +1,332 @@ +From 119348dd9aa52ab229afb5e2d3342d2b76fe81bf Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna +Date: Fri, 31 May 2019 17:18:09 +0300 +Subject: [PATCH 2/3] AES: move look-up tables to .data section and unshare between + processes + +* cipher/rijndael-internal.h (ATTR_ALIGNED_64): New. +* cipher/rijndael-tables.h
Re: [OE-core] new meta-oe failures from master-next
Hi Khem. On Wed, 2019-10-23 at 14:03 +0100, Khem Raj wrote: > Hi Richard > > New master-next I see these fails > > https://errors.yoctoproject.org/Errors/Build/91645/ > > First two are important one's we already know why > ti-display-sharing-fw fails to fetch Firstly, before you mention it, I started merging master-next earlier today after multiple tries and finally a green build last night. I paused as there was an issue, I dropped more patches and eventually after I thought I'd handled all the remaining issues I knew about, I merged things. I didn't see this report until now (afterwards) :(. I guess I now need to bisect things and figure out where these failures came from. Cheers, Richard -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] new meta-oe failures from master-next
On 10/23/19 6:05 AM, Khem Raj wrote: > here is AB failure link > > https://autobuilder.yoctoproject.org/typhoon/#/builders/88/builds/56 Your builds are also archived on wiki https://wiki.yoctoproject.org/wiki/BuildLog > > On Wed, Oct 23, 2019 at 2:03 PM Khem Raj wrote: >> Hi Richard >> >> New master-next I see these fails >> >> https://errors.yoctoproject.org/Errors/Build/91645/ >> >> First two are important one's we already know why >> ti-display-sharing-fw fails to fetch -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] buildhistory-analysis: filter out -src changes by default
Like the -dbg package, this package is automatically generated and contains source filenames. We expect this to change on every upgrade, so don't show the differences unless the user wants to see all changes. Signed-off-by: Ross Burton --- meta/lib/oe/buildhistory_analysis.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/lib/oe/buildhistory_analysis.py b/meta/lib/oe/buildhistory_analysis.py index 708e1b388e2..5b28774c980 100644 --- a/meta/lib/oe/buildhistory_analysis.py +++ b/meta/lib/oe/buildhistory_analysis.py @@ -413,7 +413,7 @@ def compare_dict_blobs(path, ablob, bblob, report_all, report_ver): if abs(percentchg) < monitor_numeric_threshold: continue elif (not report_all) and key in list_fields: -if key == "FILELIST" and path.endswith("-dbg") and bstr.strip() != '': +if key == "FILELIST" and (path.endswith("-dbg") or path.endswith("-src")) and bstr.strip() != '': continue if key in ['RPROVIDES', 'RDEPENDS', 'RRECOMMENDS', 'RSUGGESTS', 'RREPLACES', 'RCONFLICTS']: (depvera, depverb) = compare_pkg_lists(astr, bstr) -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] new meta-oe failures from master-next
On 23/10/2019 14:03, Khem Raj wrote: Hi Richard New master-next I see these fails https://errors.yoctoproject.org/Errors/Build/91645/ First two are important one's we already know why ti-display-sharing-fw fails to fetch ERROR: QA Issue: libiio: Files/directories were installed but not shipped in any package: /usr/lib/python2.7 /usr/lib/python2.7/site-packages /usr/lib/python2.7/site-packages/libiio-0.18-py2.7.egg-info /usr/lib/python2.7/site-packages/iio.pyc /usr/lib/python2.7/site-packages/iio.py That may have been triggered by some change in oe-core but that's definitely an issue with libiio. WARNING: TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1-r0/temp/run.do_configure.7679:1 exit 1 from 'NO_FETCH_BUILD=1 TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1-r0/recipe-sysroot-native/usr/bin/python3-native/python3 setup.py clean' ERROR: Execution of 'TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1-r0/temp/run.do_configure.7679' failed with exit code 1: Traceback (most recent call last): File "setup.py", line 17, in setup(**config['options']) File "TOPDIR/build/tmp/work/mips32r2-yoe-linux/python3-astor/0.7.1-r0/recipe-sysroot-native/usr/lib/python3.7/site-packages/setuptools/__init__.py", line 145, in setup return distutils.core.setup(**attrs) Looks like whatever astor is doing with setuptools doesn't agree with the upgrade to 41.4.0? Ross -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [RFC][PATCH 0/6] NPM refactoring
On Oct 22, 2019, at 1:22 PM, Richard Purdie richard.pur...@linuxfoundation.org wrote: > On Tue, 2019-10-22 at 11:03 +0200, Jean-Marie LEMETAYER wrote: >> The current NPM support have several issues: >> - The current NPM fetcher downloads the dependency tree but not the other >> fetchers. The 'subdir' parameter was used to fix this issue. >> - They are multiple issues with package names (uppercase, exotic characters, >> scoped packages) even if they are inside the dependencies. >> - The lockdown file generation have issues. When a package depends on >> multiple version of the same package (all versions have the same >> checksum). >> >> This patchset refactors the NPM support in Yocto: >> - As the NPM algorithm for dependency management is hard to handle, the new >> NPM fetcher downloads only the package source (and not the dependencies, >> like the other fetchers) (patch submitted in the bitbake-devel list). >> - The NPM class handles the dependencies using NPM (and not manually). >> - The NPM recipe creation is simplified to avoid issues. >> - The lockdown file is no more used as it is no longer relevant compared to >> the >> latest shrinkwrap file format. >> >> This patchset may remove some features (lockdown file, license management for >> dependencies) but fixes the majority of the NPM issues. All of these issues >> from the bugzilla.yoctoproject.org are resolved by this patchset: >> #10237, #10760, #11028, #11728, #11902, #12534 > > One key requirement which many of our users have from the fetcher is > that its deterministic and allows for "offline" builds. > > What this means is that should I have a populated DL_DIR, the build > should not need to touch the network. Also, only do_fetch tasks would > make network accesses. > > What is the situation for npm after these changes with regard to this? This is a good point. With this patchset the build is working but some network accesses are done during the do_compile task (the 'npm install' command). This needs to be fixed. Other people have reported some issues with this patchset which will be fixed in the v2: - Use do_fetch only to access the network. - Respect the existing MIRROR, BB_NO_NETWORK, BB_ALLOWED_NETWORKS settings. - Add some tests for the fetcher. Regards, Jean-Marie -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH v2] gsettings-desktop-schemas: upgrade 3.32.0 -> 3.34.0
On Wed, Oct 23, 2019 at 2:11 PM Ross Burton wrote: > > > -DEPENDS = "glib-2.0" > > +DEPENDS = "glib-2.0 gcr" > > I can't see a gcr dependency in the source, and it builds fine with gcr > removed. Why was this added? > > Ross Checked sources and I agree. I must have mixed up the warning with another recipe's warning. Will test again and send V3 tonight Andreas -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [RFC][PATCH 1/6] npm.bbclass: refactor the npm class
On Oct 22, 2019, at 1:35 PM, Alexander Kanavin alex.kana...@gmail.com wrote: > On Tue, 22 Oct 2019 at 11:12, Jean-Marie LEMETAYER < > jean-marie.lemeta...@savoirfairelinux.com> wrote: > >> The simplest solution is to let npm do its job. Assuming the fetcher >> only get the sources of the package, the class will now run >> 'npm install' to create a build directory. The build directory is then >> copied wisely to the destination. >> > > I agree that npm dependency handing is a mess, and we should indeed let npm > do the job. > > However, 'npm install' pulls various things from the network; this can only > be happen during do_fetch(), so that offline builds can continue to work. > Whatever has been downloaded, needs to go to DL_DIR. You are right, I am working on a v2 to fix this point. > It also needs to be reproducible (there should be a guarantee that it > always pulls the same set of sources which are verified through a checksum > of some kind), I guess that can only be achieved through upstream provided > shrinkwrap? Yes, with current npm versions the "npm-shrinkwrap.json" [1] or the "package-lock.json" [2] are both used to describe the dependency tree and verify the integrity of the dependencies. This is what makes the build reproducible. One of these files is mandatory to build the recipe (in the source files or provided by the NPM_SHRINKWRAP variable). For information the current 'node' version packed in meta-oe is '10.16.3' which includes 'npm' version '6.9.0' [3]. 1: https://docs.npmjs.com/files/shrinkwrap.json 2: https://docs.npmjs.com/files/package-lock.json 3: https://nodejs.org/en/download/releases/ Regards, Jean-Marie -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] new meta-oe failures from master-next
here is AB failure link https://autobuilder.yoctoproject.org/typhoon/#/builders/88/builds/56 On Wed, Oct 23, 2019 at 2:03 PM Khem Raj wrote: > > Hi Richard > > New master-next I see these fails > > https://errors.yoctoproject.org/Errors/Build/91645/ > > First two are important one's we already know why > ti-display-sharing-fw fails to fetch -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] new meta-oe failures from master-next
Hi Richard New master-next I see these fails https://errors.yoctoproject.org/Errors/Build/91645/ First two are important one's we already know why ti-display-sharing-fw fails to fetch -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH v2] gsettings-desktop-schemas: upgrade 3.32.0 -> 3.34.0
-DEPENDS = "glib-2.0" +DEPENDS = "glib-2.0 gcr" I can't see a gcr dependency in the source, and it builds fine with gcr removed. Why was this added? Ross -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [zeus][PATCH 1/2] python3: fix CVE-2019-16935
On Wed, Oct 23, 2019 at 11:59:37AM +0100, Ross Burton wrote: > Zeus and master I presume? And warrior. Or continue following the 3.7 stable releases in all 3 branches (see my patch to upgrade to 3.7.5 that also fixes this CVE). > Ross cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH 2/2] meta: add missing description in recipes-gnome
On 23/10/2019 03:14, Maxime Roussin-Bélanger wrote: --- a/meta/recipes-gnome/libsecret/libsecret_0.19.1.bb +++ b/meta/recipes-gnome/libsecret/libsecret_0.19.1.bb @@ -1,4 +1,8 @@ SUMMARY = "libsecret is a library for storing and retrieving passwords and other secrets" +DESCRIPTION = "A GObject-based library for accessing the Secret Service API of the +freedesktop.org project, a cross-desktop effort to access passwords, tokens +and other types of secrets. libsecret provides a convenient wrapper for these +methods so consumers do not have to call the low-level DBus methods." LICENSE = "LGPLv2.1" BUGTRACKER = "https://gitlab.gnome.org/GNOME/libsecret/issues; LIC_FILES_CHKSUM = "file://COPYING;md5=23c2a5e0106b99d75238986559bb5fc6" ERROR: ParseError at /home/ross/Yocto/poky/meta/recipes-gnome/libsecret/libsecret_0.19.1.bb:2: unparsed line: 'DESCRIPTION = "A GObject-based library for accessing the Secret Service API of the' Please remember to test all patches. Ross -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [zeus][PATCH 1/2] python3: fix CVE-2019-16935
Zeus and master I presume? Ross -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] distutils: pass along parallel make flags to setup.py build
On 23/10/2019 00:59, Nick Owens wrote: parallel builds for native code in python modules was added about 5 years ago. distutils understands '-j N', so just pass along ${PARALLEL_MAKE} to setup.py build. Does distutils *only* understand -j? It's not unusual to set PARALLEL_MAKE to something like '-j10 -l5' to factor in the load average. If distutils doesn't handle -l then it's safer to use a function in oe.utils instead: ... ${@oe.utils.parallel_make_argument(d, "-j %d")} ... Ross -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] python3: Upgrade 3.7.4 -> 3.7.5
On Wed, Oct 23, 2019 at 12:40:33PM +0200, Alexander Kanavin wrote: > Python 3.8.0 is now out, so we should upgrade directly to that version. 3.7.4 -> 3.7.5 is a straightforward upgrade on a stable branch. 3.7 -> 3.8 is an upgrade to a new stable branch with incompatible changes that might break reverse dependencies. No objection from me if anyone wants to do the upgrade to 3.8, but until then we should follow the 3.7 releases. > Alex cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] python3: Upgrade 3.7.4 -> 3.7.5
Python 3.8.0 is now out, so we should upgrade directly to that version. Alex On Wed, 23 Oct 2019 at 12:37, Adrian Bunk wrote: > Backported patch removed. > > Signed-off-by: Adrian Bunk > --- > ...lib-as-location-for-site-packages-an.patch | 2 +- > ...nt-parse-domains-containing-GH-13079.patch | 132 -- > ...asename-to-replace-CC-for-checking-c.patch | 2 +- > .../{python3_3.7.4.bb => python3_3.7.5.bb}| 5 +- > 4 files changed, 4 insertions(+), 137 deletions(-) > delete mode 100644 > meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch > rename meta/recipes-devtools/python/{python3_3.7.4.bb => python3_3.7.5.bb} > (98%) > > diff --git > a/meta/recipes-devtools/python/python3/0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch > b/meta/recipes-devtools/python/python3/0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch > index 661f52d01f..ea75262c4f 100644 > --- > a/meta/recipes-devtools/python/python3/0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch > +++ > b/meta/recipes-devtools/python/python3/0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch > @@ -70,7 +70,7 @@ index 6e81b2f..671a20e 100644 > > Programs/python.o: $(srcdir)/Programs/python.c > @@ -856,7 +857,7 @@ regen-opcode: > - Python/compile.o Python/symtable.o Python/ast_unparse.o Python/ast.o: > $(srcdir)/Include/graminit.h $(srcdir)/Include/Python-ast.h > + Python/compile.o Python/symtable.o Python/ast_unparse.o Python/ast.o > Python/future.o Parser/parsetok.o: $(srcdir)/Include/graminit.h > $(srcdir)/Include/Python-ast.h > > Python/getplatform.o: $(srcdir)/Python/getplatform.c > - $(CC) -c $(PY_CORE_CFLAGS) -DPLATFORM='"$(MACHDEP)"' -o $@ > $(srcdir)/Python/getplatform.c > diff --git > a/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch > b/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch > deleted file mode 100644 > index 319e7ed07e..00 > --- > a/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch > +++ /dev/null > @@ -1,132 +0,0 @@ > -From 90d56127ae15b1e452755e62c77dc475dedf7161 Mon Sep 17 00:00:00 2001 > -From: jpic > -Date: Wed, 17 Jul 2019 23:54:25 +0200 > -Subject: [PATCH] bpo-34155: Dont parse domains containing @ (GH-13079) > - > -Before: > - > ->>> email.message_from_string('From: a...@malicious.org@ > important.com', policy=email.policy.default)['from'].addresses > -(Address(display_name='', username='a', domain='malicious.org'),) > - > ->>> parseaddr('a...@malicious.org@important.com') > -('', 'a...@malicious.org') > - > -After: > - > ->>> email.message_from_string('From: a...@malicious.org@ > important.com', policy=email.policy.default)['from'].addresses > -(Address(display_name='', username='', domain=''),) > - > ->>> parseaddr('a...@malicious.org@important.com') > -('', 'a@') > - > -https://bugs.python.org/issue34155 > - > -Upstream-Status: Backport [ > https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9 > ] > - > -CVE: CVE-2019-16056 > - > -Signed-off-by: Chen Qi > > - Lib/email/_header_value_parser.py | 2 ++ > - Lib/email/_parseaddr.py| 11 ++- > - Lib/test/test_email/test__header_value_parser.py | 10 ++ > - Lib/test/test_email/test_email.py | 14 ++ > - .../2019-05-04-13-33-37.bpo-34155.MJll68.rst | 1 + > - 5 files changed, 37 insertions(+), 1 deletion(-) > - create mode 100644 > Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst > - > -diff --git a/Lib/email/_header_value_parser.py > b/Lib/email/_header_value_parser.py > -index fc00b4a098..bbc026ec71 100644 > a/Lib/email/_header_value_parser.py > -+++ b/Lib/email/_header_value_parser.py > -@@ -1582,6 +1582,8 @@ def get_domain(value): > - token, value = get_dot_atom(value) > - except errors.HeaderParseError: > - token, value = get_atom(value) > -+if value and value[0] == '@': > -+raise errors.HeaderParseError('Invalid Domain') > - if leader is not None: > - token[:0] = [leader] > - domain.append(token) > -diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py > -index cdfa3729ad..41ff6f8c00 100644 > a/Lib/email/_parseaddr.py > -+++ b/Lib/email/_parseaddr.py > -@@ -379,7 +379,12 @@ class AddrlistClass: > - aslist.append('@') > - self.pos += 1 > - self.gotonext() > --return EMPTYSTRING.join(aslist) + self.getdomain() > -+domain = self.getdomain() > -+if not domain: > -+# Invalid domain, return an empty address instead of > returning a > -+# local part to denote failed parsing. > -+return EMPTYSTRING > -+return
[OE-core] [PATCH] python3: Upgrade 3.7.4 -> 3.7.5
Backported patch removed. Signed-off-by: Adrian Bunk --- ...lib-as-location-for-site-packages-an.patch | 2 +- ...nt-parse-domains-containing-GH-13079.patch | 132 -- ...asename-to-replace-CC-for-checking-c.patch | 2 +- .../{python3_3.7.4.bb => python3_3.7.5.bb}| 5 +- 4 files changed, 4 insertions(+), 137 deletions(-) delete mode 100644 meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch rename meta/recipes-devtools/python/{python3_3.7.4.bb => python3_3.7.5.bb} (98%) diff --git a/meta/recipes-devtools/python/python3/0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch b/meta/recipes-devtools/python/python3/0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch index 661f52d01f..ea75262c4f 100644 --- a/meta/recipes-devtools/python/python3/0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch +++ b/meta/recipes-devtools/python/python3/0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch @@ -70,7 +70,7 @@ index 6e81b2f..671a20e 100644 Programs/python.o: $(srcdir)/Programs/python.c @@ -856,7 +857,7 @@ regen-opcode: - Python/compile.o Python/symtable.o Python/ast_unparse.o Python/ast.o: $(srcdir)/Include/graminit.h $(srcdir)/Include/Python-ast.h + Python/compile.o Python/symtable.o Python/ast_unparse.o Python/ast.o Python/future.o Parser/parsetok.o: $(srcdir)/Include/graminit.h $(srcdir)/Include/Python-ast.h Python/getplatform.o: $(srcdir)/Python/getplatform.c - $(CC) -c $(PY_CORE_CFLAGS) -DPLATFORM='"$(MACHDEP)"' -o $@ $(srcdir)/Python/getplatform.c diff --git a/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch b/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch deleted file mode 100644 index 319e7ed07e..00 --- a/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch +++ /dev/null @@ -1,132 +0,0 @@ -From 90d56127ae15b1e452755e62c77dc475dedf7161 Mon Sep 17 00:00:00 2001 -From: jpic -Date: Wed, 17 Jul 2019 23:54:25 +0200 -Subject: [PATCH] bpo-34155: Dont parse domains containing @ (GH-13079) - -Before: - ->>> email.message_from_string('From: a...@malicious.org@important.com', policy=email.policy.default)['from'].addresses -(Address(display_name='', username='a', domain='malicious.org'),) - ->>> parseaddr('a...@malicious.org@important.com') -('', 'a...@malicious.org') - -After: - ->>> email.message_from_string('From: a...@malicious.org@important.com', policy=email.policy.default)['from'].addresses -(Address(display_name='', username='', domain=''),) - ->>> parseaddr('a...@malicious.org@important.com') -('', 'a@') - -https://bugs.python.org/issue34155 - -Upstream-Status: Backport [https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9] - -CVE: CVE-2019-16056 - -Signed-off-by: Chen Qi - Lib/email/_header_value_parser.py | 2 ++ - Lib/email/_parseaddr.py| 11 ++- - Lib/test/test_email/test__header_value_parser.py | 10 ++ - Lib/test/test_email/test_email.py | 14 ++ - .../2019-05-04-13-33-37.bpo-34155.MJll68.rst | 1 + - 5 files changed, 37 insertions(+), 1 deletion(-) - create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst - -diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py -index fc00b4a098..bbc026ec71 100644 a/Lib/email/_header_value_parser.py -+++ b/Lib/email/_header_value_parser.py -@@ -1582,6 +1582,8 @@ def get_domain(value): - token, value = get_dot_atom(value) - except errors.HeaderParseError: - token, value = get_atom(value) -+if value and value[0] == '@': -+raise errors.HeaderParseError('Invalid Domain') - if leader is not None: - token[:0] = [leader] - domain.append(token) -diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py -index cdfa3729ad..41ff6f8c00 100644 a/Lib/email/_parseaddr.py -+++ b/Lib/email/_parseaddr.py -@@ -379,7 +379,12 @@ class AddrlistClass: - aslist.append('@') - self.pos += 1 - self.gotonext() --return EMPTYSTRING.join(aslist) + self.getdomain() -+domain = self.getdomain() -+if not domain: -+# Invalid domain, return an empty address instead of returning a -+# local part to denote failed parsing. -+return EMPTYSTRING -+return EMPTYSTRING.join(aslist) + domain - - def getdomain(self): - """Get the complete domain name from an address.""" -@@ -394,6 +399,10 @@ class AddrlistClass: - elif self.field[self.pos] == '.': - self.pos += 1 - sdlist.append('.') -+elif self.field[self.pos] == '@': -+
Re: [OE-core] [thud][PATCH] Revert "OpkgPM: use --add-ignore-recommends to process BAD_RECOMMENDATIONS"
On Thu, Oct 17, 2019 at 12:21:11PM -0700, akuster808 wrote: > On 10/17/19 11:42 AM, Denys Dmytriyenko wrote: > > Thank you for this revert! I've been pulling my hair out past couple days > > figuring out why BAD_RECOMMENDATIONS stopped working for us. This fixed it. > > What I find curious is that the offending commit has been in thud since > July 29th and we are just now hearing about issues. >... The "Yocto is not a distribution, it is a tool to build distributions" adds a layer between Yocto upstream and users that results in users usually using old Yocto releases. How large is actually the fraction of users who are creating their own distributions based on Yocto releases taken directly from upstream? I would suspect most users are using 3rd party distributions provided by hardware vendors or companies like Wind River. This adds quite a delay between a change being released in a Yocto stable release, and users actually using it. When the distribution they are using is based on a thud release, new Yocto releases from that branch will only reach them when/if their distribution provider has updated and validated this change and made a new release of the distribution. Related, many of the Yocto user questions in various places tend to be for 2-3 year old Yocto releases. Often these sound like people just starting a new project with a distibution based on an old Yocto release. > - armin cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH v2 1/1] bind: fix CVE-2019-6471 and CVE-2018-5743
From: Kai Kang Backport patches to fix CVE-2019-6471 and CVE-2018-5743 for bind. CVE-2019-6471 is fixed by 0001-bind-fix-CVE-2019-6471.patch and the other 6 patches are for CVE-2018-5743. And backport one more patch to fix compile error on arm caused by these 6 commits. Signed-off-by: Kai Kang --- .../bind/0001-bind-fix-CVE-2019-6471.patch| 64 ++ ...01-fix-enforcement-of-tcp-clients-v1.patch | 60 ++ ...p-clients-could-still-be-exceeded-v2.patch | 670 + ...rence-counter-for-pipeline-groups-v3.patch | 278 ++ ...accounting-and-client-mortality-chec.patch | 512 ++ ...a-and-pipeline-refs-allow-special-ca.patch | 911 ++ ...allowance-for-tcp-clients-interfaces.patch | 80 ++ ...perations-in-bin-named-client.c-with.patch | 140 +++ .../bind/bind_9.11.5-P4.bb| 8 + 9 files changed, 2723 insertions(+) create mode 100644 meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch create mode 100644 meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch create mode 100644 meta/recipes-connectivity/bind/bind/0002-tcp-clients-could-still-be-exceeded-v2.patch create mode 100644 meta/recipes-connectivity/bind/bind/0003-use-reference-counter-for-pipeline-groups-v3.patch create mode 100644 meta/recipes-connectivity/bind/bind/0004-better-tcpquota-accounting-and-client-mortality-chec.patch create mode 100644 meta/recipes-connectivity/bind/bind/0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch create mode 100644 meta/recipes-connectivity/bind/bind/0006-restore-allowance-for-tcp-clients-interfaces.patch create mode 100644 meta/recipes-connectivity/bind/bind/0007-Replace-atomic-operations-in-bin-named-client.c-with.patch diff --git a/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch b/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch new file mode 100644 index 00..2fed99e1bb --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch @@ -0,0 +1,64 @@ +Backport patch to fix CVE-2019-6471. + +Ref: +https://security-tracker.debian.org/tracker/CVE-2019-6471 + +CVE: CVE-2019-6471 +Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb] + +Signed-off-by: Kai Kang + +From 3a9c7bb80d4a609b86427406d9dd783199920b5b Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 19 Mar 2019 14:14:21 +1100 +Subject: [PATCH] move item_out test inside lock in dns_dispatch_getnext() + +(cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712) +--- + lib/dns/dispatch.c | 12 + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c +index 408beda367..3278db4a07 100644 +--- a/lib/dns/dispatch.c b/lib/dns/dispatch.c +@@ -134,7 +134,7 @@ struct dns_dispentry { + isc_task_t *task; + isc_taskaction_taction; + void *arg; +- boolitem_out; ++ boolitem_out; + dispsocket_t*dispsocket; + ISC_LIST(dns_dispatchevent_t) items; + ISC_LINK(dns_dispentry_t) link; +@@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) { + disp = resp->disp; + REQUIRE(VALID_DISPATCH(disp)); + +- REQUIRE(resp->item_out == true); +- resp->item_out = false; +- + ev = *sockevent; + *sockevent = NULL; + + LOCK(>lock); ++ ++ REQUIRE(resp->item_out == true); ++ resp->item_out = false; ++ + if (ev->buffer.base != NULL) + free_buffer(disp, ev->buffer.base, ev->buffer.length); + free_devent(disp, ev); +@@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp, + isc_task_send(disp->task[0], >ctlevent); + } + ++/* ++ * disp must be locked. ++ */ + static void + do_cancel(dns_dispatch_t *disp) { + dns_dispatchevent_t *ev; +-- +2.20.1 + diff --git a/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch b/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch new file mode 100644 index 00..48ae125f84 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch @@ -0,0 +1,60 @@ +Backport patch to fix CVE-2018-5743. + +Ref: +https://security-tracker.debian.org/tracker/CVE-2018-5743 + +CVE: CVE-2018-5743 +Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/ec2d50d] + +Signed-off-by: Kai Kang + +From ec2d50da8d81814640e28593d912f4b96c7efece Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= +Date: Thu, 3 Jan 2019 14:17:43 +0100 +Subject: [PATCH 1/6] fix enforcement of tcp-clients (v1) + +tcp-clients settings could be exceeded in some cases by +creating more and more active TCP clients that
[OE-core] [PATCH v2 0/1] bind: fix CVE-2019-6471 and CVE-2018-5743
From: Kai Kang v2: * add tag CVE in patch files Kai Kang (1): bind: fix CVE-2019-6471 and CVE-2018-5743 .../bind/0001-bind-fix-CVE-2019-6471.patch| 64 ++ ...01-fix-enforcement-of-tcp-clients-v1.patch | 60 ++ ...p-clients-could-still-be-exceeded-v2.patch | 670 + ...rence-counter-for-pipeline-groups-v3.patch | 278 ++ ...accounting-and-client-mortality-chec.patch | 512 ++ ...a-and-pipeline-refs-allow-special-ca.patch | 911 ++ ...allowance-for-tcp-clients-interfaces.patch | 80 ++ ...perations-in-bin-named-client.c-with.patch | 140 +++ .../bind/bind_9.11.5-P4.bb| 8 + 9 files changed, 2723 insertions(+) create mode 100644 meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch create mode 100644 meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch create mode 100644 meta/recipes-connectivity/bind/bind/0002-tcp-clients-could-still-be-exceeded-v2.patch create mode 100644 meta/recipes-connectivity/bind/bind/0003-use-reference-counter-for-pipeline-groups-v3.patch create mode 100644 meta/recipes-connectivity/bind/bind/0004-better-tcpquota-accounting-and-client-mortality-chec.patch create mode 100644 meta/recipes-connectivity/bind/bind/0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch create mode 100644 meta/recipes-connectivity/bind/bind/0006-restore-allowance-for-tcp-clients-interfaces.patch create mode 100644 meta/recipes-connectivity/bind/bind/0007-Replace-atomic-operations-in-bin-named-client.c-with.patch -- 2.17.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] mesa: Upgrade to 19.2.1
On Tue, 2019-10-22 at 15:07 -0700, Alistair Francis wrote: > On Sat, Oct 12, 2019 at 9:54 AM Alistair Francis < > alist...@alistair23.me> wrote: > > Upgrade mesa and mesa-gl to 19.2.1. > > > > The license hash change was a trivial new line removal. > > > > The glx-tls option was removed as it isn't included in the > > meson.build > > file. > > > > The -Dasm=false was removed as it also is no longer included. > > > > Signed-off-by: Alistair Francis > > Ping! It caused multiple failures on the autobuilder: https://autobuilder.yoctoproject.org/typhoon/#/builders/64/builds/1160 (musl-qemux86) https://autobuilder.yoctoproject.org/typhoon/#/builders/45/builds/1162 (musl-qemux86-64) https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/1141 (libsdl2 compile fail) https://autobuilder.yoctoproject.org/typhoon/#/builders/108/builds/40 (libsdl2 compile fail) Cheers, Richard -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] ✗ patchtest: failure for bind: fix CVE-2019-6471 and CVE-2018-5743
== Series Details == Series: bind: fix CVE-2019-6471 and CVE-2018-5743 Revision: 1 URL : https://patchwork.openembedded.org/series/20611/ State : failure == Summary == Thank you for submitting this patch series to OpenEmbedded Core. This is an automated response. Several tests have been executed on the proposed series by patchtest resulting in the following failures: * Patchbind: fix CVE-2019-6471 and CVE-2018-5743 Issue Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format] Suggested fixCorrect or include the CVE tag on cve patch with format: "CVE: CVE--" If you believe any of these test results are incorrect, please reply to the mailing list (openembedded-core@lists.openembedded.org) raising your concerns. Otherwise we would appreciate you correcting the issues and submitting a new version of the patchset if applicable. Please ensure you add/increment the version number when sending the new version (i.e. [PATCH] -> [PATCH v2] -> [PATCH v3] -> ...). --- Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] bind: fix CVE-2019-6471 and CVE-2018-5743
From: Kai Kang Backport patches to fix CVE-2019-6471 and CVE-2018-5743 for bind. CVE-2019-6471 is fixed by 0001-bind-fix-CVE-2019-6471.patch and the other 6 patches are for CVE-2018-5743. And backport one more patch to fix compile error on arm caused by these 6 commits. Signed-off-by: Kai Kang --- .../bind/0001-bind-fix-CVE-2019-6471.patch| 63 ++ ...01-fix-enforcement-of-tcp-clients-v1.patch | 59 ++ ...p-clients-could-still-be-exceeded-v2.patch | 669 + ...rence-counter-for-pipeline-groups-v3.patch | 277 ++ ...accounting-and-client-mortality-chec.patch | 511 ++ ...a-and-pipeline-refs-allow-special-ca.patch | 910 ++ ...allowance-for-tcp-clients-interfaces.patch | 79 ++ ...perations-in-bin-named-client.c-with.patch | 139 +++ .../bind/bind_9.11.5-P4.bb| 8 + 9 files changed, 2715 insertions(+) create mode 100644 meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch create mode 100644 meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch create mode 100644 meta/recipes-connectivity/bind/bind/0002-tcp-clients-could-still-be-exceeded-v2.patch create mode 100644 meta/recipes-connectivity/bind/bind/0003-use-reference-counter-for-pipeline-groups-v3.patch create mode 100644 meta/recipes-connectivity/bind/bind/0004-better-tcpquota-accounting-and-client-mortality-chec.patch create mode 100644 meta/recipes-connectivity/bind/bind/0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch create mode 100644 meta/recipes-connectivity/bind/bind/0006-restore-allowance-for-tcp-clients-interfaces.patch create mode 100644 meta/recipes-connectivity/bind/bind/0007-Replace-atomic-operations-in-bin-named-client.c-with.patch diff --git a/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch b/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch new file mode 100644 index 00..b2b7cfef60 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch @@ -0,0 +1,63 @@ +Backport patch to fix CVE-2019-6471. + +Ref: +https://security-tracker.debian.org/tracker/CVE-2019-6471 + +Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb] + +Signed-off-by: Kai Kang + +From 3a9c7bb80d4a609b86427406d9dd783199920b5b Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 19 Mar 2019 14:14:21 +1100 +Subject: [PATCH] move item_out test inside lock in dns_dispatch_getnext() + +(cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712) +--- + lib/dns/dispatch.c | 12 + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c +index 408beda367..3278db4a07 100644 +--- a/lib/dns/dispatch.c b/lib/dns/dispatch.c +@@ -134,7 +134,7 @@ struct dns_dispentry { + isc_task_t *task; + isc_taskaction_taction; + void *arg; +- boolitem_out; ++ boolitem_out; + dispsocket_t*dispsocket; + ISC_LIST(dns_dispatchevent_t) items; + ISC_LINK(dns_dispentry_t) link; +@@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) { + disp = resp->disp; + REQUIRE(VALID_DISPATCH(disp)); + +- REQUIRE(resp->item_out == true); +- resp->item_out = false; +- + ev = *sockevent; + *sockevent = NULL; + + LOCK(>lock); ++ ++ REQUIRE(resp->item_out == true); ++ resp->item_out = false; ++ + if (ev->buffer.base != NULL) + free_buffer(disp, ev->buffer.base, ev->buffer.length); + free_devent(disp, ev); +@@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp, + isc_task_send(disp->task[0], >ctlevent); + } + ++/* ++ * disp must be locked. ++ */ + static void + do_cancel(dns_dispatch_t *disp) { + dns_dispatchevent_t *ev; +-- +2.20.1 + diff --git a/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch b/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch new file mode 100644 index 00..8fe14f7ad7 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch @@ -0,0 +1,59 @@ +Backport patch to fix CVE-2018-5743. + +Ref: +https://security-tracker.debian.org/tracker/CVE-2018-5743 + +Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/ec2d50d] + +Signed-off-by: Kai Kang + +From ec2d50da8d81814640e28593d912f4b96c7efece Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= +Date: Thu, 3 Jan 2019 14:17:43 +0100 +Subject: [PATCH 1/6] fix enforcement of tcp-clients (v1) + +tcp-clients settings could be exceeded in some cases by +creating more and more active TCP clients that are over +the set quota limit, which in
[OE-core] [PATCH] kernel-fitimage: introduce FIT_SIGN_ALG
make fitImage configuration signature algorithm selectable with FIT_SIGN_ALG. Signed-off-by: Richard Leitner --- meta/classes/kernel-fitimage.bbclass | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index 1bcb09c598..6cd1b76fde 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass @@ -53,6 +53,9 @@ UBOOT_MKIMAGE_DTCOPTS ??= "" # fitImage Hash Algo FIT_HASH_ALG ?= "sha256" +# fitImage Signature Algo +FIT_SIGN_ALG ?= "rsa2048" + # # Emit the fitImage ITS header # @@ -246,6 +249,7 @@ EOF fitimage_emit_section_config() { conf_csum="${FIT_HASH_ALG}" + conf_sign_algo="${FIT_SIGN_ALG}" if [ -n "${UBOOT_SIGN_ENABLE}" ] ; then conf_sign_keyname="${UBOOT_SIGN_KEYNAME}" fi @@ -327,7 +331,7 @@ EOF cat << EOF >> ${1} signature@1 { -algo = "${conf_csum},rsa2048"; +algo = "${conf_csum},${conf_sign_algo}"; key-name-hint = "${conf_sign_keyname}"; ${sign_line} }; -- 2.21.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core