Re: [OE-core] [PATCH] openssl: update from 3.0.8 to 3.1.0

2023-03-14 Thread Randy MacLeod

On 2023-03-15 00:48, Randy MacLeod via lists.openembedded.org wrote:

From the NEWS.md file:

   ### Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023]


I know we're in feature freeze but this openssl update that came out on 
March 14th looks interesting.


I've sent it in before local tests complete so the Europeans / Brits can
put the update through the YP autobuilder tests.


The update was pretty simple and the code change isn't huge.

There's a likely very desirable FIPS 140 update mentioned in:

https://www.openssl.org/blog/blog/2023/03/07/OpenSSL3.1Release/

    OpenSSL 3.1 is mostly a small increment over the functionality
    available in OpenSSL 3.0.

    The main changes are:

     * A FIPS 140-3 compliant FIPS Provider.

       The FIPS provider has been upgraded to be FIPS 140-3 compliant. ...

Local builds are still underway but going as well as expected.
See below for what I have on hand so far.

../Randy


$ cat ../b/ossl-3.1.0/openssl-buildall.log
BUILDALL-QEMU LOG FOR openssl
START TIME: 2023-03-14_18:09:37
HOSTNAME: yow-fedora-builder1
HOST OS: Fedora Linux 37 (Server Edition)
HOST KERNEL: 6.0.14-300.fc37.x86_64
===
BUILD RESULTS:
[glibc]
PASS: qemumips
PASS: qemumips64
PASS: qemuppc
PASS: qemuriscv32
PASS: qemuriscv64
PASS: qemux86
PASS: qemux86-64
PASS: qemuarm
PASS: qemuarm64
PASS: qemuarmv5
FAIL: qemuloongarch64
PASS: qemuppc64
[musl]
PASS: qemumips
PASS: qemumips64
PASS: qemuppc
FAIL: qemuriscv32
PASS: qemuriscv64
PASS: qemux86
PASS: qemux86-64

...



ptests are also still executing but seem to be in good shape:

Poky (Yocto Project Reference Distro) 
4.1+snapshot-c9c1d6af8f00ad11cadd400c860a439349ce5b7d qemux86-64 /dev/ttyS0


qemux86-64 login: root
root@qemux86-64:~# ptest-runner openssl
START: ptest-runner
2023-03-15T04:46
BEGIN: /usr/lib/openssl/ptest
SKIP: 00-prep_fipsmodule_cnf.t .. skipped: FIPS module config file only 
supported in a fips build
Files=1, Tests=0,  0 wallclock secs ( 0.02 usr  0.00 sys +  0.38 cusr  
0.11 csys =  0.51 CPU)

Result: NOTESTS
PASS: 01-test_abort.t  ok
SKIP: 01-test_fipsmodule_cnf.t ... skipped: Test only supported 
in a fips build

PASS: 01-test_sanity.t ... ok
PASS: 01-test_symbol_presence.t .. ok
PASS: 01-test_test.t . ok
PASS: 02-test_errstr.t ... ok
PASS: 02-test_internal_context.t . ok
PASS: 02-test_internal_ctype.t ... ok
PASS: 02-test_internal_exts.t  ok
PASS: 02-test_internal_keymgmt.t . ok
PASS: 02-test_internal_provider.t  ok
PASS: 02-test_lhash.t  ok
PASS: 02-test_localetest.t ... ok
PASS: 02-test_ordinals.t . ok
PASS: 02-test_sparse_array.t . ok
PASS: 02-test_stack.t  ok
PASS: 03-test_exdata.t ... ok
SKIP: 03-test_fipsinstall.t .. skipped: Test only supported 
in a fips build

PASS: 03-test_internal_asn1.t  ok
PASS: 03-test_internal_asn1_dsa.t  ok
PASS: 03-test_internal_bn.t .. ok
PASS: 03-test_internal_chacha.t .. ok
PASS: 03-test_internal_curve448.t  ok
PASS: 03-test_internal_ec.t .. ok
PASS: 03-test_internal_ffc.t . ok
PASS: 03-test_internal_mdc2.t  ok
PASS: 03-test_internal_modes.t ... ok
PASS: 03-test_internal_namemap.t . ok
PASS: 03-test_internal_poly1305.t  ok
PASS: 03-test_internal_rsa_sp800_56b.t ... ok
PASS: 03-test_internal_siphash.t . ok
PASS: 03-test_internal_sm2.t . ok
PASS: 03-test_internal_sm3.t . ok
PASS: 03-test_internal_sm4.t . ok
PASS: 03-test_internal_ssl_cert_table.t .. ok
PASS: 03-test_internal_x509.t  ok
PASS: 03-test_params_api.t ... ok
PASS: 03-test_property.t . ok
PASS: 03-test_ui.t ... ok
PASS: 04-test_asn1_decode.t .. ok
PASS: 04-test_asn1_encode.t .. ok
PASS: 04-test_asn1_string_table.t  ok
PASS: 04-test_bio_callback.t . ok
PASS: 04-test_bio_core.t . ok
PASS: 04-test_bioprint.t . ok
PASS: 04-test_conf.t . ok
PASS: 04-test_encoder_decoder.t .. ok
PASS: 04-test_encoder_decoder_legacy.t ... ok
PASS: 04-test_err.t .. ok
PASS: 04-test_hexstring.t  ok
PASS: 04-test_nodefltctx.t ... ok
PASS: 04-test_param_build.t .. ok
PASS: 04-test_params.t ... ok
PASS: 04-test_params_conversion.t  ok
PASS: 04-test_pem_read_depr.t  ok
PASS: 04-test_pem_reading.t .. ok
PASS: 04-test_provfetch.t  ok
PASS: 04-test_provider.t . ok
PASS: 04-test_provider_fallback.t  ok
PASS: 04-test_provider_pkey.t  ok
PASS: 04-test_punycode.t . ok
PASS: 04-test_upcalls.t .. ok
PASS: 

[OE-core] [PATCH] openssl: update from 3.0.8 to 3.1.0

2023-03-14 Thread Randy MacLeod
From the NEWS.md file:

  ### Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023]

  * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
  * Performance enhancements and new platform support including new
assembler code algorithm implementations.
  * Deprecated LHASH statistics functions.
  * FIPS 140-3 compliance changes.

Drop the upstreamed afalg.patch:
   c425e365f4 Configure: don't try to be clever when configuring afalgeng

Signed-off-by: Randy MacLeod 
---
 .../openssl/openssl/afalg.patch   | 31 ---
 .../{openssl_3.0.8.bb => openssl_3.1.0.bb}|  3 +-
 2 files changed, 1 insertion(+), 33 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/afalg.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.0.8.bb => 
openssl_3.1.0.bb} (98%)

diff --git a/meta/recipes-connectivity/openssl/openssl/afalg.patch 
b/meta/recipes-connectivity/openssl/openssl/afalg.patch
deleted file mode 100644
index cf77e873a2..00
--- a/meta/recipes-connectivity/openssl/openssl/afalg.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Don't refuse to build afalgeng if cross-compiling or the host kernel is too 
old.
-
-Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688]
-Signed-off-by: Ross Burton 
-
-Index: openssl-3.0.4/Configure
-===
 openssl-3.0.4.orig/Configure
-+++ openssl-3.0.4/Configure
-@@ -1681,20 +1681,7 @@ $config{CFLAGS} = [ map { $_ eq '--ossl-
- unless ($disabled{afalgeng}) {
- $config{afalgeng}="";
- if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
--my $minver = 4*1 + 1*100 + 0;
--if ($config{CROSS_COMPILE} eq "") {
--my $verstr = `uname -r`;
--my ($ma, $mi1, $mi2) = split("\\.", $verstr);
--($mi2) = $mi2 =~ /(\d+)/;
--my $ver = $ma*1 + $mi1*100 + $mi2;
--if ($ver < $minver) {
--disable('too-old-kernel', 'afalgeng');
--} else {
--push @{$config{engdirs}}, "afalg";
--}
--} else {
--disable('cross-compiling', 'afalgeng');
--}
-+push @{$config{engdirs}}, "afalg";
- } else {
- disable('not-linux', 'afalgeng');
- }
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.8.bb 
b/meta/recipes-connectivity/openssl/openssl_3.1.0.bb
similarity index 98%
rename from meta/recipes-connectivity/openssl/openssl_3.0.8.bb
rename to meta/recipes-connectivity/openssl/openssl_3.1.0.bb
index 8771884dda..4ae376d18a 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.8.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.0.bb
@@ -10,7 +10,6 @@ LIC_FILES_CHKSUM = 
"file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
 SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://run-ptest \

file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
-   file://afalg.patch \
file://0001-Configure-do-not-tweak-mips-cflags.patch \
"
 
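Review bot: dropping file://afalg.patch from SRC_URI relies on the commit message's statement that it was upstreamed as c425e365f4, but the message does not say that this commit is contained in the 3.1.0 tarball. The deleted patch is what removed the disable('cross-compiling', 'afalgeng') branch from Configure, so please confirm in the commit message that afalgeng is still built in a cross build of 3.1.0 without it.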
@@ -18,7 +17,7 @@ SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
 
-SRC_URI[sha256sum] = 
"6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e"
+SRC_URI[sha256sum] = 
"aaa925ad9828745c4cad9d9efeb273deca820f2cdcf2c3ac7d7c1212b7c497b4"
 
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
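Review bot: the replaced SRC_URI[sha256sum] is the only value in this recipe that authenticates the tarball, and the SRC_URI context line in the previous hunk shows it is still fetched over plain http://www.openssl.org/source/. State in the commit message that the new hash was compared against the checksum or signature upstream publishes for openssl-3.1.0.tar.gz rather than computed from the download, and consider switching the URL to https in the same change.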
-- 
2.39.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#178520): 
https://lists.openembedded.org/g/openembedded-core/message/178520
Mute This Topic: https://lists.openembedded.org/mt/97621752/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core] [kirkstone][PATCH v2] curl: Add fix for CVE-2023-23914, CVE-2023-23915

2023-03-14 Thread Yu, Mingli
From: Pawan Badganchi 

Add below patches to fix CVE-2023-23914 [1], CVE-2023-23915 [2]

CVE-2023-23914_5-1.patch
CVE-2023-23914_5-2.patch
CVE-2023-23914_5-3.patch
CVE-2023-23914_5-4.patch
CVE-2023-23914_5-5.patch

[1] https://curl.se/docs/CVE-2023-23914.html
[2] https://curl.se/docs/CVE-2023-23915.html

Signed-off-by: Pawan Badganchi 
Signed-off-by: pawan 
Signed-off-by: Mingli Yu 
---
 .../curl/curl/CVE-2023-23914_5-1.patch| 305 ++
 .../curl/curl/CVE-2023-23914_5-2.patch|  23 ++
 .../curl/curl/CVE-2023-23914_5-3.patch|  45 +++
 .../curl/curl/CVE-2023-23914_5-4.patch|  48 +++
 .../curl/curl/CVE-2023-23914_5-5.patch| 118 +++
 meta/recipes-support/curl/curl_7.82.0.bb  |   5 +
 6 files changed, 544 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23914_5-2.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23914_5-3.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23914_5-4.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23914_5-5.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch 
b/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch
new file mode 100644
index 00..94a2264a9f
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch
@@ -0,0 +1,305 @@
+From 076a2f629119222aeeb50f5a03bf9f9052fabb9a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg 
+Date: Tue, 27 Dec 2022 11:50:20 +0100
+Subject: [PATCH] share: add sharing of HSTS cache among handles
+
+Closes #10138
+
+CVE: CVE-2023-23914 CVE-2023-23915
+Upstream-Status: Backport 
[https://github.com/curl/curl/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a]
+Comment: Refreshed hunk from hsts.c and urldata.h
+Signed-off-by: Pawan Badganchi 
+Signed-off-by: Mingli Yu 
+---
+ docs/libcurl/opts/CURLSHOPT_SHARE.3 |  4 +++
+ docs/libcurl/symbols-in-versions|  1 +
+ include/curl/curl.h |  1 +
+ lib/hsts.c  | 15 +
+ lib/hsts.h  |  2 ++
+ lib/setopt.c| 48 -
+ lib/share.c | 32 +--
+ lib/share.h |  6 +++-
+ lib/transfer.c  |  3 ++
+ lib/url.c   |  6 +++-
+ lib/urldata.h   |  2 ++
+ 11 files changed, 109 insertions(+), 11 deletions(-)
+
+--- a/docs/libcurl/opts/CURLSHOPT_SHARE.3
 b/docs/libcurl/opts/CURLSHOPT_SHARE.3
+@@ -79,6 +79,10 @@ Added in 7.61.0.
+
+ Note that when you use the multi interface, all easy handles added to the same
+ multi handle will share PSL cache by default without using this option.
++.IP CURL_LOCK_DATA_HSTS
++The in-memory HSTS cache.
++
++Added in 7.88.0
+ .SH PROTOCOLS
+ All
+ .SH EXAMPLE
+--- a/docs/libcurl/symbols-in-versions
 b/docs/libcurl/symbols-in-versions
+@@ -73,6 +73,7 @@ CURL_LOCK_ACCESS_SINGLE 7.10.3
+ CURL_LOCK_DATA_CONNECT  7.10.3
+ CURL_LOCK_DATA_COOKIE   7.10.3
+ CURL_LOCK_DATA_DNS  7.10.3
++CURL_LOCK_DATA_HSTS 7.88.0
+ CURL_LOCK_DATA_NONE 7.10.3
+ CURL_LOCK_DATA_PSL  7.61.0
+ CURL_LOCK_DATA_SHARE7.10.4
+--- a/include/curl/curl.h
 b/include/curl/curl.h
+@@ -2953,6 +2953,7 @@ typedef enum {
+   CURL_LOCK_DATA_SSL_SESSION,
+   CURL_LOCK_DATA_CONNECT,
+   CURL_LOCK_DATA_PSL,
++  CURL_LOCK_DATA_HSTS,
+   CURL_LOCK_DATA_LAST
+ } curl_lock_data;
+
+--- a/lib/hsts.c
 b/lib/hsts.c
+@@ -37,6 +37,7 @@
+ #include "parsedate.h"
+ #include "rand.h"
+ #include "rename.h"
++#include "share.h"
+ #include "strtoofft.h"
+
+ /* The last 3 #include files should be in this order */
+@@ -561,4 +562,18 @@
+   return CURLE_OK;
+ }
+
++void Curl_hsts_loadfiles(struct Curl_easy *data)
++{
++  struct curl_slist *l = data->set.hstslist;
++  if(l) {
++Curl_share_lock(data, CURL_LOCK_DATA_HSTS, CURL_LOCK_ACCESS_SINGLE);
++
++while(l) {
++  (void)Curl_hsts_loadfile(data, data->hsts, l->data);
++  l = l->next;
++}
++Curl_share_unlock(data, CURL_LOCK_DATA_HSTS);
++  }
++}
++
+ #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */
+--- a/lib/hsts.h
 b/lib/hsts.h
+@@ -59,9 +59,11 @@ CURLcode Curl_hsts_loadfile(struct Curl_
+ struct hsts *h, const char *file);
+ CURLcode Curl_hsts_loadcb(struct Curl_easy *data,
+   struct hsts *h);
++void Curl_hsts_loadfiles(struct Curl_easy *data);
+ #else
+ #define Curl_hsts_cleanup(x)
+ #define Curl_hsts_loadcb(x,y) CURLE_OK
+ #define Curl_hsts_save(x,y,z)
++#define Curl_hsts_loadfiles(x)
+ #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */
+ #endif /* HEADER_CURL_HSTS_H */
+--- a/lib/setopt.c
 b/lib/setopt.c
+@@ -2260,9 +2260,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *
+ data->cookies = NULL;
+ #endif
+
++#ifndef 
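Review bot: in the include/curl/curl.h part of the embedded patch, CURL_LOCK_DATA_HSTS is inserted ahead of CURL_LOCK_DATA_LAST, and the CURLSHOPT_SHARE.3 and symbols-in-versions parts state "Added in 7.88.0", yet the patch is applied to curl_7.82.0.bb on kirkstone. The result is a public enum value in a 7.82.0 build that upstream documents as 7.88.0-only. Record this on the Comment: line of the patch header, which currently mentions only the refreshed hsts.c and urldata.h hunks, so that anyone auditing the stable branch knows the CVE fix brings an API addition with it.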

[OE-core][PATCH] rng-tools: disable rngd daemon start by default

2023-03-14 Thread Xiangyu Chen
From: Xiangyu Chen 

Since we removed the openssh dependency[1] on rng-tools, there are no
packages requiring rng-tools in oe-core, meta-oe, meta-virt. One of the
reasons for keeping rng-tools built into the image is that it can be
used to test[2], so add an option to disable the rngd daemon by default,
since with linux-5.6 and later /dev/random won't block anymore[3].

By default, this option is set to 0 to disable the rngd start; when this
option is set to 1, the rngd daemon will start normally (if someone
really needs it).

Reference:
[1] https://git.openembedded.org/openembedded-core/commit/?id=868dfb46d96a27ec9041cb902fb769330277257d
[2] https://linux.die.net/man/1/rngtest
[3] https://github.com/torvalds/linux/commit/30c08efec8884fb106b8e57094baa51bb4c44e32

Signed-off-by: Xiangyu Chen 
---
 .../rng-tools/rng-tools/default   |  1 +
 meta/recipes-support/rng-tools/rng-tools/init | 42 ---
 .../rng-tools/rng-tools/rng-tools.service |  2 +-
 3 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/meta/recipes-support/rng-tools/rng-tools/default 
b/meta/recipes-support/rng-tools/rng-tools/default
index b9f8e03635..02659742fd 100644
--- a/meta/recipes-support/rng-tools/rng-tools/default
+++ b/meta/recipes-support/rng-tools/rng-tools/default
@@ -1 +1,2 @@
 EXTRA_ARGS="-r /dev/hwrng"
+RUN_RNGD=0
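Review bot: RUN_RNGD=0 as the shipped default changes behaviour for every existing image that installs rng-tools, including ones that rely on rngd to read /dev/hwrng (the EXTRA_ARGS line above), and nothing in this file tells those users how to opt back in. Add a comment here explaining what RUN_RNGD controls and that setting it to 1 restores the previous behaviour.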
diff --git a/meta/recipes-support/rng-tools/rng-tools/init 
b/meta/recipes-support/rng-tools/rng-tools/init
index 13f0ecd37c..6c8ce00104 100644
--- a/meta/recipes-support/rng-tools/rng-tools/init
+++ b/meta/recipes-support/rng-tools/rng-tools/init
@@ -12,27 +12,39 @@ test -x "$rngd" || exit 1
 
 case "$1" in
   start)
-echo -n "Starting random number generator daemon"
-start-stop-daemon -S -q -x $rngd -- $EXTRA_ARGS
-echo "."
+if [ $RUN_RNGD = 1 ]
+then
+echo -n "Starting random number generator daemon"
+start-stop-daemon -S -q -x $rngd -- $EXTRA_ARGS
+echo "."
+fi
 ;;
   stop)
-echo -n "Stopping random number generator daemon"
-start-stop-daemon -K -q -n rngd
-echo "."
+if [ $RUN_RNGD = 1 ]
+then
+echo -n "Stopping random number generator daemon"
+start-stop-daemon -K -q -n rngd
+echo "."
+fi
 ;;
   reload|force-reload)
-echo -n "Signalling rng daemon restart"
-start-stop-daemon -K -q -s 1 -x $rngd
-start-stop-daemon -K -q -s 1 -x $rngd
+if [ $RUN_RNGD = 1 ]
+then
+echo -n "Signalling rng daemon restart"
+start-stop-daemon -K -q -s 1 -x $rngd
+start-stop-daemon -K -q -s 1 -x $rngd
+fi
 ;;
   restart)
-echo -n "Stopping random number generator daemon"
-start-stop-daemon -K -q -n rngd
-echo "."
-echo -n "Starting random number generator daemon"
-start-stop-daemon -S -q -x $rngd -- $EXTRA_ARGS
-echo "."
+if [ $RUN_RNGD = 1 ]
+then
+echo -n "Stopping random number generator daemon"
+start-stop-daemon -K -q -n rngd
+echo "."
+echo -n "Starting random number generator daemon"
+start-stop-daemon -S -q -x $rngd -- $EXTRA_ARGS
+echo "."
+fi
 ;;
   *)
 echo "Usage: @SYSCONFDIR@/init.d/rng-tools 
{start|stop|reload|restart|force-reload}"
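Review bot: the new test [ $RUN_RNGD = 1 ] in each branch uses the variable unquoted, so when RUN_RNGD is unset or empty (for example a locally modified defaults file that predates this change) the test becomes [ = 1 ], which is a shell error rather than a clean false; write [ "$RUN_RNGD" = 1 ]. The stop) branch should also not be gated: with this change an rngd that is already running cannot be stopped through the init script once RUN_RNGD is set to 0.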
diff --git a/meta/recipes-support/rng-tools/rng-tools/rng-tools.service 
b/meta/recipes-support/rng-tools/rng-tools/rng-tools.service
index 5ae2fba215..be88ab125a 100644
--- a/meta/recipes-support/rng-tools/rng-tools/rng-tools.service
+++ b/meta/recipes-support/rng-tools/rng-tools/rng-tools.service
@@ -7,7 +7,7 @@ ConditionVirtualization=!container
 
 [Service]
 EnvironmentFile=-@SYSCONFDIR@/default/rng-tools
-ExecStart=@SBINDIR@/rngd -f $EXTRA_ARGS
+ExecStart=/bin/sh -c '[ x$RUN_RNGD != x1 ] || exec @SBINDIR@/rngd -f 
$EXTRA_ARGS '
 CapabilityBoundingSet=CAP_SYS_ADMIN
 IPAddressDeny=any
 LockPersonality=yes
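Review bot: with the new ExecStart wrapper, starting the unit when RUN_RNGD is not 1 (or when the EnvironmentFile is missing, which its '-' prefix permits) runs /bin/sh, which exits 0 without starting rngd, so the start is reported as successful although no daemon is running. Expressing the switch as a condition on the unit (for example ExecCondition=) or leaving the unit disabled by default would make that state visible, and would avoid putting a shell in front of a service that is otherwise restricted by the directives below.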
-- 
2.34.1


View/Reply Online (#178518): https://lists.openembedded.org/g/openembedded-core/message/178518



Re: [oe-core][PATCH] glib: update 2.74.6 -> 2.76.0

2023-03-14 Thread Alexandre Belloni via lists.openembedded.org
Hello,

This causes those new ptest failures:

{'glib-2.0': ['glib/utils.test',
  'glib/utils-c-99.test',
  'glib/utils-c-11.test',
  'glib/utils-c-17.test',
  'glib/utils-c-90.test']}

https://autobuilder.yoctoproject.org/typhoon/#/builders/82/builds/4608/steps/12/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/4800/steps/13/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/82/builds/4607/steps/13/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/4799/steps/12/logs/stdio

Running test: glib/utils-c-99.test
TAP version 13
# random seed: R02Sd33eb79c6996b71ba8de48ed4c4fee72
1..40
# Start of utils tests
ok 1 /utils/language-names
ok 2 /utils/locale-variants
ok 3 /utils/version
ok 4 /utils/appname
# Bug Reference: https://gitlab.gnome.org/GNOME/glib/-/issues/847
# /utils/prgname-thread-safety summary: Test that threads racing to get and set 
the program name always receive a valid program name.
ok 5 /utils/prgname-thread-safety
# Bug Reference: https://bugzilla.gnome.org/show_bug.cgi?id=627969
ok 6 /utils/tmpdir
ok 7 /utils/basic_bits
ok 8 /utils/bits
ok 9 /utils/swap
ok 10 /utils/find-program
**
GLib:ERROR:/usr/src/debug/glib-2.0/1_2.76.0-r0/glib/tests/utils.c:577:test_find_program_for_path:
 assertion failed (exe_path == found_path): 
("/tmp/find_program_for_path_X5MZW11/sub-path/just-an-exe-file.cmd" == 
"/var/volatile/tmp/find_program_for_path_X5MZW11/sub-path/just-an-exe-file.cmd")
not ok /utils/find-program-for-path - 
GLib:ERROR:/usr/src/debug/glib-2.0/1_2.76.0-r0/glib/tests/utils.c:577:test_find_program_for_path:
 assertion failed (exe_path == found_path): 
("/tmp/find_program_for_path_X5MZW11/sub-path/just-an-exe-file.cmd" == 
"/var/volatile/tmp/find_program_for_path_X5MZW11/sub-path/just-an-exe-file.cmd")
Bail out!
FAIL: glib/utils-c-99.test (Child process killed by signal 6)

http://autobuilder.yocto.io/pub/non-release/20230314-13/testresults/qemux86-64-ptest/core-image-ptest-glib-2.0/log.do_testimage.55875.20230314110502

On 13/03/2023 10:20:17+0100, Markus Volk wrote:
> - remove backported patches
> - update relocate-modules.patch
> 
> Signed-off-by: Markus Volk 
> ---
>  ...-info-don-t-assume-million-in-one-ev.patch | 50 
>  ...build-do-not-use-can_run_host_binari.patch | 48 
>  .../glib-2.0/glib-2.0/cpp-null.patch  | 77 ---
>  .../glib-2.0/glib-2.0/cpp-null2.patch | 31 
>  .../glib-2.0/glib-2.0/relocate-modules.patch  | 11 ++-
>  ...{glib-2.0_2.74.6.bb => glib-2.0_2.76.0.bb} |  6 +-
>  6 files changed, 8 insertions(+), 215 deletions(-)
>  delete mode 100644 
> meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-g-file-info-don-t-assume-million-in-one-ev.patch
>  delete mode 100644 
> meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-meson.build-do-not-use-can_run_host_binari.patch
>  delete mode 100644 meta/recipes-core/glib-2.0/glib-2.0/cpp-null.patch
>  delete mode 100644 meta/recipes-core/glib-2.0/glib-2.0/cpp-null2.patch
>  rename meta/recipes-core/glib-2.0/{glib-2.0_2.74.6.bb => glib-2.0_2.76.0.bb} 
> (87%)
> 
> diff --git 
> a/meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-g-file-info-don-t-assume-million-in-one-ev.patch
>  
> b/meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-g-file-info-don-t-assume-million-in-one-ev.patch
> deleted file mode 100644
> index 57ada66907..00
> --- 
> a/meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-g-file-info-don-t-assume-million-in-one-ev.patch
> +++ /dev/null
> @@ -1,50 +0,0 @@
> -From 3c56ff21b9a5fe18f9cec9b97ae1788fdf5d563e Mon Sep 17 00:00:00 2001
> -From: Ross Burton 
> -Date: Tue, 6 Jul 2021 19:26:03 +0100
> -Subject: [PATCH] gio/tests/g-file-info: don't assume million-in-one events
> -
> -Upstream-Status: Backport 
> [https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2990]
> -Signed-off-by: Ross Burton 
> -
> - don't happen
> -
> -The access and creation time tests create a file, gets the time in
> -seconds, then gets the time in microseconds and assumes that the
> -difference between the two has to be above 0.
> -
> -As rare as this may be, it can happen:
> -
> -$ stat g-file-info-test-50A450 -c %y
> -2021-07-06 18:24:56.00767 +0100
> -
> -Change the test to simply assert that the difference not negative to
> -handle this case.
> -
> -This is the same fix as 289f8b, but that was just modification time.
> -
> 
> - gio/tests/g-file-info.c | 4 ++--
> - 1 file changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/gio/tests/g-file-info.c b/gio/tests/g-file-info.c
> -index d9ad045..c9b12b0 100644
>  a/gio/tests/g-file-info.c
> -+++ b/gio/tests/g-file-info.c
> -@@ -307,7 +307,7 @

Re: [OE-core] base-files: any reason hosts contains localhost.localdomain

2023-03-14 Thread Steve Sakoman
On Tue, Mar 14, 2023, 1:19 AM Jermain Horsman 
wrote:

> Would it be appropriate to backport this to dunfell too?
>
> If so, should I send in a patch? I'm not entirely sure what the general
> process is in these cases.
>


The correct procedure would be to send a patch to the mailing list for
review. If there are no objections I'll add it to my test queue and see if
any issues emerge on the autobuilder.

Steve


> 
>
>

View/Reply Online (#178516): https://lists.openembedded.org/g/openembedded-core/message/178516



[OE-core] [PATCH] systemtap: Disable dangling-pointer warning

2023-03-14 Thread Khem Raj
This is to fix build in RISCV64

| In constructor 'symresolution_info::symresolution_info(systemtap_session&, 
bool)',
| inlined from 'int semantic_pass_symbols(systemtap_session&)' at 
../git/elaborate.cxx:1884:28:
| ../git/elaborate.cxx:2601:21: error: storing the address of local variable 
'sym' in '*s.systemtap_session::symbol_resolver' [-Werror=dangling-pointer=]
|  2601 |   s.symbol_resolver = this; // save resolver for early PR25841 
function resolution
|   |   ~~^~
| ../git/elaborate.cxx: In function 'int 
semantic_pass_symbols(systemtap_session&)':
| ../git/elaborate.cxx:1884:22: note: 'sym' declared here
|  1884 |   symresolution_info sym (s);
|   |  ^~~
| ../git/elaborate.cxx:1884:22: note: 's' declared here

Signed-off-by: Khem Raj 
---
 meta/recipes-kernel/systemtap/systemtap_git.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-kernel/systemtap/systemtap_git.bb 
b/meta/recipes-kernel/systemtap/systemtap_git.bb
index 072fcb310a..d320a8a5e0 100644
--- a/meta/recipes-kernel/systemtap/systemtap_git.bb
+++ b/meta/recipes-kernel/systemtap/systemtap_git.bb
@@ -34,6 +34,9 @@ PACKAGECONFIG[python3-probes] = 
"--with-python3-probes,--without-python3-probes,
 inherit autotools gettext pkgconfig systemd
 inherit ${@bb.utils.contains('PACKAGECONFIG', 'python3-probes', 
'setuptools3-base', '', d)}
 
+# | ../git/elaborate.cxx:2601:21: error: storing the address of local variable 
'sym' in '*s.systemtap_session::symbol_resolver' [-Werror=dangling-pointer=]
+CXXFLAGS += "-Wno-dangling-pointer"
+
 # exporter comes with python3-probes
 PACKAGES =+ "${PN}-exporter"
 FILES:${PN}-exporter = "${sysconfdir}/stap-exporter/* \
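Review bot: CXXFLAGS += "-Wno-dangling-pointer" turns the warning off for every architecture and every source file, while the commit message says the failure is on RISCV64 and the quoted error is a single site at elaborate.cxx:2601, where the address of the local 'sym' is stored in the session object. Restrict the flag to the failing configuration, and note in the comment whether the issue has been reported upstream, since the flag as written also hides any future instance of the same pattern.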
-- 
2.40.0


View/Reply Online (#178515): https://lists.openembedded.org/g/openembedded-core/message/178515



Re: [OE-core] [PATCH] cargo_common.bbclass: do not use built-in git to fetch crates

2023-03-14 Thread Frederic Martinsons
I think I'll dig into the checksum capability on crate fetcher in the
coming days.

For the offline option and the modification of the patch mentioned above, how
do you want me to proceed?

Submit a dedicated patch for each of these (one for offline option and one
for checksum if I can come up with a suitable patch)?

For the modification of the patch for using a local directory and not
relying on git clone during build time, do you want me to provide something
in particular?

Note that I saw the downloaded crates not being cleaned up from DL_DIR when
I issue a bitbake -c cleanall but I need to confirm this on master branch.

On Tue, 14 Mar 2023, 17:49, Alex Kiernan wrote:

> On Tue, Mar 14, 2023 at 12:22 PM Alex Kiernan 
> wrote:
> >
> > On Tue, Mar 14, 2023 at 10:25 AM Frédéric Martinsons
> >  wrote:
> > >
> > > Moreover, I think we should add the `--offline` option to cargo build
> > > because the error generated will be more clear:
> > >
> >
> > Let me chuck that across our code base, I was fairly sure I'd seen
> > different problems with it, but it may have been whilst I was
> > debugging this first time around and am mis-remembering.
> >
>
> I'm wrong, seems to be fine.
>
> --
> Alex Kiernan
>

View/Reply Online (#178514): https://lists.openembedded.org/g/openembedded-core/message/178514



Re: [OE-core] [poky] [meta-yocto][langdale][connman] Partial integration of CVE-2022-32293 fixes

2023-03-14 Thread Steve Sakoman
On Tue, Mar 14, 2023 at 7:16 AM VAUTRIN Emmanuel (Canal Plus
Prestataire)  wrote:

> I have noticed that 2 patches fixing CVE-2022-32293 have been backported on 
> meta/recipes-connectivity/connman/connman_1.41.bb (b33cf2d113d0 "connman: 
> Backports for security fixes")
> Unfortunately, the last one (CVE-2022-32293_p2.patch) brings some 
> regressions, which have been fixed by  e6523511d736 ("wispr: Fix context 
> refcounting in wispr_portal_request_portal()"). Can you integrate this commit 
> as patch?

Hi Emmanuel,

Thanks for bringing this to my attention.

In the future please send this sort of thing to the openembedded-core
mailing list.  It would also be good to copy the author of the patch
you are commenting on. (I've cc'd the openembedded-core list as well
as Khem)

Would you be willing to send a patch to the openembedded-core list
that implements this regression fix?

Thanks!

Steve

View/Reply Online (#178513): https://lists.openembedded.org/g/openembedded-core/message/178513



Re: [OE-core] [PATCH] cargo_common.bbclass: do not use built-in git to fetch crates

2023-03-14 Thread Alex Kiernan
On Tue, Mar 14, 2023 at 12:22 PM Alex Kiernan  wrote:
>
> On Tue, Mar 14, 2023 at 10:25 AM Frédéric Martinsons
>  wrote:
> >
> > Moreover, I think we should add the `--offline` option to cargo build
> > because the error generated will be more clear:
> >
>
> Let me chuck that across our code base, I was fairly sure I'd seen
> different problems with it, but it may have been whilst I was
> debugging this first time around and am mis-remembering.
>

I'm wrong, seems to be fine.

-- 
Alex Kiernan

View/Reply Online (#178512): https://lists.openembedded.org/g/openembedded-core/message/178512



Re: [OE-core] [meta][kirkstone][PATCH 2/2] curl: Add fix for CVE-2023-23916

2023-03-14 Thread Steve Sakoman
On Thu, Mar 2, 2023 at 9:52 PM Pawan Badganchi  wrote:
>
> From: Pawan Badganchi 
>
> Add below patch to fix CVE-2023-23916
>
> CVE-2023-23916.patch
>
> Link: https://launchpad.net/ubuntu/+source/curl/7.87.0-2ubuntu2/
>
> Signed-off-by: Pawan Badganchi 
> Signed-off-by: pawan 
> ---
>  .../curl/curl/CVE-2023-23916.patch| 223 ++
>  meta/recipes-support/curl/curl_7.82.0.bb  |   1 +
>  2 files changed, 224 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch 
> b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
> new file mode 100644
> index 00..4839124d5c
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
> @@ -0,0 +1,223 @@
> +Backport of:
> +
> +From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001
> +From: Patrick Monnerat 
> +Date: Mon, 13 Feb 2023 08:33:09 +0100
> +Subject: [PATCH] content_encoding: do not reset stage counter for each header
> +
> +Test 418 verifies
> +
> +Closes #10492
> +
> +CVE: CVE-2023-23916
> +Upstream-Status: Backport 
> [http://launchpadlibrarian.net/652022114/curl_7.87.0-2ubuntu1_7.87.0-2ubuntu2.diff.gz]

Launchpad is not a valid upstream for curl, please reference patches
from the actual upstream: https://github.com/curl/curl

Thanks!

Steve

> +Comment: Refreshed hunk from content_encoding.c and Makefile.inc. Removed 
> test387 from patch as
> +it is not available in the source code.
> +Signed-off-by: Pawan Badganchi 
> +---
> + lib/content_encoding.c  |   7 +-
> + lib/urldata.h   |   1 +
> + tests/data/Makefile.inc |   2 +-
> + tests/data/test387  |   2 +-
> + tests/data/test418  | 152 
> + 5 files changed, 158 insertions(+), 6 deletions(-)
> + create mode 100644 tests/data/test418
> +
> +--- a/lib/content_encoding.c
>  b/lib/content_encoding.c
> +@@ -1035,7 +1035,6 @@
> +  const char *enclist, int maybechunked)
> + {
> +   struct SingleRequest *k = >req;
> +-  int counter = 0;
> +
> +   do {
> + const char *name;
> +@@ -1070,9 +1069,9 @@
> +   if(!encoding)
> + encoding = _encoding;  /* Defer error at stack use. */
> +
> +-  if(++counter >= MAX_ENCODE_STACK) {
> +-failf(data, "Reject response due to %u content encodings",
> +-  counter);
> ++  if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
> ++failf(data, "Reject response due to more than %u content encodings",
> ++  MAX_ENCODE_STACK);
> + return CURLE_BAD_CONTENT_ENCODING;
> +   }
> +   /* Stack the unencoding stage. */
> +--- a/lib/urldata.h
>  b/lib/urldata.h
> +@@ -707,6 +707,7 @@ struct SingleRequest {
> +   struct dohdata *doh; /* DoH specific data for this request */
> + #endif
> +   unsigned char setcookies;
> ++  unsigned char writer_stack_depth; /* Unencoding stack depth. */
> +   BIT(header);/* incoming data has HTTP header */
> +   BIT(content_range); /* set TRUE if Content-Range: was found */
> +   BIT(upload_done);   /* set to TRUE when doing chunked transfer-encoding
> +--- a/tests/data/Makefile.inc
>  b/tests/data/Makefile.inc
> +@@ -69,6 +69,7 @@
> + \
> + test400 test401 test402 test403 test404 test405 test406 test407 test408 \
> + test409 test410 \
> ++test418 \
> + \
> + test430 test431 test432 test433 test434 test435 test436 \
> + \
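Review bot: The diffstat in the patch header no longer matches the refreshed hunks: it still lists `tests/data/test387 | 2 +-` and counts `tests/data/Makefile.inc` as `2 +-`, while the Comment: field says test387 was dropped and this hunk is a single added line (`test418 \`). Regenerate the diffstat after the refresh so it describes what is actually applied.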
> +--- /dev/null
>  b/tests/data/test418
> +@@ -0,0 +1,152 @@
> ++
> ++
> ++
> ++HTTP
> ++gzip
> ++
> ++
> ++
> ++#
> ++# Server-side
> ++
> ++
> ++HTTP/1.1 200 OK
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> ++Transfer-Encoding: gzip
> 

Re: [OE-core] [meta][kirkstone][PATCH 1/2] curl: Add fix for CVE-2023-23914, CVE-2023-23915

2023-03-14 Thread Steve Sakoman
On Thu, Mar 2, 2023 at 9:52 PM Pawan Badganchi  wrote:
>
> From: Pawan Badganchi 
>
> Add below patches to fix CVE-2023-23914, CVE-2023-23915
>
> CVE-2023-23914_5-1.patch
> CVE-2023-23914_5-2.patch
> CVE-2023-23914_5-3.patch
> CVE-2023-23914_5-4.patch
> CVE-2023-23914_5-5.patch
>
> Link: https://launchpad.net/ubuntu/+source/curl/7.87.0-2ubuntu2/
>
> Signed-off-by: Pawan Badganchi 
> Signed-off-by: pawan 
> ---
>  .../curl/curl/CVE-2023-23914_5-1.patch| 304 ++
>  .../curl/curl/CVE-2023-23914_5-2.patch|  22 ++
>  .../curl/curl/CVE-2023-23914_5-3.patch|  44 +++
>  .../curl/curl/CVE-2023-23914_5-4.patch|  47 +++
>  .../curl/curl/CVE-2023-23914_5-5.patch| 117 +++
>  meta/recipes-support/curl/curl_7.82.0.bb  |   5 +
>  6 files changed, 539 insertions(+)
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23914_5-2.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23914_5-3.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23914_5-4.patch
>  create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23914_5-5.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch 
> b/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch
> new file mode 100644
> index 00..a75406c92e
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch
> @@ -0,0 +1,304 @@
> +From 076a2f629119222aeeb50f5a03bf9f9052fabb9a Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg 
> +Date: Tue, 27 Dec 2022 11:50:20 +0100
> +Subject: [PATCH] share: add sharing of HSTS cache among handles
> +
> +Closes #10138
> +
> +CVE: CVE-2023-23914 CVE-2023-23915
> +Upstream-Status: Backport 
> [http://launchpadlibrarian.net/652022114/curl_7.87.0-2ubuntu1_7.87.0-2ubuntu2.diff.gz]

Launchpad is not a valid upstream for curl, please reference patches
from the actual upstream: https://github.com/curl/curl

Thanks!

Steve

> +Comment: Refreshed hunk from hsts.c and urldata.h
> +Signed-off-by: Pawan Badganchi 
> +---
> + docs/libcurl/opts/CURLSHOPT_SHARE.3 |  4 +++
> + docs/libcurl/symbols-in-versions|  1 +
> + include/curl/curl.h |  1 +
> + lib/hsts.c  | 15 +
> + lib/hsts.h  |  2 ++
> + lib/setopt.c| 48 -
> + lib/share.c | 32 +--
> + lib/share.h |  6 +++-
> + lib/transfer.c  |  3 ++
> + lib/url.c   |  6 +++-
> + lib/urldata.h   |  2 ++
> + 11 files changed, 109 insertions(+), 11 deletions(-)
> +
> +--- a/docs/libcurl/opts/CURLSHOPT_SHARE.3
>  b/docs/libcurl/opts/CURLSHOPT_SHARE.3
> +@@ -79,6 +79,10 @@ Added in 7.61.0.
> +
> + Note that when you use the multi interface, all easy handles added to the 
> same
> + multi handle will share PSL cache by default without using this option.
> ++.IP CURL_LOCK_DATA_HSTS
> ++The in-memory HSTS cache.
> ++
> ++Added in 7.88.0
> + .SH PROTOCOLS
> + All
> + .SH EXAMPLE
> +--- a/docs/libcurl/symbols-in-versions
>  b/docs/libcurl/symbols-in-versions
> +@@ -73,6 +73,7 @@ CURL_LOCK_ACCESS_SINGLE 7.10.3
> + CURL_LOCK_DATA_CONNECT  7.10.3
> + CURL_LOCK_DATA_COOKIE   7.10.3
> + CURL_LOCK_DATA_DNS  7.10.3
> ++CURL_LOCK_DATA_HSTS 7.88.0
> + CURL_LOCK_DATA_NONE 7.10.3
> + CURL_LOCK_DATA_PSL  7.61.0
> + CURL_LOCK_DATA_SHARE7.10.4
> +--- a/include/curl/curl.h
>  b/include/curl/curl.h
> +@@ -2953,6 +2953,7 @@ typedef enum {
> +   CURL_LOCK_DATA_SSL_SESSION,
> +   CURL_LOCK_DATA_CONNECT,
> +   CURL_LOCK_DATA_PSL,
> ++  CURL_LOCK_DATA_HSTS,
> +   CURL_LOCK_DATA_LAST
> + } curl_lock_data;
> +
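Review bot: Adding `CURL_LOCK_DATA_HSTS` ahead of `CURL_LOCK_DATA_LAST` gives the 7.82.0 recipe a public enum value that the documentation hunks in this same patch mark as "Added in 7.88.0", and it shifts the value of `CURL_LOCK_DATA_LAST`. Applications that gate on the libcurl version will not detect the symbol, and code built against the old header that sizes lock tables by `CURL_LOCK_DATA_LAST` may be one entry short. Say in the Comment: field that this CVE backport extends the public API, and why that is acceptable on a stable branch.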
> +--- a/lib/hsts.c
>  b/lib/hsts.c
> +@@ -37,6 +37,7 @@
> + #include "parsedate.h"
> + #include "rand.h"
> + #include "rename.h"
> ++#include "share.h"
> + #include "strtoofft.h"
> +
> + /* The last 3 #include files should be in this order */
> +@@ -561,4 +562,18 @@
> +   return CURLE_OK;
> + }
> +
> ++void Curl_hsts_loadfiles(struct Curl_easy *data)
> ++{
> ++  struct curl_slist *l = data->set.hstslist;
> ++  if(l) {
> ++Curl_share_lock(data, CURL_LOCK_DATA_HSTS, CURL_LOCK_ACCESS_SINGLE);
> ++
> ++while(l) {
> ++  (void)Curl_hsts_loadfile(data, data->hsts, l->data);
> ++  l = l->next;
> ++}
> ++Curl_share_unlock(data, CURL_LOCK_DATA_HSTS);
> ++  }
> ++}
> ++
> + #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */
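Review bot: In `Curl_hsts_loadfiles()` the result of `Curl_hsts_loadfile()` is cast to `(void)`, so a file that fails to load is dropped silently, and `data->hsts` is passed on without a NULL check. If ignoring failures is the upstream intent, a one-line comment saying so is enough; otherwise return the first error to the caller. Also confirm that `Curl_share_lock()` is harmless when the handle has no share attached, since the lock is taken whenever `data->set.hstslist` is non-NULL.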
> +--- a/lib/hsts.h
>  b/lib/hsts.h
> +@@ -59,9 +59,11 @@ CURLcode Curl_hsts_loadfile(struct Curl_
> + struct hsts *h, const char *file);
> + CURLcode Curl_hsts_loadcb(struct Curl_easy *data,
> +   struct hsts *h);
> ++void Curl_hsts_loadfiles(struct Curl_easy *data);
> + #else
> + 

[OE-core][langdale 00/24] Pull request (cover letter only)

2023-03-14 Thread Steve Sakoman
The following changes since commit b995ea45773211bd7bdd60eabcc9bbffda6beb5c:

  build-appliance-image: Update to langdale head revision (2023-03-06 15:17:13 
+)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/langdale-next
  
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/langdale-next

Bhabu Bindu (1):
  qemu: Fix CVE-2022-4144

Bruce Ashfield (3):
  linux-yocto/5.15: update to v5.15.94
  linux-yocto/5.15: update to v5.15.96
  linux-yocto-rt/5.15: update to -rt59

Carlos Alberto Lopez Perez (1):
  mesa-demos: packageconfig weston should have a dependency on
wayland-protocols

Chee Yang Lee (1):
  tiff: fix multiple CVEs

Dmitry Baryshkov (1):
  ffmpeg: fix build failure when vulkan is enabled

Hitendra Prajapati (1):
  libxml2: Fix CVE-2022-40303 && CVE-2022-40304

Khem Raj (2):
  libcomps: Fix callback function prototype for PyCOMPS_hash
  rpm: Fix hdr_hash function prototype

Ming Liu (1):
  linux: inherit pkgconfig in kernel.bbclass

Pavel Zhukov (1):
  u-boot: Map arm64 into map for u-boot dts installation

Peter Marko (1):
  systemd: add group sgx to udev package

Richard Purdie (2):
  binutils: Fix nativesdk ld.so search
  oeqa/selftest/prservice: Improve debug output for failure

Ross Burton (2):
  shadow: ignore CVE-2016-15024
  vim: add missing pkgconfig inherit

Siddharth Doshi (1):
  epiphany: Security fix for CVE-2023-26081

Tom Hochstein (2):
  meson: Fix wrapper handling of implicit setup command
  oeqa/sdk: Improve Meson test

Wang Mingyu (4):
  iso-codes: upgrade 4.12.0 -> 4.13.0
  libmicrohttpd: upgrade 0.9.75 -> 0.9.76
  lua: Fix install conflict when enable multilib.
  vala: Fix install conflict when enable multilib.

 meta-selftest/files/static-group  |   1 +
 meta/classes-recipe/kernel.bbclass|   2 +-
 meta/lib/oeqa/sdk/cases/buildepoxy.py |   2 +-
 meta/lib/oeqa/selftest/cases/prservice.py |   2 +-
 meta/recipes-bsp/u-boot/u-boot.inc|   4 +-
 .../libxml/libxml2/CVE-2022-40303.patch   | 624 ++
 .../libxml/libxml2/CVE-2022-40304.patch   | 106 +++
 meta/recipes-core/libxml/libxml2_2.9.14.bb|   2 +
 meta/recipes-core/systemd/systemd_251.8.bb|   2 +-
 ...dk-Search-for-alternative-ld.so.conf.patch |   2 +-
 ...hash_t-instead-of-long-in-PyCOMPS_ha.patch |  66 ++
 .../libcomps/libcomps_0.1.19.bb   |   1 +
 meta/recipes-devtools/lua/lua_5.4.4.bb|   3 +
 .../meson/meson/meson-wrapper |  17 +-
 meta/recipes-devtools/qemu/qemu.inc   |   1 +
 .../qemu/qemu/CVE-2022-4144.patch |  99 +++
 ...y_hash_t-instead-of-long-in-hdr_hash.patch |  35 +
 meta/recipes-devtools/rpm/rpm_4.18.0.bb   |   1 +
 meta/recipes-devtools/vala/vala.inc   |   5 +-
 meta/recipes-extended/shadow/shadow_4.12.3.bb |   3 +
 meta/recipes-gnome/epiphany/epiphany_42.4.bb  |   1 +
 .../epiphany/files/CVE-2023-26081.patch   |  90 +++
 .../recipes-graphics/mesa/mesa-demos_8.5.0.bb |   2 +-
 meta/recipes-kernel/linux/linux-yocto-dev.bb  |   2 -
 .../linux/linux-yocto-rt_5.15.bb  |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb|   6 +-
 meta/recipes-kernel/linux/linux-yocto.inc |   1 -
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 +-
 .../ffmpeg/ffmpeg/ffmpeg-fix-vulkan.patch |  34 +
 .../recipes-multimedia/ffmpeg/ffmpeg_5.1.2.bb |   1 +
 .../libtiff/files/CVE-2022-48281.patch|  26 +
 .../CVE-2023-0800_0801_0802_0803_0804.patch   | 128 
 meta/recipes-multimedia/libtiff/tiff_4.4.0.bb |   2 +
 ...so-codes_4.12.0.bb => iso-codes_4.13.0.bb} |   2 +-
 ...ttpd_0.9.75.bb => libmicrohttpd_0.9.76.bb} |   2 +-
 meta/recipes-support/vim/vim.inc  |   2 +-
 36 files changed, 1266 insertions(+), 43 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch
 create mode 100644 
meta/recipes-devtools/libcomps/libcomps/0001-libcomps-Use-Py_hash_t-instead-of-long-in-PyCOMPS_ha.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
 create mode 100644 
meta/recipes-devtools/rpm/files/0001-python-Use-Py_hash_t-instead-of-long-in-hdr_hash.patch
 create mode 100644 meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch
 create mode 100644 
meta/recipes-multimedia/ffmpeg/ffmpeg/ffmpeg-fix-vulkan.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch
 create mode 100644 
meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch
 rename meta/recipes-support/iso-codes/{iso-codes_4.12.0.bb => 
iso-codes_4.13.0.bb} (94%)
 rename meta/recipes-support/libmicrohttpd/{libmicrohttpd_0.9.75.bb => 
libmicrohttpd_0.9.76.bb} (90%)

-- 
2.34.1


View/Reply Online (#178509): 

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use built-in git to fetch crates

2023-03-14 Thread Alexander Kanavin
On Tue, 14 Mar 2023 at 16:10, Frédéric Martinsons
 wrote:

> Understood, I searched how to add checksum support in crate fetcher but I 
> don't know enough of bitbake to be effective.

You can check how for example http:// fetcher does it by utilizing
verify_checksum() from lib/bb/fetch2/__init__.py in
lib/bb/fetch2/wget.py.

Something like that should happen in crate.py as well.

Alex

View/Reply Online (#178508): https://lists.openembedded.org/g/openembedded-core/message/178508



[OE-core][dunfell 4/6] oeqa/selftest/prservice: Improve debug output for failure

2023-03-14 Thread Steve Sakoman
From: Richard Purdie 

We keep seeing this failure on the autobuilder but the output amounts
to "False is not True". Improve the debug message on the chance it may
make the issue clearer.

Signed-off-by: Richard Purdie 
(cherry picked from commit d03f4cf19c2cc96e9d942252a451521dfec42ebc)
Signed-off-by: Steve Sakoman 
---
 meta/lib/oeqa/selftest/cases/prservice.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oeqa/selftest/cases/prservice.py 
b/meta/lib/oeqa/selftest/cases/prservice.py
index 578b2b4dd9..fdc1e40058 100644
--- a/meta/lib/oeqa/selftest/cases/prservice.py
+++ b/meta/lib/oeqa/selftest/cases/prservice.py
@@ -75,7 +75,7 @@ class BitbakePrTests(OESelftestTestCase):
 exported_db_path = os.path.join(self.builddir, 'export.inc')
 export_result = runCmd("bitbake-prserv-tool export %s" % 
exported_db_path, ignore_status=True)
 self.assertEqual(export_result.status, 0, msg="PR Service database 
export failed: %s" % export_result.output)
-self.assertTrue(os.path.exists(exported_db_path))
+self.assertTrue(os.path.exists(exported_db_path), msg="%s didn't 
exist, tool output %s" % (exported_db_path, export_result.output))
 
 if replace_current_db:
 current_db_path = os.path.join(get_bb_var('PERSISTENT_DIR'), 
'prserv.sqlite3')
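Review bot: The new `msg=` on `self.assertTrue(os.path.exists(exported_db_path), ...)` prints the tool output, but this assertion is only reached after `export_result.status` was already checked to be 0, so the output may not say why the file is missing. Adding a listing of `self.builddir` to the message would show whether the export landed under another name or not at all.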
-- 
2.34.1


View/Reply Online (#178505): https://lists.openembedded.org/g/openembedded-core/message/178505



[OE-core][dunfell 6/6] linux: inherit pkgconfig in kernel.bbclass

2023-03-14 Thread Steve Sakoman
From: Ming Liu 

pkgconfig is being required to find dependencies for building kernel
native tools, move "inherit pkgconfig" to kernel.bbclass so BSP kernel
recipes can also benefit from it.

Signed-off-by: Ming Liu 
Signed-off-by: Alexandre Belloni 
(cherry picked from commit 8a84bd98e3fbc16c782f83064801e469d086911e)
Signed-off-by: Steve Sakoman 
---
 meta/classes/kernel.bbclass  | 2 +-
 meta/recipes-kernel/linux/linux-yocto-dev.bb | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index 8b89360991..c6310d8de7 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -595,7 +595,7 @@ do_savedefconfig() {
 do_savedefconfig[nostamp] = "1"
 addtask savedefconfig after do_configure
 
-inherit cml1
+inherit cml1 pkgconfig
 
 KCONFIG_CONFIG_COMMAND_append = " LD='${KERNEL_LD}' 
HOSTLDFLAGS='${BUILD_LDFLAGS}'"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-dev.bb 
b/meta/recipes-kernel/linux/linux-yocto-dev.bb
index 06a9108fab..a1c0de9981 100644
--- a/meta/recipes-kernel/linux/linux-yocto-dev.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-dev.bb
@@ -10,8 +10,6 @@
 
 inherit kernel
 require recipes-kernel/linux/linux-yocto.inc
-# for ncurses tests
-inherit pkgconfig
 
 # provide this .inc to set specific revisions
 include recipes-kernel/linux/linux-yocto-dev-revisions.inc
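Review bot: Removing `# for ncurses tests` together with `inherit pkgconfig` here drops the only in-tree explanation of why pkgconfig is needed, and the replacement `inherit cml1 pkgconfig` in kernel.bbclass carries no comment. Move the comment (or a sentence about the kernel native tools, as in the commit message) next to the new inherit, since every recipe inheriting kernel.bbclass now picks up the dependency.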
-- 
2.34.1


View/Reply Online (#178507): https://lists.openembedded.org/g/openembedded-core/message/178507



[OE-core][dunfell 5/6] vim: add missing pkgconfig inherit

2023-03-14 Thread Steve Sakoman
From: Ross Burton 

Vim uses pkgconfig to find dependencies but it wasn't present, so it
silently doesn't enable features like GTK+ UI.

[ YOCTO #15044 ]

Signed-off-by: Ross Burton 
Signed-off-by: Alexandre Belloni 
(cherry picked from commit 70900616298f5e70732a34e7406e585e323479ed)
Signed-off-by: Steve Sakoman 
---
 meta/recipes-support/vim/vim.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 234ecd0027..828cf84757 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -33,7 +33,7 @@ S = "${WORKDIR}/git"
 
 VIMDIR = "vim${@d.getVar('PV').split('.')[0]}${@d.getVar('PV').split('.')[1]}"
 
-inherit autotools-brokensep update-alternatives mime-xdg
+inherit autotools-brokensep update-alternatives mime-xdg pkgconfig
 
 CLEANBROKEN = "1"
 
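Review bot: Adding `pkgconfig` to the `inherit` line changes what configure detects, and the commit message says features such as the GTK+ UI were silently left off until now, so this is a behaviour change on a stable branch rather than a pure build fix. Please state which features become enabled on dunfell with this change and whether the existing PACKAGECONFIG options already declare their dependencies.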
-- 
2.34.1


View/Reply Online (#178506): https://lists.openembedded.org/g/openembedded-core/message/178506



[OE-core][dunfell 2/6] harfbuzz: Security fix for CVE-2023-25193

2023-03-14 Thread Steve Sakoman
From: Siddharth Doshi 

Upstream-Status: Backport from 
[https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8]
Signed-off-by: Siddharth Doshi 
Signed-off-by: Steve Sakoman 
---
 .../harfbuzz/CVE-2023-25193-pre0.patch| 335 ++
 .../harfbuzz/CVE-2023-25193-pre1.patch| 135 +++
 .../harfbuzz/harfbuzz/CVE-2023-25193.patch| 179 ++
 .../harfbuzz/harfbuzz_2.6.4.bb|   5 +-
 4 files changed, 653 insertions(+), 1 deletion(-)
 create mode 100644 
meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch
 create mode 100644 
meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch
 create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch

diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch 
b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch
new file mode 100644
index 00..90d4cfefb4
--- /dev/null
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch
@@ -0,0 +1,335 @@
+From 3122c2cdc45a964efedad8953a2df67205c3e3a8 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod 
+Date: Sat, 4 Dec 2021 19:50:33 -0800
+Subject: [PATCH] [buffer] Add HB_GLYPH_FLAG_UNSAFE_TO_CONCAT
+
+Fixes https://github.com/harfbuzz/harfbuzz/issues/1463
+Upstream-Status: Backport from 
[https://github.com/harfbuzz/harfbuzz/commit/3122c2cdc45a964efedad8953a2df67205c3e3a8]
+Comment1: To backport the fix for CVE-2023-25193, add defination for 
HB_GLYPH_FLAG_UNSAFE_TO_CONCAT. This patch is needed along with 
CVE-2023-25193-pre1.patch for sucessfull porting.
+Signed-off-by: Siddharth Doshi 
+---
+ src/hb-buffer.cc | 10 ++---
+ src/hb-buffer.h  | 76 ++--
+ src/hb-buffer.hh | 33 ++--
+ src/hb-ot-layout-gsubgpos.hh | 39 +++---
+ src/hb-ot-shape.cc   |  8 +---
+ 5 files changed, 124 insertions(+), 42 deletions(-)
+
+diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc
+index 6131c86..bba5eae 100644
+--- a/src/hb-buffer.cc
 b/src/hb-buffer.cc
+@@ -610,14 +610,14 @@ done:
+ }
+ 
+ void
+-hb_buffer_t::unsafe_to_break_impl (unsigned int start, unsigned int end)
++hb_buffer_t::unsafe_to_break_impl (unsigned int start, unsigned int end, 
hb_mask_t mask)
+ {
+   unsigned int cluster = (unsigned int) -1;
+   cluster = _unsafe_to_break_find_min_cluster (info, start, end, cluster);
+-  _unsafe_to_break_set_mask (info, start, end, cluster);
++  _unsafe_to_break_set_mask (info, start, end, cluster, mask);
+ }
+ void
+-hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int 
end)
++hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int 
end, hb_mask_t mask)
+ {
+   if (!have_output)
+   {
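Review bot: `unsafe_to_break_impl()` and `unsafe_to_break_from_outbuffer()` both gain a trailing `hb_mask_t mask` parameter in this hunk, so every existing caller in 2.6.4 must either pass it or rely on a default in the hb-buffer.hh declaration. Since this is a prerequisite patch refreshed onto an older tree, please confirm the recipe builds with the callers as they exist in 2.6.4 and mention in Comment1 anything that had to be adapted.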
+@@ -631,8 +631,8 @@ hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int 
start, unsigned int en
+   unsigned int cluster = (unsigned int) -1;
+   cluster = _unsafe_to_break_find_min_cluster (out_info, start, out_len, 
cluster);
+   cluster = _unsafe_to_break_find_min_cluster (info, idx, end, cluster);
+-  _unsafe_to_break_set_mask (out_info, start, out_len, cluster);
+-  _unsafe_to_break_set_mask (info, idx, end, cluster);
++  _unsafe_to_break_set_mask (out_info, start, out_len, cluster, mask);
++  _unsafe_to_break_set_mask (info, idx, end, cluster, mask);
+ }
+ 
+ void
+diff --git a/src/hb-buffer.h b/src/hb-buffer.h
+index d5cb746..42dc92a 100644
+--- a/src/hb-buffer.h
 b/src/hb-buffer.h
+@@ -77,26 +77,76 @@ typedef struct hb_glyph_info_t
+  * @HB_GLYPH_FLAG_UNSAFE_TO_BREAK: Indicates that if input text is broken at 
the
+  *   beginning of the cluster this glyph is part 
of,
+  *   then both sides need to be re-shaped, as the
+- *   result might be different.  On the flip side,
+- *   it means that when this flag is not present,
+- *   then it's safe to break the glyph-run at the
+- *   beginning of this cluster, and the two sides
+- *   represent the exact same result one would get
+- *   if breaking input text at the beginning of
+- *   this cluster and shaping the two sides
+- *   separately.  This can be used to optimize
+- *   paragraph layout, by avoiding re-shaping
+- *   of each line after line-breaking, or limiting
+- *   the reshaping to a small piece around the
+- *   breaking point only.
++ *   result might be different.
++ *
++ *   On the flip side, it means that when this
++ *   flag is not present, then it is safe to break
++ *  

[OE-core][dunfell 3/6] shadow: ignore CVE-2016-15024

2023-03-14 Thread Steve Sakoman
From: Ross Burton 

This recently got an updated CPE which matches this recipe, but the issue
is related to an entirely different shadow project so ignore it.

Signed-off-by: Ross Burton 
Signed-off-by: Alexandre Belloni 
(cherry picked from commit 2331e98abb09cbcd56625d65c4e5d258dc29dd04)
Signed-off-by: Steve Sakoman 
---
 meta/recipes-extended/shadow/shadow_4.8.1.bb | 4 
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-extended/shadow/shadow_4.8.1.bb 
b/meta/recipes-extended/shadow/shadow_4.8.1.bb
index ff4aad926f..9dfcd4bc10 100644
--- a/meta/recipes-extended/shadow/shadow_4.8.1.bb
+++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb
@@ -9,3 +9,7 @@ BBCLASSEXTEND = "native nativesdk"
 # Severity is low and marked as closed and won't fix.
 # https://bugzilla.redhat.com/show_bug.cgi?id=884658
 CVE_CHECK_WHITELIST += "CVE-2013-4235"
+
+# This is an issue for a different shadow
+CVE_CHECK_WHITELIST += "CVE-2016-15024"
+
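Review bot: The comment `# This is an issue for a different shadow` does not say which project the CVE belongs to, so the exclusion cannot be rechecked later without redoing the research. Name the other project or link the CVE entry, the way the CVE-2013-4235 entry just above cites its bugzilla URL. The trailing empty `+` line at the end of the file can be dropped.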
-- 
2.34.1


View/Reply Online (#178504): https://lists.openembedded.org/g/openembedded-core/message/178504



[OE-core][dunfell 0/6] Patch review

2023-03-14 Thread Steve Sakoman
Please review this final set of patches for the dunfell 3.1.24 release.

We hope to do the release build this Thursday, so please have any comments
back as soon as possible.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5043

The following changes since commit 51424b9955374196307aaf73cf4b6c184ce4fb6d:

  devshell: Do not add scripts/git-intercept to PATH (2023-03-06 04:54:35 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Ming Liu (1):
  linux: inherit pkgconfig in kernel.bbclass

Richard Purdie (1):
  oeqa/selftest/prservice: Improve debug output for failure

Ross Burton (2):
  shadow: ignore CVE-2016-15024
  vim: add missing pkgconfig inherit

Siddharth Doshi (1):
  harfbuzz: Security fix for CVE-2023-25193

Vivek Kumbhar (1):
  gnutls: fix CVE-2023-0361 timing side-channel in the TLS RSA key
exchange code

 meta/classes/kernel.bbclass   |   2 +-
 meta/lib/oeqa/selftest/cases/prservice.py |   2 +-
 meta/recipes-extended/shadow/shadow_4.8.1.bb  |   4 +
 .../harfbuzz/CVE-2023-25193-pre0.patch| 335 ++
 .../harfbuzz/CVE-2023-25193-pre1.patch| 135 +++
 .../harfbuzz/harfbuzz/CVE-2023-25193.patch| 179 ++
 .../harfbuzz/harfbuzz_2.6.4.bb|   5 +-
 meta/recipes-kernel/linux/linux-yocto-dev.bb  |   2 -
 .../gnutls/gnutls/CVE-2023-0361.patch |  85 +
 meta/recipes-support/gnutls/gnutls_3.6.14.bb  |   1 +
 meta/recipes-support/vim/vim.inc  |   2 +-
 11 files changed, 746 insertions(+), 6 deletions(-)
 create mode 100644 
meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch
 create mode 100644 
meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch
 create mode 100644 meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch

-- 
2.34.1


View/Reply Online (#178501): https://lists.openembedded.org/g/openembedded-core/message/178501



[OE-core][dunfell 1/6] gnutls: fix CVE-2023-0361 timing side-channel in the TLS RSA key exchange code

2023-03-14 Thread Steve Sakoman
From: Vivek Kumbhar 

Remove branching that depends on secret data.

since the `ok` variable isn't used any more, we can remove all code
used to calculate it

Signed-off-by: Vivek Kumbhar 
Signed-off-by: Steve Sakoman 
---
 .../gnutls/gnutls/CVE-2023-0361.patch | 85 +++
 meta/recipes-support/gnutls/gnutls_3.6.14.bb  |  1 +
 2 files changed, 86 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch 
b/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch
new file mode 100644
index 00..943f4ca704
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch
@@ -0,0 +1,85 @@
+From 80a6ce8ddb02477cd724cd5b2944791aaddb702a Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin 
+Date: Tue, 9 Aug 2022 16:05:53 +0200
+Subject: [PATCH] auth/rsa: side-step potential side-channel
+
+Signed-off-by: Alexander Sosedkin 
+Signed-off-by: Hubert Kario 
+Tested-by: Hubert Kario 
+Upstream-Status: Backport 
[https://gitlab.com/gnutls/gnutls/-/commit/80a6ce8ddb02477cd724cd5b2944791aaddb702a
+   
https://gitlab.com/gnutls/gnutls/-/commit/4b7ff428291c7ed77c6d2635577c83a43bbae558]
+CVE: CVE-2023-0361
+Signed-off-by: Vivek Kumbhar 
+---
+ lib/auth/rsa.c | 30 +++---
+ 1 file changed, 3 insertions(+), 27 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 8108ee8..858701f 100644
+--- a/lib/auth/rsa.c
 b/lib/auth/rsa.c
+@@ -155,13 +155,10 @@ static int
+ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+  size_t _data_size)
+ {
+-  const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
+   gnutls_datum_t ciphertext;
+   int ret, dsize;
+   ssize_t data_size = _data_size;
+   volatile uint8_t ver_maj, ver_min;
+-  volatile uint8_t check_ver_min;
+-  volatile uint32_t ok;
+
+ #ifdef ENABLE_SSL3
+   if (get_num_version(session) == GNUTLS_SSL3) {
+@@ -187,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * 
data,
+
+   ver_maj = _gnutls_get_adv_version_major(session);
+   ver_min = _gnutls_get_adv_version_minor(session);
+-  check_ver_min = (session->internals.allow_wrong_pms == 0);
+
+   session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+   if (session->key.key.data == NULL) {
+@@ -206,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * 
data,
+   return ret;
+   }
+
+-  ret =
+-  gnutls_privkey_decrypt_data2(session->internals.selected_key,
+-   0, , session->key.key.data,
+-   session->key.key.size);
++  gnutls_privkey_decrypt_data2(session->internals.selected_key,
++   0, , session->key.key.data,
++   session->key.key.size);
+   /* After this point, any conditional on failure that cause differences
+* in execution may create a timing or cache access pattern side
+* channel that can be used as an oracle, so treat very carefully */
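Review bot: The call to `gnutls_privkey_decrypt_data2()` now discards its return value, which is the point of the fix, but nothing on the call itself says so. A `(void)` cast or a short comment on the call would keep a later cleanup or a static-analysis warning from reintroducing `ret =` and a branch on it. It is also worth confirming what `session->key.key.data` holds before this call in 3.6.14, because a failed decryption now falls through with whatever is in the buffer.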
+@@ -225,25 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * 
data,
+* Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
+*/
+
+-  /* ok is 0 in case of error and 1 in case of success. */
+-
+-  /* if ret < 0 */
+-  ok = CONSTCHECK_EQUAL(ret, 0);
+-  /* session->key.key.data[0] must equal ver_maj */
+-  ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
+-  /* if check_ver_min then session->key.key.data[1] must equal ver_min */
+-  ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
+-  CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
+-
+-  if (ok) {
+-  /* call logging function unconditionally so all branches are
+-   * indistinguishable for timing and cache access when debug
+-   * logging is disabled */
+-  _gnutls_no_log("%s", attack_error);
+-  } else {
+-  _gnutls_debug_log("%s", attack_error);
+-  }
+-
+   /* This is here to avoid the version check attack
+* discussed above.
+*/
+--
+2.25.1
+
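Review bot: Upstream-Status lists two upstream commits, yet the patch carries a single From/Subject header, so the removal of `ok` and of the `_gnutls_no_log`/`_gnutls_debug_log` branch in this hunk cannot be matched to the commit it came from. Keep the two commits as two patch files, or say in the header that they were squashed and which hunks belong to which.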
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb 
b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
index f1757871ce..0c3392d521 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -27,6 +27,7 @@ SRC_URI = 
"https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://CVE-2021-20232.patch \
file://CVE-2022-2509.patch \
file://CVE-2021-4209.patch \
+   file://CVE-2023-0361.patch \
 "
 
 SRC_URI[sha256sum] = 
"5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"
-- 
2.34.1


View/Reply Online (#178502): 

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use built-in git to fetch crates

2023-03-14 Thread Frederic Martinsons
Understood, I searched how to add checksum support in crate fetcher but I
don't know enough of bitbake to be effective.

I'll check in the Cargo.lock in my project, backport your patch and
continue my exploration of the wonderful rust world on embedded device ^^

Thank you very much for the help on the subject guys and like I said
earlier, if you need me to do some more tests to help the patch being
merged in the master, I'm available.



On Tue, 14 Mar 2023 at 15:59, Alex Kiernan wrote:

> On Tue, Mar 14, 2023 at 12:58 PM Frédéric Martinsons
>  wrote:
> >
> > On Tue, 14 Mar 2023 at 11:35, Alexander Kanavin 
> wrote:
> > >
> > > --offline seems like the right thing to add, if it produces better
> errors.
> > >
> > > Generating Cargo.lock on the other hand is not right. We rely on rust
> > > checking the source tree against the checksums in Cargo.lock (to
> > > prevent supply chain attacks), and this would completely subvert that.
> > > There could be better diagnostics around missing Cargo.lock, and steps
> > > to address the issue, but such steps must be manually taken (even
> > > though they could be codified in a special task, similar to how
> > > generating list of crates in SRC_URI is a task).
> > >
> > > Alex
> > >
> >
> > Ok I see what you mean, generating the Cargo.lock in a dedicated task
> > inside  meta/classes-recipe/cargo-update-recipe-crates.bbclass
> > or maybe a dedicated meta/classes-recipe/cargo-generate-lockfile.bbclass
> ?
>
> I'm really not sure we want Cargo.lock generation as part of the OE
> workflow - Cargo.lock should be part of your checked in sources for
> non-library projects.
>
>
> --
> Alex Kiernan
>

View/Reply Online (#178500): https://lists.openembedded.org/g/openembedded-core/message/178500



Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

2023-03-14 Thread Steve Sakoman
On Tue, Mar 14, 2023 at 5:07 AM Valek, Andrej  wrote:
>
> Hello Steve,
>
> Ok, looks like I received a wrong notification, sorry. So you can keep
> there only the 42916.
> Basically all the HSTS check features are not implemented in the 7.69.1
> version.

I still have the same comment on how we should handle this issue:

> > > Is this due to an error in the CPE database?  If so, perhaps the
> > > better approach would be to send a version correction request to
> > > cpe_diction...@nist.gov

Steve

> > > > Signed-off-by: Andrej Valek 
> > > > ---
> > > >  meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
> > > >  1 file changed, 3 insertions(+)
> > > >
> > > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb
> > > > b/meta/recipes-support/curl/curl_7.69.1.bb
> > > > index 899daf8eac..ea36c0bd3d 100644
> > > > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > > > @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-
> > > > 22923 CVE-2021-22926 CVE-2021-229
> > > >  # This CVE issue affects Windows only Hence whitelisting this
> > > > CVE
> > > >  CVE_CHECK_WHITELIST += "CVE-2021-22897"
> > > >
> > > > +# HSTS check feature is not implemented
> > > > +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-
> > > > 43551"
> > > > +
> > > >  inherit autotools pkgconfig binconfig multilib_header
> > > >
> > > >  PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6',
> > > > d)} gnutls libidn proxy threaded-resolver verbose zlib"
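Review bot: Nothing on the added lines records that this entry works around the version range in the CPE data, which is the question raised in this reply. If a correction is sent to NVD, the whitelist line becomes dead weight; a note in the comment saying it can be removed once the CPE range is fixed would make that cleanup obvious.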
> > > > --
> > > > 2.39.2
> > > >
> > > >
> > > >
> > > >
> > >
> > > 
> > >
>

View/Reply Online (#178499): https://lists.openembedded.org/g/openembedded-core/message/178499



Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

2023-03-14 Thread Andrej Valek
Hello Steve,

Ok, looks like I received a wrong notification, sorry. So you can keep
there only the 42916.
Basically all the HSTS check features are not implemented in the 7.69.1
version.

Regards,
Andrej

On Tue, 2023-03-14 at 04:39 -1000, Steve Sakoman wrote:
> On Tue, Mar 14, 2023 at 4:26 AM Steve Sakoman via
> lists.openembedded.org 
> wrote:
> > 
> > On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek
> >  wrote:
> > > 
> > > All mentioned CVEs are related to HSTS check feature, which is
> > > not
> > > implemented in version 7.69.1 .
> > 
> > Is this due to an error in the CPE database?  If so, perhaps the
> > better approach would be to send a version correction request to
> > cpe_diction...@nist.gov
> 
> Hmmm . . . looking at the most recent dunfell CVE report I see that
> only CVE-2022-42916 is listed.
> 
> The CPE database indicates the issue is present for versions 7.57.0
> onwards up to but not including 7.88.0
> 
> Steve
> 
> 
> > > Signed-off-by: Andrej Valek 
> > > ---
> > >  meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
> > >  1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb
> > > b/meta/recipes-support/curl/curl_7.69.1.bb
> > > index 899daf8eac..ea36c0bd3d 100644
> > > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > > @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-
> > > 22923 CVE-2021-22926 CVE-2021-229
> > >  # This CVE issue affects Windows only Hence whitelisting this
> > > CVE
> > >  CVE_CHECK_WHITELIST += "CVE-2021-22897"
> > > 
> > > +# HSTS check feature is not implemented
> > > +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-
> > > 43551"
> > > +
> > >  inherit autotools pkgconfig binconfig multilib_header
> > > 
> > >  PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6',
> > > d)} gnutls libidn proxy threaded-resolver verbose zlib"
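Review bot: Three CVEs share one `+=` line and one comment, while the existing entry just above pairs a single CVE with its own reason. One line per CVE, each with its rationale, would let a follow-up drop an individual ID (this reply already narrows the set to 42916) without touching the others.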
> > > --
> > > 2.39.2
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> > 


View/Reply Online (#178498): https://lists.openembedded.org/g/openembedded-core/message/178498



Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Alex Kiernan
On Tue, Mar 14, 2023 at 12:58 PM Frédéric Martinsons
 wrote:
>
> On Tue, 14 Mar 2023 at 11:35, Alexander Kanavin  
> wrote:
> >
> > --offline seems like the right thing to add, if it produces better errors.
> >
> > Generating Cargo.lock on the other hand is not right. We rely on rust
> > checking the source tree against the checksums in Cargo.lock (to
> > prevent supply chain attacks), and this would completely subvert that.
> > There could be better diagnostics around missing Cargo.lock, and steps
> > to address the issue, but such steps must be manually taken (even
> > though they could be codified in a special task, similar to how
> > generating list of crates in SRC_URI is a task).
> >
> > Alex
> >
>
> Ok I see what you mean, generating the Cargo.lock in a dedicated task
> inside  meta/classes-recipe/cargo-update-recipe-crates.bbclass
> or maybe a dedicated meta/classes-recipe/cargo-generate-lockfile.bbclass ?

I'm really not sure we want Cargo.lock generation as part of the OE
workflow - Cargo.lock should be part of your checked in sources for
non-library projects.


--
Alex Kiernan

View/Reply Online (#178497): https://lists.openembedded.org/g/openembedded-core/message/178497



[OE-core] Yocto Project Status 14 March 2023 (WW11)

2023-03-14 Thread Stephen Jolley
Current Dev Position: YP 4.2 M4

Next Deadline: 3rd April 2023 YP 4.2 M4 Build

 

Next Team Meetings:

*   Bug Triage meeting Thursday March 16th 7:30 am PDT (https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09)
*   Weekly Project Engineering Sync Tuesday March 14th at 8 am PDT (https://zoom.us/j/990892712?pwd=cHU1MjhoM2x6ck81bkcrYjRrcmJsUT09)
*   Twitch - See https://www.twitch.tv/theyoctojester

 

Key Status/Updates:

*   YP 4.0.8 was released
*   YP 4.1.3 passed QA and is due to be released
*   We are now in feature freeze for 4.2 and preparing for final build
in ~2.5 weeks
*   Patches continue to merge into master and there are some good bug
fixes in there. Some version upgrades are merging either due to low risk or
due to the likely need from other components during the lifetime of the
release.
*   Support for parallel ptest execution with a ptest per image was
merged, along with various dependency fixes for the ptest packages to ensure
this works as expected. This takes ptest execution time from 3.5 hours to
around 45 minutes on the autobuilder.
*   The bugzilla was upgraded to the version 5 series which brings
access to the REST API and functionality useful to the triage team. Testopia
was dropped.
*   Regression reports for release builds are now looking fairly
accurate
*   CVE levels in the LTS releases are at higher levels than they have
been for a while which is a concern.
*   We have a growing number of bugs in bugzilla, any help with them is
appreciated.

 

Ways to contribute:

*   As people are likely aware, the project has a number of components
which are either unmaintained, or have people with little to no time trying
to keep them alive. These components include: patchtest, layerindex,
devtool, toaster, wic, oeqa, autobuilder, CROPs containers, pseudo and more.
Many have open bugs. Help is welcome in trying to better look after these
components!
*   There are bugs identified as possible for newcomers to the project: https://wiki.yoctoproject.org/wiki/Newcomers
*   There are bugs that are currently unassigned for YP 4.2. See: https://wiki.yoctoproject.org/wiki/Bug_Triage#Medium.2B_4.2_Unassigned_Enhancements.2FBugs
*   We'd welcome new maintainers for recipes in OE-Core. Please see the
list at: http://git.yoctoproject.org/cgit.cgi/poky/tree/meta/conf/distro/include/maintainers.inc
and discuss with the existing maintainer, or ask on the OE-Core
mailing list. We will likely move a chunk of these to "Unassigned" soon to
help facilitate this.
*   Help is very much welcome in trying to resolve our autobuilder
intermittent issues. You can see the list of failures we're continuing to
see by searching for the "AB-INT" tag in bugzilla: https://bugzilla.yoctoproject.org/buglist.cgi?quicksearch=AB-INT.
*   Help us resolve CVE issues: CVE metrics

 

YP 4.2 Milestone Dates:

*   YP 4.2 M4 build date 2023/04/03
*   YP 4.2 M4 Release date 2023/04/28

 

Upcoming dot releases:

*   YP 4.0.8 is released
*   YP 4.1.3 is ready for release
*   YP 3.1.24 build date 2023/03/20
*   YP 3.1.24 Release date 2023/03/31
*   YP 4.0.9 build date 2023/04/10
*   YP 4.0.9 Release date 2023/04/21
*   YP 4.1.4 build date 2023/05/01
*   YP 4.1.4 Release date 2023/05/13
*   YP 3.1.25 build date 2023/05/08
*   YP 3.1.25 Release date 2023/05/19
*   YP 4.0.10 build date 2023/05/15
*   YP 4.0.10 Release date 2023/05/26

 

Tracking Metrics:

*   WDD 2472 (last week 2497) (https://wiki.yoctoproject.org/charts/combo.html)
*   OE-Core/Poky Patch Metrics

*   Total patches found: 1185 (last week 1185)
*   Patches in the Pending State: 277 (23%) [last week 277 (23%)]

*   https://autobuilder.yocto.io/pub/non-release/patchmetrics/

 

The Yocto Project's technical governance is through its Technical Steering
Committee, more information is available at:

https://wiki.yoctoproject.org/wiki/TSC

 

The Status reports are now stored on the wiki at:

https://wiki.yoctoproject.org/wiki/Weekly_Status

 

[If anyone has suggestions for other information you'd like to see on this
weekly status update, let us know!]

 


Re: [OE-core] [RFC]] cve-update-nvd2-native: new CVE database fetcher

2023-03-14 Thread Ross Burton
On 14 Mar 2023, at 14:24, Marta Rybczynska  wrote:
> On Fri, Feb 24, 2023 at 5:16 PM Marta Rybczynska  wrote:
> Add new fetcher for the NVD database using the 2.0 API [1].
> The implementation changes as little as possible, keeping the current
> database format (but using a different database file for the transition
> period), with a notable exception of not using the META table.
> 
> Minor changes that could be visible:
> - the database starts in 1999 instead of 2002
> - the complete fetch is longer (30 minutes typically)
> 
> 
> Tests VERY MUCH welcome, I have found some bugs today still.
> 
> Docs (with a mandatory note according to the terms of use) will come with v2.
> 
> For the swap between v1 and v2 I'm not sure what will be the best solution:
> - a configuration option allows to migrate when the user decides to do so
> - ... but does not protect the day they disconnect the feed
> What do you think?
> 
> 
> Still interested in your opinions on this. Currently I'm investigating some 
> differences between
> both fetchers.

Sorry, I utterly failed to actually reply.

I did some basic code review and had some tweaks, and grumbled at the 
performance of NIST’s servers… I’m in meetings for the rest of today but I’ll 
actually write my reply tomorrow.

Ross

View/Reply Online (#178495): https://lists.openembedded.org/g/openembedded-core/message/178495



Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

2023-03-14 Thread Steve Sakoman
On Tue, Mar 14, 2023 at 4:26 AM Steve Sakoman via
lists.openembedded.org 
wrote:
>
> On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek  wrote:
> >
> > All mentioned CVEs are related to HSTS check feature, which is not
> > implemented in version 7.69.1 .
>
> Is this due to an error in the CPE database?  If so, perhaps the
> better approach would be to send a version correction request to
> cpe_diction...@nist.gov

Hmmm . . . looking at the most recent dunfell CVE report I see that
only CVE-2022-42916 is listed.

The CPE database indicates the issue is present for versions 7.57.0
onwards up to but not including 7.88.0

Steve


> > Signed-off-by: Andrej Valek 
> > ---
> >  meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb 
> > b/meta/recipes-support/curl/curl_7.69.1.bb
> > index 899daf8eac..ea36c0bd3d 100644
> > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 
> > CVE-2021-22926 CVE-2021-229
> >  # This CVE issue affects Windows only Hence whitelisting this CVE
> >  CVE_CHECK_WHITELIST += "CVE-2021-22897"
> >
> > +# HSTS check feature is not implemented
> > +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
> > +
> >  inherit autotools pkgconfig binconfig multilib_header
> >
> >  PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} 
> > gnutls libidn proxy threaded-resolver verbose zlib"
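Review bot: The new line whitelists three IDs, but per the reply above only CVE-2022-42916 appears in the most recent dunfell CVE report. Whitelisting IDs the checker does not flag adds entries nobody will revisit; I'd reduce the line to `CVE-2022-42916` unless the other two can be shown to match 7.69.1.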
> > --
> > 2.39.2
> >
> >
> >
> >
>
> 
>

View/Reply Online (#178494): https://lists.openembedded.org/g/openembedded-core/message/178494



Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

2023-03-14 Thread Steve Sakoman
On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek  wrote:
>
> All mentioned CVEs are related to HSTS check feature, which is not
> implemented in version 7.69.1 .

Is this due to an error in the CPE database?  If so, perhaps the
better approach would be to send a version correction request to
cpe_diction...@nist.gov

Steve

> Signed-off-by: Andrej Valek 
> ---
>  meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb 
> b/meta/recipes-support/curl/curl_7.69.1.bb
> index 899daf8eac..ea36c0bd3d 100644
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 
> CVE-2021-22926 CVE-2021-229
>  # This CVE issue affects Windows only Hence whitelisting this CVE
>  CVE_CHECK_WHITELIST += "CVE-2021-22897"
>
> +# HSTS check feature is not implemented
> +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
> +
>  inherit autotools pkgconfig binconfig multilib_header
>
>  PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls 
> libidn proxy threaded-resolver verbose zlib"
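Review bot: The added comment `# HSTS check feature is not implemented` does not say in which version, while the commit message does (7.69.1). The recipe comment is what most people will read later, so I'd put the version there, in the style of the Windows-only note two lines above, so the entry gets re-evaluated on the next curl upgrade.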
> --
> 2.39.2
>
>
> 
>

View/Reply Online (#178493): https://lists.openembedded.org/g/openembedded-core/message/178493



Re: [OE-core] [RFC]] cve-update-nvd2-native: new CVE database fetcher

2023-03-14 Thread Marta Rybczynska
On Fri, Feb 24, 2023 at 5:22 PM Marta Rybczynska via lists.openembedded.org
 wrote:

>
>
> On Fri, Feb 24, 2023 at 5:16 PM Marta Rybczynska 
> wrote:
>
>> Add new fetcher for the NVD database using the 2.0 API [1].
>> The implementation changes as little as possible, keeping the current
>> database format (but using a different database file for the transition
>> period), with a notable exception of not using the META table.
>>
>> Minor changes that could be visible:
>> - the database starts in 1999 instead of 2002
>> - the complete fetch is longer (30 minutes typically)
>>
>>
> Tests VERY MUCH welcome, I have found some bugs today still.
>
> Docs (with a mandatory note according to the terms of use) will come with
> v2.
>
> For the swap between v1 and v2 I'm not sure what will be the best solution:
> - a configuration option allows to migrate when the user decides to do so
> - ... but does not protect the day they disconnect the feed
>
> What do you think?
>
>
Still interested in your opinions on this. Currently I'm investigating some
differences between
both fetchers.

Kind regards,
Marta

View/Reply Online (#178492): https://lists.openembedded.org/g/openembedded-core/message/178492



[OE-core] [PATCH] systemd: fix wrong nobody-group assignment

2023-03-14 Thread Piotr Łobacz
The generated /etc/group file had a wrong group name for nobody-group
which was nobody with same id as nogroup group. This was leading to
duplicate groups, with same ids and different names.

More can be read on this link:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=11766

Signed-off-by: Piotr Łobacz 
---
 meta/recipes-core/systemd/systemd_250.5.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/systemd/systemd_250.5.bb 
b/meta/recipes-core/systemd/systemd_250.5.bb
index 7df7bca4cc..9bb42b971f 100644
--- a/meta/recipes-core/systemd/systemd_250.5.bb
+++ b/meta/recipes-core/systemd/systemd_250.5.bb
@@ -221,7 +221,7 @@ rootlibdir ?= "${base_libdir}"
 rootlibexecdir = "${rootprefix}/lib"
 
 EXTRA_OEMESON += "-Dnobody-user=nobody \
-  -Dnobody-group=nobody \
+  -Dnobody-group=nogroup \
   -Drootlibdir=${rootlibdir} \
   -Drootprefix=${rootprefix} \
   -Ddefault-locale=C \
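Review bot: The switch to `-Dnobody-group=nogroup` relies on a `nogroup` entry already existing in the image's group file, and neither the commit message nor the recipe says where that entry comes from. I'd name the provider of `nogroup` in the commit message so a distro with a different base group file knows it has to override this option, and mention whether images already carrying the duplicate `nobody` group need any cleanup.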
-- 
2.34.1


View/Reply Online (#178491): https://lists.openembedded.org/g/openembedded-core/message/178491



Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Alex Kiernan
On Tue, Mar 14, 2023 at 1:00 PM Frédéric Martinsons
 wrote:
>
> On Tue, 14 Mar 2023 at 12:25, Alexander Kanavin  
> wrote:
> >
> > The other option is to add checksumming support to crate fetcher in 
> > bitbake. If all items in src_uri are verified by fetchers directly for 
> > integrity from checksums in the recipe, the cargo can generate cargo.lock 
> > anytime it wants to.
> >
> > Alex
> >
>
> Ok, so If I understand correctly, that would mean a modification
> inside bitbake/lib/bb/fetch2/crate.py to add such support ?
> And if we have that, where the Cargo.lock generation should be made ?
> it can only be during do_fetch step since it will
> require network if a "git" dependencies is to be found in the project 
> manifest.

You'd have to list all the crate checksums in your recipe, so the
crate fetcher could check them.

--
Alex Kiernan

View/Reply Online (#178490): https://lists.openembedded.org/g/openembedded-core/message/178490
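
The integrity check this thread keeps returning to, as an added example (not code from bitbake, OE-Core or any poster): a Python script that verifies downloaded crates against the SHA-256 checksums in Cargo.lock and singles out dependencies that carry no checksum, such as git sources. It assumes a lock file with inline `checksum` keys and archives named `<name>-<version>.crate`; the package names, URL and payloads are constructed.

```python
"""Check downloaded .crate archives against the checksums pinned in Cargo.lock."""
import hashlib
import re
import tempfile
from pathlib import Path

_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_lock_packages(lock_text):
    """Return the [[package]] tables of a Cargo.lock as a list of dicts.

    Cargo.lock is machine-written TOML with one `key = "value"` per line, so a
    line scanner is enough here; array values (dependencies) are ignored.
    """
    packages, current = [], None
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):
            current = None  # some other table, e.g. [metadata]
        elif current is not None:
            match = _KV.match(line)
            if match:
                current[match.group(1)] = match.group(2)
    return packages


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_crates(lock_text, download_dir):
    """Classify every locked package as one of:

    ok           archive present, digest equals the locked checksum
    mismatch     archive present, digest differs from the locked checksum
    missing      checksum locked but no archive in download_dir
    no-checksum  has a source (e.g. git+...) but no checksum in the lock file
    local        no source at all (workspace/path member, nothing fetched)
    """
    results = {}
    for pkg in parse_lock_packages(lock_text):
        key = f'{pkg["name"]}-{pkg["version"]}'
        if "source" not in pkg:
            results[key] = "local"
        elif "checksum" not in pkg:
            results[key] = "no-checksum"
        else:
            # Assumed naming convention for downloaded archives.
            archive = Path(download_dir) / f"{key}.crate"
            if not archive.is_file():
                results[key] = "missing"
            elif sha256_file(archive) == pkg["checksum"].lower():
                results[key] = "ok"
            else:
                results[key] = "mismatch"
    return results


def demo():
    """Constructed data: one intact crate, one altered after locking, one git dep."""
    good = b"constructed crate payload A"
    original = b"constructed crate payload B"
    lock = f'''
version = 3

[[package]]
name = "alpha"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "{hashlib.sha256(good).hexdigest()}"

[[package]]
name = "beta"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "{hashlib.sha256(original).hexdigest()}"
dependencies = [
 "alpha",
]

[[package]]
name = "gamma"
version = "0.1.0"
source = "git+https://example.invalid/gamma.git#0000000000000000000000000000000000000000"

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "alpha",
 "beta",
 "gamma",
]
'''
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "alpha-1.0.0.crate").write_bytes(good)
        Path(tmp, "beta-0.2.1.crate").write_bytes(original + b" (modified)")
        return verify_crates(lock, tmp)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

The `no-checksum` rows are the ones a regenerated Cargo.lock cannot protect: their integrity has to come from the fetcher, for example a pinned git revision or a checksum in the recipe.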



Re: [OE-core] [kirkstone][PATCH] qemu: fix compile error

2023-03-14 Thread Kai Kang

On 3/13/23 23:43, Steve Sakoman wrote:

On Tue, Feb 14, 2023 at 4:22 PM Kai Kang  wrote:

On 2/14/23 22:30, Martin Jansa wrote:

Thanks Kai,

this should fix what I've reported in:
https://lists.openembedded.org/g/openembedded-core/message/176508

once this is merged, can you please add both oe-core changes (3 qemu patches) 
to dunfell as well, so that similar patch is included in both branches? The 
broken version wasn't merged to dunfell after my report.

You mean CVE-2022-4144.patch and this commit, right? OK, will do.

Hi Kai,

Do you still plan to submit the above referenced patches for dunfell?


Sent just now.

Regards,
Kai



Thanks,

Steve



Regards,

On Tue, Feb 14, 2023 at 3:22 PM Kai Kang  wrote:

From: Kai Kang 

Backport 2 patches and rebase
0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch to fix
compile error:

../qemu-6.2.0/hw/display/qxl.c: In function 'qxl_phys2virt':
../qemu-6.2.0/hw/display/qxl.c:1477:67: error: 'size' undeclared (first use in 
this function); did you mean 'gsize'?
  1477 | if (!qxl_get_check_slot_offset(qxl, pqxl, , , 
size)) {
   |   ^~~~
   |   gsize
../qemu-6.2.0/hw/display/qxl.c:1477:67: note: each undeclared identifier is 
reported only once for each function it appears in

Signed-off-by: Kai Kang 
---
  meta/recipes-devtools/qemu/qemu.inc   |   2 +
  ...ave-qxl_log_command-Return-early-if-.patch |  57 +
  ...ass-requested-buffer-size-to-qxl_phy.patch | 217 ++
  3 files changed, 276 insertions(+)
  create mode 100644 
meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch
  create mode 100644 
meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index b68be447f1..5430718f75 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -93,6 +93,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch 
\
 file://CVE-2022-3165.patch \
 file://CVE-2022-4144.patch \
+   
file://0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch \
+   
file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
 "
  UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
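Review bot: Both added files start with `0001-`, so their names give no hint of the order they apply in or of their tie to `file://CVE-2022-4144.patch` on the line above. Names that reference the CVE, or at least distinct sequence numbers, would stop a later cleanup from dropping them while keeping the CVE patch.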

diff --git 
a/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch
 
b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch
new file mode 100644
index 00..cd846222c9
--- /dev/null
+++ 
b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch
@@ -0,0 +1,57 @@
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/61c34fc]
+
+Signed-off-by: Kai Kang 
+
+From 61c34fc194b776ecadc39fb26b061331107e5599 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= 
+Date: Mon, 28 Nov 2022 21:27:37 +0100
+Subject: [PATCH] hw/display/qxl: Have qxl_log_command Return early if no
+ log_cmd handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Only 3 command types are logged: no need to call qxl_phys2virt()
+for the other types. Using different cases will help to pass
+different structure sizes to qxl_phys2virt() in a pair of commits.
+
+Reviewed-by: Marc-André Lureau 
+Signed-off-by: Philippe Mathieu-Daudé 
+Signed-off-by: Stefan Hajnoczi 
+Message-Id: <20221128202741.4945-2-phi...@linaro.org>
+---
+ hw/display/qxl-logger.c | 11 +++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c
+index 68bfa47568..1bcf803db6 100644
+--- a/hw/display/qxl-logger.c
 b/hw/display/qxl-logger.c
+@@ -247,6 +247,16 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, 
QXLCommandExt *ext)
+ qxl_name(qxl_type, ext->cmd.type),
+ compat ? "(compat)" : "");
+
++switch (ext->cmd.type) {
++case QXL_CMD_DRAW:
++break;
++case QXL_CMD_SURFACE:
++break;
++case QXL_CMD_CURSOR:
++break;
++default:
++goto out;
++}
+ data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ if (!data) {
+ return 1;
+@@ -269,6 +279,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, 
QXLCommandExt *ext)
+ qxl_log_cmd_cursor(qxl, data, ext->group_id);
+ break;
+ }
++out:
+ fprintf(stderr, "\n");
+ return 0;
+ }
+--
+2.34.1
+
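Review bot: The header of this new patch file carries only upstream's description; nothing in it says the file is here as a prerequisite for the rebased `0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch`, which only the commit message above explains. A sentence to that effect under `Upstream-Status` would keep the reason with the file.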
diff --git 
a/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
 
b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
new 

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Frederic Martinsons
On Tue, 14 Mar 2023 at 12:25, Alexander Kanavin  wrote:
>
> The other option is to add checksumming support to crate fetcher in bitbake. 
> If all items in src_uri are verified by fetchers directly for integrity from 
> checksums in the recipe, the cargo can generate cargo.lock anytime it wants 
> to.
>
> Alex
>

Ok, so If I understand correctly, that would mean a modification
inside bitbake/lib/bb/fetch2/crate.py to add such support ?
And if we have that, where the Cargo.lock generation should be made ?
it can only be during do_fetch step since it will
require network if a "git" dependencies is to be found in the project manifest.

View/Reply Online (#178488): https://lists.openembedded.org/g/openembedded-core/message/178488



[OE-core] [dunfell][PATCH 2/2] qemu: fix compile error

2023-03-14 Thread Kai Kang
From: Kai Kang 

Backport 2 patches and rebase
0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch to fix
compile error:

../qemu-6.2.0/hw/display/qxl.c: In function 'qxl_phys2virt':
../qemu-6.2.0/hw/display/qxl.c:1477:67: error: 'size' undeclared (first use in 
this function); did you mean 'gsize'?
 1477 | if (!qxl_get_check_slot_offset(qxl, pqxl, , , 
size)) {
  |   ^~~~
  |   gsize
../qemu-6.2.0/hw/display/qxl.c:1477:67: note: each undeclared identifier is 
reported only once for each function it appears in

(From OE-Core rev: b3f42317c1932253e7e6b2fd7a263bdbd6c2f69a)

Signed-off-by: Kai Kang 
Signed-off-by: Steve Sakoman 
Signed-off-by: Richard Purdie 
---
 meta/recipes-devtools/qemu/qemu.inc   |   2 +
 ...ave-qxl_log_command-Return-early-if-.patch |  57 +
 ...ass-requested-buffer-size-to-qxl_phy.patch | 217 ++
 3 files changed, 276 insertions(+)
 create mode 100644 
meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch
 create mode 100644 
meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 0649727338..b2b04c4536 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -117,6 +117,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3507.patch \
file://CVE-2021-3929.patch \
file://CVE-2022-4144.patch \
+   
file://0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch \
+   
file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
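Review bot: These two entries are appended after `file://CVE-2022-4144.patch`, and the commit message says they fix a compile error, so a tree with only patch 1/2 of this series applied does not build qemu. That breaks bisection on dunfell; I'd fold this change into 1/2, or state in both commit messages that the two must be taken together.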
 
diff --git 
a/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch
 
b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch
new file mode 100644
index 00..cd846222c9
--- /dev/null
+++ 
b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch
@@ -0,0 +1,57 @@
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/61c34fc]
+
+Signed-off-by: Kai Kang 
+
+From 61c34fc194b776ecadc39fb26b061331107e5599 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= 
+Date: Mon, 28 Nov 2022 21:27:37 +0100
+Subject: [PATCH] hw/display/qxl: Have qxl_log_command Return early if no
+ log_cmd handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Only 3 command types are logged: no need to call qxl_phys2virt()
+for the other types. Using different cases will help to pass
+different structure sizes to qxl_phys2virt() in a pair of commits.
+
+Reviewed-by: Marc-André Lureau 
+Signed-off-by: Philippe Mathieu-Daudé 
+Signed-off-by: Stefan Hajnoczi 
+Message-Id: <20221128202741.4945-2-phi...@linaro.org>
+---
+ hw/display/qxl-logger.c | 11 +++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c
+index 68bfa47568..1bcf803db6 100644
+--- a/hw/display/qxl-logger.c
 b/hw/display/qxl-logger.c
+@@ -247,6 +247,16 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, 
QXLCommandExt *ext)
+ qxl_name(qxl_type, ext->cmd.type),
+ compat ? "(compat)" : "");
+ 
++switch (ext->cmd.type) {
++case QXL_CMD_DRAW:
++break;
++case QXL_CMD_SURFACE:
++break;
++case QXL_CMD_CURSOR:
++break;
++default:
++goto out;
++}
+ data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ if (!data) {
+ return 1;
+@@ -269,6 +279,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, 
QXLCommandExt *ext)
+ qxl_log_cmd_cursor(qxl, data, ext->group_id);
+ break;
+ }
++out:
+ fprintf(stderr, "\n");
+ return 0;
+ }
+-- 
+2.34.1
+
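Review bot: `Upstream-Status: Backport [https://github.com/qemu/qemu/commit/61c34fc]` uses a seven-character abbreviated hash, while the `From` line a few lines down has the full `61c34fc194b776ecadc39fb26b061331107e5599`. Abbreviated hashes can become ambiguous as the upstream repository grows; I'd put the full hash in the URL.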
diff --git 
a/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
 
b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
new file mode 100644
index 00..ac51cf567a
--- /dev/null
+++ 
b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
@@ -0,0 +1,217 @@
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/8efec0e]
+
+Backport and rebase patch to fix compile error which imported by 
CVE-2022-4144.patch:
+
+../qemu-6.2.0/hw/display/qxl.c: In function 'qxl_phys2virt':
+../qemu-6.2.0/hw/display/qxl.c:1477:67: error: 'size' undeclared (first use in 
this function); did you mean 'gsize'?
+   1477 | if (!qxl_get_check_slot_offset(qxl, pqxl, , 
, size)) {
+   |   

[OE-core] [dunfell][PATCH 1/2] QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can lead to out-of-bounds read

2023-03-14 Thread Kai Kang
From: Hitendra Prajapati 

Upstream-Status: Backport from 
https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622

Signed-off-by: Hitendra Prajapati 
Signed-off-by: Steve Sakoman 

Replace the tabs with spaces to correct the indent.

Signed-off-by: Kai Kang 
---
 meta/recipes-devtools/qemu/qemu.inc   |   9 +-
 .../qemu/qemu/CVE-2022-4144.patch | 103 ++
 2 files changed, 108 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 36d0b9320f..0649727338 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -112,10 +112,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2022-0216-1.patch \
file://CVE-2022-0216-2.patch \
file://CVE-2021-3750.patch \
-  file://CVE-2021-3638.patch \
-  file://CVE-2021-20196.patch \
-  file://CVE-2021-3507.patch \
-  file://CVE-2021-3929.patch \
+   file://CVE-2021-3638.patch \
+   file://CVE-2021-20196.patch \
+   file://CVE-2021-3507.patch \
+   file://CVE-2021-3929.patch \
+   file://CVE-2022-4144.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
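Review bot: four existing SRC_URI entries (CVE-2021-3638 through CVE-2021-3929) are rewritten here only to change their indentation, next to the one functional addition of `file://CVE-2022-4144.patch`. The commit message does mention the tab-to-space change, but putting the whitespace cleanup in its own commit would leave the CVE backport as a one-line change to this file and make it easier to cherry-pick or revert.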
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
new file mode 100644
index 00..3f0d5fbd5c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
@@ -0,0 +1,103 @@
+From 6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= 
+Date: Mon, 28 Nov 2022 21:27:40 +0100
+Subject: [PATCH] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt
+ (CVE-2022-4144)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Have qxl_get_check_slot_offset() return false if the requested
+buffer size does not fit within the slot memory region.
+
+Similarly qxl_phys2virt() now returns NULL in such case, and
+qxl_dirty_one_surface() aborts.
+
+This avoids buffer overrun in the host pointer returned by
+memory_region_get_ram_ptr().
+
+Fixes: CVE-2022-4144 (out-of-bounds read)
+Reported-by: Wenxu Yin (@awxylitol)
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336
+
+Signed-off-by: Philippe Mathieu-Daudé 
+Signed-off-by: Stefan Hajnoczi 
+Message-Id: <20221128202741.4945-5-phi...@linaro.org>
+
+Upstream-Status: Backport 
[https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622]
+CVE: CVE-2022-4144
+Comments: Deleted patch hunk in qxl.h,as it contains change
+in comments which is not present in current version of qemu.
+
+Signed-off-by: Hitendra Prajapati 
+---
+ hw/display/qxl.c | 27 +++
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index cd7eb39d..6bc8385b 100644
+--- a/hw/display/qxl.c
 b/hw/display/qxl.c
+@@ -1440,11 +1440,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d)
+ 
+ /* can be also called from spice server thread context */
+ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+-  uint32_t *s, uint64_t *o)
++  uint32_t *s, uint64_t *o,
++  size_t size_requested)
+ {
+ uint64_t phys   = le64_to_cpu(pqxl);
+ uint32_t slot   = (phys >> (64 -  8)) & 0xff;
+ uint64_t offset = phys & 0x;
++uint64_t size_available;
+ 
+ if (slot >= NUM_MEMSLOTS) {
+ qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot,
+@@ -1468,6 +1470,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice 
*qxl, QXLPHYSICAL pqxl,
+   slot, offset, qxl->guest_slots[slot].size);
+ return false;
+ }
++size_available = memory_region_size(qxl->guest_slots[slot].mr);
++if (qxl->guest_slots[slot].offset + offset >= size_available) {
++qxl_set_guest_bug(qxl,
++  "slot %d offset %"PRIu64" > region size 
%"PRIu64"\n",
++  slot, qxl->guest_slots[slot].offset + offset,
++  size_available);
++return false;
++}
++size_available -= qxl->guest_slots[slot].offset + offset;
++if (size_requested > size_available) {
++qxl_set_guest_bug(qxl,
++  "slot %d offset %"PRIu64" size %zu: "
++  "overrun by %"PRIu64" bytes\n",
++  slot, offset, size_requested,
++  size_requested - size_available);
++return false;
++}
+ 
+ *s = slot;
+ *o = offset;
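Review bot: the first added check tests `>=` but its guest-bug text prints `>`, so an offset that lands exactly on the end of the region is reported with a comparison that reads as false. As a backport this should stay identical to upstream, so no code change is requested, but the patch header could note that `size_available -= qxl->guest_slots[slot].offset + offset` is safe only because that offset check comes first; reordering the two blocks in a later rebase would turn the subtraction into an unsigned underflow.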
+@@ -1486,7 +1505,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, 
int group_id)
+ 

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Frederic Martinsons
On Tue, 14 Mar 2023 at 11:35, Alexander Kanavin  wrote:
>
> --offline seems like the right thing to add, if it produces better errors.
>
> Generating Cargo.lock on the other hand is not right. We rely on rust
> checking the source tree against the checksums in Cargo.lock (to
> prevent supply chain attacks), and this would completely subvert that.
> There could be better diagnostics around missing Cargo.lock, and steps
> to address the issue, but such steps must be manually taken (even
> though they could be codified in a special task, similar to how
> generating list of crates in SRC_URI is a task).
>
> Alex
>

Ok, I see what you mean: generating the Cargo.lock in a dedicated task
inside meta/classes-recipe/cargo-update-recipe-crates.bbclass
or maybe a dedicated meta/classes-recipe/cargo-generate-lockfile.bbclass?

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#178485): 
https://lists.openembedded.org/g/openembedded-core/message/178485
Mute This Topic: https://lists.openembedded.org/mt/97555635/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Frederic Martinsons
> Cool, will pick that up... the code needs some tests which is where it
> stalled last time.

Any help I can provide to you for having this patch merged? Are you
talking about unit testing?

> >  
> > https://doc.rust-lang.org/cargo/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries
> > It is not for "library" project.
> >
>
> So I'm clear, you're building a library project here?
>
> Could you consume your library into a wrapper project which brings
> Cargo.lock along with it? Other than running tests on it, I'm not sure
> what the value in building a library project is.
>

No, I build a binary but was not aware of the recommendation to add Cargo.lock
to version control (and was not aware that it was the absence of this
file which makes cargo execute network operations during build).
I just started using Rust several weeks ago so every day I learn new
things ;)

> > Maybe we can add a "cargo generate-lockfile"
> > (https://doc.rust-lang.org/cargo/commands/cargo-generate-lockfile.html)
> > at the end of do_fetch ?
> > Moreover, I think we should add the `--offline` option to cargo build
> > because the error generated will be more clear:
> >
>
> Let me chuck that across our code base, I was fairly sure I'd seen
> different problems with it, but it may have been whilst I was
> debugging this first time around and am mis-remembering.
>

Alright.




Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Alex Kiernan
On Tue, Mar 14, 2023 at 10:25 AM Frédéric Martinsons
 wrote:
>
> Hello, I finally found why my setup didn't work. That was not related
> to https versus ssh.
> For the patch provided in
> https://patchwork.yoctoproject.org/project/oe-core/patch/20221030173815.10212-2-alex.kier...@gmail.com/
> to work, the repository should have a Cargo.lock file.
> Without the Cargo.lock file, the cargo build will try to generate it
> (and so needs network access).
>
> Note that I made a little change to the patch to support user in url
> (the patch process in cargo only work if url is exact match):
>
> @@ -135,7 +135,10 @@ python cargo_common_do_patch_paths() {
>  name = ud.parm.get('name')
>  destsuffix = ud.parm.get('destsuffix')
>  if name is not None and destsuffix is not None:
> -repo = '%s://%s%s' % (ud.proto, ud.host, ud.path)
> +if ud.user:
> +repo = '%s://%s@%s%s' % (ud.proto, ud.user,
> ud.host, ud.path)
> +else:
> +repo = '%s://%s%s' % (ud.proto, ud.host, ud.path)
>  path = '%s = { path = "%s" }' % (name,
> os.path.join(workdir, destsuffix))
>  patches.setdefault(repo, []).append(path)
>

Cool, will pick that up... the code needs some tests which is where it
stalled last time.

> Anyway, I would like to know how to you feel with this need for
> Cargo.lock problem ?
> Because for it to be generated, the project needs to be built once and
> if this is expected for binary type to have Cargo.lock under version
> control:
>  
> https://doc.rust-lang.org/cargo/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries
> It is not for "library" project.
>

So I'm clear, you're building a library project here?

Could you consume your library into a wrapper project which brings
Cargo.lock along with it? Other than running tests on it, I'm not sure
what the value in building a library project is.

> Maybe we can add a "cargo generate-lockfile"
> (https://doc.rust-lang.org/cargo/commands/cargo-generate-lockfile.html)
> at the end of do_fetch ?
> Moreover, I think we should add the `--offline` option to cargo build
> because the error generated will be more clear:
>

Let me chuck that across our code base, I was fairly sure I'd seen
different problems with it, but it may have been whilst I was
debugging this first time around and am mis-remembering.

> | DEBUG: Executing shell function do_compile
> | NOTE: Using rust targets from
> /var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/rust-targets/
> | NOTE: cargo =
> /var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/recipe-sysroot-native/usr/bin/cargo
> | NOTE: cargo build -v --offline --target x86_64-poky-linux-gnu
> --release 
> --manifest-path=/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git//Cargo.toml
> | error: failed to get `zbus-git-dep-test` as a dependency of package
> `zbus-test v0.0.1
> (/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git)`
> |
> | Caused by:
> |  failed to load source for dependency `zbus-git-dep-test`
> |
> | Caused by:
> |  Unable to update
> ssh://g...@gitlab.com/fmartinsons/zbus-git-dep-test.git?branch=main
> |
> | Caused by:
> |  can't checkout from
> 'ssh://g...@gitlab.com/fmartinsons/zbus-git-dep-test.git': you are in
> the offline mode (--offline)
> | WARNING: exit code 101 from a shell command.
>
> Instead of
>
> | DEBUG: Executing shell function do_compile
> | NOTE: Using rust targets from
> /var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/rust-targets/
> | NOTE: cargo =
> /var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/recipe-sysroot-native/usr/bin/cargo
> | NOTE: cargo build -v --target x86_64-poky-linux-gnu --release
> --manifest-path=/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git//Cargo.toml
> |   Updating git repository
> `ssh://g...@gitlab.com/fmartinsons/zbus-git-dep-test.git`
> | warning: spurious network error (2 tries remaining): failed to
> resolve address for gitlab.com: Temporary failure in name resolution;
> class=Net (12)
> | warning: spurious network error (1 tries remaining): failed to
> resolve address for gitlab.com: Temporary failure in name resolution;
> class=Net (12)
> | error: failed to get `zbus-git-dep-test` as a dependency of package
> `zbus-test v0.0.1
> (/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git)`
> |
> | Caused by:
> |  failed to load source for dependency 

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Alexander Kanavin
The other option is to add checksumming support to crate fetcher in
bitbake. If all items in src_uri are verified by fetchers directly for
integrity from checksums in the recipe, the cargo can generate cargo.lock
anytime it wants to.

Alex

On Tue 14. Mar 2023 at 11.35, Alexander Kanavin via lists.openembedded.org
 wrote:

> --offline seems like the right thing to add, if it produces better errors.
>
> Generating Cargo.lock on the other hand is not right. We rely on rust
> checking the source tree against the checksums in Cargo.lock (to
> prevent supply chain attacks), and this would completely subvert that.
> There could be better diagnostics around missing Cargo.lock, and steps
> to address the issue, but such steps must be manually taken (even
> though they could be codified in a special task, similar to how
> generating list of crates in SRC_URI is a task).
>
> Alex
>
> On Tue, 14 Mar 2023 at 11:25, Frédéric Martinsons
>  wrote:
> >
> > Hello, I finally found why my setup didn't work. That was not related
> > to https versus ssh.
> > For the patch provided in
> >
> https://patchwork.yoctoproject.org/project/oe-core/patch/20221030173815.10212-2-alex.kier...@gmail.com/
> > to work, the repository should have a Cargo.lock file.
> > Without the Cargo.lock file, the cargo build will try to generate it
> > (and so needs network access).
> >
> > Note that I made a little change to the patch to support user in url
> > (the patch process in cargo only work if url is exact match):
> >
> > @@ -135,7 +135,10 @@ python cargo_common_do_patch_paths() {
> >  name = ud.parm.get('name')
> >  destsuffix = ud.parm.get('destsuffix')
> >  if name is not None and destsuffix is not None:
> > -repo = '%s://%s%s' % (ud.proto, ud.host, ud.path)
> > +if ud.user:
> > +repo = '%s://%s@%s%s' % (ud.proto, ud.user,
> > ud.host, ud.path)
> > +else:
> > +repo = '%s://%s%s' % (ud.proto, ud.host, ud.path)
> >  path = '%s = { path = "%s" }' % (name,
> > os.path.join(workdir, destsuffix))
> >  patches.setdefault(repo, []).append(path)
> >
> > Anyway, I would like to know how to you feel with this need for
> > Cargo.lock problem ?
> > Because for it to be generated, the project needs to be built once and
> > if this is expected for binary type to have Cargo.lock under version
> > control:
> >
> https://doc.rust-lang.org/cargo/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries
> > It is not for "library" project.
> >
> > Maybe we can add a "cargo generate-lockfile"
> > (https://doc.rust-lang.org/cargo/commands/cargo-generate-lockfile.html)
> > at the end of do_fetch ?
> > Moreover, I think we should add the `--offline` option to cargo build
> > because the error generated will be more clear:
> >
> > | DEBUG: Executing shell function do_compile
> > | NOTE: Using rust targets from
> >
> /var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/rust-targets/
> > | NOTE: cargo =
> >
> /var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/recipe-sysroot-native/usr/bin/cargo
> > | NOTE: cargo build -v --offline --target x86_64-poky-linux-gnu
> > --release
> --manifest-path=/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git//Cargo.toml
> > | error: failed to get `zbus-git-dep-test` as a dependency of package
> > `zbus-test v0.0.1
> >
> (/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git)`
> > |
> > | Caused by:
> > |  failed to load source for dependency `zbus-git-dep-test`
> > |
> > | Caused by:
> > |  Unable to update
> > ssh://g...@gitlab.com/fmartinsons/zbus-git-dep-test.git?branch=main
> > |
> > | Caused by:
> > |  can't checkout from
> > 'ssh://g...@gitlab.com/fmartinsons/zbus-git-dep-test.git': you are in
> > the offline mode (--offline)
> > | WARNING: exit code 101 from a shell command.
> >
> > Instead of
> >
> > | DEBUG: Executing shell function do_compile
> > | NOTE: Using rust targets from
> >
> /var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/rust-targets/
> > | NOTE: cargo =
> >
> /var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/recipe-sysroot-native/usr/bin/cargo
> > | NOTE: cargo build -v --target x86_64-poky-linux-gnu --release
> >
> --manifest-path=/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git//Cargo.toml
> > |   Updating git repository
> > `ssh://g...@gitlab.com/fmartinsons/zbus-git-dep-test.git`
> 
> > | warning: spurious 

Re: [OE-core] base-files: any reason hosts contains localhost.localdomain

2023-03-14 Thread Jermain Horsman
Would it be appropriate to backport this to dunfell too?

If so, should I send in a patch? I'm not entirely sure what the general process 
is in these cases.

Sincerely,

Jermain Horsman




Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Alexander Kanavin
--offline seems like the right thing to add, if it produces better errors.

Generating Cargo.lock on the other hand is not right. We rely on rust
checking the source tree against the checksums in Cargo.lock (to
prevent supply chain attacks), and this would completely subvert that.
There could be better diagnostics around missing Cargo.lock, and steps
to address the issue, but such steps must be manually taken (even
though they could be codified in a special task, similar to how
generating list of crates in SRC_URI is a task).

Alex

On Tue, 14 Mar 2023 at 11:25, Frédéric Martinsons
 wrote:
>
> Hello, I finally found why my setup didn't work. That was not related
> to https versus ssh.
> For the patch provided in
> https://patchwork.yoctoproject.org/project/oe-core/patch/20221030173815.10212-2-alex.kier...@gmail.com/
> to work, the repository should have a Cargo.lock file.
> Without the Cargo.lock file, the cargo build will try to generate it
> (and so needs network access).
>
> Note that I made a little change to the patch to support user in url
> (the patch process in cargo only work if url is exact match):
>
> @@ -135,7 +135,10 @@ python cargo_common_do_patch_paths() {
>  name = ud.parm.get('name')
>  destsuffix = ud.parm.get('destsuffix')
>  if name is not None and destsuffix is not None:
> -repo = '%s://%s%s' % (ud.proto, ud.host, ud.path)
> +if ud.user:
> +repo = '%s://%s@%s%s' % (ud.proto, ud.user,
> ud.host, ud.path)
> +else:
> +repo = '%s://%s%s' % (ud.proto, ud.host, ud.path)
>  path = '%s = { path = "%s" }' % (name,
> os.path.join(workdir, destsuffix))
>  patches.setdefault(repo, []).append(path)
>
> Anyway, I would like to know how to you feel with this need for
> Cargo.lock problem ?
> Because for it to be generated, the project needs to be built once and
> if this is expected for binary type to have Cargo.lock under version
> control:
>  
> https://doc.rust-lang.org/cargo/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries
> It is not for "library" project.
>
> Maybe we can add a "cargo generate-lockfile"
> (https://doc.rust-lang.org/cargo/commands/cargo-generate-lockfile.html)
> at the end of do_fetch ?
> Moreover, I think we should add the `--offline` option to cargo build
> because the error generated will be more clear:
>
> | DEBUG: Executing shell function do_compile
> | NOTE: Using rust targets from
> /var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/rust-targets/
> | NOTE: cargo =
> /var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/recipe-sysroot-native/usr/bin/cargo
> | NOTE: cargo build -v --offline --target x86_64-poky-linux-gnu
> --release 
> --manifest-path=/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git//Cargo.toml
> | error: failed to get `zbus-git-dep-test` as a dependency of package
> `zbus-test v0.0.1
> (/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git)`
> |
> | Caused by:
> |  failed to load source for dependency `zbus-git-dep-test`
> |
> | Caused by:
> |  Unable to update
> ssh://g...@gitlab.com/fmartinsons/zbus-git-dep-test.git?branch=main
> |
> | Caused by:
> |  can't checkout from
> 'ssh://g...@gitlab.com/fmartinsons/zbus-git-dep-test.git': you are in
> the offline mode (--offline)
> | WARNING: exit code 101 from a shell command.
>
> Instead of
>
> | DEBUG: Executing shell function do_compile
> | NOTE: Using rust targets from
> /var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/rust-targets/
> | NOTE: cargo =
> /var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/recipe-sysroot-native/usr/bin/cargo
> | NOTE: cargo build -v --target x86_64-poky-linux-gnu --release
> --manifest-path=/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git//Cargo.toml
> |   Updating git repository
> `ssh://g...@gitlab.com/fmartinsons/zbus-git-dep-test.git`
> | warning: spurious network error (2 tries remaining): failed to
> resolve address for gitlab.com: Temporary failure in name resolution;
> class=Net (12)
> | warning: spurious network error (1 tries remaining): failed to
> resolve address for gitlab.com: Temporary failure in name resolution;
> class=Net (12)
> | error: failed to get `zbus-git-dep-test` as a dependency of package
> `zbus-test v0.0.1
> (/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git)`
> |
> | Caused by:
> |  failed to load source for dependency 
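The check this message relies on (fetched sources compared against what a committed Cargo.lock pins) can be sketched as below; it is an added example, not code from OE-core, bitbake or cargo. The function names, the `<name>-<version>.crate` file naming, the sample lockfile and the `example.invalid` URL are assumptions made for the illustration. It also shows why a lockfile generated at build time proves nothing: it would simply record whatever was fetched.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample lockfile (not taken from the thread). The registry entry
# carries a sha256 "checksum"; the git entry has none and is pinned only by
# the commit id after '#' in its "source".
SAMPLE_LOCK = """\
version = 3

[[package]]
name = "zbus-test"
version = "0.0.1"
dependencies = [
 "libc",
 "zbus-git-dep-test",
]

[[package]]
name = "libc"
version = "0.2.140"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "{libc_sum}"

[[package]]
name = "zbus-git-dep-test"
version = "0.1.0"
source = "git+ssh://git@example.invalid/demo/zbus-git-dep-test.git?branch=main#0123456789abcdef0123456789abcdef01234567"
"""

_KV = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')


def parse_lock(text):
    """Return the [[package]] tables of a Cargo.lock as dicts of string keys."""
    packages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):
            current = None  # some other table, e.g. [metadata]
        elif current is not None:
            match = _KV.match(line)
            if match:  # array lines such as dependencies are skipped
                current[match.group(1)] = match.group(2)
    return packages


def audit(lock_text, crate_dir):
    """Classify every locked package against the files in crate_dir.

    Results: 'local' (no source), 'ok', 'mismatch', 'missing' (no .crate file),
    'git-pinned' (full commit id in source), 'unpinned', 'unknown-source'.
    """
    report = {}
    for pkg in parse_lock(lock_text):
        ident = "%s-%s" % (pkg["name"], pkg["version"])
        source = pkg.get("source", "")
        if not source:
            report[ident] = "local"
        elif source.startswith("registry+"):
            expected = pkg.get("checksum")
            crate = Path(crate_dir) / (ident + ".crate")  # assumed file naming
            if expected is None:
                report[ident] = "unpinned"
            elif not crate.is_file():
                report[ident] = "missing"
            else:
                actual = hashlib.sha256(crate.read_bytes()).hexdigest()
                report[ident] = "ok" if actual == expected.lower() else "mismatch"
        elif source.startswith("git+"):
            rev = source.rpartition("#")[2] if "#" in source else ""
            pinned = re.fullmatch(r"[0-9a-f]{40}", rev) is not None
            report[ident] = "git-pinned" if pinned else "unpinned"
        else:
            report[ident] = "unknown-source"
    return report


def demo():
    """Audit a constructed crate file, then audit again after altering it."""
    with tempfile.TemporaryDirectory() as tmp:
        crate = Path(tmp) / "libc-0.2.140.crate"
        good = b"constructed stand-in for the libc crate archive"
        crate.write_bytes(good)
        lock = SAMPLE_LOCK.format(libc_sum=hashlib.sha256(good).hexdigest())
        before = audit(lock, tmp)
        crate.write_bytes(good + b" altered after the lockfile was committed")
        after = audit(lock, tmp)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

Git dependencies such as the `zbus-git-dep-test` one in this thread carry no `checksum` field at all, so for them the only integrity anchor in the lockfile is the commit id.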

Re: [OE-core] [PATCH] cargo_common.bbclass: do not use buit-in git to fetch crates

2023-03-14 Thread Frederic Martinsons
Hello, I finally found why my setup didn't work. That was not related
to https versus ssh.
For the patch provided in
https://patchwork.yoctoproject.org/project/oe-core/patch/20221030173815.10212-2-alex.kier...@gmail.com/
to work, the repository should have a Cargo.lock file.
Without the Cargo.lock file, the cargo build will try to generate it
(and so needs network access).

Note that I made a little change to the patch to support a user in the URL
(the patch process in cargo only works if the URL is an exact match):

@@ -135,7 +135,10 @@ python cargo_common_do_patch_paths() {
 name = ud.parm.get('name')
 destsuffix = ud.parm.get('destsuffix')
 if name is not None and destsuffix is not None:
-repo = '%s://%s%s' % (ud.proto, ud.host, ud.path)
+if ud.user:
+repo = '%s://%s@%s%s' % (ud.proto, ud.user,
ud.host, ud.path)
+else:
+repo = '%s://%s%s' % (ud.proto, ud.host, ud.path)
 path = '%s = { path = "%s" }' % (name,
os.path.join(workdir, destsuffix))
 patches.setdefault(repo, []).append(path)
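Review bot: the new `if ud.user:` branch puts back only the user name, so `repo` still differs from the URL in Cargo.toml whenever the original carries anything that is not in `ud.proto`, `ud.user`, `ud.host` or `ud.path`, and as the message says the match has to be exact. Building the authority part once (user plus host) and formatting a single `'%s://%s%s'` string would remove the duplicated format, and a test with and without a user in the URL would cover both branches.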

Anyway, I would like to know how you feel about this need for
Cargo.lock problem?
Because for it to be generated, the project needs to be built once, and
while a binary project is expected to have Cargo.lock under version
control:
 
https://doc.rust-lang.org/cargo/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries
a "library" project is not.

Maybe we can add a "cargo generate-lockfile"
(https://doc.rust-lang.org/cargo/commands/cargo-generate-lockfile.html)
at the end of do_fetch ?
Moreover, I think we should add the `--offline` option to cargo build
because the error generated will be more clear:

| DEBUG: Executing shell function do_compile
| NOTE: Using rust targets from
/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/rust-targets/
| NOTE: cargo =
/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/recipe-sysroot-native/usr/bin/cargo
| NOTE: cargo build -v --offline --target x86_64-poky-linux-gnu
--release 
--manifest-path=/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git//Cargo.toml
| error: failed to get `zbus-git-dep-test` as a dependency of package
`zbus-test v0.0.1
(/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git)`
|
| Caused by:
|  failed to load source for dependency `zbus-git-dep-test`
|
| Caused by:
|  Unable to update
ssh://g...@gitlab.com/fmartinsons/zbus-git-dep-test.git?branch=main
|
| Caused by:
|  can't checkout from
'ssh://g...@gitlab.com/fmartinsons/zbus-git-dep-test.git': you are in
the offline mode (--offline)
| WARNING: exit code 101 from a shell command.

Instead of

| DEBUG: Executing shell function do_compile
| NOTE: Using rust targets from
/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/rust-targets/
| NOTE: cargo =
/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/recipe-sysroot-native/usr/bin/cargo
| NOTE: cargo build -v --target x86_64-poky-linux-gnu --release
--manifest-path=/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git//Cargo.toml
|   Updating git repository
`ssh://g...@gitlab.com/fmartinsons/zbus-git-dep-test.git`
| warning: spurious network error (2 tries remaining): failed to
resolve address for gitlab.com: Temporary failure in name resolution;
class=Net (12)
| warning: spurious network error (1 tries remaining): failed to
resolve address for gitlab.com: Temporary failure in name resolution;
class=Net (12)
| error: failed to get `zbus-git-dep-test` as a dependency of package
`zbus-test v0.0.1
(/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/git)`
|
| Caused by:
|  failed to load source for dependency `zbus-git-dep-test`
|
| Caused by:
|  Unable to update
ssh://g...@gitlab.com/fmartinsons/zbus-git-dep-test.git?branch=main
|
| Caused by:
|  failed to clone into:
/var/lib/jenkins/YOCTO_POKY_MASTER_TEST/poky/build/tmp/work/core2-64-poky-linux/zbus-test/0.1.0.AUTOINC+507d3327e2-r0/cargo_home/git/db/zbus-git-dep-test-7f2b6322e3bb0cd5
|
| Caused by:
|  network failure seems to have happened
|  if a proxy or similar is necessary `net.git-fetch-with-cli` may help here
|  https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli
|
| Caused by:
|  failed to resolve address for gitlab.com: Temporary failure in name
resolution; class=Net (12)|
|  WARNING: exit code 101 from a shell command.


In any case, I'll be glad to work on this patch if you tell me 

Re: [OE-core] [PATCH 2/7] bitbake.conf: do not set native opengl distro feature from target

2023-03-14 Thread Alexander Kanavin
On second thought I'm not sure anymore. The issue comes from items
requiring -native versions of themselves, and REQUIRED_DISTRO_FEATURES
(which skips unbuildable recipes) doesn't cross that boundary. If
opengl is in target features, but not in native features, then it
won't figure out that skipping is required.

Should we just keep opengl in native distro features by default?
Sooner or later there will be an item in core that needs gtk4-native
(and thus mesa-native and llvm-native). Llvm is not *that* heavy, rust
for example is four times heavier.

Alex

On Tue, 14 Mar 2023 at 09:37, Alexander Kanavin via
lists.openembedded.org 
wrote:
>
> This means opengl has to be added to DISTRO_FEATURES_NATIVE for this
> build. I'll send a patch.
>
> Alex
>
> On Tue, 14 Mar 2023 at 00:10, Khem Raj  wrote:
> >
> > also seeing below errors which are related too
> >
> > ERROR: Nothing PROVIDES 'gtk4-native' (but
> > /mnt/b/yoe/master/sources/meta-openembedded/meta-gnome/recipes-gnome/gnome-bluetooth/gnome-bluetooth_42.5.bb,
> > /mnt/b/yoe/master/
> > sources/meta-openembedded/meta-gnome/recipes-gnome/gnome-text-editor/gnome-text-editor_43.1.bb,
> > /mnt/b/yoe/master/sources/meta-openembedded/meta-gnome/recipes-gnome/gnome-
> > chess/gnome-chess_43.1.bb,
> > /mnt/b/yoe/master/sources/meta-openembedded/meta-gnome/recipes-gnome/gnome-calculator/gnome-calculator_43.0.1.bb
> > DEPENDS on or otherwise require
> > s it)
> > gtk4-native was skipped: missing required distro feature 'opengl' (not
> > in DISTRO_FEATURES)
> >
> > On Mon, Mar 13, 2023 at 3:45 PM Khem Raj  wrote:
> > >
> > > I am seeing waylandpp failing to build and YP layer compatibility tests 
> > > failing.
> > >
> > > https://autobuilder.yoctoproject.org/typhoon/#/builders/88/builds/2557/steps/11/logs/stdio
> > >
> > > On Sun, Mar 12, 2023 at 7:51 AM Alexander Kanavin
> > >  wrote:
> > > >
> > > > This makes native opengl (and thus accelerated graphics in qemu) opt-in;
> > > > the reason is that latest mesa tightly couples hardware drivers with 
> > > > its libraries,
> > > > so we have to build both in mesa-native. Doing so significantly 
> > > > lengthens
> > > > the builds, and so cannot be imposed by default.
> > > >
> > > > Add a check and a hint to runqemu so that there is a helpful error when
> > > > there is no native/nativesdk opengl/virgl support.
> > > >
> > > > Signed-off-by: Alexander Kanavin 
> > > > ---
> > > >  meta/conf/bitbake.conf   |  4 ++--
> > > >  meta/lib/oeqa/selftest/cases/runtime_test.py |  4 ++--
> > > >  scripts/runqemu  | 11 ++-
> > > >  3 files changed, 14 insertions(+), 5 deletions(-)
> > > >
> > > > diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
> > > > index afd9e2f552..d1dc428583 100644
> > > > --- a/meta/conf/bitbake.conf
> > > > +++ b/meta/conf/bitbake.conf
> > > > @@ -912,8 +912,8 @@ DISTRO_FEATURES_NATIVESDK ?= "x11"
> > > >
> > > >  # Normally target distro features will not be applied to native builds:
> > > >  # Native distro features on this list will use the target feature value
> > > > -DISTRO_FEATURES_FILTER_NATIVE ?= "api-documentation debuginfod opengl 
> > > > wayland"
> > > > -DISTRO_FEATURES_FILTER_NATIVESDK ?= "api-documentation debuginfod 
> > > > opengl wayland"
> > > > +DISTRO_FEATURES_FILTER_NATIVE ?= "api-documentation debuginfod wayland"
> > > > +DISTRO_FEATURES_FILTER_NATIVESDK ?= "api-documentation debuginfod 
> > > > wayland"
> > > >
> > > >  DISTRO_FEATURES_BACKFILL = "pulseaudio sysvinit 
> > > > gobject-introspection-data ldconfig"
> > > >  MACHINE_FEATURES_BACKFILL = "rtc qemu-usermode"
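Review bot: after `opengl` is dropped from DISTRO_FEATURES_FILTER_NATIVE and DISTRO_FEATURES_FILTER_NATIVESDK, nothing in this file tells a user that native opengl now has to be requested separately. A comment next to these two lines naming `DISTRO_FEATURES_NATIVE:append = " opengl"` (the form the selftest change in this series uses) would help, given that the replies above show gtk4-native being skipped for the missing 'opengl' feature.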
> > > > diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py 
> > > > b/meta/lib/oeqa/selftest/cases/runtime_test.py
> > > > index 81b8d056cc..661c09c109 100644
> > > > --- a/meta/lib/oeqa/selftest/cases/runtime_test.py
> > > > +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
> > > > @@ -232,7 +232,7 @@ class TestImage(OESelftestTestCase):
> > > >  if 'sdl' not in qemu_packageconfig:
> > > >  features += 'PACKAGECONFIG:append:pn-qemu-system-native = 
> > > > " sdl"\n'
> > > >  if 'opengl' not in qemu_distrofeatures:
> > > > -features += 'DISTRO_FEATURES:append = " opengl"\n'
> > > > +features += 'DISTRO_FEATURES_NATIVE:append = " opengl"\n'
> > > >  features += 'TEST_SUITES = "ping ssh virgl"\n'
> > > >  features += 'IMAGE_FEATURES:append = " ssh-server-dropbear"\n'
> > > >  features += 'IMAGE_INSTALL:append = " kmscube"\n'
> > > > @@ -264,7 +264,7 @@ class TestImage(OESelftestTestCase):
> > > >  qemu_distrofeatures = get_bb_var('DISTRO_FEATURES', 
> > > > 'qemu-system-native')
> > > >  features = 'IMAGE_CLASSES += "testimage"\n'
> > > >  if 'opengl' not in qemu_distrofeatures:
> > > > -features += 'DISTRO_FEATURES:append = " opengl"\n'
> > > > +features += 'DISTRO_FEATURES_NATIVE:append = " opengl"\n'
> > > > 

[OE-core][dunfell][PATCH] libarchive: fix CVE-2022-26280

2023-03-14 Thread Andrej Valek
Backport fix from https://github.com/libarchive/libarchive/issues/1672

Signed-off-by: Andrej Valek 
---
 .../libarchive/CVE-2022-26280.patch   | 29 +++
 .../libarchive/libarchive_3.4.2.bb|  1 +
 2 files changed, 30 insertions(+)
 create mode 100644 
meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch 
b/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch
new file mode 100644
index 00..501fcc5848
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch
@@ -0,0 +1,29 @@
+From cfaa28168a07ea4a53276b63068f94fce37d6aff Mon Sep 17 00:00:00 2001
+From: Tim Kientzle 
+Date: Thu, 24 Mar 2022 10:35:00 +0100
+Subject: [PATCH] ZIP reader: fix possible out-of-bounds read in
+ zipx_lzma_alone_init()
+
+Fixes #1672
+
+CVE: CVE-2022-26280
+Upstream-Status: Backport 
[https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff]
+Signed-off-by: Andrej Valek 
+
+---
+ libarchive/archive_read_support_format_zip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_zip.c 
b/libarchive/archive_read_support_format_zip.c
+index 38ada70b5..9d6c900b2 100644
+--- a/libarchive/archive_read_support_format_zip.c
 b/libarchive/archive_read_support_format_zip.c
+@@ -1667,7 +1667,7 @@ zipx_lzma_alone_init(struct archive_read *a, struct zip 
*zip)
+*/
+ 
+   /* Read magic1,magic2,lzma_params from the ZIPX stream. */
+-  if((p = __archive_read_ahead(a, 9, NULL)) == NULL) {
++  if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, 
NULL)) == NULL) {
+   archive_set_error(>archive, ARCHIVE_ERRNO_FILE_FORMAT,
+   "Truncated lzma data");
+   return (ARCHIVE_FATAL);
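Review bot: the commit message gives only the upstream issue link, so add one line saying that the fix makes zipx_lzma_alone_init() reject an entry with `zip->entry_bytes_remaining < 9` before `__archive_read_ahead(a, 9, NULL)` runs, since that is the whole change. The new test is correctly placed first in the condition so it short-circuits, and both failure cases share the "Truncated lzma data" error. As archived here, the embedded patch's `b/libarchive/archive_read_support_format_zip.c` header line has lost its `+++` marker and `archive_set_error(>archive, ...` is not valid C, so compare the file that lands in the tree against upstream commit cfaa28168a07ea4a53276b63068f94fce37d6aff and confirm it applies cleanly.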
diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb 
b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
index e0a6174d8b..582787d3f3 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
@@ -39,6 +39,7 @@ SRC_URI = 
"http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://CVE-2021-23177.patch \
file://CVE-2021-31566-01.patch \
file://CVE-2021-31566-02.patch \
+   file://CVE-2022-26280.patch \
file://CVE-2022-36227.patch \
 "
 
-- 
2.39.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#178477): 
https://lists.openembedded.org/g/openembedded-core/message/178477
Mute This Topic: https://lists.openembedded.org/mt/9759/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core] [PATCH 2/7] bitbake.conf: do not set native opengl distro feature from target

2023-03-14 Thread Alexander Kanavin
This means opengl has to be added to DISTRO_FEATURES_NATIVE for this
build. I'll send a patch.

Alex

On Tue, 14 Mar 2023 at 00:10, Khem Raj  wrote:
>
> also seeing below errors which are related too
>
> ERROR: Nothing PROVIDES 'gtk4-native' (but
> /mnt/b/yoe/master/sources/meta-openembedded/meta-gnome/recipes-gnome/gnome-bluetooth/gnome-bluetooth_42.5.bb,
> /mnt/b/yoe/master/sources/meta-openembedded/meta-gnome/recipes-gnome/gnome-text-editor/gnome-text-editor_43.1.bb,
> /mnt/b/yoe/master/sources/meta-openembedded/meta-gnome/recipes-gnome/gnome-chess/gnome-chess_43.1.bb,
> /mnt/b/yoe/master/sources/meta-openembedded/meta-gnome/recipes-gnome/gnome-calculator/gnome-calculator_43.0.1.bb
> DEPENDS on or otherwise requires it)
> gtk4-native was skipped: missing required distro feature 'opengl' (not
> in DISTRO_FEATURES)
>
> On Mon, Mar 13, 2023 at 3:45 PM Khem Raj  wrote:
> >
> > I am seeing waylandpp failing to build and YP layer compatibility tests 
> > failing.
> >
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/88/builds/2557/steps/11/logs/stdio
> >
> > On Sun, Mar 12, 2023 at 7:51 AM Alexander Kanavin
> >  wrote:
> > >
> > > This makes native opengl (and thus accelerated graphics in qemu) opt-in;
> > > the reason is that latest mesa tightly couples hardware drivers with its 
> > > libraries,
> > > so we have to build both in mesa-native. Doing so significantly lengthens
> > > the builds, and so cannot be imposed by default.
> > >
> > > Add a check and a hint to runqemu so that there is a helpful error when
> > > there is no native/nativesdk opengl/virgl support.
> > >
> > > Signed-off-by: Alexander Kanavin 
> > > ---
> > >  meta/conf/bitbake.conf   |  4 ++--
> > >  meta/lib/oeqa/selftest/cases/runtime_test.py |  4 ++--
> > >  scripts/runqemu  | 11 ++-
> > >  3 files changed, 14 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
> > > index afd9e2f552..d1dc428583 100644
> > > --- a/meta/conf/bitbake.conf
> > > +++ b/meta/conf/bitbake.conf
> > > @@ -912,8 +912,8 @@ DISTRO_FEATURES_NATIVESDK ?= "x11"
> > >
> > >  # Normally target distro features will not be applied to native builds:
> > >  # Native distro features on this list will use the target feature value
> > > -DISTRO_FEATURES_FILTER_NATIVE ?= "api-documentation debuginfod opengl 
> > > wayland"
> > > -DISTRO_FEATURES_FILTER_NATIVESDK ?= "api-documentation debuginfod opengl 
> > > wayland"
> > > +DISTRO_FEATURES_FILTER_NATIVE ?= "api-documentation debuginfod wayland"
> > > +DISTRO_FEATURES_FILTER_NATIVESDK ?= "api-documentation debuginfod 
> > > wayland"
> > >
> > >  DISTRO_FEATURES_BACKFILL = "pulseaudio sysvinit 
> > > gobject-introspection-data ldconfig"
> > >  MACHINE_FEATURES_BACKFILL = "rtc qemu-usermode"
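Review bot: dropping `opengl` from `DISTRO_FEATURES_FILTER_NATIVE` and `DISTRO_FEATURES_FILTER_NATIVESDK` changes the default for every layer, but the two comment lines above the assignments do not say that native opengl now has to be requested explicitly through `DISTRO_FEATURES_NATIVE` / `DISTRO_FEATURES_NATIVESDK`. The replies in this thread show the fallout (`gtk4-native was skipped: missing required distro feature 'opengl'`), so a comment here naming the opt-in, plus a migration note, would save layer maintainers the same search.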
> > > diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py 
> > > b/meta/lib/oeqa/selftest/cases/runtime_test.py
> > > index 81b8d056cc..661c09c109 100644
> > > --- a/meta/lib/oeqa/selftest/cases/runtime_test.py
> > > +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
> > > @@ -232,7 +232,7 @@ class TestImage(OESelftestTestCase):
> > >  if 'sdl' not in qemu_packageconfig:
> > >  features += 'PACKAGECONFIG:append:pn-qemu-system-native = " 
> > > sdl"\n'
> > >  if 'opengl' not in qemu_distrofeatures:
> > > -features += 'DISTRO_FEATURES:append = " opengl"\n'
> > > +features += 'DISTRO_FEATURES_NATIVE:append = " opengl"\n'
> > >  features += 'TEST_SUITES = "ping ssh virgl"\n'
> > >  features += 'IMAGE_FEATURES:append = " ssh-server-dropbear"\n'
> > >  features += 'IMAGE_INSTALL:append = " kmscube"\n'
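Review bot: with the append moved to `DISTRO_FEATURES_NATIVE`, this test no longer adds `opengl` to the target `DISTRO_FEATURES`, yet the lines just below still set `TEST_SUITES = "ping ssh virgl"` and install `kmscube` into the image. If either depends on target opengl, a distro without it was covered by the old append and is not covered now; confirm that case, or append to both variables.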
> > > @@ -264,7 +264,7 @@ class TestImage(OESelftestTestCase):
> > >  qemu_distrofeatures = get_bb_var('DISTRO_FEATURES', 
> > > 'qemu-system-native')
> > >  features = 'IMAGE_CLASSES += "testimage"\n'
> > >  if 'opengl' not in qemu_distrofeatures:
> > > -features += 'DISTRO_FEATURES:append = " opengl"\n'
> > > +features += 'DISTRO_FEATURES_NATIVE:append = " opengl"\n'
> > >  features += 'TEST_SUITES = "ping ssh virgl"\n'
> > >  features += 'IMAGE_FEATURES:append = " ssh-server-dropbear"\n'
> > >  features += 'IMAGE_INSTALL:append = " kmscube"\n'
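Review bot: this is a second copy of the `if 'opengl' not in qemu_distrofeatures:` block already changed in the hunk at line 232, so the same one-line fix had to be made twice. A small shared helper that returns the common `features` string would keep the two tests from drifting the next time the variable name changes.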
> > > diff --git a/scripts/runqemu b/scripts/runqemu
> > > index 8e915f3d4c..9f82aa12f1 100755
> > > --- a/scripts/runqemu
> > > +++ b/scripts/runqemu
> > > @@ -447,7 +447,16 @@ class BaseConfig(object):
> > >  self.set("MACHINE", arg)
> > >
> > >  def set_dri_path(self):
> > > -self.qemu_environ['LIBGL_DRIVERS_PATH'] = 
> > > os.path.join(self.bindir_native, '../lib/dri')
> > > +drivers_path = os.path.join(self.bindir_native, '../lib/dri')
> > > +if not os.path.exists(drivers_path) or not 
> > > os.listdir(drivers_path):
> > > +raise RunQemuError("""
> > > +qemu has been built 
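Review bot: `os.listdir(drivers_path)` in the new check raises if `drivers_path` exists but is not a directory, because only `os.path.exists()` is tested before it; using `os.path.isdir(drivers_path)` instead would route that case to the `RunQemuError` hint as well. The hunk is cut off in this quote just after the start of the error text, so the message wording and the `LIBGL_DRIVERS_PATH` assignment that should follow the check cannot be reviewed from here.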

Re: [OE-core] [PATCH V2 4/5] xcb-proto: Fix install conflict when enable multilib.

2023-03-14 Thread Alexander Kanavin
Thanks, in this case the correct fix would be to install xcb-proto.pc
into $libdir, as it is indeed library specific. You need to patch
Makefile.am in xcb-proto's source tree, and offer the patch to
upstream.

Alex

On Tue, 14 Mar 2023 at 01:49, wan...@fujitsu.com  wrote:
>
> libxcb needs to find the python package in the path specified by pythondir 
> recorded in xcb-proto.pc. If the libdir line is deleted, libxcb will report 
> an error when compiling:
> | Failed to load the xcbgen Python package!
> | Make sure that xcb/proto installed it on your Python path.
> | If not, you will need to create a .pth file or define $PYTHONPATH
> | to extend the path.
> | Refer to the README file in xcb/proto for more info.
>
> The file contents after deleting libdir are compared as follows:
> @@ -2,10 +2,8 @@
>  exec_prefix=/usr
>  datarootdir=${prefix}/share
>  datadir=/usr/share
> -libdir=/usr/lib
>  xcbincludedir=${pc_sysrootdir}${datadir}/xcb
>  PYTHON_PREFIX=${prefix}
> -pythondir=${pc_sysrootdir}${libdir}/python3.11/site-packages
>
>  Name: XCB Proto
>  Description: X protocol descriptions for XCB
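Review bot: the comparison removes the `pythondir=` line along with `libdir=`, and `pythondir` is defined as `${pc_sysrootdir}${libdir}/python3.11/site-packages`, which matches the reported "Failed to load the xcbgen Python package!" failure. Any change to xcb-proto.pc has to keep `pythondir` resolvable, either by keeping `libdir` or by defining `pythondir` without it.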
>
>   --
> Best Regards
> ---
> Wang Mingyu
> Development Dept.I
> Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST) No. 6 Wenzhu Road, 
> Nanjing, 210012, China
> TEL: +86+25-86630566-8568
> COINS: 79988548
> FAX: +86+25-83317685
> MAIL: wan...@fujitsu.com
> http://www.fujitsu.com/cn/fnst/
>
> > -Original Message-
> > From: Alexander Kanavin 
> > Sent: Monday, March 13, 2023 3:50 PM
> > To: Wang, Mingyu/王 鸣瑜 
> > Cc: Richard Purdie ;
> > openembedded-core@lists.openembedded.org
> > Subject: Re: [OE-core] [PATCH V2 4/5] xcb-proto: Fix install conflict when enable multilib.
> >
> > On Mon, 13 Mar 2023 at 08:29, wangmy  wrote:
> > > When libxcb is compiled, it will read libdir from xcb-proto.pc to find the library.
> > > If this line is deleted, libxcb will report an error because it cannot find the directory of the library.
> >
> > Which library in particular? Can you show the error, and the point in 
> > libxcb's
> > code where it happens?
> > xcb-proto does not install any libraries, and so there is no reason for
> > xcb-proto.pc to tell where the libraries are.
> >
> > Alex




[OE-core] [PATCH] scripts/combo-layer: Fix python deprecation warning

2023-03-14 Thread Richard Purdie
Address:
DeprecationWarning: 'pipes' is deprecated and slated for removal in Python 3.13

pipes.quote is an alias for shlex.quote so switch to that.

Signed-off-by: Richard Purdie 
---
 scripts/combo-layer | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/combo-layer b/scripts/combo-layer
index 7f2020fca71..2312cef9ac1 100755
--- a/scripts/combo-layer
+++ b/scripts/combo-layer
@@ -19,7 +19,7 @@ import tempfile
 import configparser
 import re
 import copy
-import pipes
+import shlex
 import shutil
 from string import Template
 from functools import reduce
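Review bot: with `import pipes` removed here, any `pipes.` reference left elsewhere in `scripts/combo-layer` would fail with a NameError at run time instead of a deprecation warning, so grep the file before merging. The diffstat's three changed lines match this import plus the two `pipes.quote` calls in the hunks below, which suggests nothing was missed.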
@@ -1275,7 +1275,7 @@ def apply_commit(parent, rev, largs, wargs, dest_dir, 
file_filter=None):
 target = os.path.join(wargs["destdir"], dest_dir)
 if not os.path.isdir(target):
 os.makedirs(target)
-quoted_target = pipes.quote(target)
+quoted_target = shlex.quote(target)
 # os.sysconf('SC_ARG_MAX') is lying: running a command with
 # string length 629343 already failed with "Argument list too
 # long" although SC_ARG_MAX = 2097152. "man execve" explains
@@ -1287,7 +1287,7 @@ def apply_commit(parent, rev, largs, wargs, dest_dir, 
file_filter=None):
 unquoted_args = []
 cmdsize = 100 + len(quoted_target)
 while update:
-quoted_next = pipes.quote(update[0])
+quoted_next = shlex.quote(update[0])
 size_next = len(quoted_next) + len(dest_dir) + 1
 logger.debug('cmdline length %d + %d < %d?' % (cmdsize, 
size_next, os.sysconf('SC_ARG_MAX')))
 if cmdsize + size_next < max_cmdsize:
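Review bot: the `logger.debug` context line prints `os.sysconf('SC_ARG_MAX')` as the limit, but the comparison on the next line tests against `max_cmdsize`, so the debug output shows a different bound from the one actually enforced. While this block is being touched, passing `max_cmdsize` to the format string would make the log match the check.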
-- 
2.38.1

