Re: [OE-core] [yocto] QA notification for completed autobuilder build (yocto-3.1.25.rc1)

2023-05-07 Thread Jing Hui Tham
Hi all,
 
Intel and WR YP QA is planning QA execution for YP build yocto-3.1.25.rc1.
We are planning to execute the following tests for this cycle:

OEQA-manual tests for the following modules:
1. OE-Core
2. BSP-hw
 
Runtime auto test for the following platforms:
1. MinnowTurbot 32-bit
2. NUC 7
3. ADL
4. TGL NUC 11
5. Edgerouter
6. Beaglebone
 
ETA for completion Thursday, 11 May 2023.
 
Best regards,
Jing Hui


> -----Original Message-----
> From: yo...@lists.yoctoproject.org  On
> Behalf Of Pokybuild User
> Sent: Saturday, May 6, 2023 5:33 PM
> To: yo...@lists.yoctoproject.org
> Cc: qa-build-notificat...@lists.yoctoproject.org
> Subject: [yocto] QA notification for completed autobuilder build (yocto-
> 3.1.25.rc1)
> 
> 
> A build flagged for QA (yocto-3.1.25.rc1) was completed on the autobuilder
> and is available at:
> 
> 
> https://autobuilder.yocto.io/pub/releases/yocto-3.1.25.rc1
> 
> 
> Build hash information:
> 
> 
> 
> 
> This is an automated message from the Yocto Project Autobuilder
> Git: git://git.yoctoproject.org/yocto-autobuilder2
> Email: richard.pur...@linuxfoundation.org
> 
> 
> 




Re: [OE-core] [yocto] QA notification for completed autobuilder build (yocto-4.1.4.rc1)

2023-05-07 Thread Jing Hui Tham
Hi All,
 
QA for yocto-4.1.4.rc1 is completed. This is the full report for this release:  
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults
 
=== Summary 
No high milestone defects.
 
No new issues found.
 
Thanks,
Jing Hui


> -----Original Message-----
> From: yo...@lists.yoctoproject.org  On
> Behalf Of Pokybuild User
> Sent: Sunday, April 30, 2023 3:28 AM
> To: yo...@lists.yoctoproject.org
> Cc: qa-build-notificat...@lists.yoctoproject.org
> Subject: [yocto] QA notification for completed autobuilder build (yocto-
> 4.1.4.rc1)
> 
> 
> A build flagged for QA (yocto-4.1.4.rc1) was completed on the autobuilder
> and is available at:
> 
> 
> https://autobuilder.yocto.io/pub/releases/yocto-4.1.4.rc1
> 
> 
> Build hash information:
> 
> 
> 
> 
> This is an automated message from the Yocto Project Autobuilder
> Git: git://git.yoctoproject.org/yocto-autobuilder2
> Email: richard.pur...@linuxfoundation.org
> 
> 
> 




[OE-core] [PATCH] elfutils: upgrade 0.188 -> 0.189

2023-05-07 Thread Zang Ruochen
Refresh the following patch.
0015-config-eu.am-do-not-use-Werror.patch

Remove the following patches as they have been fixed in the new version.
0001-PR29926-debuginfod-Fix-usage-of-deprecated-CURLINFO_.patch
0002-debuginfod-client-Use-CURLOPT_PROTOCOLS_STR-for-libc.patch

changelog:
Version 0.189 "Don't deflate!"

configure: eu-nm, eu-addr2line and eu-stack can provide demangled symbols
   when linked with libstdc++. Use --disable-demangler to disable.

   A new option --enable-sanitize-memory has been added for msan
   sanitizer support.

libelf: elf_compress now supports ELFCOMPRESS_ZSTD when build against
libzstd

libdwfl: dwfl_module_return_value_location now returns 0 (no return type)
 for DIEs that point to a DW_TAG_unspecified_type.

elfcompress: -t, --type= now support zstd if libelf has been build with
 ELFCOMPRESS_ZSTD support.

backends: Add support for LoongArch and Synopsys ARCv2 processors.

Signed-off-by: Zang Ruochen 
---
 .../{elfutils_0.188.bb => elfutils_0.189.bb}  |  5 +-
 ...od-Fix-usage-of-deprecated-CURLINFO_.patch | 49 ---
 ...t-Use-CURLOPT_PROTOCOLS_STR-for-libc.patch | 34 ---
 .../0015-config-eu.am-do-not-use-Werror.patch | 10 +--
 .../handle_DW_TAG_unspecified_type.patch  | 88 ---
 5 files changed, 6 insertions(+), 180 deletions(-)
 rename meta/recipes-devtools/elfutils/{elfutils_0.188.bb => elfutils_0.189.bb} 
(96%)
 delete mode 100644 
meta/recipes-devtools/elfutils/files/0001-PR29926-debuginfod-Fix-usage-of-deprecated-CURLINFO_.patch
 delete mode 100644 
meta/recipes-devtools/elfutils/files/0002-debuginfod-client-Use-CURLOPT_PROTOCOLS_STR-for-libc.patch
 delete mode 100644 
meta/recipes-devtools/elfutils/files/handle_DW_TAG_unspecified_type.patch

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.188.bb 
b/meta/recipes-devtools/elfutils/elfutils_0.189.bb
similarity index 96%
rename from meta/recipes-devtools/elfutils/elfutils_0.188.bb
rename to meta/recipes-devtools/elfutils/elfutils_0.189.bb
index 74271b2411..236f8cef92 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.188.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.189.bb
@@ -21,15 +21,12 @@ SRC_URI = 
"https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
file://0001-skip-the-test-when-gcc-not-deployed.patch \
file://ptest.patch \

file://0001-tests-Makefile.am-compile-test_nlist-with-standard-C.patch \
-   
file://0001-PR29926-debuginfod-Fix-usage-of-deprecated-CURLINFO_.patch \
-   
file://0002-debuginfod-client-Use-CURLOPT_PROTOCOLS_STR-for-libc.patch \
-   file://handle_DW_TAG_unspecified_type.patch \
"
 SRC_URI:append:libc-musl = " \
file://0003-musl-utils.patch \
file://0015-config-eu.am-do-not-use-Werror.patch \
"
-SRC_URI[sha256sum] = 
"fb8b0e8d0802005b9a309c60c1d8de32dd2951b56f0c3a3cb56d21ce01595dff"
+SRC_URI[sha256sum] = 
"39bd8f1a338e2b7cd4abc3ff11a0eddc6e690f69578a57478d8179b4148708c8"
 
 inherit autotools gettext ptest pkgconfig
 
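
Review bot: The commit message lists two patches as removed, but this SRC_URI hunk drops three: `file://handle_DW_TAG_unspecified_type.patch` is deleted as well and is not mentioned. Please add it to the list of removed patches in the commit message and say why it is no longer needed (the 0.189 changelog entry for libdwfl and DW_TAG_unspecified_type suggests the fix is upstream), so the removal can be checked against the new release.
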
diff --git 
a/meta/recipes-devtools/elfutils/files/0001-PR29926-debuginfod-Fix-usage-of-deprecated-CURLINFO_.patch
 
b/meta/recipes-devtools/elfutils/files/0001-PR29926-debuginfod-Fix-usage-of-deprecated-CURLINFO_.patch
deleted file mode 100644
index ee192e3581..00
--- 
a/meta/recipes-devtools/elfutils/files/0001-PR29926-debuginfod-Fix-usage-of-deprecated-CURLINFO_.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From d2bf497b12fbd49b4996ccf0744303ffd67735b1 Mon Sep 17 00:00:00 2001
-From: Andrew Paprocki 
-Date: Wed, 21 Dec 2022 11:15:00 -0500
-Subject: [PATCH] PR29926: debuginfod: Fix usage of deprecated CURLINFO_*
-
-The `CURLINFO_SIZE_DOWNLOAD_T` and `CURLINFO_CONTENT_LENGTH_DOWNLOAD_T`
-identifiers are `enum`s, not pre-processor definitions, so the current
-`#ifdef` logic is not selecting the newer API.  This results in the
-older identifiers being used and they now generate errors when compiled
-against Curl 7.87, which has silently deprecated them, causing GCC to
-emit `-Werror=deprecated-declarations`.
-
-Instead, the newer identifiers were added in Curl 7.55, so explicitly
-check for `CURL_AT_LEAST_VERSION(7, 55, 0)` instead of the current
-logic.  This eliminates the error when compiling against Curl 7.87.
-
-Ref: https://github.com/curl/curl/pull/1511
-
-Upstream-Status: Backport 
[https://sourceware.org/git/?p=elfutils.git;a=commit;h=d2bf497b12fbd49b4996ccf0744303ffd67735b1]
-Signed-off-by: Andrew Paprocki 

- debuginfod/debuginfod-client.c | 4 ++--
- 2 files changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/debuginfod/debuginfod-client.c b/debuginfod/debuginfod-client.c
-index 8873fcc8..692aecce 100644
 a/debuginfod/debuginfod-client.c
-+++ b/debuginfod/debuginfod-client.c
-@@ -1456,7 +1456,7 @@ debuginfod_query_server (debuginfod_client *c,
-  deflate-compressing proxies, this number is likely to be
-  unavailable, so -1 may 

[OE-core][PATCH] linux-yocto: fix missing pahole and elfutils when CONFIG_DEBUG_INFO_BTF enabled in devshell

2023-05-07 Thread Xiangyu Chen
From: Xiangyu Chen 

After enabling the kernel CONFIG_DEBUG_INFO_BTF option in devshell, make reports
errors because pahole and elfutils are missing. Since this is a debug option,
conditionally add an option named "btf" to KERNEL_DEBUG_OPTIONS: anyone who needs
to enable the CONFIG_DEBUG_INFO_BTF option in devshell can add
KERNEL_DEBUG_OPTIONS += "btf" in local.conf to solve the pahole and elfutils
dependency.

Signed-off-by: Xiangyu Chen 
---
 meta/recipes-kernel/linux/linux-yocto.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-kernel/linux/linux-yocto.inc 
b/meta/recipes-kernel/linux/linux-yocto.inc
index 934591ff1c..67d72c8c21 100644
--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -61,6 +61,8 @@ KERNEL_FEATURES:append:qemuall=" 
features/kernel-sample/kernel-sample.scc"
 
 KERNEL_DEBUG_OPTIONS ?= "stack"
 KERNEL_EXTRA_ARGS:append:x86-64 = " 
${@bb.utils.contains('KERNEL_DEBUG_OPTIONS', 'stack', 
'HOST_LIBELF_LIBS="-L${RECIPE_SYSROOT_NATIVE}/usr/lib/pkgconfig/../../../usr/lib/
 -lelf"', '', d)}"
+DEPENDS += "${@bb.utils.contains('KERNEL_DEBUG_OPTIONS', 'btf', 
'pahole-native', '', d)}"
+DEPENDS += "${@bb.utils.contains('KERNEL_DEBUG_OPTIONS', 'btf', 
'elfutils-native', '', d)}"
 
 do_devshell:prepend() {
 # setup native pkg-config variables (kconfig scripts call pkg-config 
directly, cannot generically be overriden to pkg-config-native)
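
Review bot: The default just above the two added lines is `KERNEL_DEBUG_OPTIONS ?= "stack"`, so the usage given in the commit message, `KERNEL_DEBUG_OPTIONS += "btf"` in local.conf, defines the variable before this `?=` is parsed and leaves it as ` btf`, which drops `stack` and with it the `HOST_LIBELF_LIBS` argument on x86-64. Recommend `KERNEL_DEBUG_OPTIONS:append = " btf"` in the commit message and in a comment next to the default, and consider folding the two `DEPENDS +=` lines into one `bb.utils.contains` call that returns `pahole-native elfutils-native`.
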
-- 
2.34.1





[OE-core] [PATCH][kirkstone] linux-yocto: Exclude 121 CVEs already fixed upstream

2023-05-07 Thread Yoann Congal
Exclude CVEs that are fixed in both current linux-yocto version
v5.10.175 and v5.15.108.

To get the commit fixing a CVE, I used the Debian kernel-sec repo [1].

[1]: https://salsa.debian.org/kernel-team/kernel-sec/-/commit/86d5040aee9275f9555458fcaf9cb43710dff398

Signed-off-by: Yoann Congal 
---
 meta/recipes-kernel/linux/cve-exclusion.inc | 875 
 meta/recipes-kernel/linux/linux-yocto.inc   |   3 +
 2 files changed, 878 insertions(+)
 create mode 100644 meta/recipes-kernel/linux/cve-exclusion.inc

diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc 
b/meta/recipes-kernel/linux/cve-exclusion.inc
new file mode 100644
index 00..7fd362881a
--- /dev/null
+++ b/meta/recipes-kernel/linux/cve-exclusion.inc
@@ -0,0 +1,875 @@
+# Kernel CVE exclusion file
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3759
+# Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
+# Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
+# Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
+CVE_CHECK_IGNORE += "CVE-2021-3759"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-4135
+# Patched in kernel since v5.16 481221775d53d6215a6e5e9ce1cce6d2b4ab9a46
+# Backported in version v5.4.168 699e794c12a3cd79045ff135bc87a53b97024e43
+# Backported in version v5.10.88 1a34fb9e2bf3029f7c0882069d67ff69cbd645d8
+# Backported in version v5.15.11 27358aa81a7d60e6bd36f0bb1db65cd084c2cad0
+CVE_CHECK_IGNORE += "CVE-2021-4135"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-4155
+# Patched in kernel since v5.16 983d8e60f50806f90534cc5373d0ce867e5aaf79
+# Backported in version v5.4.171 102af6edfd3a372db6e229177762a91f552e5f5e
+# Backported in version v5.10.91 16d8568378f9ee2d1e69216d39961aa72710209f
+# Backported in version v5.15.14 b0e72ba9e520b95346e68800afff0db65e766ca8
+CVE_CHECK_IGNORE += "CVE-2021-4155"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-0168
+# Patched in kernel since v5.18 b92e358757b91c2827af112cae9af513f26a3f34
+# Backported in version v5.10.110 9963ccea6087268e1275b992dca5d0dd4b938765
+# Backported in version v5.15.33 f143f8334fb9eb2f6c7c15b9da1472d9c965fd84
+CVE_CHECK_IGNORE += "CVE-2022-0168"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-0171
+# Patched in kernel since v5.18 683412ccf61294d727ead4a73d97397396e69a6b
+# Backported in version v5.10.146 a60babeb60ff276963d4756c7fd2e7bf242bb777
+# Backported in version v5.15.70 39b0235284c7aa33a64e07b825add7a2c108094a
+CVE_CHECK_IGNORE += "CVE-2022-0171"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1016
+# Patched in kernel since v5.18 4c905f6740a365464e91467aa50916555b28213d
+# Backported in version v5.4.188 06f0ff82c70241a766a811ae1acf07d6e2734dcb
+# Backported in version v5.10.109 2c74374c2e88c7b7992bf808d9f9391f7452f9d9
+# Backported in version v5.15.32 fafb904156fbb8f1dd34970cd5223e00b47c33be
+CVE_CHECK_IGNORE += "CVE-2022-1016"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1184
+# Patched in kernel since v6.1 61a1d87a324ad5e3ed27c6699dfc93218fcf3201
+# Backported in version v5.10.150 483831ad0440f62c10d1707c97ce824bd82d98ae
+# Backported in version v5.15.75 dd366295d1eca557e7a9000407ec3952f691d27b
+# Backported in version v5.19.17 edb71f055684f9023fd97e2f85c6f31380d163c1
+CVE_CHECK_IGNORE += "CVE-2022-1184"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1198
+# Patched in kernel since v5.17 efe4186e6a1b54bf38b9e05450d43b0da1fd7739
+# Backported in version v5.4.189 28c8fd84bea13cbf238d7b19d392de2fcc31331c
+# Backported in version v5.10.110 f67a1400788f550d201c71aeaf56706afe57f0da
+# Backported in version v5.15.33 3eb18f8a1d02a9462a0e4903efc674ca3d0406d1
+CVE_CHECK_IGNORE += "CVE-2022-1198"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1199
+# Patched in kernel since v5.17 71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac
+# Backported in version v5.4.185 0a64aea5fe023cf1e4973676b11f49038b1f045b
+# Backported in version v5.10.106 e2201ef32f933944ee02e59205adb566bafcdf91
+# Backported in version v5.15.29 46ad629e58ce3a88c924ff3c5a7e9129b0df5659
+CVE_CHECK_IGNORE += "CVE-2022-1199"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
+# Patched in kernel since v5.19 a501ab75e7624d133a5a3c7ec010687c8b961d23
+# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
+# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
+# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
+CVE_CHECK_IGNORE += "CVE-2022-1462"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1734
+# Patched in kernel since v5.18 d270453a0d9ec10bb8a802a142fb1b3601a83098
+# Backported in version v5.4.193 33d3e76fc7a7037f402246c824d750542e2eb37f
+# Backported in version v5.10.115 1961c5a688edb53fe3bc25cbda57f47adf12563c
+# Backported in version v5.15.39 b8f2b836e7d0a553b886654e8b3925a85862d2eb
+CVE_CHECK_IGNORE += "CVE-2022-1734"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1852
+# Patched in kernel since v5.19 fee060cd52d69c114b62d1a2948ea9648b5131f9
+# Backported in version 
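
Review bot: The header of the new cve-exclusion.inc says only `# Kernel CVE exclusion file`, and every `CVE_CHECK_IGNORE +=` below it is unconditional, so a recipe that includes this file while building a kernel older than the versions named in the commit message (v5.10.175 and v5.15.108) would have these CVEs dropped from its cve-check report without any hint. Record in the header comment which kernel versions the list was generated against and how it was produced, and consider guarding the include on the recipe's kernel version.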

Re: [OE-core][PATCH] kernel-devicetree: allow specification of dtb directory

2023-05-07 Thread Martin Jansa
or

   if "${@'true' if oe.types.boolean(d.getVar('KERNEL_DTBVENDORED')) else 'false'}"; then

to avoid test as well (like the systemd recipes are using), and I did that here as
well in:
https://git.openembedded.org/openembedded-core-contrib/commit/?h=jansa/master=e2a6da5202a6671113758f9746ddbd8141a75757

On Sun, May 7, 2023 at 10:49 PM Peter Kjellerstedt <
peter.kjellerst...@axis.com> wrote:

> [ Outlook does not support commenting inline for HTML mails, thus I’m top
> posting…]
>
>
>
> The problem is `==`, which is a bashism. POSIX shells (like dash) only
> support `=`. When it comes to quoting, you typically want to quote shell
> variables in tests in case they are empty. OTOH, static strings without
> whitespace or other special characters do not need quoting. So the correct
> way to write the if statements is:
>
>
>
>if [ "${KERNEL_DTBVENDORED}" = false ]; then
>
>
>
> (In this case it is actually a bitbake variable being quoted, but unless
> you can guarantee it is not empty, the same rule applies.)
>
>
>
> //Peter
>
>
>
> *From:* openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org> *On Behalf Of *Martin Jansa
> *Sent:* den 6 maj 2023 11:10
> *To:* r...@ti.com
> *Cc:* a...@ti.com; detheri...@ti.com; reat...@ti.com; de...@denix.org;
> alexandre.bell...@bootlin.com; openembedded-core@lists.openembedded.org
> *Subject:* Re: [OE-core][PATCH] kernel-devicetree: allow specification of
> dtb directory
>
>
>
> On Fri, May 5, 2023 at 6:38 PM Randolph Sapp via lists.openembedded.org
>  wrote:
>
> From: Randolph Sapp 
>
> Fedora/Redhat and Arch are somewhat standardized on their dtb directory
> structure. Let's add some flags to configure yocto to mimic that
> behavior.
>
> Add the following variables to the kernel class:
> - KERNEL_DTBDEST (controls the destination directory for dtbs)
> - KERNEL_DTBVENDORED (controls if vendor subdirectories are to
>   be respected)
>
> Currently KERNEL_DTBDEST is expected to be a subdir of KERNEL_IMAGEDEST
> and KERNEL_DTBVENDORED is expected to be "true"/"false". This only
> applies to the package directory structure. The deploydir structure is
> purposely left untouched for compatibility with existing recipes.
>
> By default this is configured to behave the same as the current recipe
> and produce a flat dtb directory at KERNEL_IMAGEDEST.
>
> Signed-off-by: Randolph Sapp 
> ---
>
> Well, suppose I was breaking things by submitting this to kirkstone
> first. This is just the master version of the following patchset:
> https://lists.openembedded.org/g/openembedded-core/message/180754
>
> I'd love to get that series merged as well if this patch is acceptable.
>
>  meta/classes-recipe/kernel-devicetree.bbclass | 22 ++-
>  meta/classes-recipe/kernel.bbclass|  2 ++
>  2 files changed, 19 insertions(+), 5 deletions(-)
>
> diff --git a/meta/classes-recipe/kernel-devicetree.bbclass
> b/meta/classes-recipe/kernel-devicetree.bbclass
> index 4d0ecb1032..a6c6c5f227 100644
> --- a/meta/classes-recipe/kernel-devicetree.bbclass
> +++ b/meta/classes-recipe/kernel-devicetree.bbclass
> ...
>
>
>
> -   dtb_base_name=`basename $dtb .$dtb_ext`
> dtb_path=`get_real_dtb_path_in_kernel "$dtb"`
> -   install -m 0644 $dtb_path
> ${D}/${KERNEL_IMAGEDEST}/$dtb_base_name.$dtb_ext
> +   if [ ${KERNEL_DTBVENDORED} == "false" ]; then
>
>
>
> dash doesn't like this:
>
>
>
>  /bin/dash -c "if [ false == "false" ]; then echo foo; fi"
>
>
>
> add quotes or use single '='.
>
>
>
> +   dtb_ext=${dtb##*.}
> +   dtb_base_name=`basename $dtb .$dtb_ext`
> +   dtb=$dtb_base_name.$dtb_ext
> +   fi
> +   install -Dm 0644 $dtb_path ${D}/${KERNEL_DTBDEST}/$dtb
> done
>  }
>
> @@ -88,7 +97,10 @@ do_deploy:append() {
> dtb_ext=${dtb##*.}
> dtb_base_name=`basename $dtb .$dtb_ext`
> install -d $deployDir
> -   install -m 0644
> ${D}/${KERNEL_IMAGEDEST}/$dtb_base_name.$dtb_ext
> $deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
> +   if [ ${KERNEL_DTBVENDORED} == "false" ]; then
>
>
>
> Same here
>
>
>
> +   dtb=$dtb_base_name.$dtb_ext
> +   fi
> +   install -m 0644 ${D}/${KERNEL_DTBDEST}/$dtb
> $deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
> if [ "${KERNEL_IMAGETYPE_SYMLINK}" = "1" ] ; then
> ln -sf $dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
> $deployDir/$dtb_base_name.$dtb_ext
> fi
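
Review bot: In do_deploy:append, `[ ${KERNEL_DTBVENDORED} == "false" ]` selects the flat name only for the literal string `false`; every other value, including an empty or mistyped one, falls through to the vendored path with no diagnostic, and the same test appears in the install loop above. Since the commit message limits the variable to "true"/"false", normalise it once (the boolean conversion suggested in this thread does that) or fail the task on an unexpected value.
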
>
>


[OE-core][kirkstone][PATCH] libxml2: patch CVE-2023-28484 and CVE-2023-29469

2023-05-07 Thread Peter Marko via lists.openembedded.org
Backports from:
* 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68
* 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df

Signed-off-by: Peter Marko 
---
 .../libxml/libxml2/CVE-2023-28484.patch   | 79 +++
 .../libxml/libxml2/CVE-2023-29469.patch   | 42 ++
 meta/recipes-core/libxml/libxml2_2.9.14.bb|  2 +
 3 files changed, 123 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
new file mode 100644
index 00..907f2c4d47
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
@@ -0,0 +1,79 @@
+From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Fri, 7 Apr 2023 11:46:35 +0200
+Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
+
+Fix a null pointer dereference when parsing (invalid) XML schemas.
+
+Thanks to Robby Simpson for the report!
+
+Fixes #491.
+
+CVE: CVE-2023-28484
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68]
+
+Signed-off-by: Peter Marko 
+---
+ result/schemas/issue491_0_0.err |  1 +
+ test/schemas/issue491_0.xml |  1 +
+ test/schemas/issue491_0.xsd | 18 ++
+ xmlschemas.c|  2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 result/schemas/issue491_0_0.err
+ create mode 100644 test/schemas/issue491_0.xml
+ create mode 100644 test/schemas/issue491_0.xsd
+
+diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
+new file mode 100644
+index ..9b2bb969
+--- /dev/null
 b/result/schemas/issue491_0_0.err
+@@ -0,0 +1 @@
++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : 
complex type 'ChildType': The content type of both, the type and its base type, 
must either 'mixed' or 'element-only'.
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
+new file mode 100644
+index ..e2b2fc2e
+--- /dev/null
 b/test/schemas/issue491_0.xml
+@@ -0,0 +1 @@
++http://www.test.com;>5
+diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
+new file mode 100644
+index ..81702649
+--- /dev/null
 b/test/schemas/issue491_0.xsd
+@@ -0,0 +1,18 @@
++
++http://www.w3.org/2001/XMLSchema; 
xmlns="http://www.test.com; targetNamespace="http://www.test.com; 
elementFormDefault="qualified" attributeFormDefault="unqualified">
++  
++
++  
++
++  
++  
++
++  
++
++  
++
++  
++
++  
++  
++
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 6a353858..a4eaf591 100644
+--- a/xmlschemas.c
 b/xmlschemas.c
+@@ -18632,7 +18632,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
+   "allowed to appear inside other model groups",
+   NULL, NULL);
+ 
+-  } else if (! dummySequence) {
++  } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
+   xmlSchemaTreeItemPtr effectiveContent =
+   (xmlSchemaTreeItemPtr) type->subtypes;
+   /*
+-- 
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
new file mode 100644
index 00..f60d160c49
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
@@ -0,0 +1,42 @@
+From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Fri, 7 Apr 2023 11:49:27 +0200
+Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
+ deterministic
+
+When hashing empty strings which aren't null-terminated,
+xmlDictComputeFastKey could produce inconsistent results. This could
+lead to various logic or memory errors, including double frees.
+
+For consistency the seed is also taken into account, but this shouldn't
+have an impact on security.
+
+Found by OSS-Fuzz.
+
+Fixes #510.
+
+CVE: CVE-2023-29469
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df]
+
+Signed-off-by: Peter Marko 
+---
+ dict.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 86c3f6d7..d7fd1a06 100644
+--- a/dict.c
 b/dict.c
+@@ -433,7 +433,8 @@ static unsigned long
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+ unsigned long value = seed;
+ 
+-if (name == NULL) return(0);
++if ((name == NULL) || (namelen <= 0))
++return(value);
+ value += *name;
+ value <<= 5;
+ if (namelen > 10) {
+-- 
+GitLab
+
diff --git 

[OE-core][dunfell][PATCH] libxml2: patch CVE-2023-28484 and CVE-2023-29469

2023-05-07 Thread Peter Marko via lists.openembedded.org
Backports from:
* 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68
* 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df

Signed-off-by: Peter Marko 
---
 .../libxml/libxml2/CVE-2023-28484.patch   | 79 +++
 .../libxml/libxml2/CVE-2023-29469.patch   | 42 ++
 meta/recipes-core/libxml/libxml2_2.9.10.bb|  2 +
 3 files changed, 123 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
new file mode 100644
index 00..907f2c4d47
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
@@ -0,0 +1,79 @@
+From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Fri, 7 Apr 2023 11:46:35 +0200
+Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
+
+Fix a null pointer dereference when parsing (invalid) XML schemas.
+
+Thanks to Robby Simpson for the report!
+
+Fixes #491.
+
+CVE: CVE-2023-28484
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68]
+
+Signed-off-by: Peter Marko 
+---
+ result/schemas/issue491_0_0.err |  1 +
+ test/schemas/issue491_0.xml |  1 +
+ test/schemas/issue491_0.xsd | 18 ++
+ xmlschemas.c|  2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 result/schemas/issue491_0_0.err
+ create mode 100644 test/schemas/issue491_0.xml
+ create mode 100644 test/schemas/issue491_0.xsd
+
+diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
+new file mode 100644
+index ..9b2bb969
+--- /dev/null
 b/result/schemas/issue491_0_0.err
+@@ -0,0 +1 @@
++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : 
complex type 'ChildType': The content type of both, the type and its base type, 
must either 'mixed' or 'element-only'.
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
+new file mode 100644
+index ..e2b2fc2e
+--- /dev/null
 b/test/schemas/issue491_0.xml
+@@ -0,0 +1 @@
++http://www.test.com;>5
+diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
+new file mode 100644
+index ..81702649
+--- /dev/null
 b/test/schemas/issue491_0.xsd
+@@ -0,0 +1,18 @@
++
++http://www.w3.org/2001/XMLSchema; 
xmlns="http://www.test.com; targetNamespace="http://www.test.com; 
elementFormDefault="qualified" attributeFormDefault="unqualified">
++  
++
++  
++
++  
++  
++
++  
++
++  
++
++  
++
++  
++  
++
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 6a353858..a4eaf591 100644
+--- a/xmlschemas.c
 b/xmlschemas.c
+@@ -18632,7 +18632,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
+   "allowed to appear inside other model groups",
+   NULL, NULL);
+ 
+-  } else if (! dummySequence) {
++  } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
+   xmlSchemaTreeItemPtr effectiveContent =
+   (xmlSchemaTreeItemPtr) type->subtypes;
+   /*
+-- 
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
new file mode 100644
index 00..1252668577
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
@@ -0,0 +1,42 @@
+From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Fri, 7 Apr 2023 11:49:27 +0200
+Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
+ deterministic
+
+When hashing empty strings which aren't null-terminated,
+xmlDictComputeFastKey could produce inconsistent results. This could
+lead to various logic or memory errors, including double frees.
+
+For consistency the seed is also taken into account, but this shouldn't
+have an impact on security.
+
+Found by OSS-Fuzz.
+
+Fixes #510.
+
+CVE: CVE-2023-29469
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df]
+
+Signed-off-by: Peter Marko 
+---
+ dict.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 86c3f6d7..d7fd1a06 100644
+--- a/dict.c
 b/dict.c
+@@ -451,7 +451,8 @@ static unsigned long
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+ unsigned long value = seed;
+ 
+-if (name == NULL) return(0);
++if ((name == NULL) || (namelen <= 0))
++return(value);
+ value = *name;
+ value <<= 5;
+ if (namelen > 10) {
+-- 
+GitLab
+
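
Review bot: In this 2.9.10 backport the context line right after the new early return is `value = *name;`, which overwrites the seed loaded into `value`, so empty names now hash to the seed while non-empty names ignore it; the commit text's "the seed is also taken into account" holds only for the new `return(value)`. The kirkstone version of this patch shows `value += *name;` at the same place. Add a line to the patch header saying the hunk was rebased onto different context (offset 451 here), so the difference from upstream is on record.
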
diff --git 

Re: [OE-core][PATCH] kernel-devicetree: allow specification of dtb directory

2023-05-07 Thread Peter Kjellerstedt
[ Outlook does not support commenting inline for HTML mails, thus I’m top 
posting…]

The problem is `==`, which is a bashism. POSIX shells (like dash) only support 
`=`. When it comes to quoting, you typically want to quote shell variables in 
tests in case they are empty. OTOH, static strings without whitespace or other 
special characters do not need quoting. So the correct way to write the if 
statements is:

   if [ "${KERNEL_DTBVENDORED}" = false ]; then

(In this case it is actually a bitbake variable being quoted, but unless you 
can guarantee it is not empty, the same rule applies.)

//Peter

From: openembedded-core@lists.openembedded.org 
 On Behalf Of Martin Jansa
Sent: den 6 maj 2023 11:10
To: r...@ti.com
Cc: a...@ti.com; detheri...@ti.com; reat...@ti.com; de...@denix.org; 
alexandre.bell...@bootlin.com; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] kernel-devicetree: allow specification of dtb 
directory

On Fri, May 5, 2023 at 6:38 PM Randolph Sapp via lists.openembedded.org wrote:
From: Randolph Sapp <r...@ti.com>

Fedora/Redhat and Arch are somewhat standardized on their dtb directory
structure. Let's add some flags to configure yocto to mimic that
behavior.

Add the following variables to the kernel class:
- KERNEL_DTBDEST (controls the destination directory for dtbs)
- KERNEL_DTBVENDORED (controls if vendor subdirectories are to
  be respected)

Currently KERNEL_DTBDEST is expected to be a subdir of KERNEL_IMAGEDEST
and KERNEL_DTBVENDORED is expected to be "true"/"false". This only
applies to the package directory structure. The deploydir structure is
purposely left untouched for compatibility with existing recipes.

By default this is configured to behave the same as the current recipe
and produce a flat dtb directory at KERNEL_IMAGEDEST.

Signed-off-by: Randolph Sapp <r...@ti.com>
---

Well, suppose I was breaking things by submitting this to kirkstone
first. This is just the master version of the following patchset:
https://lists.openembedded.org/g/openembedded-core/message/180754

I'd love to get that series merged as well if this patch is acceptable.

 meta/classes-recipe/kernel-devicetree.bbclass | 22 ++-
 meta/classes-recipe/kernel.bbclass|  2 ++
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/meta/classes-recipe/kernel-devicetree.bbclass 
b/meta/classes-recipe/kernel-devicetree.bbclass
index 4d0ecb1032..a6c6c5f227 100644
--- a/meta/classes-recipe/kernel-devicetree.bbclass
+++ b/meta/classes-recipe/kernel-devicetree.bbclass
...

-   dtb_base_name=`basename $dtb .$dtb_ext`
dtb_path=`get_real_dtb_path_in_kernel "$dtb"`
-   install -m 0644 $dtb_path 
${D}/${KERNEL_IMAGEDEST}/$dtb_base_name.$dtb_ext
+   if [ ${KERNEL_DTBVENDORED} == "false" ]; then

dash doesn't like this:

 /bin/dash -c "if [ false == "false" ]; then echo foo; fi"

add quotes or use single '='.

+   dtb_ext=${dtb##*.}
+   dtb_base_name=`basename $dtb .$dtb_ext`
+   dtb=$dtb_base_name.$dtb_ext
+   fi
+   install -Dm 0644 $dtb_path ${D}/${KERNEL_DTBDEST}/$dtb
done
 }
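Review bot: `[ ${KERNEL_DTBVENDORED} == "false" ]` leaves the expansion unquoted as well as using `==`, so an empty KERNEL_DTBVENDORED turns the test into `[ == "false" ]` and the shell reports an error instead of choosing a branch. Any value other than the literal false is also silently treated as vendored. Quote the expansion, use `=`, and consider failing on values other than true/false. `$dtb_path` and the `${D}/${KERNEL_DTBDEST}/$dtb` destination on the `install -Dm 0644` line are unquoted as well.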

@@ -88,7 +97,10 @@ do_deploy:append() {
dtb_ext=${dtb##*.}
dtb_base_name=`basename $dtb .$dtb_ext`
install -d $deployDir
-   install -m 0644 
${D}/${KERNEL_IMAGEDEST}/$dtb_base_name.$dtb_ext 
$deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
+   if [ ${KERNEL_DTBVENDORED} == "false" ]; then

Same here

+   dtb=$dtb_base_name.$dtb_ext
+   fi
+   install -m 0644 ${D}/${KERNEL_DTBDEST}/$dtb 
$deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext
if [ "${KERNEL_IMAGETYPE_SYMLINK}" = "1" ] ; then
ln -sf $dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext 
$deployDir/$dtb_base_name.$dtb_ext
fi
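Review bot: the new `install -m 0644 ${D}/${KERNEL_DTBDEST}/$dtb` line still writes to `$deployDir/$dtb_base_name-${KERNEL_DTB_NAME}.$dtb_ext`, so when vendor subdirectories are kept, two device trees with the same file name under different vendor directories map to the same deploy path and the later one overwrites the earlier. The commit message says the deploydir layout is deliberately unchanged; either state there that base names must stay unique or detect the collision before installing. The `==` test in this hunk needs the same fix as the one in the hunk above.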

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#181008): 
https://lists.openembedded.org/g/openembedded-core/message/181008
-=-=-=-=-=-=-=-=-=-=-=-
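The rule from the reply above (POSIX `=` plus a quoted variable), as an added shell example that is not part of the thread or the patch. `dtb_pkg_name` and `unquoted_test_status` are hypothetical helper names, and the true/false validation is an assumption about how the variable should be constrained.

```shell
# Added example, not code from the patch. Function names are hypothetical.

# Name a device tree gets below KERNEL_DTBDEST.
#   $1  dtb as listed in KERNEL_DEVICETREE (may carry a vendor subdirectory)
#   $2  value of KERNEL_DTBVENDORED, expected to be "true" or "false"
# Assigns plain globals because POSIX sh has no "local"; call it in $( ).
dtb_pkg_name() {
    dtb=$1
    vendored=$2
    case "$vendored" in
        true|false) ;;
        *)  echo "KERNEL_DTBVENDORED must be true or false, got '$vendored'" >&2
            return 2 ;;
    esac
    # POSIX "=" and a quoted variable: works in dash and with an empty value.
    if [ "$vendored" = false ]; then
        dtb_ext=${dtb##*.}
        dtb_base_name=$(basename "$dtb" ".$dtb_ext")
        dtb=$dtb_base_name.$dtb_ext
    fi
    printf '%s\n' "$dtb"
}

# Exit status of the test with the variable left unquoted, for comparison.
# "=" is used so that quoting is the only difference from the form above.
unquoted_test_status() {
    v=$1
    status=0
    # shellcheck disable=SC2086  # unquoted on purpose
    ( [ $v = false ] ) 2>/dev/null || status=$?
    echo "$status"
}
```

With an empty value the unquoted form collapses to `[ = false ]` and returns a non-zero error status, while `dtb_pkg_name` rejects the value with its own message.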



[OE-core] OE-core CVE metrics for langdale on Sun 07 May 2023 04:00:01 AM HST

2023-05-07 Thread Steve Sakoman
Branch: langdale

New this week: 5 CVEs
CVE-2023-1255 (CVSS3: 5.9 MEDIUM): openssl:openssl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1255 *
CVE-2023-25652 (CVSS3: 7.5 HIGH): git 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25652 *
CVE-2023-28484 (CVSS3: 6.5 MEDIUM): libxml2:libxml2-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28484 *
CVE-2023-29007 (CVSS3: 7.8 HIGH): git 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29007 *
CVE-2023-29469 (CVSS3: 6.5 MEDIUM): libxml2:libxml2-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29469 *

Removed this week: 0 CVEs

Full list:  Found 50 unpatched CVEs
CVE-2020-10735 (CVSS3: 7.5 HIGH): python3:python3-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10735 *
CVE-2022-3219 (CVSS3: 5.5 MEDIUM): gnupg:gnupg-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
CVE-2022-3515 (CVSS3: 9.8 CRITICAL): gnupg:gnupg-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3515 *
CVE-2022-37454 (CVSS3: 9.8 CRITICAL): python3:python3-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37454 *
CVE-2022-3872 (CVSS3: 8.6 HIGH): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3872 *
CVE-2022-3964 (CVSS3: 8.1 HIGH): ffmpeg 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3964 *
CVE-2022-3965 (CVSS3: 8.1 HIGH): ffmpeg 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3965 *
CVE-2022-42919 (CVSS3: 7.8 HIGH): python3:python3-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42919 *
CVE-2022-44370 (CVSS3: 7.8 HIGH): nasm:nasm-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-44370 *
CVE-2022-44617 (CVSS3: 7.5 HIGH): libxpm 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-44617 *
CVE-2022-45061 (CVSS3: 7.5 HIGH): python3:python3-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-45061 *
CVE-2022-46285 (CVSS3: 7.5 HIGH): libxpm 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46285 *
CVE-2022-4645 (CVSS3: 5.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4645 *
CVE-2022-46908 (CVSS3: 7.3 HIGH): sqlite3:sqlite3-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46908 *
CVE-2022-4743 (CVSS3: 7.5 HIGH): libsdl2:libsdl2-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4743 *
CVE-2022-4883 (CVSS3: 8.8 HIGH): libxpm 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4883 *
CVE-2023-0664 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0664 *
CVE-2023-1255 (CVSS3: 5.9 MEDIUM): openssl:openssl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1255 *
CVE-2023-1544 (CVSS3: 6.3 MEDIUM): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1544 *
CVE-2023-1579 (CVSS3: 7.8 HIGH): 
binutils:binutils-cross-testsuite:binutils-cross-x86_64 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1579 *
CVE-2023-1916 (CVSS3: 6.1 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1916 *
CVE-2023-2004 (CVSS3: 7.5 HIGH): freetype:freetype-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2004 *
CVE-2023-23914 (CVSS3: 9.1 CRITICAL): curl:curl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23914 *
CVE-2023-23915 (CVSS3: 6.5 MEDIUM): curl:curl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23915 *
CVE-2023-23916 (CVSS3: 6.5 MEDIUM): curl:curl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23916 *
CVE-2023-24329 (CVSS3: 7.5 HIGH): python3:python3-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24329 *
CVE-2023-24534 (CVSS3: 7.5 HIGH): go 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24534 *
CVE-2023-24536 (CVSS3: 7.5 HIGH): go 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24536 *
CVE-2023-24537 (CVSS3: 7.5 HIGH): go 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24537 *
CVE-2023-24538 (CVSS3: 9.8 CRITICAL): go 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24538 *
CVE-2023-25358 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25358 *
CVE-2023-25360 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25360 *
CVE-2023-25361 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25361 *
CVE-2023-25362 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25362 *
CVE-2023-25363 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25363 *
CVE-2023-25652 (CVSS3: 7.5 HIGH): git 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25652 *
CVE-2023-27043 (CVSS3: 5.3 MEDIUM): python3:python3-native 

[OE-core] OE-core CVE metrics for kirkstone on Sun 07 May 2023 03:00:01 AM HST

2023-05-07 Thread Steve Sakoman
Branch: kirkstone

New this week: 5 CVEs
CVE-2023-1255 (CVSS3: 5.9 MEDIUM): openssl:openssl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1255 *
CVE-2023-25652 (CVSS3: 7.5 HIGH): git 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25652 *
CVE-2023-28484 (CVSS3: 6.5 MEDIUM): libxml2:libxml2-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28484 *
CVE-2023-29007 (CVSS3: 7.8 HIGH): git 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29007 *
CVE-2023-29469 (CVSS3: 6.5 MEDIUM): libxml2:libxml2-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29469 *

Removed this week: 7 CVEs
CVE-2022-44370 (CVSS3: 7.8 HIGH): nasm:nasm-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-44370 *
CVE-2022-44617 (CVSS3: 7.5 HIGH): libxpm 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-44617 *
CVE-2022-46285 (CVSS3: 7.5 HIGH): libxpm 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46285 *
CVE-2022-4883 (CVSS3: 8.8 HIGH): libxpm 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4883 *
CVE-2023-0664 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0664 *
CVE-2023-1393 (CVSS3: 7.8 HIGH): xserver-xorg 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1393 *
CVE-2023-28879 (CVSS3: 9.8 CRITICAL): ghostscript:ghostscript-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28879 *

Full list:  Found 33 unpatched CVEs
CVE-2021-35937 (CVSS3: 6.4 MEDIUM): rpm:rpm-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35937 *
CVE-2021-35938 (CVSS3: 6.7 MEDIUM): rpm:rpm-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35938 *
CVE-2021-35939 (CVSS3: 6.7 MEDIUM): rpm:rpm-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35939 *
CVE-2022-3219 (CVSS3: 5.5 MEDIUM): gnupg:gnupg-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
CVE-2022-3515 (CVSS3: 9.8 CRITICAL): gnupg:gnupg-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3515 *
CVE-2022-3553 (CVSS3: 6.5 MEDIUM): xserver-xorg 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3553 *
CVE-2022-3872 (CVSS3: 8.6 HIGH): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3872 *
CVE-2022-3964 (CVSS3: 8.1 HIGH): ffmpeg 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3964 *
CVE-2022-3965 (CVSS3: 8.1 HIGH): ffmpeg 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3965 *
CVE-2022-4055 (CVSS3: 7.4 HIGH): xdg-utils 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4055 *
CVE-2022-48434 (CVSS3: 8.1 HIGH): ffmpeg 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-48434 *
CVE-2023-0795 (CVSS3: 5.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0795 *
CVE-2023-0796 (CVSS3: 5.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0796 *
CVE-2023-0797 (CVSS3: 5.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0797 *
CVE-2023-0798 (CVSS3: 5.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0798 *
CVE-2023-0799 (CVSS3: 5.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0799 *
CVE-2023-1255 (CVSS3: 5.9 MEDIUM): openssl:openssl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1255 *
CVE-2023-1544 (CVSS3: 6.3 MEDIUM): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1544 *
CVE-2023-1916 (CVSS3: 6.1 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1916 *
CVE-2023-2004 (CVSS3: 7.5 HIGH): freetype:freetype-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2004 *
CVE-2023-24532 (CVSS3: 5.3 MEDIUM): go 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24532 *
CVE-2023-24534 (CVSS3: 7.5 HIGH): go 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24534 *
CVE-2023-24536 (CVSS3: 7.5 HIGH): go 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24536 *
CVE-2023-24538 (CVSS3: 9.8 CRITICAL): go 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24538 *
CVE-2023-25652 (CVSS3: 7.5 HIGH): git 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25652 *
CVE-2023-27043 (CVSS3: 5.3 MEDIUM): python3:python3-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-27043 *
CVE-2023-28484 (CVSS3: 6.5 MEDIUM): libxml2:libxml2-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28484 *
CVE-2023-28488 (CVSS3: 6.5 MEDIUM): connman 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28488 *
CVE-2023-28531 (CVSS3: 9.8 CRITICAL): openssh 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28531 *
CVE-2023-29007 (CVSS3: 7.8 HIGH): git 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29007 *
CVE-2023-29469 (CVSS3: 6.5 MEDIUM): libxml2:libxml2-native 

[OE-core] OE-core CVE metrics for dunfell on Sun 07 May 2023 02:00:01 AM HST

2023-05-07 Thread Steve Sakoman
Branch: dunfell

New this week: 4 CVEs
CVE-2023-25652 (CVSS3: 7.5 HIGH): git 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25652 *
CVE-2023-28484 (CVSS3: 6.5 MEDIUM): libxml2:libxml2-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28484 *
CVE-2023-29007 (CVSS3: 7.8 HIGH): git 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29007 *
CVE-2023-29469 (CVSS3: 6.5 MEDIUM): libxml2:libxml2-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29469 *

Removed this week: 11 CVEs
CVE-2022-1705 (CVSS3: 6.5 MEDIUM): go:go-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1705 *
CVE-2023-0464 (CVSS3: 7.5 HIGH): openssl:openssl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0464 *
CVE-2023-0465 (CVSS3: 5.3 MEDIUM): openssl:openssl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0465 *
CVE-2023-0466 (CVSS3: 5.3 MEDIUM): openssl:openssl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0466 *
CVE-2023-0664 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0664 *
CVE-2023-24534 (CVSS3: 7.5 HIGH): go:go-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24534 *
CVE-2023-27533 (CVSS3: 8.8 HIGH): curl:curl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-27533 *
CVE-2023-27535 (CVSS3: 7.5 HIGH): curl:curl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-27535 *
CVE-2023-27536 (CVSS3: 9.8 CRITICAL): curl:curl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-27536 *
CVE-2023-28486 (CVSS3: 5.3 MEDIUM): sudo 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28486 *
CVE-2023-28487 (CVSS3: 5.3 MEDIUM): sudo 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28487 *

Full list:  Found 91 unpatched CVEs
CVE-2020-15705 (CVSS3: 6.4 MEDIUM): grub:grub-efi:grub-efi-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15705 *
CVE-2020-25742 (CVSS3: 3.2 LOW): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25742 *
CVE-2020-25743 (CVSS3: 3.2 LOW): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25743 *
CVE-2020-27749 (CVSS3: 6.7 MEDIUM): grub:grub-efi:grub-efi-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27749 *
CVE-2020-27918 (CVSS3: 7.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27918 *
CVE-2020-29623 (CVSS3: 3.3 LOW): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29623 *
CVE-2020-35503 (CVSS3: 6.0 MEDIUM): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35503 *
CVE-2020-35506 (CVSS3: 6.7 MEDIUM): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35506 *
CVE-2020-9948 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9948 *
CVE-2020-9951 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9951 *
CVE-2020-9952 (CVSS3: 7.1 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9952 *
CVE-2021-1765 (CVSS3: 6.5 MEDIUM): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1765 *
CVE-2021-1789 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1789 *
CVE-2021-1799 (CVSS3: 6.5 MEDIUM): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1799 *
CVE-2021-1801 (CVSS3: 6.5 MEDIUM): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1801 *
CVE-2021-1870 (CVSS3: 9.8 CRITICAL): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1870 *
CVE-2021-20225 (CVSS3: 6.7 MEDIUM): grub:grub-efi:grub-efi-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20225 *
CVE-2021-20233 (CVSS3: 8.2 HIGH): grub:grub-efi:grub-efi-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20233 *
CVE-2021-20269 (CVSS3: 5.5 MEDIUM): kexec-tools 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20269 *
CVE-2021-20295 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20295 *
CVE-2021-27097 (CVSS3: 7.8 HIGH): u-boot 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27097 *
CVE-2021-27138 (CVSS3: 7.8 HIGH): u-boot 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27138 *
CVE-2021-31879 (CVSS3: 6.1 MEDIUM): wget 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31879 *
CVE-2021-3418 (CVSS3: 6.4 MEDIUM): grub:grub-efi:grub-efi-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3418 *
CVE-2021-3445 (CVSS3: 7.5 HIGH): libdnf 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3445 *
CVE-2021-35937 (CVSS3: 6.4 MEDIUM): rpm:rpm-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35937 *

[OE-core] OE-core CVE metrics for master on Sun 07 May 2023 01:00:01 AM HST

2023-05-07 Thread Steve Sakoman
Branch: master

New this week: 7 CVEs
CVE-2023-1255 (CVSS3: 5.9 MEDIUM): openssl:openssl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1255 *
CVE-2023-1998 (CVSS3: 5.6 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1998 *
CVE-2023-2235 (CVSS3: 7.8 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2235 *
CVE-2023-2248 (CVSS3: 7.8 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2248 *
CVE-2023-25652 (CVSS3: 7.5 HIGH): git 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25652 *
CVE-2023-29007 (CVSS3: 7.8 HIGH): git 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29007 *
CVE-2023-31436 (CVSS3: 7.8 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-31436 *

Removed this week: 6 CVEs
CVE-2023-0330 (CVSS3: 6.0 MEDIUM): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0330 *
CVE-2023-0664 (CVSS3: 7.8 HIGH): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0664 *
CVE-2023-1544 (CVSS3: 6.3 MEDIUM): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1544 *
CVE-2023-28488 (CVSS3: 6.5 MEDIUM): connman 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28488 *
CVE-2023-28879 (CVSS3: 9.8 CRITICAL): ghostscript:ghostscript-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28879 *
CVE-2023-30630 (CVSS3: 7.8 HIGH): dmidecode 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30630 *

Full list:  Found 42 unpatched CVEs
CVE-2021-3714 (CVSS3: 7.5 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 *
CVE-2021-3864 (CVSS3: 7.0 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 *
CVE-2022-0400 (CVSS3: 7.5 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 *
CVE-2022-1247 (CVSS3: 7.0 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 *
CVE-2022-3219 (CVSS3: 5.5 MEDIUM): gnupg:gnupg-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
CVE-2022-3533 (CVSS3: 5.7 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3533 *
CVE-2022-3606 (CVSS3: 5.5 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3606 *
CVE-2022-36402 (CVSS3: 5.5 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36402 *
CVE-2022-38096 (CVSS3: 5.5 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 *
CVE-2022-44370 (CVSS3: 7.8 HIGH): nasm:nasm-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-44370 *
CVE-2022-4543 (CVSS3: 5.5 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 *
CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *
CVE-2022-48425 (CVSS3: 7.8 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-48425 *
CVE-2023-0465 (CVSS3: 5.3 MEDIUM): openssl:openssl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0465 *
CVE-2023-0466 (CVSS3: 5.3 MEDIUM): openssl:openssl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0466 *
CVE-2023-0615 (CVSS3: 5.5 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0615 *
CVE-2023-1255 (CVSS3: 5.9 MEDIUM): openssl:openssl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1255 *
CVE-2023-1380 (CVSS3: 7.1 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1380 *
CVE-2023-1611 (CVSS3: 6.3 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1611 *
CVE-2023-1855 (CVSS3: 6.3 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1855 *
CVE-2023-1916 (CVSS3: 6.1 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1916 *
CVE-2023-1989 (CVSS3: 7.0 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1989 *
CVE-2023-1990 (CVSS3: 4.7 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1990 *
CVE-2023-1998 (CVSS3: 5.6 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1998 *
CVE-2023-2162 (CVSS3: 5.5 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2162 *
CVE-2023-2194 (CVSS3: 6.7 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2194 *
CVE-2023-2235 (CVSS3: 7.8 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2235 *
CVE-2023-2248 (CVSS3: 7.8 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2248 *
CVE-2023-23039 (CVSS3: 5.7 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23039 *
CVE-2023-24532 (CVSS3: 5.3 MEDIUM): 

[OE-core] [PATCH] qemu: Update ppc instruction fix to match revised upstream version

2023-05-07 Thread Richard Purdie
Upstream asked for some changes, this updates our patch to match. The differences
likely don't change our real world use.

Signed-off-by: Richard Purdie 
---
 meta/recipes-devtools/qemu/qemu/ppc.patch | 127 +-
 1 file changed, 102 insertions(+), 25 deletions(-)

diff --git a/meta/recipes-devtools/qemu/qemu/ppc.patch 
b/meta/recipes-devtools/qemu/qemu/ppc.patch
index ade1daf61ff..1fe6a3b4139 100644
--- a/meta/recipes-devtools/qemu/qemu/ppc.patch
+++ b/meta/recipes-devtools/qemu/qemu/ppc.patch
@@ -1,70 +1,147 @@
-target/ppc: Fix fallback to MFSS for MFFSCRN, MFFSCRNI, MFFSCE and MFFSL
+From d92b63b7d15d4fd202c5802dfe444a96f5d8109c Mon Sep 17 00:00:00 2001
+From: Richard Purdie 
+Date: Sat, 6 May 2023 07:42:35 +0100
+Cc: Víctor Colombo 
+Cc: Matheus Ferst 
+Cc: Daniel Henrique Barboza 
+Cc: Richard Henderson 
+Subject: [PATCH v2] target/ppc: Fix fallback to MFSS for MFFS* instructions on
+ pre 3.0 ISAs
 
-The following commits changed the code such that these instructions became 
invalid
-on pre 3.0 ISAs:
+The following commits changed the code such that the fallback to MFSS for 
MFFSCRN,
+MFFSCRNI, MFFSCE and MFFSL on pre 3.0 ISAs was removed and became an illegal 
instruction:
 
-  bf8adfd88b547680aa857c46098f3a1e94373160 - target/ppc: Move mffscrn[i] to 
decodetree 
+  bf8adfd88b547680aa857c46098f3a1e94373160 - target/ppc: Move mffscrn[i] to 
decodetree
   394c2e2fda70da722f20fb60412d6c0ca4bfaa03 - target/ppc: Move mffsce to 
decodetree
-  3e5bce70efe6bd1f684efbb21fd2a316cbf0657e - target/ppc: Move mffsl to 
decodetree 
+  3e5bce70efe6bd1f684efbb21fd2a316cbf0657e - target/ppc: Move mffsl to 
decodetree
 
 The hardware will handle them as a MFFS instruction as the code did previously.
-Restore that behaviour. This means applications that were segfaulting under 
qemu 
-when encountering these instructions now operate correctly. The instruction
-is used in glibc libm functions for example.
+This means applications that were segfaulting under qemu when encountering 
these
+instructions which is used in glibc libm functions for example.
 
-Upstream-Status: Submitted 
[https://lore.kernel.org/qemu-devel/20230504110150.3044402-1-richard.pur...@linuxfoundation.org/]
+The fallback for MFFSCDRN and MFFSCDRNI added in a later patch was also 
missing.
+
+This patch restores the fallback to MFSS for these instructions on pre 3.0s 
ISAs
+as the hardware decoder would, fixing the segfaulting libm code. It and also 
ensures
+the MFSS instruction is used for currently reserved bits to handle other 
potential
+ISA additions more correctly.
+
+Upstream-Status: Submitted 
[https://lore.kernel.org/qemu-devel/20230506065240.3177798-1-richard.pur...@linuxfoundation.org/]
 
 Signed-off-by: Richard Purdie 
+---
+ target/ppc/insn32.decode   | 19 ---
+ target/ppc/translate/fp-impl.c.inc | 30 --
+ 2 files changed, 36 insertions(+), 13 deletions(-)
 
-Index: qemu-8.0.0/target/ppc/translate/fp-impl.c.inc
-===
 qemu-8.0.0.orig/target/ppc/translate/fp-impl.c.inc
-+++ qemu-8.0.0/target/ppc/translate/fp-impl.c.inc
-@@ -584,7 +584,10 @@ static bool trans_MFFSCE(DisasContext *c
+v2 - switch to use decodetree pattern groups per feedback
+
+diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode
+index f8f589e9fd..3c4e2c2fc2 100644
+--- a/target/ppc/insn32.decode
 b/target/ppc/insn32.decode
+@@ -390,13 +390,18 @@ SETNBCR 01 . . - 00 -   
@X_bi
+ 
+ ### Move To/From FPSCR
+ 
+-MFFS11 . 0 - 1001000111 .   @X_t_rc
+-MFFSCE  11 . 1 - 1001000111 -   @X_t
+-MFFSCRN 11 . 10110 . 1001000111 -   @X_tb
+-MFFSCDRN11 . 10100 . 1001000111 -   @X_tb
+-MFFSCRNI11 . 10111 ---.. 1001000111 -   @X_imm2
+-MFFSCDRNI   11 . 10101 --... 1001000111 -   @X_imm3
+-MFFSL   11 . 11000 - 1001000111 -   @X_t
++{ 
++  # Before Power ISA v3.0, MFFS bits 11~15 were reserved and should be ignored
++  [
++MFFSCE  11 . 1 - 1001000111 -   @X_t
++MFFSCRN 11 . 10110 . 1001000111 -   @X_tb
++MFFSCDRN11 . 10100 . 1001000111 -   @X_tb
++MFFSCRNI11 . 10111 ---.. 1001000111 -   @X_imm2
++MFFSCDRNI   11 . 10101 --... 1001000111 -   @X_imm3
++MFFSL   11 . 11000 - 1001000111 -   @X_t
++  ]
++  MFFS11 . - - 1001000111 .   @X_t_rc
++}
+ 
+ ### Decimal Floating-Point Arithmetic Instructions
+ 
+diff --git a/target/ppc/translate/fp-impl.c.inc 
b/target/ppc/translate/fp-impl.c.inc
+index 57d8437851..10dfd91aa4 100644
+--- a/target/ppc/translate/fp-impl.c.inc
 b/target/ppc/translate/fp-impl.c.inc
+@@ -584,7 +584,10 @@ static bool trans_MFFSCE(DisasContext *ctx, arg_X_t *a)
  {
  TCGv_i64 fpscr;
  
 -
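Review bot: the rewritten patch header spells the fallback instruction "MFSS" in the new Subject and in the new body paragraphs, while the line it keeps ("handle them as a MFFS instruction") and the decodetree pattern `MFFS` use the real mnemonic; make it MFFS throughout. In the same header, the sentence "This means applications that were segfaulting under qemu when encountering these instructions which is used in glibc libm functions for example." lost its main verb in the edit, and "It and also ensures" and "pre 3.0s ISAs" need fixing so the text matches what is submitted upstream as v2.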

[oe-core][kirkstone][PATCH 1/1] git: fix CVE-2023-25652

2023-05-07 Thread Polampalli, Archana via lists.openembedded.org
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding
specially crafted input to `git apply --reject`, a path outside the working
tree can be overwritten with partially controlled contents (corresponding to
the rejected hunk(s) from the given patch). A fix is available in versions
2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3,
and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when
applying patches from an untrusted source. Use `git apply --stat` to inspect a
patch before applying; avoid applying one that creates a conflict where a link
corresponding to the `*.rej` file exists.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25652

Upstream patches:
https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b

Signed-off-by: Archana Polampalli 
---
 .../git/git/CVE-2023-25652.patch  | 94 +++
 meta/recipes-devtools/git/git_2.35.7.bb   |  1 +
 2 files changed, 95 insertions(+)
 create mode 100644 meta/recipes-devtools/git/git/CVE-2023-25652.patch

diff --git a/meta/recipes-devtools/git/git/CVE-2023-25652.patch 
b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
new file mode 100644
index 00..825701eaff
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
@@ -0,0 +1,94 @@
+From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin 
+Date: Thu Mar 9 16:02:54 2023 +0100
+Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
+ exists
+
+   The `git apply --reject` is expected to write out `.rej` files in case
+   one or more hunks fail to apply cleanly. Historically, the command
+   overwrites any existing `.rej` files. The idea being that
+   apply/reject/edit cycles are relatively common, and the generated `.rej`
+   files are not considered precious.
+
+But the command does not overwrite existing `.rej` symbolic links, and
+instead follows them. This is unsafe because the same patch could
+potentially create such a symbolic link and point at arbitrary paths
+outside the current worktree, and `git apply` would write the contents
+of the `.rej` file into that location.
+
+Therefore, let's make sure that any existing `.rej` file or symbolic
+link is removed before writing it.
+
+Reported-by: RyotaK 
+Helped-by: Taylor Blau 
+Helped-by: Junio C Hamano 
+Helped-by: Linus Torvalds 
+Signed-off-by: Johannes Schindelin 
+
+CVE: CVE-2023-25652
+Upstream-Status: Backport 
[https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
+
+Signed-off-by: Archana Polampalli 
+---
+ apply.c  | 14 --
+ t/t4115-apply-symlink.sh | 15 +++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/apply.c b/apply.c
+index fc6f484..47f2686 100644
+--- a/apply.c
 b/apply.c
+@@ -4584,7 +4584,7 @@ static int write_out_one_reject(struct apply_state 
*state, struct patch *patch)
+   FILE *rej;
+   char namebuf[PATH_MAX];
+   struct fragment *frag;
+-  int cnt = 0;
++  int fd, cnt = 0;
+   struct strbuf sb = STRBUF_INIT;
+
+   for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
+@@ -4624,7 +4624,17 @@ static int write_out_one_reject(struct apply_state 
*state, struct patch *patch)
+   memcpy(namebuf, patch->new_name, cnt);
+   memcpy(namebuf + cnt, ".rej", 5);
+
+-  rej = fopen(namebuf, "w");
++  fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++  if (fd < 0) {
++  if (errno != EEXIST)
++  return error_errno(_("cannot open %s"), namebuf);
++  if (unlink(namebuf))
++  return error_errno(_("cannot unlink '%s'"), namebuf);
++  fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++  if (fd < 0)
++  return error_errno(_("cannot open %s"), namebuf);
++  }
++  rej = fdopen(fd, "w");
+   if (!rej)
+   return error_errno(_("cannot open %s"), namebuf);
+
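Review bot: in the second `write_out_one_reject` hunk the descriptor returned by `open()` is not closed when `fdopen(fd, "w")` fails; the `if (!rej)` branch returns with `fd` still open. A `close(fd)` before that `return error_errno(...)` would fix it. Since the patch is marked Upstream-Status: Backport, raise this upstream rather than diverging in the backport.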
+diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
+index 65ac7df..e95e6d4 100755
+--- a/t/t4115-apply-symlink.sh
 b/t/t4115-apply-symlink.sh
+@@ -126,4 +126,19 @@ test_expect_success SYMLINKS 'symlink escape when 
deleting file' '
+   test_path_is_file .git/delete-me
+ '
+
++test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
++  test_when_finished "git reset --hard && git clean -dfx" &&
++
++  test_commit file &&
++  echo modified >file.t &&
++  git diff -- file.t >patch &&
++  echo modified-again >file.t &&
++
++  ln -s foo file.t.rej &&
++  test_must_fail git apply patch --reject 2>err &&
++  test_i18ngrep "Rejected hunk" err &&
++  test_path_is_missing foo &&
++  test_path_is_file file.t.rej
++'
++
+ 
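
Review bot: the new test only covers a dangling link, since `ln -s foo file.t.rej` points at a `foo` that is never created, so it shows that the target does not get created but not that an existing target is left untouched. A second case that writes known content to `foo` before `git apply patch --reject` and compares it afterwards would also cover writing through the link into an existing file.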

[oe-core][kirkstone][PATCH 1/1] git: fix CVE-2023-29007

2023-05-07 Thread Polampalli, Archana via lists.openembedded.org
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8,
2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
`.gitmodules` file with submodule URLs that are longer than 1024 characters can be used
to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug
can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when
attempting to remove the configuration section associated with that submodule. When the
attacker injects configuration values which specify executables to run (such as
`core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code
execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8,
2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running
`git submodule deinit` on untrusted repositories or without prior inspection of any
submodule sections in `$GIT_DIR/config`.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29007

Upstream patches:
https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8
https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a
https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d
https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a

Signed-off-by: Archana Polampalli 
---
 .../git/git/CVE-2023-29007.patch  | 162 ++
 meta/recipes-devtools/git/git_2.35.7.bb   |   1 +
 2 files changed, 163 insertions(+)
 create mode 100644 meta/recipes-devtools/git/git/CVE-2023-29007.patch

diff --git a/meta/recipes-devtools/git/git/CVE-2023-29007.patch 
b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
new file mode 100644
index 00..472f4022b2
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
@@ -0,0 +1,162 @@
+From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001
+From: Taylor Blau 
+Date: Fri, 14 Apr 2023 11:46:59 -0400
+Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection'
+
+Avoids issues with renaming or deleting sections with long lines, where
+configuration values may be interpreted as sections, leading to
+configuration injection. Addresses CVE-2023-29007.
+
+* tb/config-copy-or-rename-in-file-injection:
+  config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
+  config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
+  config: avoid fixed-sized buffer when renaming/deleting a section
+  t1300: demonstrate failure when renaming sections with long lines
+
+Signed-off-by: Taylor Blau 
+
+Upstream-Status: Backport
+CVE: CVE-2023-29007
+
+Reference to upstream patch:
+https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
+
+Signed-off-by: Archana Polampalli 
+---
+ config.c  | 36 +---
+ t/t1300-config.sh | 30 ++
+ 2 files changed, 55 insertions(+), 11 deletions(-)
+
+diff --git a/config.c b/config.c
+index 2bffa8d..6a01938 100644
+--- a/config.c
 b/config.c
+@@ -3192,9 +3192,10 @@ void git_config_set_multivar(const char *key, const 
char *value,
+   flags);
+ }
+
+-static int section_name_match (const char *buf, const char *name)
++static size_t section_name_match (const char *buf, const char *name)
+ {
+-  int i = 0, j = 0, dot = 0;
++  size_t i = 0, j = 0;
++  int dot = 0;
+   if (buf[i] != '[')
+   return 0;
+   for (i = 1; buf[i] && buf[i] != ']'; i++) {
+@@ -3247,6 +3248,8 @@ static int section_name_is_ok(const char *name)
+   return 1;
+ }
+
++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
++
+ /* if new_name == NULL, the section is removed instead */
+ static int git_config_copy_or_rename_section_in_file(const char 
*config_filename,
+ const char *old_name,
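
Review bot: `GIT_CONFIG_MAX_LINE_LEN` is introduced without any comment. Next to the `#define`, state that it is the longest line `git_config_copy_or_rename_section_in_file()` will accept, why 512 KiB was chosen, and what happens when a line exceeds it; the existing comment directly below only covers the `new_name == NULL` case.
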
+@@ -3256,11 +3259,12 @@ static int 
git_config_copy_or_rename_section_in_file(const char *config_filename
+   char *filename_buf = NULL;
+   struct lock_file lock = LOCK_INIT;
+   int out_fd;
+-  char buf[1024];
++  struct strbuf buf = STRBUF_INIT;
+   FILE *config_file = NULL;
+   struct stat st;
+   struct strbuf copystr = STRBUF_INIT;
+   struct config_store_data store;
++  uint32_t line_nr = 0;
+
+   memset(, 0, sizeof(store));
+
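
Review bot: `buf` changes from a stack array to `struct strbuf buf = STRBUF_INIT`, which allocates as lines are read, so every exit from the function now needs a `strbuf_release()` on it, and nothing in this hunk shows one; check that the cleanup reached by `goto out` releases `buf`. A smaller point: `line_nr` is declared `uint32_t` while the other counters touched by this patch move to `size_t`, so a word on why the line counter gets a fixed-width type would help.
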
+@@ -3297,16 +3301,25 @@ static int 
git_config_copy_or_rename_section_in_file(const char *config_filename
+   goto out;
+   }
+
+-  while (fgets(buf, sizeof(buf), config_file)) {
+-  unsigned i;
+-  int length;
++  while (!strbuf_getwholeline(, config_file, '\n')) {
++  size_t i, length;
+   int is_section = 0;
+-  char *output = buf;
+-  for (i = 0; buf[i] && isspace(buf[i]); i++)