[OE-core][kirkstone][PATCH v2] shadow: backport patch to fix CVE-2023-29383

[Xiangyu Chen]

From: Xiangyu Chen 

The fix of CVE-2023-29383.patch contains a bug that it rejects all
characters that are not control ones, so backup another patch named
"0001-Overhaul-valid_field.patch" from upstream to fix it.

Signed-off-by: Xiangyu Chen 
---
Changes

v1->v2: 
1. Based on latest oe-core commit
2. The fix of cve caused useradd/groupadd report errors as below:
"configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)"
"configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)"
so backport another patch to fix useradd/groupadd wrong paramter's issue.
3. Using CVE-xxx as fix of cve patch file name
---
 .../files/0001-Overhaul-valid_field.patch | 65 +++
 .../shadow/files/CVE-2023-29383.patch | 53 +++
 meta/recipes-extended/shadow/shadow.inc   |  2 +
 3 files changed, 120 insertions(+)
 create mode 100644 
meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
 create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch

diff --git a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch 
b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
new file mode 100644
index 00..ac08be515b
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
@@ -0,0 +1,65 @@
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= 
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+
+Upstream-Status: Backport 
[https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4]
+
+Signed-off-by: Xiangyu Chen 
+---
+ lib/fields.c | 24 ++--
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b582..53929248 100644
+--- a/lib/fields.c
 b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+ 
+   /* For each character of field, search if it appears in the list
+* of illegal characters. */
++  if (illegal && NULL != strpbrk (field, illegal)) {
++  return -1;
++  }
++
++  /* Search if there are non-printable or control characters */
+   for (cp = field; '\0' != *cp; cp++) {
+-  if (strchr (illegal, *cp) != NULL) {
++  unsigned char c = *cp;
++  if (!isprint (c)) {
++  err = 1;
++  }
++  if (iscntrl (c)) {
+   err = -1;
+   break;
+   }
+   }
+ 
+-  if (0 == err) {
+-  /* Search if there are non-printable or control characters */
+-  for (cp = field; '\0' != *cp; cp++) {
+-  if (!isprint (*cp)) {
+-  err = 1;
+-  }
+-  if (!iscntrl (*cp)) {
+-  err = -1;
+-  break;
+-  }
+-  }
+-  }
+-
+   return err;
+ }
+ 
+-- 
+2.34.1
+
diff --git a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch 
b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
new file mode 100644
index 00..f53341d3fc
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
@@ -0,0 +1,53 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderl...@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters 
are present.
+
+CVE: CVE-2023-29383
+Upstream-Status: Backport
+
+Reference to upstream:
+https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
+
+Signed-off-by: Xiangyu Chen 
+---
+ lib/fields.c | 11 +++
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931..fb51b582 100644
+--- a/lib/fields.c
 b/lib/fields.c
+@@ -21,9 +21,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *   contains a non-printable character.
++ *  + -1 is returned if an illegal or control character is present.
++ *  +  1 is returned if no illegal or control characters are present,
++ *   but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+

[OE-core] [PATCH] apt-util: Fix ptest on musl

[Khem Raj]

Signed-off-by: Khem Raj 
---
 ...ion-Check-if-transform-is-supported-.patch | 37 +++
 meta/recipes-support/apr/apr-util_1.6.3.bb|  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 
meta/recipes-support/apr/apr-util/0001-test_transformation-Check-if-transform-is-supported-.patch

diff --git 
a/meta/recipes-support/apr/apr-util/0001-test_transformation-Check-if-transform-is-supported-.patch
 
b/meta/recipes-support/apr/apr-util/0001-test_transformation-Check-if-transform-is-supported-.patch
new file mode 100644
index 00..261b78736f
--- /dev/null
+++ 
b/meta/recipes-support/apr/apr-util/0001-test_transformation-Check-if-transform-is-supported-.patch
@@ -0,0 +1,37 @@
+From 3a97f58cfb40fc1911bbfd067e8457a472613d75 Mon Sep 17 00:00:00 2001
+From: Khem Raj 
+Date: Tue, 18 Apr 2023 22:58:00 -0700
+Subject: [PATCH] test_transformation: Check if transform is supported before
+ using it
+
+This helps in excluding these tests on systems where these are not
+available e.g. musl
+
+Upstream-Status: Submitted 
[https://bz.apache.org/bugzilla/show_bug.cgi?id=66570]
+Signed-off-by: Khem Raj 
+---
+ test/testxlate.c | 8 ++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/test/testxlate.c b/test/testxlate.c
+index 6981eff..de00fa4 100644
+--- a/test/testxlate.c
 b/test/testxlate.c
+@@ -116,8 +116,12 @@ static void test_transformation(abts_case *tc, void *data)
+ }
+ 
+ /* 4. Transformation using charset aliases */
+-one_test(tc, "UTF-8", "UTF-7", test_utf8, test_utf7, p);
+-one_test(tc, "UTF-7", "UTF-8", test_utf7, test_utf8, p);
++if (is_transform_supported(tc, "UTF-8", "UTF-7", p)) {
++one_test(tc, "UTF-8", "UTF-7", test_utf8, test_utf7, p);
++}
++if (is_transform_supported(tc, "UTF-7", "UTF-8", p)) {
++one_test(tc, "UTF-7", "UTF-8", test_utf7, test_utf8, p);
++}
+ }
+ 
+ #endif /* APR_HAS_XLATE */
+-- 
+2.40.0
+
diff --git a/meta/recipes-support/apr/apr-util_1.6.3.bb 
b/meta/recipes-support/apr/apr-util_1.6.3.bb
index 7c6fcc699b..1371e262dd 100644
--- a/meta/recipes-support/apr/apr-util_1.6.3.bb
+++ b/meta/recipes-support/apr/apr-util_1.6.3.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=158aa0b1efe0c12f23d4b007ddb9a5db \
 SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.gz \
file://configfix.patch \
file://configure_fixes.patch \
+  
file://0001-test_transformation-Check-if-transform-is-supported-.patch \
file://run-ptest \
"
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180211): 
https://lists.openembedded.org/g/openembedded-core/message/180211
Mute This Topic: https://lists.openembedded.org/mt/98361141/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][kirkstone][PATCH] go-runtime: Security fix for CVE-2022-41722

[Shubham Kulkarni]

Thank you Steve! Apologies for the inconvenience caused. I will take care
next time.

Thanks,
Shubham

On Tue, Apr 18, 2023 at 8:04 PM Steve Sakoman  wrote:

> There were a couple of issues with this patch.  I've fixed both so no
> need to resubmit, but in the future please be sure to check the
> following:
>
> 1. Patch should be based on the latest kirkstone head -- you were
> using an earlier state which was missing "go: fix CVE-2022-41724,
> 41725" so the patch didn't apply.
> 2. CVE patch files should have a CVE: tag in addition to the
> Upstream-status: and Signed-off-by: tags
>
> Thanks for helping fix CVEs!
>
> Steve
>
> On Tue, Apr 18, 2023 at 1:54 AM Shubham Kulkarni 
> wrote:
> >
> > From: Shubham Kulkarni 
> >
> > path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
> >
> > Backport from
> https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c
> >
> > Signed-off-by: Shubham Kulkarni 
> > ---
> >  meta/recipes-devtools/go/go-1.17.13.inc   |   1 +
> >  .../go/go-1.18/CVE-2022-41722.patch   | 102 ++
> >  2 files changed, 103 insertions(+)
> >  create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> >
> > diff --git a/meta/recipes-devtools/go/go-1.17.13.inc
> b/meta/recipes-devtools/go/go-1.17.13.inc
> > index 14d58932dc..d104e34408 100644
> > --- a/meta/recipes-devtools/go/go-1.17.13.inc
> > +++ b/meta/recipes-devtools/go/go-1.17.13.inc
> > @@ -23,6 +23,7 @@ SRC_URI += "\
> >  file://CVE-2022-2879.patch \
> >  file://CVE-2022-41720.patch \
> >  file://CVE-2022-41723.patch \
> > +file://CVE-2022-41722.patch \
> >  "
> >  SRC_URI[main.sha256sum] =
> "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
> >
> > diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> > new file mode 100644
> > index 00..447c3d45bd
> > --- /dev/null
> > +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> > @@ -0,0 +1,102 @@
> > +From a826b19625caebed6dd0f3fbd9d0111f6c83737c Mon Sep 17 00:00:00 2001
> > +From: Damien Neil 
> > +Date: Mon, 12 Dec 2022 16:43:37 -0800
> > +Subject: [PATCH] path/filepath: do not Clean("a/../c:/b") into c:\b on
> Windows
> > +
> > +Do not permit Clean to convert a relative path into one starting
> > +with a drive reference. This change causes Clean to insert a .
> > +path element at the start of a path when the original path does not
> > +start with a volume name, and the first path element would contain
> > +a colon.
> > +
> > +This may introduce a spurious but harmless . path element under
> > +some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
> > +
> > +This reverts CL 401595, since the change here supersedes the one
> > +in that CL.
> > +
> > +Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this
> issue.
> > +
> > +Updates #57274
> > +Fixes #57276
> > +Fixes CVE-2022-41722
> > +
> > +Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
> > +Reviewed-on:
> https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
> > +Reviewed-by: Roland Shoemaker 
> > +Run-TryBot: Damien Neil 
> > +Reviewed-by: Julie Qiu 
> > +TryBot-Result: Security TryBots <
> security-tryb...@go-security-trybots.iam.gserviceaccount.com>
> > +(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
> > +Reviewed-on:
> https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
> > +Run-TryBot: Roland Shoemaker 
> > +Reviewed-by: Tatiana Bradley 
> > +Reviewed-by: Damien Neil 
> > +Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
> > +Reviewed-by: Than McIntosh 
> > +Run-TryBot: Michael Pratt 
> > +TryBot-Result: Gopher Robot 
> > +Auto-Submit: Michael Pratt 
> > +
> > +Upstream-Status: Backport from
> https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18
> > +Signed-off-by: Shubham Kulkarni 
> > +---
> > + src/path/filepath/path.go | 27 ++-
> > + 1 file changed, 14 insertions(+), 13 deletions(-)
> > +
> > +diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
> > +index 8300a32..94621a0 100644
> > +--- a/src/path/filepath/path.go
> >  b/src/path/filepath/path.go
> > +@@ -15,6 +15,7 @@ import (
> > +   "errors"
> > +   "io/fs"
> > +   "os"
> > ++  "runtime"
> > +   "sort"
> > +   "strings"
> > + )
> > +@@ -117,21 +118,9 @@ func Clean(path string) string {
> > +   case os.IsPathSeparator(path[r]):
> > +   // empty path element
> > +   r++
> > +-  case path[r] == '.' && r+1 == n:
> > ++  case path[r] == '.' && (r+1 == n ||
> os.IsPathSeparator(path[r+1])):
> > +   // . element
> > +   r++
> > +-  case path[r] == '.' && os.IsPathSeparator(path[r+1]):
> > +-  // ./ element
> > +-  r++
> > +-
> > +-  

[OE-core][PATCH v2] shadow: backport patch to fix CVE-2023-29383

[Xiangyu Chen]

From: Xiangyu Chen 

The fix of CVE-2023-29383.patch contains a bug that it rejects all
characters that are not control ones, so backup another patch named
"0001-Overhaul-valid_field.patch" from upstream to fix it.

Signed-off-by: Xiangyu Chen 
---
Changes

v1->v2: 
1. Based on latest oe-core commit
2. The fix of cve caused useradd/groupadd report errors as below:
"configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)"
"configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)"
so backport another patch to fix useradd/groupadd wrong paramter's issue.
3. Using CVE-xxx as fix of cve patch file name
---
 .../files/0001-Overhaul-valid_field.patch | 65 +++
 .../shadow/files/CVE-2023-29383.patch | 53 +++
 meta/recipes-extended/shadow/shadow.inc   |  2 +
 3 files changed, 120 insertions(+)
 create mode 100644 
meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
 create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch

diff --git a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch 
b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
new file mode 100644
index 00..ac08be515b
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
@@ -0,0 +1,65 @@
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= 
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+
+Upstream-Status: Backport 
[https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4]
+
+Signed-off-by: Xiangyu Chen 
+---
+ lib/fields.c | 24 ++--
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b582..53929248 100644
+--- a/lib/fields.c
 b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+ 
+   /* For each character of field, search if it appears in the list
+* of illegal characters. */
++  if (illegal && NULL != strpbrk (field, illegal)) {
++  return -1;
++  }
++
++  /* Search if there are non-printable or control characters */
+   for (cp = field; '\0' != *cp; cp++) {
+-  if (strchr (illegal, *cp) != NULL) {
++  unsigned char c = *cp;
++  if (!isprint (c)) {
++  err = 1;
++  }
++  if (iscntrl (c)) {
+   err = -1;
+   break;
+   }
+   }
+ 
+-  if (0 == err) {
+-  /* Search if there are non-printable or control characters */
+-  for (cp = field; '\0' != *cp; cp++) {
+-  if (!isprint (*cp)) {
+-  err = 1;
+-  }
+-  if (!iscntrl (*cp)) {
+-  err = -1;
+-  break;
+-  }
+-  }
+-  }
+-
+   return err;
+ }
+ 
+-- 
+2.34.1
+
diff --git a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch 
b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
new file mode 100644
index 00..f53341d3fc
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
@@ -0,0 +1,53 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderl...@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters 
are present.
+
+CVE: CVE-2023-29383
+Upstream-Status: Backport
+
+Reference to upstream:
+https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
+
+Signed-off-by: Xiangyu Chen 
+---
+ lib/fields.c | 11 +++
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931..fb51b582 100644
+--- a/lib/fields.c
 b/lib/fields.c
+@@ -21,9 +21,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *   contains a non-printable character.
++ *  + -1 is returned if an illegal or control character is present.
++ *  +  1 is returned if no illegal or control characters are present,
++ *   but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+

Re: [OE-core] [kirkstone][PATCH] curl: Fix CVE-2023-27536

[Yu, Mingli]

On 4/18/23 00:42, Steve Sakoman wrote:

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know 
the content is safe.

There is also a patch submitted today that fixes this CVE as well as
two others: https://lists.openembedded.org/g/openembedded-core/message/180143


I'm fine with the patch as 
https://lists.openembedded.org/g/openembedded-core/message/180143.


Thanks,



Could you review the above patch and ack if you approve.  It would be
nice to fix all three patches in a single commit if possible.

Thanks!

Steve

On Sun, Apr 16, 2023 at 8:22 PM Yu, Mingli  wrote:


From: Mingli Yu 

Backport patch [1] to fix CVE-2023-27536.

[1] https://github.com/curl/curl/commit/cb49e67303dba

Signed-off-by: Mingli Yu 
---
  .../curl/curl/CVE-2023-27536.patch| 57 +++
  meta/recipes-support/curl/curl_7.82.0.bb  |  1 +
  2 files changed, 58 insertions(+)
  create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch 
b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
new file mode 100644
index 00..842c70785a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
@@ -0,0 +1,57 @@
+From 6b1ef6d5ebbfd5e68dea1eea2dc0c6cc4dc2e394 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg 
+Date: Mon, 17 Apr 2023 05:36:18 +
+Subject: [PATCH] url: only reuse connections with same GSS delegation
+
+Reported-by: Harry Sintonen
+Closes #10731
+
+CVE: CVE-2023-27536
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/cb49e67303dba]
+
+Signed-off-by: Mingli Yu 
+---
+ lib/url.c | 6 ++
+ lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index df4377d..8c43c3b 100644
+--- a/lib/url.c
 b/lib/url.c
+@@ -1350,6 +1350,11 @@ ConnectionExists(struct Curl_easy *data,
+ }
+   }
+
++  /* GSS delegation differences do not actually affect every connection
++ and auth method, but this check takes precaution before efficiency */
++  if(needle->gssapi_delegation != check->gssapi_delegation)
++continue;
++
+   /* If multiplexing isn't enabled on the h2 connection and h1 is
+  explicitly requested, handle it: */
+   if((needle->handler->protocol & PROTO_FAMILY_HTTP) &&
+@@ -1807,6 +1812,7 @@ static struct connectdata *allocate_conn(struct 
Curl_easy *data)
+   conn->fclosesocket = data->set.fclosesocket;
+   conn->closesocket_client = data->set.closesocket_client;
+   conn->lastused = Curl_now(); /* used now */
++  conn->gssapi_delegation = data->set.gssapi_delegation;
+
+   return conn;
+   error:
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 69eb2ee..c2a7e6c 100644
+--- a/lib/urldata.h
 b/lib/urldata.h
+@@ -1131,6 +1131,7 @@ struct connectdata {
+   int socks5_gssapi_enctype;
+ #endif
+   unsigned short localport;
++  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
+ };
+
+ /* The end of connectdata. */
+--
+2.23.0
+
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb 
b/meta/recipes-support/curl/curl_7.82.0.bb
index 945745cdde..888527857a 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -40,6 +40,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
 file://CVE-2023-23914_5-4.patch \
 file://CVE-2023-23914_5-5.patch \
 file://CVE-2023-23916.patch \
+   file://CVE-2023-27536.patch \
 "
  SRC_URI[sha256sum] = 
"0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"

--
2.25.1





-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180208): 
https://lists.openembedded.org/g/openembedded-core/message/180208
Mute This Topic: https://lists.openembedded.org/mt/98313621/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [PATCH v2] report-error: make it catch ParseError error

[Yu, Mingli]

From: Mingli Yu 

Make the report-error catch ParseError error as below and then
we can check it directly via error report web.

ParseError at 
/build/layers/oe-core/meta/recipes-support/curl/curl_7.88.1.bb:32: unparsed 
line: 'PACKAGECONFIG[ares] = 
"--enable-ares,--disable-ares,c-ares,,,threaded-resolver'

Signed-off-by: Mingli Yu 
---
 meta/classes/report-error.bbclass | 52 ++-
 1 file changed, 31 insertions(+), 21 deletions(-)

diff --git a/meta/classes/report-error.bbclass 
b/meta/classes/report-error.bbclass
index 2b2ad56514..1452513a66 100644
--- a/meta/classes/report-error.bbclass
+++ b/meta/classes/report-error.bbclass
@@ -39,6 +39,19 @@ def get_conf_data(e, filename):
 jsonstring=jsonstring + line
 return jsonstring
 
+def get_common_data(e):
+data = {}
+data['machine'] = e.data.getVar("MACHINE")
+data['build_sys'] = e.data.getVar("BUILD_SYS")
+data['distro'] = e.data.getVar("DISTRO")
+data['target_sys'] = e.data.getVar("TARGET_SYS")
+data['branch_commit'] = str(oe.buildcfg.detect_branch(e.data)) + ": " + 
str(oe.buildcfg.detect_revision(e.data))
+data['bitbake_version'] = e.data.getVar("BB_VERSION")
+data['layer_version'] = get_layers_branch_rev(e.data)
+data['local_conf'] = get_conf_data(e, 'local.conf')
+data['auto_conf'] = get_conf_data(e, 'auto.conf')
+return data
+
 python errorreport_handler () {
 import json
 import codecs
@@ -56,19 +69,10 @@ python errorreport_handler () {
 if isinstance(e, bb.event.BuildStarted):
 bb.utils.mkdirhier(logpath)
 data = {}
-machine = e.data.getVar("MACHINE")
-data['machine'] = machine
-data['build_sys'] = e.data.getVar("BUILD_SYS")
+data = get_common_data(e)
 data['nativelsb'] = nativelsb()
-data['distro'] = e.data.getVar("DISTRO")
-data['target_sys'] = e.data.getVar("TARGET_SYS")
 data['failures'] = []
 data['component'] = " ".join(e.getPkgs())
-data['branch_commit'] = str(oe.buildcfg.detect_branch(e.data)) + 
": " + str(oe.buildcfg.detect_revision(e.data))
-data['bitbake_version'] = e.data.getVar("BB_VERSION")
-data['layer_version'] = get_layers_branch_rev(e.data)
-data['local_conf'] = get_conf_data(e, 'local.conf')
-data['auto_conf'] = get_conf_data(e, 'auto.conf')
 lock = bb.utils.lockfile(datafile + '.lock')
 errorreport_savedata(e, data, "error-report.txt")
 bb.utils.unlockfile(lock)
@@ -110,19 +114,10 @@ python errorreport_handler () {
 elif isinstance(e, bb.event.NoProvider):
 bb.utils.mkdirhier(logpath)
 data = {}
-machine = e.data.getVar("MACHINE")
-data['machine'] = machine
-data['build_sys'] = e.data.getVar("BUILD_SYS")
+data = get_common_data(e)
 data['nativelsb'] = nativelsb()
-data['distro'] = e.data.getVar("DISTRO")
-data['target_sys'] = e.data.getVar("TARGET_SYS")
 data['failures'] = []
 data['component'] = str(e._item)
-data['branch_commit'] = str(oe.buildcfg.detect_branch(e.data)) + 
": " + str(oe.buildcfg.detect_revision(e.data))
-data['bitbake_version'] = e.data.getVar("BB_VERSION")
-data['layer_version'] = get_layers_branch_rev(e.data)
-data['local_conf'] = get_conf_data(e, 'local.conf')
-data['auto_conf'] = get_conf_data(e, 'auto.conf')
 taskdata={}
 taskdata['log'] = str(e)
 taskdata['package'] = str(e._item)
@@ -132,6 +127,21 @@ python errorreport_handler () {
 errorreport_savedata(e, data, "error-report.txt")
 bb.utils.unlockfile(lock)
 
+elif isinstance(e, bb.event.ParseError):
+bb.utils.mkdirhier(logpath)
+data = {}
+data = get_common_data(e)
+data['nativelsb'] = nativelsb()
+data['failures'] = []
+data['component'] = "parse"
+taskdata={}
+taskdata['log'] = str(e._msg)
+taskdata['task'] = str(e._msg)
+data['failures'].append(taskdata)
+lock = bb.utils.lockfile(datafile + '.lock')
+errorreport_savedata(e, data, "error-report.txt")
+bb.utils.unlockfile(lock)
+
 elif isinstance(e, bb.event.BuildCompleted):
 lock = bb.utils.lockfile(datafile + '.lock')
 jsondata = json.loads(errorreport_getdata(e))
@@ -145,4 +155,4 @@ python errorreport_handler () {
 }
 
 addhandler errorreport_handler
-errorreport_handler[eventmask] = "bb.event.BuildStarted 
bb.event.BuildCompleted bb.build.TaskFailed bb.event.NoProvider"
+errorreport_handler[eventmask] = "bb.event.BuildStarted 
bb.event.BuildCompleted bb.build.TaskFailed bb.event.NoProvider 
bb.event.ParseErro

[OE-core] [PATCH V2] coreutils: delete gcc parameter for ptest

[qi...@fujitsu.com]

From: Qiu Tingting 

If gcc is installed in image, ptest result has 4 ERROR.
  ERROR: tests/rm/r-root.sh
  ERROR: tests/rm/rm-readdir-fail.sh
  ERROR: tests/cp/nfs-removal-race.sh
  ERROR: tests/ls/getxattr-speedup.sh

r-root.log as an example:
  --
  k.c:1:10: fatal error: stdio.h: No such file or directory
  1 | #include 
|  ^
  compilation terminated.
  r-root.sh: set-up failure: failed to build shared library
  ERROR tests/rm/r-root.sh (exit status: 99)
  --

reason:
  The run-ptest calls make cmd to run test cases.
  In these cases, k.c file is created and compiled by gcc before run.
  There is a stdio.h file in /usr/include/ directory.
  Normally, gcc has /usr/include as part of its default search path.
  But in Makefile, it has the "--sysroot=recipe-sysroot" parameter
  which makes it does not work.

solution:
  Delete "--sysroot=recipe-sysroot" from Makefile.

other:
  If gcc is not installed in image, these cases will be skipped.
---
 meta/recipes-core/coreutils/coreutils_9.1.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/coreutils/coreutils_9.1.bb 
b/meta/recipes-core/coreutils/coreutils_9.1.bb
index 4807eefd04..e12a6d6797 100644
--- a/meta/recipes-core/coreutils/coreutils_9.1.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.1.bb
@@ -193,6 +193,7 @@ do_install_ptest () {
 sed -i '/^abs_top_builddir/s/= .*$/= \$\{PWD\}/g' 
${D}${PTEST_PATH}/Makefile
 sed -i '/^abs_top_srcdir/s/= .*$/= \$\{PWD\}/g' ${D}${PTEST_PATH}/Makefile
 sed -i '/^built_programs/s/ginstall/install/g' ${D}${PTEST_PATH}/Makefile
+sed -i '/^CC =/s/ --sysroot=.*recipe-sysroot/ /g' 
${D}${PTEST_PATH}/Makefile
 chmod -R 777 ${D}${PTEST_PATH}
 
 # Disable subcase stty-pairs.sh, it will cause test framework hang
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180206): 
https://lists.openembedded.org/g/openembedded-core/message/180206
Mute This Topic: https://lists.openembedded.org/mt/98358118/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] parted: upgrade 3.5 -> 3.6

[Khem Raj]

fails during do_patch see
https://autobuilder.yoctoproject.org/typhoon/#/builders/88/builds/2669/steps/14/logs/stdio

On Mon, Apr 17, 2023 at 1:08 AM wangmy  wrote:
>
> From: Wang Mingyu 
>
> Signed-off-by: Wang Mingyu 
> ---
>  meta/recipes-extended/parted/{parted_3.5.bb => parted_3.6.bb} | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>  rename meta/recipes-extended/parted/{parted_3.5.bb => parted_3.6.bb} (96%)
>
> diff --git a/meta/recipes-extended/parted/parted_3.5.bb 
> b/meta/recipes-extended/parted/parted_3.6.bb
> similarity index 96%
> rename from meta/recipes-extended/parted/parted_3.5.bb
> rename to meta/recipes-extended/parted/parted_3.6.bb
> index ea2b68bbd8..05d57507fb 100644
> --- a/meta/recipes-extended/parted/parted_3.5.bb
> +++ b/meta/recipes-extended/parted/parted_3.6.bb
> @@ -11,7 +11,7 @@ SRC_URI = "${GNU_MIRROR}/parted/parted-${PV}.tar.xz \
> file://run-ptest \
> "
>
> -SRC_URI[sha256sum] = 
> "4938dd5c1c125f6c78b1f4b3e297526f18ee74aa43d45c248578b1d2470c05a2"
> +SRC_URI[sha256sum] = 
> "3b43dbe33cca0f9a18601ebab56b7852b128ec1a3df3a9b30ccde5e73359e612"
>
>  inherit autotools pkgconfig gettext texinfo ptest
>
> --
> 2.34.1
>
>
> 
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180205): 
https://lists.openembedded.org/g/openembedded-core/message/180205
Mute This Topic: https://lists.openembedded.org/mt/98314724/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH 09/14] image-artifact-names: add IMAGE_MACHINE_SUFFIX variable

[Paul Eggleton]

Hi Martin

On Tuesday, 14 March 2023 01:15:36 NZST Martin Jansa wrote:
> * to make it easier for projects to avoid default -${MACHINE} suffix if
>   the ${MACHINE} named DEPLOY_DIR_IMAGE works better for them
> 
> * also use IMAGE_LINK_NAME in IMAGE_NAME to make it more clear
>   that IMAGE_NAME is the same as IMAGE_LINK_NAME but with version
>   suffix
> 
> * adding it as separate variable helps us to catch the cases
>   where we didn't respect ${IMAGE_LINK_NAME} variable and just used
>   the common default ${IMAGE_BASENAME}-${MACHINE}.
> 
> [YOCTO #12937]
> 
> Signed-off-by: Martin Jansa 
> ---
>  meta/classes-recipe/image-artifact-names.bbclass  | 15 ---
>  meta/classes-recipe/kernel-artifact-names.bbclass |  2 +-
>  2 files changed, 13 insertions(+), 4 deletions(-)
> 
> diff --git a/meta/classes-recipe/image-artifact-names.bbclass
> b/meta/classes-recipe/image-artifact-names.bbclass index
> 9dc25b6dde..ac2376d59a 100644
> --- a/meta/classes-recipe/image-artifact-names.bbclass
> +++ b/meta/classes-recipe/image-artifact-names.bbclass
> @@ -11,11 +11,20 @@
>  IMAGE_BASENAME ?= "${PN}"
>  IMAGE_VERSION_SUFFIX ?= "-${DATETIME}"
>  IMAGE_VERSION_SUFFIX[vardepsexclude] += "DATETIME SOURCE_DATE_EPOCH"
> -IMAGE_NAME ?= "${IMAGE_BASENAME}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
> -IMAGE_LINK_NAME ?= "${IMAGE_BASENAME}-${MACHINE}"
> +IMAGE_NAME ?= "${IMAGE_LINK_NAME}${IMAGE_VERSION_SUFFIX}"
> +IMAGE_LINK_NAME ?= "${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}"

So there's a minor unfortunate side-effect of this in that you can no longer 
just set IMAGE_LINK_NAME = "" to drop the symlinks - a minority use case, but 
something I have used. Of course you can just re-set the value of IMAGE_NAME. 
I am making a note in the manual and migration guide.

Cheers
Paul





-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180204): 
https://lists.openembedded.org/g/openembedded-core/message/180204
Mute This Topic: https://lists.openembedded.org/mt/97578959/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] make-mod-scripts: preserve libraries when rm_work is used

[Bruce Ashfield]

On Tue, Apr 18, 2023 at 5:04 PM Richard Purdie
 wrote:
>
> On Tue, 2023-04-18 at 16:25 -0400, Bruce Ashfield wrote:
> > On Mon, Apr 17, 2023 at 6:31 PM Jose Quaresma  
> > wrote:
> > >
> > >
> > >
> > > Richard Purdie  escreveu no dia 
> > > segunda, 17/04/2023 à(s) 20:51:
> > > >
> > > > On Sun, 2023-04-16 at 12:30 +0200, Christoph Lauer wrote:
> > > > > From: Christoph Lauer 
> > > > >
> > > > > With rm_work active, external module signing throws an error:
> > > > > scripts/sign-file: error while loading shared libraries: 
> > > > > libcrypto.so.3: cannot open shared object file: No such file or 
> > > > > directory
> > > > > Preserve libraries that sign-file script needs during runtime.
> > > > >
> > > > > Signed-off-by: Christoph Lauer 
> > > > > ---
> > > > >  meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb | 3 +++
> > > > >  1 file changed, 3 insertions(+)
> > > > >
> > > > > diff --git 
> > > > > a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb 
> > > > > b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
> > > > > index 28e0807d1d..0e24efc597 100644
> > > > > --- a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
> > > > > +++ b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
> > > > > @@ -32,3 +32,6 @@ do_configure() {
> > > > >   -C ${STAGING_KERNEL_DIR} O=${STAGING_KERNEL_BUILDDIR} $t
> > > > >   done
> > > > >  }
> > > > > +
> > > > > +# keep native libraries required for module signing
> > > > > +RM_WORK_EXCLUDE_ITEMS += "recipe-sysroot-native"
> > > >
> > > > I'm really reluctant to take this change as it isn't the way
> > > > dependencies are meant to work.
> > > >
> > > > It sounds like something in a shared workdir is depending on something
> > > > in a recipe workdir and we simply don't support that. Everything needed
> > > > should be in the shared workdir. At best this is a bandaid and there
> > > > will be other ways to make this fail such as cleaning make-mod-scripts.
> > >
> > >
> > > The problem is because for signing the kernel modules the sign-file.c [1] 
> > > is linked dynamically with openssl-native.
> > > This works when building the in tree kernel modules but will fail when we 
> > > try to sing any out of tree kernel module.
> > > To sign the out of tree kernel we will use the binaries from the shared 
> > > workdir but the native libcrypto.so.3 is removed by
> > > the rm_work bbclass. We need to link the sign-file statically otherwise 
> > > it will not work with the rm_work bbclass.
> > >
> > > [1] https://github.com/torvalds/linux/blob/master/scripts/sign-file.c
> > >
> > > Another solution for this problem can be changing the make-mod-scripts to 
> > > be a native tool and in this way
> > > they will be installed and the dependencies will be handled correctly.
> >
> > There would very likely be different issues if the scripts were
> > generated and then packaged as a native tool / package. Since they are
> > so tightly coupled to the kernel. We'd just trade one set of issues
> > for another (out of sync artifacts, etc).
> >
> > I'm going to hack on this a bit.
> >
> > That being said, I've never done any module signing .. since I don't
> > need it in my development workflow.
> >
> > Is there a canonical guide to getting it setup so I can test my static
> > link and relocated artifacts fixes ? is it with meta-integrity and the
> > kernel-modsign bbclass ?
>
> I did think about this a bit more. It does likely depend on the version
> of libcrypto from the host system as to whether it reproduces or not.
> The possible solution ideas I came up with are:
>
> a) statically link sign-file so we don't need libcrypto
> b) copy the libcrypto.so into a known location in the shared workdir
> (probably some new path) and then adding an RPATH/RUNPATH using chrpath
> to the binary.

Agreed. I have sign-file statically building here, and it works, but
objtool is blowing up under static linking.

If I can't break the tools into separate bits, or fix that static link
.. My other idea is the same as yours, if we copy out the .so and make
sure it is in a recognized location in the artifacts dir, we are good
to go.

Bruce

>
> Cheers,
>
> Richard
>
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180203): 
https://lists.openembedded.org/g/openembedded-core/message/180203
Mute This Topic: https://lists.openembedded.org/mt/98296212/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] make-mod-scripts: preserve libraries when rm_work is used

[Richard Purdie]

On Tue, 2023-04-18 at 16:25 -0400, Bruce Ashfield wrote:
> On Mon, Apr 17, 2023 at 6:31 PM Jose Quaresma  wrote:
> > 
> > 
> > 
> > Richard Purdie  escreveu no dia 
> > segunda, 17/04/2023 à(s) 20:51:
> > > 
> > > On Sun, 2023-04-16 at 12:30 +0200, Christoph Lauer wrote:
> > > > From: Christoph Lauer 
> > > > 
> > > > With rm_work active, external module signing throws an error:
> > > > scripts/sign-file: error while loading shared libraries: 
> > > > libcrypto.so.3: cannot open shared object file: No such file or 
> > > > directory
> > > > Preserve libraries that sign-file script needs during runtime.
> > > > 
> > > > Signed-off-by: Christoph Lauer 
> > > > ---
> > > >  meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb | 3 +++
> > > >  1 file changed, 3 insertions(+)
> > > > 
> > > > diff --git 
> > > > a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb 
> > > > b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
> > > > index 28e0807d1d..0e24efc597 100644
> > > > --- a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
> > > > +++ b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
> > > > @@ -32,3 +32,6 @@ do_configure() {
> > > >   -C ${STAGING_KERNEL_DIR} O=${STAGING_KERNEL_BUILDDIR} $t
> > > >   done
> > > >  }
> > > > +
> > > > +# keep native libraries required for module signing
> > > > +RM_WORK_EXCLUDE_ITEMS += "recipe-sysroot-native"
> > > 
> > > I'm really reluctant to take this change as it isn't the way
> > > dependencies are meant to work.
> > > 
> > > It sounds like something in a shared workdir is depending on something
> > > in a recipe workdir and we simply don't support that. Everything needed
> > > should be in the shared workdir. At best this is a bandaid and there
> > > will be other ways to make this fail such as cleaning make-mod-scripts.
> > 
> > 
> > The problem is because for signing the kernel modules the sign-file.c [1] 
> > is linked dynamically with openssl-native.
> > This works when building the in tree kernel modules but will fail when we 
> > try to sing any out of tree kernel module.
> > To sign the out of tree kernel we will use the binaries from the shared 
> > workdir but the native libcrypto.so.3 is removed by
> > the rm_work bbclass. We need to link the sign-file statically otherwise it 
> > will not work with the rm_work bbclass.
> > 
> > [1] https://github.com/torvalds/linux/blob/master/scripts/sign-file.c
> > 
> > Another solution for this problem can be changing the make-mod-scripts to 
> > be a native tool and in this way
> > they will be installed and the dependencies will be handled correctly.
> 
> There would very likely be different issues if the scripts were
> generated and then packaged as a native tool / package. Since they are
> so tightly coupled to the kernel. We'd just trade one set of issues
> for another (out of sync artifacts, etc).
> 
> I'm going to hack on this a bit.
> 
> That being said, I've never done any module signing .. since I don't
> need it in my development workflow.
> 
> Is there a canonical guide to getting it setup so I can test my static
> link and relocated artifacts fixes ? is it with meta-integrity and the
> kernel-modsign bbclass ?

I did think about this a bit more. It does likely depend on the version
of libcrypto from the host system as to whether it reproduces or not.
The possible solution ideas I came up with are:

a) statically link sign-file so we don't need libcrypto
b) copy the libcrypto.so into a known location in the shared workdir
(probably some new path) and then adding an RPATH/RUNPATH using chrpath
to the binary.

Cheers,

Richard



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180202): 
https://lists.openembedded.org/g/openembedded-core/message/180202
Mute This Topic: https://lists.openembedded.org/mt/98296212/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] make-mod-scripts: preserve libraries when rm_work is used

[Bruce Ashfield]

On Tue, Apr 18, 2023 at 4:25 PM Bruce Ashfield via
lists.openembedded.org
 wrote:
>
> On Mon, Apr 17, 2023 at 6:31 PM Jose Quaresma  wrote:
> >
> >
> >
> > Richard Purdie  escreveu no dia 
> > segunda, 17/04/2023 à(s) 20:51:
> >>
> >> On Sun, 2023-04-16 at 12:30 +0200, Christoph Lauer wrote:
> >> > From: Christoph Lauer 
> >> >
> >> > With rm_work active, external module signing throws an error:
> >> > scripts/sign-file: error while loading shared libraries: libcrypto.so.3: 
> >> > cannot open shared object file: No such file or directory
> >> > Preserve libraries that sign-file script needs during runtime.
> >> >
> >> > Signed-off-by: Christoph Lauer 
> >> > ---
> >> >  meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb | 3 +++
> >> >  1 file changed, 3 insertions(+)
> >> >
> >> > diff --git 
> >> > a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb 
> >> > b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
> >> > index 28e0807d1d..0e24efc597 100644
> >> > --- a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
> >> > +++ b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
> >> > @@ -32,3 +32,6 @@ do_configure() {
> >> >   -C ${STAGING_KERNEL_DIR} O=${STAGING_KERNEL_BUILDDIR} $t
> >> >   done
> >> >  }
> >> > +
> >> > +# keep native libraries required for module signing
> >> > +RM_WORK_EXCLUDE_ITEMS += "recipe-sysroot-native"
> >>
> >> I'm really reluctant to take this change as it isn't the way
> >> dependencies are meant to work.
> >>
> >> It sounds like something in a shared workdir is depending on something
> >> in a recipe workdir and we simply don't support that. Everything needed
> >> should be in the shared workdir. At best this is a bandaid and there
> >> will be other ways to make this fail such as cleaning make-mod-scripts.
> >
> >
> > The problem is because for signing the kernel modules the sign-file.c [1] 
> > is linked dynamically with openssl-native.
> > This works when building the in tree kernel modules but will fail when we 
> > try to sing any out of tree kernel module.
> > To sign the out of tree kernel we will use the binaries from the shared 
> > workdir but the native libcrypto.so.3 is removed by
> > the rm_work bbclass. We need to link the sign-file statically otherwise it 
> > will not work with the rm_work bbclass.
> >
> > [1] https://github.com/torvalds/linux/blob/master/scripts/sign-file.c
> >
> > Another solution for this problem can be changing the make-mod-scripts to 
> > be a native tool and in this way
> > they will be installed and the dependencies will be handled correctly.
>
> There would very likely be different issues if the scripts were
> generated and then packaged as a native tool / package. Since they are
> so tightly coupled to the kernel. We'd just trade one set of issues
> for another (out of sync artifacts, etc).
>
> I'm going to hack on this a bit.
>
> That being said, I've never done any module signing .. since I don't
> need it in my development workflow.
>
> Is there a canonical guide to getting it setup so I can test my static
> link and relocated artifacts fixes ? is it with meta-integrity and the
> kernel-modsign bbclass ?

or are you maining just using the force-signing fragments (or
equivalent) kernel configuration ?

Bruce

>
> Bruce
>
>
> Bruce
>
> >
> >>
> >> I'm even less keen to take it when I think it's going to be backported
> >> "everywhere" as if is the correct solution too.
> >>
> >> I don't know what the right fix is unfortunately. I'm sure people would
> >> like me to think about it and come up with one but there are simply too
> >> many different things people would like me to do that with and even for
> >> me, it does take a while to work these things out. I'm just out of
> >> bandwidth, sorry :(
> >
> >
> > It is true that it is not the correct solution but it is the most suitable 
> > in my opinion.
> > I totally understand what you say and I'm a little sorry that I could still 
> > help in this same fix.
> >
> > This problem is something I would also like to fix because I am using the 
> > RM_WORK_EXCLUDE
> > for quite some time to fix this issue on my distro.
> > I would like to convert the make-mod-scripts to be a native tool but I 
> > haven't had time for that either.
> >
> > Sorry and thank you for all your dedication and help.
> >
> > Jose
> >
> >>
> >> Cheers,
> >>
> >> Richard
> >>
> >>
> >>
> >>
> >>
> >
> >
> > --
> > Best regards,
> >
> > José Quaresma
> >
> >
> >
>
>
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II
>
> 
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180201): 
https://lists.openembedded.org/g/openembedded-core/message/180201
Mute This Topic: https://lis

Re: [OE-core] [PATCH] make-mod-scripts: preserve libraries when rm_work is used

[Bruce Ashfield]

On Mon, Apr 17, 2023 at 6:31 PM Jose Quaresma  wrote:
>
>
>
> Richard Purdie  escreveu no dia segunda, 
> 17/04/2023 à(s) 20:51:
>>
>> On Sun, 2023-04-16 at 12:30 +0200, Christoph Lauer wrote:
>> > From: Christoph Lauer 
>> >
>> > With rm_work active, external module signing throws an error:
>> > scripts/sign-file: error while loading shared libraries: libcrypto.so.3: 
>> > cannot open shared object file: No such file or directory
>> > Preserve libraries that sign-file script needs during runtime.
>> >
>> > Signed-off-by: Christoph Lauer 
>> > ---
>> >  meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb | 3 +++
>> >  1 file changed, 3 insertions(+)
>> >
>> > diff --git a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb 
>> > b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
>> > index 28e0807d1d..0e24efc597 100644
>> > --- a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
>> > +++ b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
>> > @@ -32,3 +32,6 @@ do_configure() {
>> >   -C ${STAGING_KERNEL_DIR} O=${STAGING_KERNEL_BUILDDIR} $t
>> >   done
>> >  }
>> > +
>> > +# keep native libraries required for module signing
>> > +RM_WORK_EXCLUDE_ITEMS += "recipe-sysroot-native"
>>
>> I'm really reluctant to take this change as it isn't the way
>> dependencies are meant to work.
>>
>> It sounds like something in a shared workdir is depending on something
>> in a recipe workdir and we simply don't support that. Everything needed
>> should be in the shared workdir. At best this is a bandaid and there
>> will be other ways to make this fail such as cleaning make-mod-scripts.
>
>
> The problem is because for signing the kernel modules the sign-file.c [1] is 
> linked dynamically with openssl-native.
> This works when building the in tree kernel modules but will fail when we try 
> to sing any out of tree kernel module.
> To sign the out of tree kernel we will use the binaries from the shared 
> workdir but the native libcrypto.so.3 is removed by
> the rm_work bbclass. We need to link the sign-file statically otherwise it 
> will not work with the rm_work bbclass.
>
> [1] https://github.com/torvalds/linux/blob/master/scripts/sign-file.c
>
> Another solution for this problem can be changing the make-mod-scripts to be 
> a native tool and in this way
> they will be installed and the dependencies will be handled correctly.

There would very likely be different issues if the scripts were
generated and then packaged as a native tool / package. Since they are
so tightly coupled to the kernel. We'd just trade one set of issues
for another (out of sync artifacts, etc).

I'm going to hack on this a bit.

That being said, I've never done any module signing .. since I don't
need it in my development workflow.

Is there a canonical guide to getting it setup so I can test my static
link and relocated artifacts fixes ? is it with meta-integrity and the
kernel-modsign bbclass ?

Bruce


Bruce

>
>>
>> I'm even less keen to take it when I think it's going to be backported
>> "everywhere" as if is the correct solution too.
>>
>> I don't know what the right fix is unfortunately. I'm sure people would
>> like me to think about it and come up with one but there are simply too
>> many different things people would like me to do that with and even for
>> me, it does take a while to work these things out. I'm just out of
>> bandwidth, sorry :(
>
>
> It is true that it is not the correct solution but it is the most suitable in 
> my opinion.
> I totally understand what you say and I'm a little sorry that I could still 
> help in this same fix.
>
> This problem is something I would also like to fix because I am using the 
> RM_WORK_EXCLUDE
> for quite some time to fix this issue on my distro.
> I would like to convert the make-mod-scripts to be a native tool but I 
> haven't had time for that either.
>
> Sorry and thank you for all your dedication and help.
>
> Jose
>
>>
>> Cheers,
>>
>> Richard
>>
>>
>>
>>
>>
>
>
> --
> Best regards,
>
> José Quaresma
>
> 
>


--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180200): 
https://lists.openembedded.org/g/openembedded-core/message/180200
Mute This Topic: https://lists.openembedded.org/mt/98296212/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH v2] machine/qemuarm*: don't explicitly set vmalloc

[Khem Raj]

On Tue, Apr 18, 2023 at 9:41 AM Ross Burton  wrote:
>
> In 5c6064 the qemuarm* machines gained vmalloc=256, because in testing
> Bruce was seeing problems when the vmalloc area was too big for the
> memory size of the machine (eg 256MB).
>

default seems to be 128M for 32bit systems with memory < 1G and 256M
for memory < 2G
but I think using defaults might be preferred it works with original problem too

> The intention was for the area to be very small, but 256 bytes is too
> small and the kernel sets a minimal vmalloc area of 16MiB:
>
> [0.00] vmalloc area is too small, limiting to 16MiB
>
> However, a 16MiB area is too small and results in pages of messages when
> you try and use the system:
>
> [  242.822481] vmap allocation for size 4100096 failed: use vmalloc= to 
> increase size
>
> There have been a number of changes since this commit, remove the
> explicit vmalloc argument and use the default.  I've tested that the
> system still boots locally.
>
> [1] early_vmalloc(), 
> https://elixir.bootlin.com/linux/latest/source/arch/arm/mm/mmu.c#L1170
> Signed-off-by: Ross Burton 
> ---
>  meta/conf/machine/qemuarm.conf   | 2 --
>  meta/conf/machine/qemuarmv5.conf | 1 -
>  2 files changed, 3 deletions(-)
>
> diff --git a/meta/conf/machine/qemuarm.conf b/meta/conf/machine/qemuarm.conf
> index c5234231e2e..aa9ce882035 100644
> --- a/meta/conf/machine/qemuarm.conf
> +++ b/meta/conf/machine/qemuarm.conf
> @@ -17,8 +17,6 @@ QB_SYSTEM_NAME = "qemu-system-arm"
>  QB_MACHINE = "-machine virt,highmem=off"
>  QB_CPU = "-cpu cortex-a15"
>  QB_SMP ?= "-smp 4"
> -# Standard Serial console
> -QB_KERNEL_CMDLINE_APPEND = "vmalloc=256"
>  # For graphics to work we need to define the VGA device as well as the 
> necessary USB devices
>  QB_GRAPHICS = "-device virtio-gpu-pci"
>  QB_OPT_APPEND = "-device qemu-xhci -device usb-tablet -device usb-kbd"
> diff --git a/meta/conf/machine/qemuarmv5.conf 
> b/meta/conf/machine/qemuarmv5.conf
> index 6e59e42c3ab..ef1b4ece230 100644
> --- a/meta/conf/machine/qemuarmv5.conf
> +++ b/meta/conf/machine/qemuarmv5.conf
> @@ -12,7 +12,6 @@ SERIAL_CONSOLES ?= "115200;ttyAMA0 115200;ttyAMA1"
>  # For runqemu
>  QB_SYSTEM_NAME = "qemu-system-arm"
>  QB_MACHINE = "-machine versatilepb"
> -QB_KERNEL_CMDLINE_APPEND = "vmalloc=256"
>  QB_GRAPHICS = "-device virtio-gpu-pci"
>  QB_OPT_APPEND = "-device qemu-xhci -device usb-tablet -device usb-kbd"
>  QB_DTB = "${@oe.utils.version_less_or_equal('PREFERRED_VERSION_linux-yocto', 
> '4.7', '', 'zImage-versatile-pb.dtb', d)}"
> --
> 2.34.1
>
>
> 
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180199): 
https://lists.openembedded.org/g/openembedded-core/message/180199
Mute This Topic: https://lists.openembedded.org/mt/98348317/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [PATCH v2] machine/qemuarm*: don't explicitly set vmalloc

[Ross Burton]

In 5c6064 the qemuarm* machines gained vmalloc=256, because in testing
Bruce was seeing problems when the vmalloc area was too big for the
memory size of the machine (eg 256MB).

The intention was for the area to be very small, but 256 bytes is too
small and the kernel sets a minimal vmalloc area of 16MiB:

[0.00] vmalloc area is too small, limiting to 16MiB

However, a 16MiB area is too small and results in pages of messages when
you try and use the system:

[  242.822481] vmap allocation for size 4100096 failed: use vmalloc= to 
increase size

There have been a number of changes since this commit, remove the
explicit vmalloc argument and use the default.  I've tested that the
system still boots locally.

[1] early_vmalloc(), 
https://elixir.bootlin.com/linux/latest/source/arch/arm/mm/mmu.c#L1170
Signed-off-by: Ross Burton 
---
 meta/conf/machine/qemuarm.conf   | 2 --
 meta/conf/machine/qemuarmv5.conf | 1 -
 2 files changed, 3 deletions(-)

diff --git a/meta/conf/machine/qemuarm.conf b/meta/conf/machine/qemuarm.conf
index c5234231e2e..aa9ce882035 100644
--- a/meta/conf/machine/qemuarm.conf
+++ b/meta/conf/machine/qemuarm.conf
@@ -17,8 +17,6 @@ QB_SYSTEM_NAME = "qemu-system-arm"
 QB_MACHINE = "-machine virt,highmem=off"
 QB_CPU = "-cpu cortex-a15"
 QB_SMP ?= "-smp 4"
-# Standard Serial console
-QB_KERNEL_CMDLINE_APPEND = "vmalloc=256"
 # For graphics to work we need to define the VGA device as well as the 
necessary USB devices
 QB_GRAPHICS = "-device virtio-gpu-pci"
 QB_OPT_APPEND = "-device qemu-xhci -device usb-tablet -device usb-kbd"
diff --git a/meta/conf/machine/qemuarmv5.conf b/meta/conf/machine/qemuarmv5.conf
index 6e59e42c3ab..ef1b4ece230 100644
--- a/meta/conf/machine/qemuarmv5.conf
+++ b/meta/conf/machine/qemuarmv5.conf
@@ -12,7 +12,6 @@ SERIAL_CONSOLES ?= "115200;ttyAMA0 115200;ttyAMA1"
 # For runqemu
 QB_SYSTEM_NAME = "qemu-system-arm"
 QB_MACHINE = "-machine versatilepb"
-QB_KERNEL_CMDLINE_APPEND = "vmalloc=256"
 QB_GRAPHICS = "-device virtio-gpu-pci"
 QB_OPT_APPEND = "-device qemu-xhci -device usb-tablet -device usb-kbd"
 QB_DTB = "${@oe.utils.version_less_or_equal('PREFERRED_VERSION_linux-yocto', 
'4.7', '', 'zImage-versatile-pb.dtb', d)}"
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180198): 
https://lists.openembedded.org/g/openembedded-core/message/180198
Mute This Topic: https://lists.openembedded.org/mt/98348317/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] machine/qemuarm*: don't explicitly set vmalloc

[Bruce Ashfield]

On Tue, Apr 18, 2023 at 11:59 AM Ross Burton  wrote:
>
> In 5c6064 the qemuarm* machines gained vmalloc=256, because in testing
> Bruce was seeing vmap allocation failures.
>
> However, this parameter is in bytes, so the kernel was setting a minimal
> vmalloc area of 16MiB:
>
> [0.00] vmalloc area is too small, limiting to 16MiB
>
> The default value is 240MiB[1] which is close to the value that Bruce
> was presumably aiming for, so I don't believe we should be setting this
> value explicitly.

I was shooting for the minimum at the time, since in coordination with
the mem= and -m options to qemu, we were getting too large a vmalloc
size.

Setting that value (incorrectly) silenced the warnings .. I can't
recall if we added that "to small" warning to an allow list ?
Otherwise, the AB should have been having issues with that as well.

Either way, the kernel versions have changed enough, as have our boot
parameters. It is worth just letting it be the default again, and
seeing if anything breaks.

Bruce

>
> [1] early_vmalloc(), 
> https://elixir.bootlin.com/linux/latest/source/arch/arm/mm/mmu.c#L1170
> Signed-off-by: Ross Burton 
> ---
>  meta/conf/machine/qemuarm.conf   | 2 --
>  meta/conf/machine/qemuarmv5.conf | 1 -
>  2 files changed, 3 deletions(-)
>
> diff --git a/meta/conf/machine/qemuarm.conf b/meta/conf/machine/qemuarm.conf
> index c5234231e2e..aa9ce882035 100644
> --- a/meta/conf/machine/qemuarm.conf
> +++ b/meta/conf/machine/qemuarm.conf
> @@ -17,8 +17,6 @@ QB_SYSTEM_NAME = "qemu-system-arm"
>  QB_MACHINE = "-machine virt,highmem=off"
>  QB_CPU = "-cpu cortex-a15"
>  QB_SMP ?= "-smp 4"
> -# Standard Serial console
> -QB_KERNEL_CMDLINE_APPEND = "vmalloc=256"
>  # For graphics to work we need to define the VGA device as well as the 
> necessary USB devices
>  QB_GRAPHICS = "-device virtio-gpu-pci"
>  QB_OPT_APPEND = "-device qemu-xhci -device usb-tablet -device usb-kbd"
> diff --git a/meta/conf/machine/qemuarmv5.conf 
> b/meta/conf/machine/qemuarmv5.conf
> index 6e59e42c3ab..ef1b4ece230 100644
> --- a/meta/conf/machine/qemuarmv5.conf
> +++ b/meta/conf/machine/qemuarmv5.conf
> @@ -12,7 +12,6 @@ SERIAL_CONSOLES ?= "115200;ttyAMA0 115200;ttyAMA1"
>  # For runqemu
>  QB_SYSTEM_NAME = "qemu-system-arm"
>  QB_MACHINE = "-machine versatilepb"
> -QB_KERNEL_CMDLINE_APPEND = "vmalloc=256"
>  QB_GRAPHICS = "-device virtio-gpu-pci"
>  QB_OPT_APPEND = "-device qemu-xhci -device usb-tablet -device usb-kbd"
>  QB_DTB = "${@oe.utils.version_less_or_equal('PREFERRED_VERSION_linux-yocto', 
> '4.7', '', 'zImage-versatile-pb.dtb', d)}"
> --
> 2.34.1
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180197): 
https://lists.openembedded.org/g/openembedded-core/message/180197
Mute This Topic: https://lists.openembedded.org/mt/98347317/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] Last call for langdale patches

[Steve Sakoman]

The final langdale release build will occur on 2023/05/01

If you have any patches you'd like to get in before langdale support
ends, please submit them now!

Steve

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180196): 
https://lists.openembedded.org/g/openembedded-core/message/180196
Mute This Topic: https://lists.openembedded.org/mt/98347842/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [PATCH] machine/qemuarm*: don't explicitly set vmalloc

[Ross Burton]

In 5c6064 the qemuarm* machines gained vmalloc=256, because in testing
Bruce was seeing vmap allocation failures.

However, this parameter is in bytes, so the kernel was setting a minimal
vmalloc area of 16MiB:

[0.00] vmalloc area is too small, limiting to 16MiB

The default value is 240MiB[1] which is close to the value that Bruce
was presumably aiming for, so I don't believe we should be setting this
value explicitly.

[1] early_vmalloc(), 
https://elixir.bootlin.com/linux/latest/source/arch/arm/mm/mmu.c#L1170
Signed-off-by: Ross Burton 
---
 meta/conf/machine/qemuarm.conf   | 2 --
 meta/conf/machine/qemuarmv5.conf | 1 -
 2 files changed, 3 deletions(-)

diff --git a/meta/conf/machine/qemuarm.conf b/meta/conf/machine/qemuarm.conf
index c5234231e2e..aa9ce882035 100644
--- a/meta/conf/machine/qemuarm.conf
+++ b/meta/conf/machine/qemuarm.conf
@@ -17,8 +17,6 @@ QB_SYSTEM_NAME = "qemu-system-arm"
 QB_MACHINE = "-machine virt,highmem=off"
 QB_CPU = "-cpu cortex-a15"
 QB_SMP ?= "-smp 4"
-# Standard Serial console
-QB_KERNEL_CMDLINE_APPEND = "vmalloc=256"
 # For graphics to work we need to define the VGA device as well as the 
necessary USB devices
 QB_GRAPHICS = "-device virtio-gpu-pci"
 QB_OPT_APPEND = "-device qemu-xhci -device usb-tablet -device usb-kbd"
diff --git a/meta/conf/machine/qemuarmv5.conf b/meta/conf/machine/qemuarmv5.conf
index 6e59e42c3ab..ef1b4ece230 100644
--- a/meta/conf/machine/qemuarmv5.conf
+++ b/meta/conf/machine/qemuarmv5.conf
@@ -12,7 +12,6 @@ SERIAL_CONSOLES ?= "115200;ttyAMA0 115200;ttyAMA1"
 # For runqemu
 QB_SYSTEM_NAME = "qemu-system-arm"
 QB_MACHINE = "-machine versatilepb"
-QB_KERNEL_CMDLINE_APPEND = "vmalloc=256"
 QB_GRAPHICS = "-device virtio-gpu-pci"
 QB_OPT_APPEND = "-device qemu-xhci -device usb-tablet -device usb-kbd"
 QB_DTB = "${@oe.utils.version_less_or_equal('PREFERRED_VERSION_linux-yocto', 
'4.7', '', 'zImage-versatile-pb.dtb', d)}"
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180195): 
https://lists.openembedded.org/g/openembedded-core/message/180195
Mute This Topic: https://lists.openembedded.org/mt/98347317/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][kirkstone][PATCH] shadow: backport patch to fix CVE-2023-29383

[Steve Sakoman]

I encountered a couple of issues with this patch.

1. The patch file for a CVE fix should have the CVE number in the
filename, i.e. CVE-2023-29383.patch rather than
0001-Added-control-character-check.patch
2. Applying the patch resulted in many errors of the type:

example 1

TOPDIR/tmp/work/core2-32-poky-linux/cronie/1.6.1-r0/recipe-sysroot-native/usr/sbin/useradd
Running groupadd commands...
NOTE: cronie: Performing groupadd with [--root
TOPDIR/tmp/work/core2-32-poky-linux/cronie/1.6.1-r0/recipe-sysroot
--system crontab]
configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)
configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)
groupadd: failure while writing changes to /etc/group
ERROR: cronie: groupadd command did not succeed.
WARNING: exit code 1 from a shell command.

example 2

TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/recipe-sysroot-native/usr/sbin/useradd
Running useradd commands...
NOTE: dbus: Performing useradd with [--root
TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/recipe-sysroot
--system --home /var/lib/dbus
--no-create-home --shell /bin/false
--user-group messagebus]
configuration error - unknown item 'SYSLOG_SU_ENAB' (notify administrator)
configuration error - unknown item 'SYSLOG_SG_ENAB' (notify administrator)
useradd: Warning: missing or non-executable shell '/bin/false'
useradd: failure while writing changes to /etc/passwd
ERROR: dbus: useradd command did not succeed.
WARNING: 
TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/temp/run.useradd_sysroot.3937179:345
exit 1 from 'exit 1'
WARNING: Backtrace (BB generated script):
#1: bbfatal, 
TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/temp/run.useradd_sysroot.3937179,
line 345
#2: perform_useradd,
TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/temp/run.useradd_sysroot.3937179,
line 331
#3: useradd_preinst,
TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/temp/run.useradd_sysroot.3937179,
line 256
#4: useradd_sysroot,
TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/temp/run.useradd_sysroot.3937179,
line 186
#5: main, 
TOPDIR/tmp/work/core2-64-poky-linux/dbus/1.14.6-r0/temp/run.useradd_sysroot.3937179,
line 357

I see that the two items are set in
meta/recipes-extended/shadow/files/login.defs_shadow-sysroot

Not sure how your patch triggers this, but it will need to be resolved
before I can take the patch.

Thanks for helping fix CVEs!

Steve

On Mon, Apr 17, 2023 at 8:09 PM Xiangyu Chen
 wrote:
>
> From: Xiangyu Chen 
>
> Signed-off-by: Xiangyu Chen 
> ---
>  .../0001-Added-control-character-check.patch  | 53 +++
>  meta/recipes-extended/shadow/shadow.inc   |  1 +
>  2 files changed, 54 insertions(+)
>  create mode 100644 
> meta/recipes-extended/shadow/files/0001-Added-control-character-check.patch
>
> diff --git 
> a/meta/recipes-extended/shadow/files/0001-Added-control-character-check.patch 
> b/meta/recipes-extended/shadow/files/0001-Added-control-character-check.patch
> new file mode 100644
> index 00..f53341d3fc
> --- /dev/null
> +++ 
> b/meta/recipes-extended/shadow/files/0001-Added-control-character-check.patch
> @@ -0,0 +1,53 @@
> +From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
> +From: tomspiderlabs <128755403+tomspiderl...@users.noreply.github.com>
> +Date: Thu, 23 Mar 2023 23:39:38 +
> +Subject: [PATCH] Added control character check
> +
> +Added control character check, returning -1 (to "err") if control characters 
> are present.
> +
> +CVE: CVE-2023-29383
> +Upstream-Status: Backport
> +
> +Reference to upstream:
> +https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
> +
> +Signed-off-by: Xiangyu Chen 
> +---
> + lib/fields.c | 11 +++
> + 1 file changed, 7 insertions(+), 4 deletions(-)
> +
> +diff --git a/lib/fields.c b/lib/fields.c
> +index 640be931..fb51b582 100644
> +--- a/lib/fields.c
>  b/lib/fields.c
> +@@ -21,9 +21,9 @@
> +  *
> +  * The supplied field is scanned for non-printable and other illegal
> +  * characters.
> +- *  + -1 is returned if an illegal character is present.
> +- *  +  1 is returned if no illegal characters are present, but the field
> +- *   contains a non-printable character.
> ++ *  + -1 is returned if an illegal or control character is present.
> ++ *  +  1 is returned if no illegal or control characters are present,
> ++ *   but the field contains a non-printable character.
> +  *  +  0 is returned otherwise.
> +  */
> + int valid_field (const char *field, const char *illegal)
> +@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
> +   }
> +
> +   if (0 == err) {
> +-  /* Search if there are some non-printable characters */
> ++  /* Search if there are non-printable or control characters */
> +   for (cp = field; '\0' != *cp; cp++) {
> +   if (!isprint (*cp)) {
> +   err = 1;
> ++  

[OE-core] Yocto Project Status 18 April 2023 (WW16)

[Neal Caidin]

Current Dev Position: YP 4.3 M1

Next Deadline: 28th April 2023 YP 4.2 Release

Next Team Meetings:

   -

   Bug Triage meeting Thursday April 20th 7:30 am PDT (
   https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09)
   -

   Weekly Project Engineering Sync Tuesday April 18th at 8 am PDT (
   https://zoom.us/j/990892712?pwd=cHU1MjhoM2x6ck81bkcrYjRrcmJsUT09)
   
   -

   Twitch -  See https://www.twitch.tv/theyoctojester


Key Status/Updates:

   -

   YP 4.2 rc2 has passed QA and is likely to be released once we have TSC
   approval and the release notes and migration guide are ready.
   -

   YP 4.0.9 passed QA and is also due to be released imminently.
   -

   Patches have started to land in master for 4.3 and the branch is open
   for development
   -

   The OE TSC has been discussing some focused work on improving the patch
   submission and new user documentation. There are currently multiple out of
   date documents in various wikis and READMEs which contain good information
   but also things which are obsolete. The aim is to identify the documents
   which should be merged and turn them into one comprehensive document,
   likely in the Yocto Project documentation set. This new document would also
   address some of the changes in developer background we’re seeing, such as
   being unfamiliar with mailing lists.
   -

   We have a growing number of bugs in bugzilla, any help with them is
   appreciated.


Ways to contribute:

   -

   As people are likely aware, the project has a number of components which
   are either unmaintained, or have people with little to no time trying to
   keep them alive. These components include: patchtest, layerindex, devtool,
   toaster, wic, oeqa, autobuilder, CROPs containers, pseudo and more. Many
   have open bugs. Help is welcome in trying to better look after these
   components!
   -

   There are bugs identified as possible for newcomers to the project:
   https://wiki.yoctoproject.org/wiki/Newcomers
   -

   There are bugs that are currently unassigned for YP 4.2. See:
   
https://wiki.yoctoproject.org/wiki/Bug_Triage#Medium.2B_4.2_Unassigned_Enhancements.2FBugs
   

   -

   We’d welcome new maintainers for recipes in OE-Core. Please see the list
   at:
   
http://git.yoctoproject.org/cgit.cgi/poky/tree/meta/conf/distro/include/maintainers.inc
   and discuss with the existing maintainer, or ask on the OE-Core mailing
   list. We will likely move a chunk of these to “Unassigned” soon to help
   facilitate this.
   -

   Help is very much welcome in trying to resolve our autobuilder
   intermittent issues. You can see the list of failures we’re continuing to
   see by searching for the “AB-INT” tag in bugzilla:
   https://bugzilla.yoctoproject.org/buglist.cgi?quicksearch=AB-INT.
   -

   Help us resolve CVE issues: CVE metrics
   


YP 4.2 Milestone Dates:

   -

   P 4.2 M4 Release date 2023/04/28


YP 4.3 Milestone Dates:

   -

   YP 4.2 M4 build date 2023/04/03
   -

   YP 4.2 M4 Release date 2023/04/28
   -

   YP 4.3 M1 build date  2023/06/05
   -

   YP 4.3 M1 Release date 2023/06/16
   -

   YP 4.3 M2 build date  2023/07/17
   -

   YP 4.3 M2 Release date 2023/07/28
   -

   YP 4.3 M3 build date  2023/08/28
   -

   YP 4.3 M3 Release date 2023/09/08
   -

   YP 4.3 M4 build date  2023/10/02
   -

   YP 4.3 M4 Release date 2023/10/27


Upcoming dot releases:

   -

   YP 4.0.9 building
   -

   YP 4.0.9 Release date 2023/04/21
   -

   YP 4.1.4 build date 2023/05/01
   -

   YP 4.1.4 Release date 2023/05/13
   -

   YP 3.1.25 build date 2023/05/08
   -

   YP 3.1.25 Release date 2023/05/19
   -

   YP 4.0.10 build date 2023/05/15
   -

   YP 4.0.10 Release date 2023/05/26
   -

   YP 4.2.1 build date 2023/05/22
   -

   YP 4.2.1 Release date 2023/06/02
   -

   YP 3.1.26 build date 2023/06/19
   -

   YP 3.1.26 Release date 2023/06/30
   -

   YP 4.0.11 build date 2023/06/26
   -

   YP 4.0.11 Release date 2023/07/07
   -

   YP 4.2.2 build date 2023/07/10
   -

   YP 4.2.2 Release date 2023/07/21
   -

   YP 3.1.27 build date 2023/07/31
   -

   YP 3.1.27 Release date 2023/08/11
   -

   YP 4.0.12 build date 2023/08/07
   -

   YP 4.0.12 Release date 2023/08/18
   -

   YP 4.2.3 build date 2023/08/28
   -

   YP 4.2.3 Release date 2023/09/08
   -

   YP 3.1.28 build date 2023/09/18
   -

   YP 3.1.28 Release date 2023/09/29
   -

   YP 4.0.13 build date 2023/09/25
   -

   YP 4.0.13 Release date 2023/10/06
   -

   YP 3.1.29 build date 2023/10/30
   -

   YP 3.1.29 Release date 2023/11/10
   -

   YP 4.0.14 build date 2023/11/06
   -

   YP 4.0.14 Release date 2023/11/17
   -

   YP 4.2.4 build date 2023/11/13
   -

   YP 4.2.4 Release date 2023/11/24
   -

   YP 3.1.30 build date 2023/12/11
   -

   YP 3.1.30 Release date 2023/12/22
   -

   YP 4.0.15 build

Re: [OE-core][kirkstone][PATCH] go-runtime: Security fix for CVE-2022-41722

[Steve Sakoman]

There were a couple of issues with this patch.  I've fixed both so no
need to resubmit, but in the future please be sure to check the
following:

1. Patch should be based on the latest kirkstone head -- you were
using an earlier state which was missing "go: fix CVE-2022-41724,
41725" so the patch didn't apply.
2. CVE patch files should have a CVE: tag in addition to the
Upstream-status: and Signed-off-by: tags

Thanks for helping fix CVEs!

Steve

On Tue, Apr 18, 2023 at 1:54 AM Shubham Kulkarni  wrote:
>
> From: Shubham Kulkarni 
>
> path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
>
> Backport from 
> https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c
>
> Signed-off-by: Shubham Kulkarni 
> ---
>  meta/recipes-devtools/go/go-1.17.13.inc   |   1 +
>  .../go/go-1.18/CVE-2022-41722.patch   | 102 ++
>  2 files changed, 103 insertions(+)
>  create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
>
> diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
> b/meta/recipes-devtools/go/go-1.17.13.inc
> index 14d58932dc..d104e34408 100644
> --- a/meta/recipes-devtools/go/go-1.17.13.inc
> +++ b/meta/recipes-devtools/go/go-1.17.13.inc
> @@ -23,6 +23,7 @@ SRC_URI += "\
>  file://CVE-2022-2879.patch \
>  file://CVE-2022-41720.patch \
>  file://CVE-2022-41723.patch \
> +file://CVE-2022-41722.patch \
>  "
>  SRC_URI[main.sha256sum] = 
> "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
>
> diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch 
> b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> new file mode 100644
> index 00..447c3d45bd
> --- /dev/null
> +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> @@ -0,0 +1,102 @@
> +From a826b19625caebed6dd0f3fbd9d0111f6c83737c Mon Sep 17 00:00:00 2001
> +From: Damien Neil 
> +Date: Mon, 12 Dec 2022 16:43:37 -0800
> +Subject: [PATCH] path/filepath: do not Clean("a/../c:/b") into c:\b on 
> Windows
> +
> +Do not permit Clean to convert a relative path into one starting
> +with a drive reference. This change causes Clean to insert a .
> +path element at the start of a path when the original path does not
> +start with a volume name, and the first path element would contain
> +a colon.
> +
> +This may introduce a spurious but harmless . path element under
> +some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
> +
> +This reverts CL 401595, since the change here supersedes the one
> +in that CL.
> +
> +Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
> +
> +Updates #57274
> +Fixes #57276
> +Fixes CVE-2022-41722
> +
> +Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
> +Reviewed-on: 
> https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
> +Reviewed-by: Roland Shoemaker 
> +Run-TryBot: Damien Neil 
> +Reviewed-by: Julie Qiu 
> +TryBot-Result: Security TryBots 
> 
> +(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
> +Reviewed-on: 
> https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
> +Run-TryBot: Roland Shoemaker 
> +Reviewed-by: Tatiana Bradley 
> +Reviewed-by: Damien Neil 
> +Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
> +Reviewed-by: Than McIntosh 
> +Run-TryBot: Michael Pratt 
> +TryBot-Result: Gopher Robot 
> +Auto-Submit: Michael Pratt 
> +
> +Upstream-Status: Backport from 
> https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18
> +Signed-off-by: Shubham Kulkarni 
> +---
> + src/path/filepath/path.go | 27 ++-
> + 1 file changed, 14 insertions(+), 13 deletions(-)
> +
> +diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
> +index 8300a32..94621a0 100644
> +--- a/src/path/filepath/path.go
>  b/src/path/filepath/path.go
> +@@ -15,6 +15,7 @@ import (
> +   "errors"
> +   "io/fs"
> +   "os"
> ++  "runtime"
> +   "sort"
> +   "strings"
> + )
> +@@ -117,21 +118,9 @@ func Clean(path string) string {
> +   case os.IsPathSeparator(path[r]):
> +   // empty path element
> +   r++
> +-  case path[r] == '.' && r+1 == n:
> ++  case path[r] == '.' && (r+1 == n || 
> os.IsPathSeparator(path[r+1])):
> +   // . element
> +   r++
> +-  case path[r] == '.' && os.IsPathSeparator(path[r+1]):
> +-  // ./ element
> +-  r++
> +-
> +-  for r < len(path) && os.IsPathSeparator(path[r]) {
> +-  r++
> +-  }
> +-  if out.w == 0 && volumeNameLen(path[r:]) > 0 {
> +-  // When joining prefix "." and an absolute 
> path on Windows,
> +-  // the prefix should not be removed.
> +-  out.append('.')
> +-   

Re: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list

[Steve Sakoman]

On Tue, Apr 18, 2023 at 1:46 AM Kokkonda, Sundeep
 wrote:
>
> Hello Steve,
>
> When this patch is planned to take into Kirkstone?

It is in the set of patches being tested today.  So if all goes well
it should hit the kirkstone branch later this week.

Steve

> 
> From: openembedded-core@lists.openembedded.org 
>  on behalf of Sundeep KOKKONDA via 
> lists.openembedded.org 
> Sent: 02 April 2023 20:58
> To: openembedded-core@lists.openembedded.org 
> 
> Cc: rwmacl...@gmail.com ; umesh.kalap...@gmail.com 
> ; pgowda@gmail.com ; 
> shiv...@gmail.com 
> Subject: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 
> added to excluded list
>
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and 
> know the content is safe.
>
> This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security 
> vulnirability when using cargo ssh.
> Kirkstone doesn't support rust on-target images and the bitbake using the 
> 'wget' (which uses 'https') for fetching the sources instead of ssh.
> So, cargo-native also not vulnerable to this cve and so added to excluded 
> list.
>
> Signed-off-by: Sundeep KOKKONDA 
> ---
>  meta/conf/distro/include/cve-extra-exclusions.inc | 5 +
>  1 file changed, 5 insertions(+)
>
> diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc 
> b/meta/conf/distro/include/cve-extra-exclusions.inc
> index 8b5f8d49b8..cb2d920441 100644
> --- a/meta/conf/distro/include/cve-extra-exclusions.inc
> +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
> @@ -15,6 +15,11 @@
>  # the aim of sharing that work and ensuring we don't duplicate it.
>  #
>
> +#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
> +#cargo security advisor 
> https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
> +#This CVE is a security issue when using cargo ssh. In kirkstone, rust 
> 1.59.0 is used and the rust on-target is not supported, so the target images 
> are not vulnerable to the cve.
> +#The bitbake using the 'wget' (which uses 'https') for fetching the sources 
> instead of ssh. So, the cargo-native are also not vulnerable to this cve and 
> so added to excluded list.
> +CVE_CHECK_IGNORE += "CVE-2022-46176"
>
>  # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
>  # CVE is more than 20 years old with no resolution evident
> --
> 2.34.1
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180191): 
https://lists.openembedded.org/g/openembedded-core/message/180191
Mute This Topic: https://lists.openembedded.org/mt/98015597/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH v2] scripts/runqemu: Add possibility to disable network

[Mikko Rapeli]

Hi,

On Tue, Apr 18, 2023 at 03:33:25PM +0200, Pavel Zhukov wrote:
> Default network configuration requires tun/tap module and while being
> usable it conflicts with tap devices created by VPN clients sometimes
> and requires root permissions to use . While it's possible to work
> this around it's not always feasible if network is not required
> Add nonetwork option which can be specified if the network connectivity is
> not needed and SDL/serial is enough to communicate with the image.

Using slirp networking is also handy. Only needs localhost to be up.

But having option for no networking at all is useful too.

Cheers,

-Mikko

> Signed-off-by: Pavel Zhukov 
> ---
>  scripts/runqemu | 7 ++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/scripts/runqemu b/scripts/runqemu
> index 4c06cefbff..56715c3e1e 100755
> --- a/scripts/runqemu
> +++ b/scripts/runqemu
> @@ -66,6 +66,7 @@ of the following environment variables (in any order):
>MACHINE - the machine name (optional, autodetected from KERNEL filename if 
> unspecified)
>Simplified QEMU command-line options can be passed with:
>  nographic - disable video console
> +nonetwork - disable network connectivity
>  novga - Disable VGA emulation completely
>  sdl - choose the SDL UI frontend
>  gtk - choose the Gtk UI frontend
> @@ -178,6 +179,7 @@ class BaseConfig(object):
>  self.serialconsole = False
>  self.serialstdio = False
>  self.nographic = False
> +self.nonetwork = False
>  self.sdl = False
>  self.gtk = False
>  self.gl = False
> @@ -495,6 +497,8 @@ to your build configuration.
>  self.check_arg_fstype(arg)
>  elif arg == 'nographic':
>  self.nographic = True
> +elif arg == "nonetwork":
> +self.nonetwork = True
>  elif arg == 'sdl':
>  self.sdl = True
>  elif arg == 'gtk':
> @@ -1224,7 +1228,8 @@ to your build configuration.
>  self.set('NETWORK_CMD', '%s %s' % 
> (self.network_device.replace('@MAC@', mac), qemu_tap_opt))
>  
>  def setup_network(self):
> -if self.get('QB_NET') == 'none':
> +if self.nonetwork or self.get('QB_NET') == 'none':
> +self.set('NETWORK_CMD', '-nic none')
>  return
>  if sys.stdin.isatty():
>  self.saved_stty = subprocess.check_output(("stty", 
> "-g")).decode('utf-8').strip()
> -- 
> 2.39.2
> 

> 
> 
> 


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180190): 
https://lists.openembedded.org/g/openembedded-core/message/180190
Mute This Topic: https://lists.openembedded.org/mt/98343907/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [PATCH v2] scripts/runqemu: Add possibility to disable network

[Pavel Zhukov]

Default network configuration requires tun/tap module and while being
usable it conflicts with tap devices created by VPN clients sometimes
and requires root permissions to use . While it's possible to work
this around it's not always feasible if network is not required
Add nonetwork option which can be specified if the network connectivity is
not needed and SDL/serial is enough to communicate with the image.

Signed-off-by: Pavel Zhukov 
---
 scripts/runqemu | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/scripts/runqemu b/scripts/runqemu
index 4c06cefbff..56715c3e1e 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -66,6 +66,7 @@ of the following environment variables (in any order):
   MACHINE - the machine name (optional, autodetected from KERNEL filename if 
unspecified)
   Simplified QEMU command-line options can be passed with:
 nographic - disable video console
+nonetwork - disable network connectivity
 novga - Disable VGA emulation completely
 sdl - choose the SDL UI frontend
 gtk - choose the Gtk UI frontend
@@ -178,6 +179,7 @@ class BaseConfig(object):
 self.serialconsole = False
 self.serialstdio = False
 self.nographic = False
+self.nonetwork = False
 self.sdl = False
 self.gtk = False
 self.gl = False
@@ -495,6 +497,8 @@ to your build configuration.
 self.check_arg_fstype(arg)
 elif arg == 'nographic':
 self.nographic = True
+elif arg == "nonetwork":
+self.nonetwork = True
 elif arg == 'sdl':
 self.sdl = True
 elif arg == 'gtk':
@@ -1224,7 +1228,8 @@ to your build configuration.
 self.set('NETWORK_CMD', '%s %s' % 
(self.network_device.replace('@MAC@', mac), qemu_tap_opt))
 
 def setup_network(self):
-if self.get('QB_NET') == 'none':
+if self.nonetwork or self.get('QB_NET') == 'none':
+self.set('NETWORK_CMD', '-nic none')
 return
 if sys.stdin.isatty():
 self.saved_stty = subprocess.check_output(("stty", 
"-g")).decode('utf-8').strip()
-- 
2.39.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180189): 
https://lists.openembedded.org/g/openembedded-core/message/180189
Mute This Topic: https://lists.openembedded.org/mt/98343907/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [PATCH] scripts/runqemu: Add possibility to disable network

[Pavel Zhukov]

Default network configuration requires tun/tap module and while being
usable it conflicts with tap devices created by VPN clients sometimes
and requires root permissions to use . While it's possible to work
this around it's not always feasible if network is not required
Add nonetwork option which can be specified if the network connectivity is
not needed and SDL/serial is enough to communicate with the image.

Signed-off-by: Pavel Zhukov 
---
 scripts/runqemu | 13 -
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/scripts/runqemu b/scripts/runqemu
index 4c06cefbff..f953891c9d 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -66,6 +66,7 @@ of the following environment variables (in any order):
   MACHINE - the machine name (optional, autodetected from KERNEL filename if 
unspecified)
   Simplified QEMU command-line options can be passed with:
 nographic - disable video console
+nonetwork - disable network connectivity
 novga - Disable VGA emulation completely
 sdl - choose the SDL UI frontend
 gtk - choose the Gtk UI frontend
@@ -178,6 +179,7 @@ class BaseConfig(object):
 self.serialconsole = False
 self.serialstdio = False
 self.nographic = False
+self.nonetwork = False
 self.sdl = False
 self.gtk = False
 self.gl = False
@@ -495,6 +497,8 @@ to your build configuration.
 self.check_arg_fstype(arg)
 elif arg == 'nographic':
 self.nographic = True
+elif arg == "nonetwork":
+self.nonetwork = True
 elif arg == 'sdl':
 self.sdl = True
 elif arg == 'gtk':
@@ -1223,6 +1227,10 @@ to your build configuration.
 
 self.set('NETWORK_CMD', '%s %s' % 
(self.network_device.replace('@MAC@', mac), qemu_tap_opt))
 
+def setup_nonetwork(self):
+self.set('NETWORK_CMD', '-nic none')
+return
+
 def setup_network(self):
 if self.get('QB_NET') == 'none':
 return
@@ -1717,7 +1725,10 @@ def main():
 # Check whether the combos is valid or not
 config.validate_combos()
 config.print_config()
-config.setup_network()
+if config.nonetwork:
+config.setup_nonetwork()
+else:
+config.setup_network()
 config.setup_rootfs()
 config.setup_final()
 config.setup_cmd()
-- 
2.39.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180188): 
https://lists.openembedded.org/g/openembedded-core/message/180188
Mute This Topic: https://lists.openembedded.org/mt/98343820/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] go-runtime: Security fix for CVE-2022-41722

[Shubham Kulkarni]

From: Shubham Kulkarni 

path/filepath: do not Clean("a/../c:/b") into c:\b on Windows

Backport from 
https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c

Signed-off-by: Shubham Kulkarni 
---
 meta/recipes-devtools/go/go-1.17.13.inc   |   1 +
 .../go/go-1.18/CVE-2022-41722.patch   | 102 ++
 2 files changed, 103 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index 14d58932dc..d104e34408 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -23,6 +23,7 @@ SRC_URI += "\
 file://CVE-2022-2879.patch \
 file://CVE-2022-41720.patch \
 file://CVE-2022-41723.patch \
+file://CVE-2022-41722.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch 
b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
new file mode 100644
index 00..447c3d45bd
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
@@ -0,0 +1,102 @@
+From a826b19625caebed6dd0f3fbd9d0111f6c83737c Mon Sep 17 00:00:00 2001
+From: Damien Neil 
+Date: Mon, 12 Dec 2022 16:43:37 -0800
+Subject: [PATCH] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
+
+Do not permit Clean to convert a relative path into one starting
+with a drive reference. This change causes Clean to insert a .
+path element at the start of a path when the original path does not
+start with a volume name, and the first path element would contain
+a colon.
+
+This may introduce a spurious but harmless . path element under
+some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
+
+This reverts CL 401595, since the change here supersedes the one
+in that CL.
+
+Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
+
+Updates #57274
+Fixes #57276
+Fixes CVE-2022-41722
+
+Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
+Reviewed-by: Roland Shoemaker 
+Run-TryBot: Damien Neil 
+Reviewed-by: Julie Qiu 
+TryBot-Result: Security TryBots 

+(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
+Run-TryBot: Roland Shoemaker 
+Reviewed-by: Tatiana Bradley 
+Reviewed-by: Damien Neil 
+Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
+Reviewed-by: Than McIntosh 
+Run-TryBot: Michael Pratt 
+TryBot-Result: Gopher Robot 
+Auto-Submit: Michael Pratt 
+
+Upstream-Status: Backport from 
https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18
+Signed-off-by: Shubham Kulkarni 
+---
+ src/path/filepath/path.go | 27 ++-
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
+index 8300a32..94621a0 100644
+--- a/src/path/filepath/path.go
 b/src/path/filepath/path.go
+@@ -15,6 +15,7 @@ import (
+   "errors"
+   "io/fs"
+   "os"
++  "runtime"
+   "sort"
+   "strings"
+ )
+@@ -117,21 +118,9 @@ func Clean(path string) string {
+   case os.IsPathSeparator(path[r]):
+   // empty path element
+   r++
+-  case path[r] == '.' && r+1 == n:
++  case path[r] == '.' && (r+1 == n || 
os.IsPathSeparator(path[r+1])):
+   // . element
+   r++
+-  case path[r] == '.' && os.IsPathSeparator(path[r+1]):
+-  // ./ element
+-  r++
+-
+-  for r < len(path) && os.IsPathSeparator(path[r]) {
+-  r++
+-  }
+-  if out.w == 0 && volumeNameLen(path[r:]) > 0 {
+-  // When joining prefix "." and an absolute path 
on Windows,
+-  // the prefix should not be removed.
+-  out.append('.')
+-  }
+   case path[r] == '.' && path[r+1] == '.' && (r+2 == n || 
os.IsPathSeparator(path[r+2])):
+   // .. element: remove to last separator
+   r += 2
+@@ -157,6 +146,18 @@ func Clean(path string) string {
+   if rooted && out.w != 1 || !rooted && out.w != 0 {
+   out.append(Separator)
+   }
++  // If a ':' appears in the path element at the start of 
a Windows path,
++  // insert a .\ at the beginning to avoid converting 
relative paths
++  // like a/../c: into c:.
++  if runtime.GOOS == "windows" && out.w == 0 && 
out.volLen == 0 && r !

Re: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list

[Sundeep KOKKONDA via lists.openembedded.org]

Hello Steve,

When this patch is planned to take into Kirkstone?



Thanks,
Sundeep K.

From: openembedded-core@lists.openembedded.org 
 on behalf of Sundeep KOKKONDA via 
lists.openembedded.org 
Sent: 02 April 2023 20:58
To: openembedded-core@lists.openembedded.org 

Cc: rwmacl...@gmail.com ; umesh.kalap...@gmail.com 
; pgowda@gmail.com ; 
shiv...@gmail.com 
Subject: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 
added to excluded list

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know 
the content is safe.

This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security 
vulnirability when using cargo ssh.
Kirkstone doesn't support rust on-target images and the bitbake using the 
'wget' (which uses 'https') for fetching the sources instead of ssh.
So, cargo-native also not vulnerable to this cve and so added to excluded list.

Signed-off-by: Sundeep KOKKONDA 
---
 meta/conf/distro/include/cve-extra-exclusions.inc | 5 +
 1 file changed, 5 insertions(+)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc 
b/meta/conf/distro/include/cve-extra-exclusions.inc
index 8b5f8d49b8..cb2d920441 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,6 +15,11 @@
 # the aim of sharing that work and ensuring we don't duplicate it.
 #

+#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
+#cargo security advisor 
https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
+#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 
is used and the rust on-target is not supported, so the target images are not 
vulnerable to the cve.
+#The bitbake using the 'wget' (which uses 'https') for fetching the sources 
instead of ssh. So, the cargo-native are also not vulnerable to this cve and so 
added to excluded list.
+CVE_CHECK_IGNORE += "CVE-2022-46176"

 # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
 # CVE is more than 20 years old with no resolution evident
--
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180186): 
https://lists.openembedded.org/g/openembedded-core/message/180186
Mute This Topic: https://lists.openembedded.org/mt/98015597/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] time64.inc

[Ola x Nilsson]

Hi Alex,

I saw on the chat that you want to enable time64.inc by default.
Did I understand that correctly?
How much testing of 64bit time have you been able to do?

I have been working on fixing rust to use the correct glibc APIs, the
pull request to the rust-lang/libc project to do that is 
https://github.com/rust-lang/libc/pull/3175 .
Unfortunately I have not had any feedback so far.
I have not even tried applying that change to the stdlib-rs recipe yet.
I think there are 3 or 4 instances of the libc crate that have to be
patched in the rustc release.

-- 
Ola x Nilsson

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180185): 
https://lists.openembedded.org/g/openembedded-core/message/180185
Mute This Topic: https://lists.openembedded.org/mt/98341568/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][PATCH] shadow: backport patch to fix CVE-2023-29383

[Luca Ceresoli via lists.openembedded.org]

Hello Xiangyu,

On Tue, 18 Apr 2023 13:49:51 +0800
"Xiangyu Chen"  wrote:

> From: Xiangyu Chen 
> 
> Signed-off-by: Xiangyu Chen 

This patch does not apply on current oe-core master. It is based on an
old commit?

Best regards,
Luca

-- 
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180184): 
https://lists.openembedded.org/g/openembedded-core/message/180184
Mute This Topic: https://lists.openembedded.org/mt/98338269/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [PATCH] scripts/rpm2cpio.sh: Use bzip2 instead of bunzip2

[Pavel Zhukov]

bzip2 is in HOSTTOOLS already and used in few other places already.
This fixes bin_package class for RPM packages without adding bunzip2 to
HOSTTOOLS.

Signed-off-by: Pavel Zhukov 
---
 scripts/rpm2cpio.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/rpm2cpio.sh b/scripts/rpm2cpio.sh
index 7cd771bbe7..2034373fe4 100755
--- a/scripts/rpm2cpio.sh
+++ b/scripts/rpm2cpio.sh
@@ -47,7 +47,7 @@ calcsize $(($offset + (8 - ($sigsize % 8)) % 8))
 hdrsize=$rsize
 
 case "$(_dd $offset bs=3 count=1)" in
-   "$(printf '\102\132')"*) _dd $offset | bunzip2 ;; # '\x42\x5a'
+   "$(printf '\102\132')"*) _dd $offset | bzip2 -d ;; # '\x42\x5a'
"$(printf '\037\213')"*) _dd $offset | gunzip  ;; # '\x1f\x8b'
"$(printf '\375\067')"*) _dd $offset | xzcat   ;; # '\xfd\x37'
"$(printf '\135\000')"*) _dd $offset | unlzma  ;; # '\x5d\x00'
-- 
2.39.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180183): 
https://lists.openembedded.org/g/openembedded-core/message/180183
Mute This Topic: https://lists.openembedded.org/mt/98340463/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [PATCH v13] Rust Oe-Selftest implementation

[Yash Shinde]

The patch implements Rust testing framework similar to other selftest,
specifically the gcc selftest in OE. It uses the client and server
based method to test the binaries for cross-target on the image.
The test framework is a wrapper around the Rust build system as ./x.py
test. It tests many functionalities of Rust distribution like tools,
documentation, libraries, packages, tools, Cargo, Crater etc.
Please refer the following link for detailed description of Rust
testing:-
https://rustc-dev-guide.rust-lang.org/tests/intro.html#tool-tests

To support the rust tests in oe-core, the following functions were
added:-
setup_cargo_environment(): Build bootstrap and some early stage tools.
do_rust_setup_snapshot(): Install the snapshot version of rust binaries.
do_configure(): To generate config.toml
do_compile(): To build "remote-test-server" for qemu target image.

Approximate Number of Tests Run in the Rust Testsuite :- 18000
Approximate Number of Tests that FAIL in bitbake environment :- 100-150
Normally majority of the testcases are present in major folder "test/"
It contributes to more than 80% of the testcases present in Rust test
framework. These tests pass as expected on any Rust versions without
much fuss. The tests that fail are of less important and contribute to
less than 2% of the total testcases. These minor tests are observed to
work on some versions and fail on others. They have to be added, ignored
or excluded for different versions as per the behavior.
These tests have been ignored or excluded in the Rust selftest
environment to generate success of completing the testsuite.

These tests work in parallel mode even in the skipped test mode as
expected. Although the patch to disable tests is large, it is very simple
in that it only disables tests. When updating to a newer version of Rust,
the patch can usually be ported in a day.

Tested for X86, X86-64, ARM, ARM64 and MIPS64 on CentOS release 6.10

Signed-off-by: pgowda 
Signed-off-by: Vinay Kumar 
Signed-off-by: Yash Shinde 
---
 meta/lib/oeqa/selftest/cases/rust.py  |  85 +++
 .../rust/files/rust-oe-selftest.patch | 715 ++
 meta/recipes-devtools/rust/rust-source.inc|   1 +
 meta/recipes-devtools/rust/rust_1.68.2.bb |  18 +
 4 files changed, 819 insertions(+)
 create mode 100644 meta/lib/oeqa/selftest/cases/rust.py
 create mode 100644 meta/recipes-devtools/rust/files/rust-oe-selftest.patch

diff --git a/meta/lib/oeqa/selftest/cases/rust.py 
b/meta/lib/oeqa/selftest/cases/rust.py
new file mode 100644
index 00..f328d2d887
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/rust.py
@@ -0,0 +1,85 @@
+# SPDX-License-Identifier: MIT
+import os
+import subprocess
+from oeqa.core.decorator import OETestTag
+from oeqa.core.case import OEPTestResultTestCase
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars, 
runqemu, Command
+from oeqa.utils.sshcontrol import SSHControl
+
+def parse_results(filename):
+tests = []
+with open(filename, "r") as f:
+lines = f.readlines()
+for line in lines:
+if "..." in line and "test [" in line:
+test = line.split("test ")[1].split(" ... ")[0]
+result = line.split(" ... ")[1].strip()
+if result == "ok":
+result = "PASS"
+elif result == "falied":
+result = "FAIL"
+elif result == "ignored":
+result = "SKIP"
+tests.append((test, result))
+return tests
+
+# Total time taken for testing is of about 2hr 20min, with PARALLEL_MAKE set 
to 40 number of jobs.
+class RustSelfTestSystemEmulated(OESelftestTestCase, OEPTestResultTestCase):
+def test_rust(self, *args, **kwargs):
+# build remote-test-server before image build
+recipe = "rust"
+bitbake("{} -c test_compile".format(recipe))
+builddir = get_bb_var("RUSTSRC", "rust")
+# build core-image-minimal with required packages
+default_installed_packages = ["libgcc", "libstdc++", "libatomic", 
"libgomp"]
+features = []
+features.append('IMAGE_FEATURES += "ssh-server-dropbear"')
+features.append('CORE_IMAGE_EXTRA_INSTALL += "{0}"'.format(" 
".join(default_installed_packages)))
+self.write_config("\n".join(features))
+bitbake("core-image-minimal")
+# wrap the execution with a qemu instance.
+# Tests are run with 512 tasks in parallel to execute all tests very 
quickly
+with runqemu("core-image-minimal", runqemuparams = "nographic", 
qemuparams = "-m 512") as qemu:
+# Copy remote-test-server to image through scp
+buildsys = get_bb_var("RUST_BUILD_SYS", "rust")
+ssh = SSHControl(ip=qemu.ip, logfile=qemu.sshlog, user="root")
+ssh.copy_to(builddir + "/" + 
"build/x86_64-unknown-linux-gnu/stage1-tools-bin/remote-test-server

[OE-core] [PATCH v13] Rust Oe-Selftest implementation

[Yash Shinde]

The patch implements Rust testing framework similar to other selftest,
specifically the gcc selftest in OE. It uses the client and server
based method to test the binaries for cross-target on the image.
The test framework is a wrapper around the Rust build system as ./x.py
test. It tests many functionalities of Rust distribution like tools,
documentation, libraries, packages, tools, Cargo, Crater etc.
Please refer the following link for detailed description of Rust
testing:-
https://rustc-dev-guide.rust-lang.org/tests/intro.html#tool-tests

To support the rust tests in oe-core, the following functions were
added:-
setup_cargo_environment(): Build bootstrap and some early stage tools.
do_rust_setup_snapshot(): Install the snapshot version of rust binaries.
do_configure(): To generate config.toml
do_compile(): To build "remote-test-server" for qemu target image.

Approximate Number of Tests Run in the Rust Testsuite :- 18000
Approximate Number of Tests that FAIL in bitbake environment :- 100-150
Normally majority of the testcases are present in major folder "test/"
It contributes to more than 80% of the testcases present in Rust test
framework. These tests pass as expected on any Rust versions without
much fuss. The tests that fail are of less important and contribute to
less than 2% of the total testcases. These minor tests are observed to
work on some versions and fail on others. They have to be added, ignored
or excluded for different versions as per the behavior.
These tests have been ignored or excluded in the Rust selftest
environment to generate success of completing the testsuite.

These tests work in parallel mode even in the skipped test mode as
expected. Although the patch to disable tests is large, it is very simple
in that it only disables tests. When updating to a newer version of Rust,
the patch can usually be ported in a day.

Tested for X86, X86-64, ARM, ARM64 and MIPS64 on CentOS release 6.10

Signed-off-by: pgowda 
Signed-off-by: Vinay Kumar 
Signed-off-by: Yash Shinde 
---
 meta/lib/oeqa/selftest/cases/rust.py  |  85 +++
 .../rust/files/rust-oe-selftest.patch | 715 ++
 meta/recipes-devtools/rust/rust-source.inc|   1 +
 meta/recipes-devtools/rust/rust_1.68.2.bb |  18 +
 4 files changed, 819 insertions(+)
 create mode 100644 meta/lib/oeqa/selftest/cases/rust.py
 create mode 100644 meta/recipes-devtools/rust/files/rust-oe-selftest.patch

diff --git a/meta/lib/oeqa/selftest/cases/rust.py 
b/meta/lib/oeqa/selftest/cases/rust.py
new file mode 100644
index 00..f328d2d887
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/rust.py
@@ -0,0 +1,85 @@
+# SPDX-License-Identifier: MIT
+import os
+import subprocess
+from oeqa.core.decorator import OETestTag
+from oeqa.core.case import OEPTestResultTestCase
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars, 
runqemu, Command
+from oeqa.utils.sshcontrol import SSHControl
+
+def parse_results(filename):
+tests = []
+with open(filename, "r") as f:
+lines = f.readlines()
+for line in lines:
+if "..." in line and "test [" in line:
+test = line.split("test ")[1].split(" ... ")[0]
+result = line.split(" ... ")[1].strip()
+if result == "ok":
+result = "PASS"
+elif result == "falied":
+result = "FAIL"
+elif result == "ignored":
+result = "SKIP"
+tests.append((test, result))
+return tests
+
+# Total time taken for testing is of about 2hr 20min, with PARALLEL_MAKE set 
to 40 number of jobs.
+class RustSelfTestSystemEmulated(OESelftestTestCase, OEPTestResultTestCase):
+def test_rust(self, *args, **kwargs):
+# build remote-test-server before image build
+recipe = "rust"
+bitbake("{} -c test_compile".format(recipe))
+builddir = get_bb_var("RUSTSRC", "rust")
+# build core-image-minimal with required packages
+default_installed_packages = ["libgcc", "libstdc++", "libatomic", 
"libgomp"]
+features = []
+features.append('IMAGE_FEATURES += "ssh-server-dropbear"')
+features.append('CORE_IMAGE_EXTRA_INSTALL += "{0}"'.format(" 
".join(default_installed_packages)))
+self.write_config("\n".join(features))
+bitbake("core-image-minimal")
+# wrap the execution with a qemu instance.
+# Tests are run with 512 tasks in parallel to execute all tests very 
quickly
+with runqemu("core-image-minimal", runqemuparams = "nographic", 
qemuparams = "-m 512") as qemu:
+# Copy remote-test-server to image through scp
+buildsys = get_bb_var("RUST_BUILD_SYS", "rust")
+ssh = SSHControl(ip=qemu.ip, logfile=qemu.sshlog, user="root")
+ssh.copy_to(builddir + "/" + 
"build/x86_64-unknown-linux-gnu/stage1-tools-bin/remote-test-server

Re: [OE-core] [PATCH v4 1/2] oeqa/utils/qemurunner: change the serial runner

[Louis Rannou]

Hello Luca,

You are correct, thanks !

Louis

On 12/04/2023 09:57, Luca Ceresoli wrote:

Hello Louis,

On Tue, 11 Apr 2023 17:05:02 +0200
"Louis Rannou"  wrote:


[YOCTO #15021]

Create a new runner run_serial_socket which usage matches the traditional ssh


Nit: I'm not a native English speaker, but I think "whose usage" is the
correct form.


runner. Its return status is 0 when the command succeeded or 0 when it
failed. If an error is encountered, it raises an Exception.


Should be "or a negative error when it fails"?

I'm taking the patch for testing with these two changes, let me know if
I should do otherwise.

Luca


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180180): 
https://lists.openembedded.org/g/openembedded-core/message/180180
Mute This Topic: https://lists.openembedded.org/mt/98199478/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-