[OE-core][kirkstone 8/8] package.bbclass: moving field data process before variable process in process_pkgconfig

[Steve Sakoman]

From: Xiangyu Chen 

Currently, the latest version abseil-cpp contains a new library named 
"absl_log_internal_format", it's
basic package config(.pc file) as below:

prefix=/usr
exec_prefix=${prefix}

..

Requires: absl_config = 20230125, absl_core_headers = 20230125, 
absl_log_internal_append_truncated = 20230125,
absl_log_internal_config = 20230125, absl_log_internal_globals = 20230125, 
absl_log_severity = 20230125,
absl_strings = 20230125, absl_str_format = 20230125, absl_time = 20230125, 
absl_span = 20230125
..

Normally, the process_pkgconfig() would process variable data before field data 
in a .pc file, but in the
absl_log_internal_format, the field data in "Requires" section contains " = 
" format, the
process_pkgconfig() treats them as normal variable and using the setVar() in 
bitbake's data_smart.py
try to process. The absl_log_internal_format field data contains "_append_", 
this hit the setVar() checking
and finally bitbake stop building and reporting an error as below:

"Variable xxx contains an operation using the old override syntax. Please 
convert this layer/metadata before attempting to use with a newer bitbake."

This patch move the field data process before variable process to avoid the 
process_pkgconfig() treat the field
data as variable.

Signed-off-by: Xiangyu Chen 
(cherry picked from commit a73e269d3e591a10bb397b94b82e3fb960112d33)
Signed-off-by: Clément Péron 
Signed-off-by: Steve Sakoman 
---
 meta/classes/package.bbclass | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index fed2f5531d..67351b2510 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -2178,18 +2178,18 @@ python package_do_pkgconfig () {
 with open(file, 'r') as f:
 lines = f.readlines()
 for l in lines:
-m = var_re.match(l)
-if m:
-name = m.group(1)
-val = m.group(2)
-pd.setVar(name, pd.expand(val))
-continue
 m = field_re.match(l)
 if m:
 hdr = m.group(1)
 exp = pd.expand(m.group(2))
 if hdr == 'Requires':
 pkgconfig_needed[pkg] += exp.replace(',', ' 
').split()
+continue
+m = var_re.match(l)
+if m:
+name = m.group(1)
+val = m.group(2)
+pd.setVar(name, pd.expand(val))
 
 for pkg in packages.split():
 pkgs_file = os.path.join(shlibswork_dir, pkg + ".pclist")
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184777): 
https://lists.openembedded.org/g/openembedded-core/message/184777
Mute This Topic: https://lists.openembedded.org/mt/100322453/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone 7/8] gcc-testsuite: Fix ppc cpu specification

[Steve Sakoman]

From: Richard Purdie 

After this change in qemu:

https://gitlab.com/qemu-project/qemu/-/commit/c7e89de13224c1e6409152602ac760ac91f606b4

there is no 'max' cpu model on ppc. Drop it to clean up ppc gcc testsuite 
failures.

In order for this to work we do need to pull in the alternative cpu option from
QEMU_EXTRAOPTIONS on powerpc.

Signed-off-by: Richard Purdie 
(cherry picked from commit c447f2b21b20fb2b1829d540af2cc0bf8242700c)
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/gcc/gcc-testsuite.inc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-devtools/gcc/gcc-testsuite.inc 
b/meta/recipes-devtools/gcc/gcc-testsuite.inc
index f68fec58ed..64f60c730f 100644
--- a/meta/recipes-devtools/gcc/gcc-testsuite.inc
+++ b/meta/recipes-devtools/gcc/gcc-testsuite.inc
@@ -51,9 +51,10 @@ python check_prepare() {
 # enable all valid instructions, since the test suite itself does not
 # limit itself to the target cpu options.
 #   - valid for x86*, powerpc, arm, arm64
-if qemu_binary.lstrip("qemu-") in ["x86_64", "i386", "ppc", "arm", 
"aarch64"]:
+if qemu_binary.lstrip("qemu-") in ["x86_64", "i386", "arm", "aarch64"]:
 args += ["-cpu", "max"]
-
+elif qemu_binary.lstrip("qemu-") in ["ppc"]:
+args += d.getVar("QEMU_EXTRAOPTIONS_%s" % 
d.getVar('PACKAGE_ARCH')).split()
 sysroot = d.getVar("RECIPE_SYSROOT")
 args += ["-L", sysroot]
 # lib paths are static here instead of using $libdir since this is 
used by a -cross recipe
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184776): 
https://lists.openembedded.org/g/openembedded-core/message/184776
Mute This Topic: https://lists.openembedded.org/mt/100322452/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone 6/8] machine/arch-arm64: add -mbranch-protection=standard

[Steve Sakoman]

From: Ross Burton 

Enable branch protection (PAC/BTI) for all aarch64 builds.  This was
previously enabled at a global level in the GCC build, but that breaks
the gcc test suite.

Signed-off-by: Ross Burton 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie 
(cherry picked from commit 8905639d1cdc5ce809cc5ecd9672f5e86bf8a579)
Signed-off-by: Steve Sakoman 
---
 meta/conf/machine/include/arm/arch-arm64.inc | 5 +
 1 file changed, 5 insertions(+)

diff --git a/meta/conf/machine/include/arm/arch-arm64.inc 
b/meta/conf/machine/include/arm/arch-arm64.inc
index 0e2efb5a40..832dac 100644
--- a/meta/conf/machine/include/arm/arch-arm64.inc
+++ b/meta/conf/machine/include/arm/arch-arm64.inc
@@ -37,3 +37,8 @@ TUNE_ARCH = "${@bb.utils.contains('TUNE_FEATURES', 'aarch64', 
'${TUNE_ARCH_64}',
 TUNE_PKGARCH = "${@bb.utils.contains('TUNE_FEATURES', 'aarch64', 
'${TUNE_PKGARCH_64}', '${TUNE_PKGARCH_32}', d)}"
 ABIEXTENSION = "${@bb.utils.contains('TUNE_FEATURES', 'aarch64', 
'${ABIEXTENSION_64}', '${ABIEXTENSION_32}', d)}"
 TARGET_FPU = "${@bb.utils.contains('TUNE_FEATURES', 'aarch64', 
'${TARGET_FPU_64}', '${TARGET_FPU_32}', d)}"
+
+# Emit branch protection (PAC/BTI) instructions.  On hardware that doesn't
+# support these they're meaningless NOP instructions, so there's very little
+# reason not to.
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'aarch64', ' 
-mbranch-protection=standard', '', d)}"
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184775): 
https://lists.openembedded.org/g/openembedded-core/message/184775
Mute This Topic: https://lists.openembedded.org/mt/100322451/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone 5/8] gcc: don't pass --enable-standard-branch-protection

[Steve Sakoman]

From: Ross Burton 

By changing the default code generation of GCC we're inadvertently
breaking the GCC test suite, which has ~120K+ more failures when run for
aarch64 compared to x86-64.

This was because the generated code fragments included the BTI
instructions, which the test case wasn't expecting.  We can't tell the
tests globally to run without branch protection, as that will break the
tests which also turn it on.

Remove the enabling of branch protection by standard in GCC, we'll
enable it in the tune files instead.

Signed-off-by: Ross Burton 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie 
(cherry picked from commit bb4b9017db6a893ed054a2d2ad4cc671dec09c42)
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/gcc/gcc-configure-common.inc | 1 -
 1 file changed, 1 deletion(-)

diff --git a/meta/recipes-devtools/gcc/gcc-configure-common.inc 
b/meta/recipes-devtools/gcc/gcc-configure-common.inc
index e4cdb73f0a..dba25eb754 100644
--- a/meta/recipes-devtools/gcc/gcc-configure-common.inc
+++ b/meta/recipes-devtools/gcc/gcc-configure-common.inc
@@ -40,7 +40,6 @@ EXTRA_OECONF = "\
 ${@get_gcc_mips_plt_setting(bb, d)} \
 ${@get_gcc_ppc_plt_settings(bb, d)} \
 ${@get_gcc_multiarch_setting(bb, d)} \
-   --enable-standard-branch-protection \
 "
 
 # glibc version is a minimum controlling whether features are enabled. 
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184774): 
https://lists.openembedded.org/g/openembedded-core/message/184774
Mute This Topic: https://lists.openembedded.org/mt/100322450/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone 4/8] linux-yocto/5.15: update to v5.15.120

[Steve Sakoman]

From: Bruce Ashfield 

Updating  to the latest korg -stable release that comprises
the following commits:

d54cfc420586 Linux 5.15.120
c06edf13f4cf nubus: Partially revert proc_create_single_data() conversion
6e65fa33edf5 parisc: Delete redundant register definitions in 

b4d8f8900021 drm/amdgpu: Validate VM ioctl flags.
26eb191bf5a0 scripts/tags.sh: Resolve gtags empty index generation
989b4a753c7e perf symbols: Symbol lookup with kcore can fail if multiple 
segments match stext
87f51cf60e3e Revert "thermal/drivers/mediatek: Use devm_of_iomap to avoid 
resource leak in mtk_thermal_probe"
6a28f3490d3d HID: logitech-hidpp: add HIDPP_QUIRK_DELAYED_INIT for the T651.
67ce7724637c HID: wacom: Use ktime_t rather than int when dealing with 
timestamps
347732317749 bpf: ensure main program has an extable
d874cf9799a9 can: isotp: isotp_sendmsg(): fix return error fix on TX path
27d03d15bb8b x86/smp: Use dedicated cache-line for mwait_play_dead()
d6c745ca4fc5 x86/microcode/AMD: Load late on both threads too
9052349685e9 drm/amdgpu: Set vmbo destroy after pt bo is created
796481bedc3e mm, hwpoison: when copy-on-write hits poison, take page offline
6713b8f11aa0 mm, hwpoison: try to recover from copy-on write faults
b46021ab8304 mptcp: consolidate fallback and non fallback state machine
42ff95b4bd11 mptcp: fix possible divide by zero in recvmsg()

Signed-off-by: Bruce Ashfield 
Signed-off-by: Steve Sakoman 
(cherry picked from commit 51c474534c27ac0739a6373595a49ebbc52c3715)
Signed-off-by: Steve Sakoman 
---
 .../linux/linux-yocto-rt_5.15.bb  |  6 ++---
 .../linux/linux-yocto-tiny_5.15.bb|  6 ++---
 meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +--
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb 
b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
index 5507690d74..8361787bdb 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
@@ -11,13 +11,13 @@ python () {
 raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to 
linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "482797bf5730cf22143afe28d489363ca4bf44a2"
-SRCREV_meta ?= "58ef8845366aea0e1719d00618444be34a765c15"
+SRCREV_machine ?= "0b2e44360ea08b441883f16826c4720546a0886c"
+SRCREV_meta ?= "820b9bdb192ae263be93e609da415c570d5acc79"
 
 SRC_URI = 
"git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \

git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.15.119"
+LINUX_VERSION ?= "5.15.120"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb 
b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
index 2641fe60f8..517aede49c 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
@@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.15.119"
+LINUX_VERSION ?= "5.15.120"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -14,8 +14,8 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine ?= "ded230a888ef81ccedf0044bd8c2236f3b809599"
-SRCREV_meta ?= "58ef8845366aea0e1719d00618444be34a765c15"
+SRCREV_machine ?= "bb0cc3f9542c03fba314f5da44e91556c641706f"
+SRCREV_meta ?= "820b9bdb192ae263be93e609da415c570d5acc79"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.15.bb 
b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
index 9ee7a350d3..dc2cd79f97 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
@@ -13,24 +13,24 @@ KBRANCH:qemux86  ?= "v5.15/standard/base"
 KBRANCH:qemux86-64 ?= "v5.15/standard/base"
 KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64"
 
-SRCREV_machine:qemuarm ?= "9ae4c8018039201ce683ff26bde47a3e3e6664ef"
-SRCREV_machine:qemuarm64 ?= "58394274da1b4fdf69ca780001bf25eebfd1950f"
-SRCREV_machine:qemumips ?= "bacfb28c9349b36afe3041e57d98551aa723bbc2"
-SRCREV_machine:qemuppc ?= "d9efae0cb3731ab62cb81778c2fa5689594d34b1"
-SRCREV_machine:qemuriscv64 ?= "a05c1b953b7b7dbd195b7f826e8879d79587a4a3"
-SRCREV_machine:qemuriscv32 ?= "a05c1b953b7b7dbd195b7f826e8879d79587a4a3"
-SRCREV_machine:qemux86 ?= "a05c1b953b7b7dbd195b7f826e8879d79587a4a3"
-SRCREV_machine:qemux86-64 ?= "a05c1b953b7b7dbd195b7f826e8879d79587a4a3"
-SRCREV_machine:qemumips64 ?= "2ae09c410d8a5a0ec66d50368579dd3d3616072b"
-SRCREV_machine ?= "a05c1b953b7b7dbd195b7f826e8879d79587a4a3"
-SRCREV_meta ?= "58ef8845366aea0e1719d00618444be34a765c15"

[OE-core][kirkstone 3/8] linux-yocto/5.15: update to v5.15.119

[Steve Sakoman]

From: Bruce Ashfield 

Updating  to the latest korg -stable release that comprises
the following commits:

4af60700a60c Linux 5.15.119
10fbd2e04e40 act_mirred: remove unneded merge conflict markers
2230b3f874d9 i2c: imx-lpi2c: fix type char overflow issue when calculating 
the clock cycle
907a069ec38f x86/apic: Fix kernel panic when booting with intremap=off and 
x2apic_phys
7949f83f7ecc vhost_net: revert upend_idx only on retriable error
fdac0aa4a175 drm/radeon: fix race condition UAF in 
radeon_gem_set_domain_ioctl
f012d3037c15 drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl
a44b4230d2ba drm/exynos: vidi: fix a wrong error return
79b4125bce96 ARM: dts: Fix erroneous ADS touchscreen polarities
9684c4fdeeca s390/purgatory: disable branch profiling
3c4d87e9fa8a ASoC: nau8824: Add quirk to active-high jack-detect
d77eac1b14e0 soundwire: dmi-quirks: add new mapping for HP Spectre x360
53ad4af4ec90 ASoC: simple-card: Add missing of_node_put() in case of error
bb45dc7b67c5 spi: lpspi: disable lpspi module irq in DMA mode
f8d9d8f1727d s390/cio: unregister device when the only path is gone
e10d15fdfced Input: soc_button_array - add invalid acpi_index DMI quirk 
handling
26bde09a1512 nvme: double KA polling frequency to avoid KATO with TBKAS on
e3bbc148377d usb: gadget: udc: fix NULL dereference in remove()
cce681383d34 nfcsim.c: Fix error checking for debugfs_create_dir
8a5ddd1430d4 media: cec: core: don't set last_initiator if tx in progress
01cf989090da arm64: Add missing Set/Way CMO encodings
f97b16c0a538 HID: wacom: Add error check to wacom_parse_and_register()
e8bdb1f88699 scsi: target: iscsi: Prevent login threads from racing between 
each other
1cc379d53b66 gpio: sifive: add missing check for platform_get_irq
497d40140865 gpiolib: Fix GPIO chip IRQ initialization restriction
7973c4b3b97d gpio: Allow per-parent interrupt data
c1a2b52d999e sch_netem: acquire qdisc lock in netem_change()
3138c85031e8 selftests: forwarding: Fix race condition in mirror 
installation
b7db41a86541 bpf/btf: Accept function names that contain dots
0f8d81254fd6 Revert "net: phy: dp83867: perform soft reset and retain 
established link"
57130334da4e netfilter: nfnetlink_osf: fix module autoload
53defc6ecff4 netfilter: nf_tables: disallow updates of anonymous sets
2f2f9eaa6da1 netfilter: nf_tables: reject unbound chain set before commit 
phase
2938e7d582d7 netfilter: nf_tables: reject unbound anonymous set before 
commit phase
baa3ec1b31f5 netfilter: nf_tables: disallow element updates of bound 
anonymous sets
45eb6944d0f5 netfilter: nft_set_pipapo: .walk does not deal with generations
4004f12aaca8 netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with 
bound set/chain
314a8697d080 netfilter: nf_tables: fix chain binding transaction logic
1328e8d4c3ee be2net: Extend xmit workaround to BE3 chip
768f94c5f639 net: dsa: mt7530: fix handling of BPDUs on MT7530 switch
aa528e7d379f net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 
switch
efea112a87b6 ipvs: align inner_mac_header for encapsulation
24d7d9aee03d mmc: usdhi60rol0: fix deferred probing
d1e08bed0307 mmc: sh_mmcif: fix deferred probing
34c4906b9a06 mmc: sdhci-acpi: fix deferred probing
41f1e8dab08d mmc: owl: fix deferred probing
b86ca9e08ca9 mmc: omap_hsmmc: fix deferred probing
445a9568dec1 mmc: omap: fix deferred probing
840deb8d1418 mmc: mvsdio: fix deferred probing
92f73c4f927c mmc: mtk-sd: fix deferred probing
aedecd013d2c net: qca_spi: Avoid high load if QCA7000 is not available
156dd06fb337 xfrm: Linearize the skb after offloading if needed.
d967bd7ea6cc selftests: net: fcnal-test: check if FIPS mode is enabled
964cfdfd4b4f xfrm: fix inbound ipv4/udp/esp packets to UDPv6 dualstack 
sockets
25e89fa7b5a8 bpf: Fix verifier id tracking of scalars on spill
0b180495f6b0 bpf: track immediate values written to stack by BPF_ST 
instruction
3229a29e95f5 xfrm: Ensure policies always checked on XFRM-I input path
d055ee18cab8 xfrm: interface: rename xfrm_interface.c to 
xfrm_interface_core.c
491ce3c1d98a xfrm: Treat already-verified secpath entries as optional
0ce3d0c068d9 ieee802154: hwsim: Fix possible memory leaks
29672dc47d99 mmc: meson-gx: fix deferred probing
9bac4a2b7326 memfd: check for non-NULL file_seals in memfd_create() syscall
103734b429b9 x86/mm: Avoid using set_pgd() outside of real PGD pages
793d0224bb60 nilfs2: prevent general protection fault in 
nilfs_clear_dirty_page()
96987c383c2b io_uring/net: disable partial retries for recvmsg with cmsg
25a543ca3005 io_uring/net: clear msg_controllen on partial sendmsg retry
34a7e5021a43 io_uring/net: save msghdr->msg_control for retries
b07bb2914ada writeback: fix dereferencing NULL mapping->host on 
writeback_page_template

[OE-core][kirkstone 2/8] ghostscript: fix CVE-2023-36664

[Steve Sakoman]

From: Archana Polampalli 

Artifex Ghostscript through 10.01.2 mishandles permission validation for
pipe devices (with the %pipe% prefix or the | pipe character prefix).

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-36664

Upstream patches:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099

Signed-off-by: Archana Polampalli 
Signed-off-by: Steve Sakoman 
---
 .../ghostscript/CVE-2023-36664-0001.patch | 146 ++
 .../ghostscript/CVE-2023-36664-0002.patch |  60 +++
 .../ghostscript/ghostscript_9.55.0.bb |   2 +
 3 files changed, 208 insertions(+)
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0002.patch

diff --git 
a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
new file mode 100644
index 00..99fcc61b9b
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
@@ -0,0 +1,146 @@
+From ed607fedbcd41f4a0e71df6af4ba5b07dd630209 Mon Sep 17 00:00:00 2001
+From: Chris Liddell 
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH 1/2] Bug 706761: Don't "reduce" %pipe% file names for
+ permission validation
+
+For regular file names, we try to simplfy relative paths before we use them.
+
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+
+Upstream-Status: Backport 
[https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea]
+CVE: CVE-2023-36664
+
+Signed-off-by: Archana Polampalli 
+---
+ base/gpmisc.c   | 31 +++
+ base/gslibctx.c | 56 -
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 8b6458a..c61ab3f 100644
+--- a/base/gpmisc.c
 b/base/gpmisc.c
+@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+  && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+   prefix_len = 0;
+ }
+-rlen = len+1;
+-bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + 
prefix_len, "gp_validate_path");
+-if (bufferfull == NULL)
+-return gs_error_VMerror;
+-
+-buffer = bufferfull + prefix_len;
+-if (gp_file_name_reduce(path, (uint)len, buffer, ) != 
gp_combine_success)
+-return gs_error_invalidfileaccess;
+-buffer[rlen] = 0;
+
++/* "%pipe%" do not follow the normal rules for path definitions, so we
++   don't "reduce" them to avoid unexpected results
++ */
++if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, 
len + 1, "gp_validate_path");
++if (buffer == NULL)
++return gs_error_VMerror;
++memcpy(buffer, path, len);
++buffer[len] = 0;
++rlen = len;
++}
++else {
++rlen = len+1;
++bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + 
prefix_len, "gp_validate_path");
++if (bufferfull == NULL)
++return gs_error_VMerror;
++
++buffer = bufferfull + prefix_len;
++if (gp_file_name_reduce(path, (uint)len, buffer, ) != 
gp_combine_success)
++return gs_error_invalidfileaccess;
++buffer[rlen] = 0;
++}
+ while (1) {
+ switch (mode[0])
+ {
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 5bf497b..5fdfe25 100644
+--- a/base/gslibctx.c
 b/base/gslibctx.c
+@@ -734,14 +734,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, 
gs_path_control_t type, co
+ return gs_error_rangecheck;
+ }
+
+-rlen = len+1;
+-buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-if (buffer == NULL)
+-return gs_error_VMerror;
++/* "%pipe%" do not follow the normal rules for path definitions, so we
++   don't "reduce" them to avoid unexpected results
++ */
++if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++buffer = (char *)gs_alloc_bytes(core->memory, len + 1, 
"gs_add_control_path_len");
++if (buffer == NULL)
++return gs_error_VMerror;
++memcpy(buffer, path, len);
++buffer[len] = 0;
++rlen = len;
++}
++else {
++rlen = len + 1;
+
+-if (gp_file_name_reduce(path, (uint)len, buffer, ) != 
gp_combine_success)
+-

[OE-core][kirkstone 1/8] qemu: backport Debian patch to fix CVE-2023-0330

[Steve Sakoman]

From: Vijay Anusuri 

import patch from ubuntu to fix
 CVE-2023-0330

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit 
https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]

Signed-off-by: Vijay Anusuri 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-0330.patch | 75 +++
 2 files changed, 76 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 7f2b52fa88..c6c6e49ebf 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -93,6 +93,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2022-4144.patch \

file://0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch \

file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
+   file://CVE-2023-0330.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
new file mode 100644
index 00..025075fd6d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,75 @@
+[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not
+ exist for this release]
+From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
+From: Thomas Huth 
+Date: Mon, 22 May 2023 11:10:11 +0200
+Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
+ controller (CVE-2023-0330)
+
+We cannot use the generic reentrancy guard in the LSI code, so
+we have to manually prevent endless reentrancy here. The problematic
+lsi_execute_script() function has already a way to detect whether
+too many instructions have been executed - we just have to slightly
+change the logic here that it also takes into account if the function
+has been called too often in a reentrant way.
+
+The code in fuzz-lsi53c895a-test.c has been taken from an earlier
+patch by Mauro Matteo Cascella.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
+Message-Id: <20230522091011.1082574-1-th...@redhat.com>
+Reviewed-by: Stefan Hajnoczi 
+Reviewed-by: Alexander Bulekov 
+Signed-off-by: Thomas Huth 
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/jammy-security
+Upstream commit 
https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
+CVE: CVE-2023-0330
+Signed-off-by: Vijay Anusuri 
+---
+ hw/scsi/lsi53c895a.c   | 23 +++--
+ tests/qtest/fuzz-lsi53c895a-test.c | 33 ++
+ 2 files changed, 50 insertions(+), 6 deletions(-)
+
+--- qemu-6.2+dfsg.orig/hw/scsi/lsi53c895a.c
 qemu-6.2+dfsg/hw/scsi/lsi53c895a.c
+@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState
+ uint32_t addr, addr_high;
+ int opcode;
+ int insn_processed = 0;
++static int reentrancy_level;
++
++reentrancy_level++;
+ 
+ s->istat1 |= LSI_ISTAT1_SRUN;
+ again:
+-if (++insn_processed > LSI_MAX_INSN) {
+-/* Some windows drivers make the device spin waiting for a memory
+-   location to change.  If we have been executed a lot of code then
+-   assume this is the case and force an unexpected device disconnect.
+-   This is apparently sufficient to beat the drivers into submission.
+- */
++/*
++ * Some windows drivers make the device spin waiting for a memory location
++ * to change. If we have executed more than LSI_MAX_INSN instructions then
++ * assume this is the case and force an unexpected device disconnect. This
++ * is apparently sufficient to beat the drivers into submission.
++ *
++ * Another issue (CVE-2023-0330) can occur if the script is programmed to
++ * trigger itself again and again. Avoid this problem by stopping after
++ * being called multiple times in a reentrant way (8 is an arbitrary value
++ * which should be enough for all valid use cases).
++ */
++if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+ if (!(s->sien0 & LSI_SIST0_UDC)) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+   "lsi_scsi: inf. loop with UDC masked");
+@@ -1597,6 +1606,8 @@ again:
+ }
+ }
+ trace_lsi_execute_script_stop();
++
++reentrancy_level--;
+ }
+ 
+ static uint8_t lsi_reg_readb(LSIState *s, int offset)
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184770): 
https://lists.openembedded.org/g/openembedded-core/message/184770
Mute This Topic: 

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5638

The following changes since commit d877d5f07772ec4a05332068ddc03cf387313036:

  cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK (2023-07-17 04:45:01 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (1):
  ghostscript: fix CVE-2023-36664

Bruce Ashfield (2):
  linux-yocto/5.15: update to v5.15.119
  linux-yocto/5.15: update to v5.15.120

Richard Purdie (1):
  gcc-testsuite: Fix ppc cpu specification

Ross Burton (2):
  gcc: don't pass --enable-standard-branch-protection
  machine/arch-arm64: add -mbranch-protection=standard

Vijay Anusuri (1):
  qemu: backport Debian patch to fix CVE-2023-0330

Xiangyu Chen (1):
  package.bbclass: moving field data process before variable process in
process_pkgconfig

 meta/classes/package.bbclass  |  12 +-
 meta/conf/machine/include/arm/arch-arm64.inc  |   5 +
 .../gcc/gcc-configure-common.inc  |   1 -
 meta/recipes-devtools/gcc/gcc-testsuite.inc   |   5 +-
 meta/recipes-devtools/qemu/qemu.inc   |   1 +
 .../qemu/qemu/CVE-2023-0330.patch |  75 +
 .../ghostscript/CVE-2023-36664-0001.patch | 146 ++
 .../ghostscript/CVE-2023-36664-0002.patch |  60 +++
 .../ghostscript/ghostscript_9.55.0.bb |   2 +
 .../linux/linux-yocto-rt_5.15.bb  |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb|   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 ++--
 12 files changed, 317 insertions(+), 28 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0002.patch

-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184769): 
https://lists.openembedded.org/g/openembedded-core/message/184769
Mute This Topic: https://lists.openembedded.org/mt/100322445/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [qa-build-notification] QA notification for completed autobuilder build (yocto-3.1.27.rc1)

[Jing Hui Tham]

Hi all,
 
Intel and WR YP QA is planning for QA execution for YP build yocto-3.1.27.rc1. 
We are planning to execute following tests for this cycle:
 
OEQA-manual tests for following module:
1. OE-Core
2. BSP-hw
 
Runtime auto test for following platforms:
1. MinnowBoard Turbot - 32bit
2. Kaby Lake (7th Generation Intel(r) Core(tm) Processors)
3. Tiger Lake (11th Generation Intel(r) Core(tm) Processors)
4. Alder Lake-S (12th Generation Intel(r) Core(tm) Processors)
5. Raptor Lake-P (13th Generation Intel(r) Core(tm) Processors)
6. Edgerouter
7. Beaglebone

 
ETA for completion next Tuesday, 1st of August 2023.
 
Best regards,
Jing Hui


> -Original Message-
> From: qa-build-notificat...@lists.yoctoproject.org  notificat...@lists.yoctoproject.org> On Behalf Of Pokybuild User
> Sent: Monday, July 24, 2023 5:55 AM
> To: yo...@lists.yoctoproject.org
> Cc: qa-build-notificat...@lists.yoctoproject.org
> Subject: [qa-build-notification] QA notification for completed autobuilder
> build (yocto-3.1.27.rc1)
> 
> 
> A build flagged for QA (yocto-3.1.27.rc1) was completed on the autobuilder
> and is available at:
> 
> 
> https://autobuilder.yocto.io/pub/releases/yocto-3.1.27.rc1
> 
> 
> Build hash information:
> 
> bitbake: b60c7085ec370473bea9b3b4b65826a17638837f
> meta-agl: 583f80f8e9d085a98f1cbab3a9d8082503ab739e
> meta-arm: b1fe8443a7a72c65fa0fc3371f607c6671b3a882
> meta-aws: 9d29db04581d732313a5b17a84d1df004056e002
> meta-gplv2: 60b251c25ba87e946a0ca4cdc8d17b1cb09292ac
> meta-intel: 488af577a3f21f038c551612bb0af077fa2b743d
> meta-mingw: 524de686205b5d6736661d4532f5f98fee8589b7
> meta-openembedded: b5282ece919f016d91a1043769676efb02b4f0fb
> meta-virtualization: 521459bf588435e847d981657485bae8d6f003b5
> oecore: ab6a0d053d910c3d50fcb06e9c2ca98430b673a4
> poky: df86cc15d0a39d8d85747f7acc2c887cccfd9fa7
> 
> 
> 
> This is an automated message from the Yocto Project Autobuilder
> Git: git://git.yoctoproject.org/yocto-autobuilder2
> Email: richard.pur...@linuxfoundation.org
> 
> 
> 
> 
> 
> 
> 


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184768): 
https://lists.openembedded.org/g/openembedded-core/message/184768
Mute This Topic: https://lists.openembedded.org/mt/100321858/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

ODP: ODP: ODP: [OE-Core][PATCH v8][master-next 1/5] package_ipk.bbclass: add support for ACLs and xattr

[Piotr Łobacz]

Hi, on your advice I have taken the first package and run diffoscope which has 
given me such result:

plobacz@latitude:~/workspace/reproducible$ diffoscope 
A/a52dec-doc_0.7.4-r4_core2-64.ipk B/a52dec-doc_0.7.4-r4_core2-64.ipk
--- A/a52dec-doc_0.7.4-r4_core2-64.ipk
+++ B/a52dec-doc_0.7.4-r4_core2-64.ipk
├── file list
│ @@ -1,3 +1,3 @@
│  ?rw-r--r--   0004 1970-01-01 00:00:00.00 
debian-binary
│ -?rw-r--r--   000  504 1970-01-01 00:00:00.00 
control.tar.gz
│ -?rw-r--r--   000 1236 1970-01-01 00:00:00.00 
data.tar.xz
│ +?rw-r--r--   000  503 1970-01-01 00:00:00.00 
control.tar.gz
│ +?rw-r--r--   000 1240 1970-01-01 00:00:00.00 
data.tar.xz
├── control.tar.gz
│ ├── control.tar
│ │┄ Format-specific differences are supported for tape archives (.tar) but no 
file-specific differences were detected; falling back to a binary diff. file(1) 
reports: POSIX tar archive
│ │ @@ -26,18 +26,18 @@
│ │  0190:          
│ │  01a0:          
│ │  01b0:          
│ │  01c0:          
│ │  01d0:          
│ │  01e0:          
│ │  01f0:          
│ │ -0200: 3330 2061 7469 6d65 3d31 3639 3030 3733  30 atime=1690073
│ │ -0210: 3231 352e 3839 3835 3637 3730 310a 3330  215.898567701.30
│ │ -0220: 2063 7469 6d65 3d31 3639 3030 3733 3231   ctime=169007321
│ │ -0230: 352e 3631 3735 3635 3337 350a    5.617565375.
│ │ +0200: 3330 2061 7469 6d65 3d31 3639 3030 3831  30 atime=1690081
│ │ +0210: 3433 312e 3335 3033 3137 3933 340a 3330  431.350317934.30
│ │ +0220: 2063 7469 6d65 3d31 3639 3030 3831 3433   ctime=169008143
│ │ +0230: 312e 3133 3633 3136 3136 350a    1.136316165.
│ │  0240:          
│ │  0250:          
│ │  0260:          
│ │  0270:          
│ │  0280:          
│ │  0290:          
│ │  02a0:          
├── data.tar.xz
│ ├── data.tar
│ │┄ Format-specific differences are supported for this file format but no 
file-specific differences were detected; falling back to a binary diff. file(1) 
reports: POSIX tar archive
│ │ @@ -26,18 +26,18 @@
│ │  0190:          
│ │  01a0:          
│ │  01b0:          
│ │  01c0:          
│ │  01d0:          
│ │  01e0:          
│ │  01f0:          
│ │ -0200: 3330 2061 7469 6d65 3d31 3639 3030 3732  30 atime=1690072
│ │ -0210: 3132 332e 3039 3835 3135 3131 330a 3330  123.098515113.30
│ │ -0220: 2063 7469 6d65 3d31 3639 3030 3730 3136   ctime=169007016
│ │ -0230: 322e 3634 3134 3832 3935 380a    2.641482958.
│ │ +0200: 3330 2061 7469 6d65 3d31 3639 3030 3737  30 atime=1690077
│ │ +0210: 3336 362e 3735 3039  3932 310a 3330  366.750933921.30
│ │ +0220: 2063 7469 6d65 3d31 3639 3030 3737 3336   ctime=169007736
│ │ +0230: 362e 3639 3139  3433 330a    6.691933433.
│ │  0240:          
│ │  0250:          
│ │  0260:          
│ │  0270:          
│ │  0280:          
│ │  0290:          
│ │  02a0:          
│ │ @@ -122,18 +122,18 @@
│ │  0790:          
│ │  07a0:          
│ │  07b0:          
│ │  07c0:          
│ │  07d0:          
│ │  07e0:          
│ │  07f0:          

Re: ODP: ODP: [OE-Core][PATCH v8][master-next 1/5] package_ipk.bbclass: add support for ACLs and xattr

[Alexandre Belloni via lists.openembedded.org]

On 23/07/2023 16:32:55+, Piotr Łobacz wrote:
> OK, I got it, but correct me if I'm wrong, namely packages differs between 
> builds?
> 
> I have found this link 
> https://docs.yoctoproject.org/dev/test-manual/reproducible-builds.html for it 
> with instructions
> on how to reproduce it. I'll give it a try and In case of problems will try 
> to ask.
> 

You will find the packages that differ in reproducibleA and
reproducibleB so you can compare them yourself.

> Cheers,
> Piotr
> 
> Od: openembedded-core@lists.openembedded.org 
>  w imieniu użytkownika Piotr Łobacz 
> via lists.openembedded.org 
> Wysłane: niedziela, 23 lipca 2023 17:53
> Do: Alexandre Belloni 
> DW: openembedded-core@lists.openembedded.org 
> 
> Temat: ODP: ODP: [OE-Core][PATCH v8][master-next 1/5] package_ipk.bbclass: 
> add support for ACLs and xattr
> 
> Hi,
> 
> > Hello,
> >
> > On 22/07/2023 21:03:43+, Piotr Łobacz wrote:
> > > Hello Alexadre,
> > > this time everything should be fixed and working :D I have tested it 
> > > thrice:P
> > >
> > > Additionally I've discovered that somehow, during all these patchsets, an 
> > > extra param "--numeric-owner" has gone from opkg-build script,
> > > which is important to store uid(s)/gid(s) as numbers instead of names in 
> > > tar archive. An updated patch has been already pushed to opkg-utils
> > > upstream.
> > >
> > > You can run it and tell if everything is OK.
> > >
> >
> > This ran and mostly worked. The remaining issue is the reproducibility
> > issue:
> 
> I'm glad that we went further in this problem, but
> > https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20230722-1a1a_7s6/
> 
> > Unfortunately, diffoscope is not running on that large set.
> 
> unfortunately I don't have knowledge what's this link about. Can you explain 
> me a little bit and how is this being run from cli?
> 
> > BR
> > Piotr
> >
> >
> > Od: openembedded-core@lists.openembedded.org 
> >  w imieniu użytkownika Piotr 
> > Łobacz via lists.openembedded.org 
> > 
> > Wysłane: sobota, 22 lipca 2023 22:55
> > Do: openembedded-core@lists.openembedded.org 
> > 
> > DW: Piotr Łobacz 
> > Temat: [OE-Core][PATCH v8][master-next 1/5] package_ipk.bbclass: add 
> > support for ACLs and xattr
> >
> > Extend OPKGBUILDCMD variable, with additional parameters, depending
> > on target distro features, in order to support ACLs and xattr.
> >
> > With fix pushed to the opkg-devel:
> > https://groups.google.com/g/opkg-devel/c/dYNHrLjDwg8
> > opkg-build is able to create tar archives with ACLs and xattr.
> >
> > Signed-off-by: Piotr Łobacz 
> > ---
> >  meta/classes-global/package_ipk.bbclass | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/classes-global/package_ipk.bbclass 
> > b/meta/classes-global/package_ipk.bbclass
> > index b4b7bc9ac2..a0f106e4ad 100644
> > --- a/meta/classes-global/package_ipk.bbclass
> > +++ b/meta/classes-global/package_ipk.bbclass
> > @@ -15,7 +15,7 @@ IPKGCONF_SDK_TARGET = "${WORKDIR}/opkg-sdk-target.conf"
> >  PKGWRITEDIRIPK = "${WORKDIR}/deploy-ipks"
> >
> >  # Program to be used to build opkg packages
> > -OPKGBUILDCMD ??= 'opkg-build -Z xz -a "${XZ_DEFAULTS}"'
> > +OPKGBUILDCMD ??= 'opkg-build -Z xz -a "${XZ_DEFAULTS}" 
> > ${@bb.utils.contains('DISTRO_FEATURES', 'acl', '-A', '', d)} 
> > ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', '-X', '', d)}'
> >
> >  OPKG_ARGS += "--force_postinstall --prefer-arch-to-version"
> >  OPKG_ARGS += "${@['', 
> > '--no-install-recommends'][d.getVar("NO_RECOMMENDATIONS") == "1"]}"
> > --
> > 2.34.1
> 
> >
> >
> >
> 
> 
> --
> Alexandre Belloni, co-owner and COO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com/

> 
> 
> 


-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184766): 
https://lists.openembedded.org/g/openembedded-core/message/184766
Mute This Topic: https://lists.openembedded.org/mt/100313731/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [kirkstone][PATCH] python3: upgrade 3.10.9 -> 3.10.12

[Tim Orling]

Security and bugfix updates.

* Drop cve-2023-24329.patch as it is merged in 3.10.12

CVE: CVE-2023-24329

Includes openssl 1.1.1u which addresses:
CVE: CVE-2023-0286
CVE: CVE-2022-4304
CVE: CVE-2022-4203

https://docs.python.org/release/3.10.12/whatsnew/changelog.html#python-3-10-12-final
https://docs.python.org/release/3.10.12/whatsnew/changelog.html#python-3-10-11-final
https://docs.python.org/release/3.10.12/whatsnew/changelog.html#python-3-10-10-final

License-Update: Update Copyright years to include 2023

Signed-off-by: Tim Orling 
---
 .../python/python3/cve-2023-24329.patch   | 50 ---
 .../{python3_3.10.9.bb => python3_3.10.12.bb} |  5 +-
 2 files changed, 2 insertions(+), 53 deletions(-)
 delete mode 100644 meta/recipes-devtools/python/python3/cve-2023-24329.patch
 rename meta/recipes-devtools/python/{python3_3.10.9.bb => python3_3.10.12.bb} 
(98%)

diff --git a/meta/recipes-devtools/python/python3/cve-2023-24329.patch 
b/meta/recipes-devtools/python/python3/cve-2023-24329.patch
deleted file mode 100644
index d47425d239..00
--- a/meta/recipes-devtools/python/python3/cve-2023-24329.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-isling...@users.noreply.github.com>
-Date: Sun, 13 Nov 2022 11:00:25 -0800
-Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
- must begin with an alphabetical ASCII character. (GH-99421)
-
-Prevent urllib.parse.urlparse from accepting schemes that don't begin with an 
alphabetical ASCII character.
-
-RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / 
"-" / "." )`
-RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
-
-The WHATWG URL spec defines a scheme like this:
-`"A URL-scheme string must be one ASCII alpha, followed by zero or more of 
ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
-(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
-
-Co-authored-by: Ben Kallus <49924171+kenbal...@users.noreply.github.com>
 end original header ---
-
-CVE: CVE-2023-24329
-
-Upstream-Status: Backport [see below]
-
-Taken from https://github.com/python/cpython.git
-commit 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9
-
-CVE fix extracted; test case and update to NEWS abandoned.
-Defuzzed.
-
-Signed-off-by: Joe Slater 

- Lib/urllib/parse.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
-index 26ddf30..1c53acb 100644
 a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
- clear_cache()
- netloc = query = fragment = ''
- i = url.find(':')
--if i > 0:
-+if i > 0 and url[0].isascii() and url[0].isalpha():
- for c in url[:i]:
- if c not in scheme_chars:
- break
--- 
-2.25.1
-
diff --git a/meta/recipes-devtools/python/python3_3.10.9.bb 
b/meta/recipes-devtools/python/python3_3.10.12.bb
similarity index 98%
rename from meta/recipes-devtools/python/python3_3.10.9.bb
rename to meta/recipes-devtools/python/python3_3.10.12.bb
index 867958c0fb..8bf1b6f816 100644
--- a/meta/recipes-devtools/python/python3_3.10.9.bb
+++ b/meta/recipes-devtools/python/python3_3.10.12.bb
@@ -4,7 +4,7 @@ DESCRIPTION = "Python is a programming language that lets you 
work more quickly
 LICENSE = "PSF-2.0"
 SECTION = "devel/python"
 
-LIC_FILES_CHKSUM = "file://LICENSE;md5=a1822df8d0f068628ca6090aedc5bfc8"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=fcf6b249c2641540219a727f35d8d2c2"
 
 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://run-ptest \
@@ -35,7 +35,6 @@ SRC_URI = 
"http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \

file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \
file://deterministic_imports.patch \
file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
-   file://cve-2023-24329.patch \
"
 
 SRC_URI:append:class-native = " \
@@ -44,7 +43,7 @@ SRC_URI:append:class-native = " \
file://12-distutils-prefix-is-inside-staging-area.patch \
file://0001-Don-t-search-system-for-headers-libraries.patch \
"
-SRC_URI[sha256sum] = 
"5ae03e308260164baba39921fdb4dbf8e6d03d8235a939d4582b33f0b5e46a83"
+SRC_URI[sha256sum] = 
"afb74bf19130e7a47d10312c8f5e784f24e0527981eab68e20546cfb865830b8"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar"
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184765): 
https://lists.openembedded.org/g/openembedded-core/message/184765
Mute This Topic: https://lists.openembedded.org/mt/100319198/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: 

Re: [OE-core] OE-core CVE metrics for master on Sun 23 Jul 2023

[Peter Marko via lists.openembedded.org]

Sorry that I missed that during my review.
I have sent a patch for this now.

Peter

> -Original Message-
> From: openembedded-core@lists.openembedded.org 
>  On Behalf Of Steve Sakoman via 
> lists.openembedded.org
> Sent: Sunday, July 23, 2023 16:29
> To: Patches and discussions about the oe-core layer 
> ; 
> yocto-secur...@lists.yoctoproject.org
> Subject: [OE-core] OE-core CVE metrics for master on Sun 23 Jul 2023
>
> CVE check script failed this week with the following error:
>
> ERROR: Unable to parse
> /home/steve/builds/cve/poky/bitbake/lib/bb/parse/parse_py/ConfHandler.py
> Traceback (most recent call last):
>   File 
> "/home/steve/builds/cve/poky/bitbake/lib/bb/parse/parse_py/ConfHandler.py",
> line 200, in feeder(lineno=125, s='CVE_STATUS[CVE-2020-18974] =
> "upstream-wontfix: It is a fuzzing related buffer overflow. It is of low 
> impact since most devices', 
> fn='conf/distro/include/cve-extra-exclusions.inc', statements=[
>
> >raise ParseError("unparsed line: '%s'" % s, fn, lineno);
>
> bb.parse.ParseError: ParseError at
> conf/distro/include/cve-extra-exclusions.inc:125: unparsed line:
> 'CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: It is a fuzzing related 
> buffer overflow. It is of low impact since most devices'
>
> This seems to be due to the lack of terminating "\" characters on the 
> multiline entry for this CVE in the following commit:
>
> https://git.openembedded.org/openembedded-core/commit/?id=1634ed4048cf56788cd5c2c1bdc979b70afcdcd7

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184764): 
https://lists.openembedded.org/g/openembedded-core/message/184764
Mute This Topic: https://lists.openembedded.org/mt/100311685/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] cve-extra-exclusions: fix syntax error

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

CVE_STATUS conversion for CVE-2020-18974 dad a syntax error
by not adding continuation backslash.

Signed-off-by: Peter Marko 
---
 meta/conf/distro/include/cve-extra-exclusions.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc 
b/meta/conf/distro/include/cve-extra-exclusions.inc
index 61fb08dbeb..9d4422bc0f 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -122,6 +122,6 @@ We'll pick up any fix when upstream accepts one."
 
 # nasm:nasm-native https://nvd.nist.gov/vuln/detail/CVE-2020-18974
 CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \
-It is a fuzzing related buffer overflow. It is of low impact since most devices
-wouldn't expose an assembler. The upstream is inactive and there is little to 
be
+It is a fuzzing related buffer overflow. It is of low impact since most 
devices \
+wouldn't expose an assembler. The upstream is inactive and there is little to 
be \
 done about the bug, ignore from an OE perspective."
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184763): 
https://lists.openembedded.org/g/openembedded-core/message/184763
Mute This Topic: https://lists.openembedded.org/mt/100314503/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [PATCH] python_setuptools3_rust: inherit ...build_meta

[Tim Orling]

Rather than inheriting the aging `setuptools3` bbclass, inherit
`python_setuptools_build_meta` which is one of the PEP 517 build
backends (for proper wheels using pyproject.toml).

Since python_setuptools_build_meta does not have a do_configure,
call the parent python_pep517_do_configure().

Signed-off-by: Tim Orling 
---
* All python3-cryptography ptests pass on core-image-base qemux86_64
* All python3-bcrypt ptests pass on core-image-base qemux86_64
* Basic python3-pyruvate Hello World example works
  (needs python3-logging) on core-image-base qemux86_64

 meta/classes-recipe/python_setuptools3_rust.bbclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/classes-recipe/python_setuptools3_rust.bbclass 
b/meta/classes-recipe/python_setuptools3_rust.bbclass
index d6ce2edb963..d3d7590cbeb 100644
--- a/meta/classes-recipe/python_setuptools3_rust.bbclass
+++ b/meta/classes-recipe/python_setuptools3_rust.bbclass
@@ -4,14 +4,14 @@
 # SPDX-License-Identifier: MIT
 #
 
-inherit python_pyo3 setuptools3
+inherit python_pyo3 python_setuptools_build_meta
 
 DEPENDS += "python3-setuptools-rust-native"
 
 python_setuptools3_rust_do_configure() {
 python_pyo3_do_configure
 cargo_common_do_configure
-setuptools3_do_configure
+python_pep517_do_configure
 }
 
 EXPORT_FUNCTIONS do_configure
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184762): 
https://lists.openembedded.org/g/openembedded-core/message/184762
Mute This Topic: https://lists.openembedded.org/mt/100314078/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

ODP: ODP: [OE-Core][PATCH v8][master-next 1/5] package_ipk.bbclass: add support for ACLs and xattr

[Piotr Łobacz]

OK, I got it, but correct me if I'm wrong, namely packages differs between 
builds?

I have found this link 
https://docs.yoctoproject.org/dev/test-manual/reproducible-builds.html for it 
with instructions
on how to reproduce it. I'll give it a try and In case of problems will try to 
ask.

Cheers,
Piotr

Od: openembedded-core@lists.openembedded.org 
 w imieniu użytkownika Piotr Łobacz 
via lists.openembedded.org 
Wysłane: niedziela, 23 lipca 2023 17:53
Do: Alexandre Belloni 
DW: openembedded-core@lists.openembedded.org 

Temat: ODP: ODP: [OE-Core][PATCH v8][master-next 1/5] package_ipk.bbclass: add 
support for ACLs and xattr

Hi,

> Hello,
>
> On 22/07/2023 21:03:43+, Piotr Łobacz wrote:
> > Hello Alexadre,
> > this time everything should be fixed and working :D I have tested it 
> > thrice:P
> >
> > Additionally I've discovered that somehow, during all these patchsets, an 
> > extra param "--numeric-owner" has gone from opkg-build script,
> > which is important to store uid(s)/gid(s) as numbers instead of names in 
> > tar archive. An updated patch has been already pushed to opkg-utils
> > upstream.
> >
> > You can run it and tell if everything is OK.
> >
>
> This ran and mostly worked. The remaining issue is the reproducibility
> issue:

I'm glad that we went further in this problem, but
> https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20230722-1a1a_7s6/

> Unfortunately, diffoscope is not running on that large set.

unfortunately I don't have knowledge what's this link about. Can you explain me 
a little bit and how is this being run from cli?

> BR
> Piotr
>
>
> Od: openembedded-core@lists.openembedded.org 
>  w imieniu użytkownika Piotr Łobacz 
> via lists.openembedded.org 
> Wysłane: sobota, 22 lipca 2023 22:55
> Do: openembedded-core@lists.openembedded.org 
> 
> DW: Piotr Łobacz 
> Temat: [OE-Core][PATCH v8][master-next 1/5] package_ipk.bbclass: add support 
> for ACLs and xattr
>
> Extend OPKGBUILDCMD variable, with additional parameters, depending
> on target distro features, in order to support ACLs and xattr.
>
> With fix pushed to the opkg-devel:
> https://groups.google.com/g/opkg-devel/c/dYNHrLjDwg8
> opkg-build is able to create tar archives with ACLs and xattr.
>
> Signed-off-by: Piotr Łobacz 
> ---
>  meta/classes-global/package_ipk.bbclass | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/classes-global/package_ipk.bbclass 
> b/meta/classes-global/package_ipk.bbclass
> index b4b7bc9ac2..a0f106e4ad 100644
> --- a/meta/classes-global/package_ipk.bbclass
> +++ b/meta/classes-global/package_ipk.bbclass
> @@ -15,7 +15,7 @@ IPKGCONF_SDK_TARGET = "${WORKDIR}/opkg-sdk-target.conf"
>  PKGWRITEDIRIPK = "${WORKDIR}/deploy-ipks"
>
>  # Program to be used to build opkg packages
> -OPKGBUILDCMD ??= 'opkg-build -Z xz -a "${XZ_DEFAULTS}"'
> +OPKGBUILDCMD ??= 'opkg-build -Z xz -a "${XZ_DEFAULTS}" 
> ${@bb.utils.contains('DISTRO_FEATURES', 'acl', '-A', '', d)} 
> ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', '-X', '', d)}'
>
>  OPKG_ARGS += "--force_postinstall --prefer-arch-to-version"
>  OPKG_ARGS += "${@['', 
> '--no-install-recommends'][d.getVar("NO_RECOMMENDATIONS") == "1"]}"
> --
> 2.34.1

>
>
>


--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com/

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184761): 
https://lists.openembedded.org/g/openembedded-core/message/184761
Mute This Topic: https://lists.openembedded.org/mt/100313731/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

ODP: ODP: [OE-Core][PATCH v8][master-next 1/5] package_ipk.bbclass: add support for ACLs and xattr

[Piotr Łobacz]

Hi,

> Hello,
>
> On 22/07/2023 21:03:43+, Piotr Łobacz wrote:
> > Hello Alexadre,
> > this time everything should be fixed and working :D I have tested it 
> > thrice:P
> >
> > Additionally I've discovered that somehow, during all these patchsets, an 
> > extra param "--numeric-owner" has gone from opkg-build script,
> > which is important to store uid(s)/gid(s) as numbers instead of names in 
> > tar archive. An updated patch has been already pushed to opkg-utils
> > upstream.
> >
> > You can run it and tell if everything is OK.
> >
>
> This ran and mostly worked. The remaining issue is the reproducibility
> issue:

I'm glad that we went further in this problem, but
> https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20230722-1a1a_7s6/

> Unfortunately, diffoscope is not running on that large set.

unfortunately I don't have knowledge what's this link about. Can you explain me 
a little bit and how is this being run from cli?

> BR
> Piotr
>
>
> Od: openembedded-core@lists.openembedded.org 
>  w imieniu użytkownika Piotr Łobacz 
> via lists.openembedded.org 
> Wysłane: sobota, 22 lipca 2023 22:55
> Do: openembedded-core@lists.openembedded.org 
> 
> DW: Piotr Łobacz 
> Temat: [OE-Core][PATCH v8][master-next 1/5] package_ipk.bbclass: add support 
> for ACLs and xattr
>
> Extend OPKGBUILDCMD variable, with additional parameters, depending
> on target distro features, in order to support ACLs and xattr.
>
> With fix pushed to the opkg-devel:
> https://groups.google.com/g/opkg-devel/c/dYNHrLjDwg8
> opkg-build is able to create tar archives with ACLs and xattr.
>
> Signed-off-by: Piotr Łobacz 
> ---
>  meta/classes-global/package_ipk.bbclass | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/classes-global/package_ipk.bbclass 
> b/meta/classes-global/package_ipk.bbclass
> index b4b7bc9ac2..a0f106e4ad 100644
> --- a/meta/classes-global/package_ipk.bbclass
> +++ b/meta/classes-global/package_ipk.bbclass
> @@ -15,7 +15,7 @@ IPKGCONF_SDK_TARGET = "${WORKDIR}/opkg-sdk-target.conf"
>  PKGWRITEDIRIPK = "${WORKDIR}/deploy-ipks"
>
>  # Program to be used to build opkg packages
> -OPKGBUILDCMD ??= 'opkg-build -Z xz -a "${XZ_DEFAULTS}"'
> +OPKGBUILDCMD ??= 'opkg-build -Z xz -a "${XZ_DEFAULTS}" 
> ${@bb.utils.contains('DISTRO_FEATURES', 'acl', '-A', '', d)} 
> ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', '-X', '', d)}'
>
>  OPKG_ARGS += "--force_postinstall --prefer-arch-to-version"
>  OPKG_ARGS += "${@['', 
> '--no-install-recommends'][d.getVar("NO_RECOMMENDATIONS") == "1"]}"
> --
> 2.34.1

>
> 
>


--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com/

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184760): 
https://lists.openembedded.org/g/openembedded-core/message/184760
Mute This Topic: https://lists.openembedded.org/mt/100313063/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [PATCH] python3-pyyaml: upgrade 6.0 -> 6.0.1

[Tim Orling]

No changelog provided; new commits are:

c42fa3b (tag: 6.0.1, origin/release/6.0) 6.0.1 release
ae08bdc block Cython 3.0+ as a build dep (#702)
f873cfe Add python 3.11 support (#663)

https://github.com/yaml/pyyaml/compare/6.0...6.0.1

Signed-off-by: Tim Orling 
---
 .../python/{python3-pyyaml_6.0.bb => python3-pyyaml_6.0.1.bb}   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/python/{python3-pyyaml_6.0.bb => 
python3-pyyaml_6.0.1.bb} (81%)

diff --git a/meta/recipes-devtools/python/python3-pyyaml_6.0.bb 
b/meta/recipes-devtools/python/python3-pyyaml_6.0.1.bb
similarity index 81%
rename from meta/recipes-devtools/python/python3-pyyaml_6.0.bb
rename to meta/recipes-devtools/python/python3-pyyaml_6.0.1.bb
index d142a0fc3e..4ab8f038f4 100644
--- a/meta/recipes-devtools/python/python3-pyyaml_6.0.bb
+++ b/meta/recipes-devtools/python/python3-pyyaml_6.0.1.bb
@@ -9,7 +9,7 @@ PYPI_PACKAGE = "PyYAML"
 
 inherit pypi python_setuptools_build_meta
 
-SRC_URI[sha256sum] = 
"68fb519c14306fec9720a2a5b45bc9f0c8d1b9c72adf45c37baedfcd949c35a2"
+SRC_URI[sha256sum] = 
"bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43"
 
 RDEPENDS:${PN} += "\
 ${PYTHON_PN}-datetime \
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184759): 
https://lists.openembedded.org/g/openembedded-core/message/184759
Mute This Topic: https://lists.openembedded.org/mt/100312964/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [PATCH] python3-hypothesis: upgrade 6.81.2 -> 6.82.0

[Tim Orling]

https://hypothesis.readthedocs.io/en/latest/changes.html#v6-82-0

6.82.0 - 2023-07-20
* from_regex() now supports the atomic grouping ((?>...)) and possessive
  quantifier (*+, ++, ?+, {m,n}+) syntax added in Python 3.11.

  Thanks to Cheuk Ting Ho for implementing this!

Signed-off-by: Tim Orling 
---
All ptests pass on qemux86_64 core-image-ptest-python3-hypothesis

 ...ython3-hypothesis_6.81.2.bb => python3-hypothesis_6.82.0.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/python/{python3-hypothesis_6.81.2.bb => 
python3-hypothesis_6.82.0.bb} (91%)

diff --git a/meta/recipes-devtools/python/python3-hypothesis_6.81.2.bb 
b/meta/recipes-devtools/python/python3-hypothesis_6.82.0.bb
similarity index 91%
rename from meta/recipes-devtools/python/python3-hypothesis_6.81.2.bb
rename to meta/recipes-devtools/python/python3-hypothesis_6.82.0.bb
index 93bf638759..0aeeae1019 100644
--- a/meta/recipes-devtools/python/python3-hypothesis_6.81.2.bb
+++ b/meta/recipes-devtools/python/python3-hypothesis_6.82.0.bb
@@ -13,7 +13,7 @@ SRC_URI += " \
 file://test_rle.py \
 "
 
-SRC_URI[sha256sum] = 
"e35165a73064370d30d476d7218f600d2bf861ff218192c9e994cb36aa190ae7"
+SRC_URI[sha256sum] = 
"ffece8e40a34329e7112f7408f2c45fe587761978fdbc6f4f91bf0d683a7d4d9"
 
 RDEPENDS:${PN} += " \
 python3-attrs \
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184758): 
https://lists.openembedded.org/g/openembedded-core/message/184758
Mute This Topic: https://lists.openembedded.org/mt/100312959/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [PATCH] python3-urllib3: upgrade 2.0.3 -> 2.0.4

[Tim Orling]

https://github.com/urllib3/urllib3/blob/main/CHANGES.rst#204-2023-07-19

2.0.4 (2023-07-19)
* Added support for union operators to HTTPHeaderDict (#2254)
* Added BaseHTTPResponse to urllib3.__all__ (#3078)
* Fixed urllib3.connection.HTTPConnection to raise the http.client.connect
  audit event to have the same behavior as the standard library HTTP client
  (#2757)
* Relied on the standard library for checking hostnames in supported PyPy
  releases (#3087)

Signed-off-by: Tim Orling 
---
 .../{python3-urllib3_2.0.3.bb => python3-urllib3_2.0.4.bb}  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/python/{python3-urllib3_2.0.3.bb => 
python3-urllib3_2.0.4.bb} (87%)

diff --git a/meta/recipes-devtools/python/python3-urllib3_2.0.3.bb 
b/meta/recipes-devtools/python/python3-urllib3_2.0.4.bb
similarity index 87%
rename from meta/recipes-devtools/python/python3-urllib3_2.0.3.bb
rename to meta/recipes-devtools/python/python3-urllib3_2.0.4.bb
index 64b21db86d..0abd2adf65 100644
--- a/meta/recipes-devtools/python/python3-urllib3_2.0.3.bb
+++ b/meta/recipes-devtools/python/python3-urllib3_2.0.4.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/shazow/urllib3;
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=52d273a3054ced561275d4d15260ecda"
 
-SRC_URI[sha256sum] = 
"bee28b5e56addb8226c96f7f13ac28cb4c301dd5ea8a6ca179c0b9835e032825"
+SRC_URI[sha256sum] = 
"8d22f86aae8ef5e410d4f539fde9ce6b2113a001bb4d189e0aed70642d602b11"
 
 inherit pypi python_hatchling
 
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184757): 
https://lists.openembedded.org/g/openembedded-core/message/184757
Mute This Topic: https://lists.openembedded.org/mt/100312946/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: ODP: [OE-Core][PATCH v8][master-next 1/5] package_ipk.bbclass: add support for ACLs and xattr

[Alexandre Belloni via lists.openembedded.org]

Hello,

On 22/07/2023 21:03:43+, Piotr Łobacz wrote:
> Hello Alexadre,
> this time everything should be fixed and working :D I have tested it thrice:P
> 
> Additionally I've discovered that somehow, during all these patchsets, an 
> extra param "--numeric-owner" has gone from opkg-build script,
> which is important to store uid(s)/gid(s) as numbers instead of names in tar 
> archive. An updated patch has been already pushed to opkg-utils
> upstream.
> 
> You can run it and tell if everything is OK.
> 

This ran and mostly worked. The remaining issue is the reproducibility
issue:

https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20230722-1a1a_7s6/

Unfortunately, diffoscope is not running on that large set.

> BR
> Piotr
> 
> 
> Od: openembedded-core@lists.openembedded.org 
>  w imieniu użytkownika Piotr Łobacz 
> via lists.openembedded.org 
> Wysłane: sobota, 22 lipca 2023 22:55
> Do: openembedded-core@lists.openembedded.org 
> 
> DW: Piotr Łobacz 
> Temat: [OE-Core][PATCH v8][master-next 1/5] package_ipk.bbclass: add support 
> for ACLs and xattr
> 
> Extend OPKGBUILDCMD variable, with additional parameters, depending
> on target distro features, in order to support ACLs and xattr.
> 
> With fix pushed to the opkg-devel:
> https://groups.google.com/g/opkg-devel/c/dYNHrLjDwg8
> opkg-build is able to create tar archives with ACLs and xattr.
> 
> Signed-off-by: Piotr Łobacz 
> ---
>  meta/classes-global/package_ipk.bbclass | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/classes-global/package_ipk.bbclass 
> b/meta/classes-global/package_ipk.bbclass
> index b4b7bc9ac2..a0f106e4ad 100644
> --- a/meta/classes-global/package_ipk.bbclass
> +++ b/meta/classes-global/package_ipk.bbclass
> @@ -15,7 +15,7 @@ IPKGCONF_SDK_TARGET = "${WORKDIR}/opkg-sdk-target.conf"
>  PKGWRITEDIRIPK = "${WORKDIR}/deploy-ipks"
> 
>  # Program to be used to build opkg packages
> -OPKGBUILDCMD ??= 'opkg-build -Z xz -a "${XZ_DEFAULTS}"'
> +OPKGBUILDCMD ??= 'opkg-build -Z xz -a "${XZ_DEFAULTS}" 
> ${@bb.utils.contains('DISTRO_FEATURES', 'acl', '-A', '', d)} 
> ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', '-X', '', d)}'
> 
>  OPKG_ARGS += "--force_postinstall --prefer-arch-to-version"
>  OPKG_ARGS += "${@['', 
> '--no-install-recommends'][d.getVar("NO_RECOMMENDATIONS") == "1"]}"
> --
> 2.34.1

> 
> 
> 


-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184756): 
https://lists.openembedded.org/g/openembedded-core/message/184756
Mute This Topic: https://lists.openembedded.org/mt/100301979/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] mdadm: add util-linux-blockdev ptest dependency

[Ovidiu Panait via lists.openembedded.org]

On 7/23/23 15:08, Alexander Kanavin wrote:

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know 
the content is safe.

Can you please check why the test doesn't fail with the dependency absent?

The testcase fails intermittently:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=15159

But it is not clear if it's related to the missing blockdev dependency, 
as I was unable to reproduce the failure manually and we can't get the 
logs from the autobuilder.


blockdev not being available doesn't make the testcase fail directly, 
but it affects some calculations, so I think it should be added as a 
dependency:

...
+++ /sbin/blockdev --getsize /dev/md0
/usr/lib/mdadm/ptest/tests/func.sh: line 334: /sbin/blockdev: No such 
file or directory

++ '[' -eq 0 ']'
/usr/lib/mdadm/ptest/tests/func.sh: line 334: [: -eq: unary operator 
expected

+++ /sbin/blockdev --getsize /dev/md0
/usr/lib/mdadm/ptest/tests/func.sh: line 335: /sbin/blockdev: No such 
file or directory

++ _sz=
++ '[' 119808 -lt -o 95846 -gt ']'
/usr/lib/mdadm/ptest/tests/func.sh: line 336: [: -o: integer expression 
expected


Ovidiu

Alex

On Fri, 21 Jul 2023 at 12:58, Ovidiu Panait via lists.openembedded.org
 wrote:

From: Ovidiu Panait 

07revert-inplace test logs contain the following:
func.sh: line 335: /sbin/blockdev: No such file or directory

Add the missing util-linux-blockdev dependency.

Signed-off-by: Ovidiu Panait 
---
  meta/recipes-extended/mdadm/mdadm_4.2.bb | 9 -
  1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-extended/mdadm/mdadm_4.2.bb 
b/meta/recipes-extended/mdadm/mdadm_4.2.bb
index 50d9548747..fa50325f1f 100644
--- a/meta/recipes-extended/mdadm/mdadm_4.2.bb
+++ b/meta/recipes-extended/mdadm/mdadm_4.2.bb
@@ -107,7 +107,14 @@ do_install_ptest() {
  }

  RDEPENDS:${PN} += "bash"
-RDEPENDS:${PN}-ptest += "bash e2fsprogs-mke2fs util-linux-lsblk util-linux-losetup 
strace"
+RDEPENDS:${PN}-ptest += " \
+bash \
+e2fsprogs-mke2fs \
+util-linux-lsblk \
+util-linux-losetup \
+util-linux-blockdev \
+strace \
+"
  RRECOMMENDS:${PN}-ptest += " \
  coreutils \
  kernel-module-loop \
--
2.39.1





-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184755): 
https://lists.openembedded.org/g/openembedded-core/message/184755
Mute This Topic: https://lists.openembedded.org/mt/100274537/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] OE-core CVE metrics for master on Sun 23 Jul 2023

[Steve Sakoman]

CVE check script failed this week with the following error:

ERROR: Unable to parse
/home/steve/builds/cve/poky/bitbake/lib/bb/parse/parse_py/ConfHandler.py
Traceback (most recent call last):
  File 
"/home/steve/builds/cve/poky/bitbake/lib/bb/parse/parse_py/ConfHandler.py",
line 200, in feeder(lineno=125, s='CVE_STATUS[CVE-2020-18974] =
"upstream-wontfix: It is a fuzzing related buffer overflow. It is of
low impact since most devices',
fn='conf/distro/include/cve-extra-exclusions.inc', statements=[

>raise ParseError("unparsed line: '%s'" % s, fn, lineno);

bb.parse.ParseError: ParseError at
conf/distro/include/cve-extra-exclusions.inc:125: unparsed line:
'CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: It is a fuzzing
related buffer overflow. It is of low impact since most devices'

This seems to be due to the lack of terminating "\" characters on the
multiline entry for this CVE in the following commit:

https://git.openembedded.org/openembedded-core/commit/?id=1634ed4048cf56788cd5c2c1bdc979b70afcdcd7

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184754): 
https://lists.openembedded.org/g/openembedded-core/message/184754
Mute This Topic: https://lists.openembedded.org/mt/100311685/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] OE-core CVE metrics for mickledore on Sun 23 Jul 2023 04:00:01 AM HST

[Steve Sakoman]

Branch: mickledore

New this week: 9 CVEs
CVE-2020-11935 (CVSS3: 5.5 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11935 *
CVE-2023-1206 (CVSS3: 5.7 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1206 *
CVE-2023-24329 (CVSS3: 7.5 HIGH): python3:python3-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24329 *
CVE-2023-29406 (CVSS3: 6.5 MEDIUM): 
go:go-binary-native:go-cross-core2-64:go-runtime 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29406 *
CVE-2023-32250 (CVSS3: 8.1 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32250 *
CVE-2023-32254 (CVSS3: 8.1 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32254 *
CVE-2023-3269 (CVSS3: 7.8 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3269 *
CVE-2023-3354 (CVSS3: 7.5 HIGH): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354 *
CVE-2023-3618 (CVSS3: 6.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3618 *

Removed this week: 8 CVEs
CVE-2023-1380 (CVSS3: 7.1 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1380 *
CVE-2023-1611 (CVSS3: 6.3 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1611 *
CVE-2023-30630 (CVSS3: 7.8 HIGH): dmidecode 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30630 *
CVE-2023-3138 (CVSS3: 7.5 HIGH): libx11:libx11-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3138 *
CVE-2023-32681 (CVSS3: 6.1 MEDIUM): python3-requests 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32681 *
CVE-2023-3312 (CVSS3: 7.5 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3312 *
CVE-2023-3317 (CVSS3: 7.1 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3317 *
CVE-2023-36664 (CVSS3: 7.8 HIGH): ghostscript:ghostscript-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-36664 *

Full list:  Found 86 unpatched CVEs
CVE-2020-11935 (CVSS3: 5.5 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11935 *
CVE-2021-3714 (CVSS3: 7.5 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714 *
CVE-2021-3864 (CVSS3: 7.0 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3864 *
CVE-2022-0400 (CVSS3: 7.5 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0400 *
CVE-2022-1247 (CVSS3: 7.0 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1247 *
CVE-2022-3219 (CVSS3: 3.3 LOW): gnupg:gnupg-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
CVE-2022-3533 (CVSS3: 5.7 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3533 *
CVE-2022-3606 (CVSS3: 5.5 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3606 *
CVE-2022-36402 (CVSS3: 5.5 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36402 *
CVE-2022-38096 (CVSS3: 5.5 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38096 *
CVE-2022-3964 (CVSS3: 8.1 HIGH): ffmpeg 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3964 *
CVE-2022-3965 (CVSS3: 8.1 HIGH): ffmpeg 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3965 *
CVE-2022-4543 (CVSS3: 5.5 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4543 *
CVE-2022-46456 (CVSS3: 6.1 MEDIUM): nasm:nasm-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46456 *
CVE-2022-48425 (CVSS3: 7.8 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-48425 *
CVE-2022-48502 (CVSS3: 7.1 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-48502 *
CVE-2023-0330 (CVSS3: 6.0 MEDIUM): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0330 *
CVE-2023-0615 (CVSS3: 5.5 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0615 *
CVE-2023-1206 (CVSS3: 5.7 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1206 *
CVE-2023-1544 (CVSS3: 6.3 MEDIUM): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1544 *
CVE-2023-1855 (CVSS3: 6.3 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1855 *
CVE-2023-1859 (CVSS3: 4.7 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1859 *
CVE-2023-1916 (CVSS3: 6.1 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1916 *
CVE-2023-1989 (CVSS3: 7.0 HIGH): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1989 *
CVE-2023-1990 (CVSS3: 4.7 MEDIUM): linux-yocto 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1990 *
CVE-2023-1998 (CVSS3: 

[OE-core] OE-core CVE metrics for kirkstone on Sun 23 Jul 2023 03:00:01 AM HST

[Steve Sakoman]

Branch: kirkstone

New this week: 4 CVEs
CVE-2022-3515 (CVSS3: 9.8 CRITICAL): gnupg:gnupg-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3515 *
CVE-2023-29406 (CVSS3: 6.5 MEDIUM): go 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29406 *
CVE-2023-3354 (CVSS3: 7.5 HIGH): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354 *
CVE-2023-3618 (CVSS3: 6.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3618 *

Removed this week: 6 CVEs
CVE-2023-1999 (CVSS3: 7.5 HIGH): libwebp 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1999 *
CVE-2023-2609 (CVSS3: 7.8 HIGH): vim 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2609 *
CVE-2023-2610 (CVSS3: 7.8 HIGH): vim 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2610 *
CVE-2023-2828 (CVSS3: 7.5 HIGH): bind 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2828 *
CVE-2023-2911 (CVSS3: 7.5 HIGH): bind 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2911 *
CVE-2023-3138 (CVSS3: 7.5 HIGH): libx11:libx11-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3138 *

Full list:  Found 35 unpatched CVEs
CVE-2021-35937 (CVSS3: 6.4 MEDIUM): rpm:rpm-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35937 *
CVE-2021-35938 (CVSS3: 6.7 MEDIUM): rpm:rpm-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35938 *
CVE-2021-35939 (CVSS3: 6.7 MEDIUM): rpm:rpm-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35939 *
CVE-2022-3219 (CVSS3: 3.3 LOW): gnupg:gnupg-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3219 *
CVE-2022-3515 (CVSS3: 9.8 CRITICAL): gnupg:gnupg-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3515 *
CVE-2022-3553 (CVSS3: 6.5 MEDIUM): xserver-xorg 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3553 *
CVE-2022-3872 (CVSS3: 8.6 HIGH): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3872 *
CVE-2022-3964 (CVSS3: 8.1 HIGH): ffmpeg 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3964 *
CVE-2022-3965 (CVSS3: 8.1 HIGH): ffmpeg 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3965 *
CVE-2022-4055 (CVSS3: 7.4 HIGH): xdg-utils 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4055 *
CVE-2023-0795 (CVSS3: 5.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0795 *
CVE-2023-0796 (CVSS3: 5.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0796 *
CVE-2023-0797 (CVSS3: 5.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0797 *
CVE-2023-0798 (CVSS3: 5.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0798 *
CVE-2023-0799 (CVSS3: 5.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0799 *
CVE-2023-1544 (CVSS3: 6.3 MEDIUM): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1544 *
CVE-2023-1916 (CVSS3: 6.1 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1916 *
CVE-2023-24532 (CVSS3: 5.3 MEDIUM): go 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24532 *
CVE-2023-24536 (CVSS3: 7.5 HIGH): go 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24536 *
CVE-2023-26965 (CVSS3: 5.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26965 *
CVE-2023-27043 (CVSS3: 5.3 MEDIUM): python3:python3-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-27043 *
CVE-2023-2731 (CVSS3: 5.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2731 *
CVE-2023-2804 (CVSS3: 6.5 MEDIUM): libjpeg-turbo:libjpeg-turbo-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2804 *
CVE-2023-2829 (CVSS3: 7.5 HIGH): bind 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2829 *
CVE-2023-2908 (CVSS3: 5.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2908 *
CVE-2023-29403 (CVSS3: 7.8 HIGH): go 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29403 *
CVE-2023-29406 (CVSS3: 6.5 MEDIUM): go 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29406 *
CVE-2023-29491 (CVSS3: 7.8 HIGH): ncurses:ncurses-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29491 *
CVE-2023-30571 (CVSS3: 5.3 MEDIUM): libarchive:libarchive-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30571 *
CVE-2023-30630 (CVSS3: 7.8 HIGH): dmidecode 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30630 *
CVE-2023-3316 (CVSS3: 6.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3316 *
CVE-2023-3354 (CVSS3: 7.5 HIGH): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354 *
CVE-2023-3618 (CVSS3: 6.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3618 *
CVE-2023-36632 (CVSS3: 7.5 

[OE-core] OE-core CVE metrics for dunfell on Sun 23 Jul 2023 02:00:01 AM HST

[Steve Sakoman]

Branch: dunfell

New this week: 18 CVEs
CVE-2020-27918 (CVSS3: 7.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27918 *
CVE-2020-29623 (CVSS3: 3.3 LOW): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29623 *
CVE-2020-9948 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9948 *
CVE-2020-9951 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9951 *
CVE-2020-9952 (CVSS3: 7.1 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9952 *
CVE-2021-1765 (CVSS3: 6.5 MEDIUM): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1765 *
CVE-2021-1789 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1789 *
CVE-2021-1799 (CVSS3: 6.5 MEDIUM): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1799 *
CVE-2021-1801 (CVSS3: 6.5 MEDIUM): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1801 *
CVE-2021-1870 (CVSS3: 9.8 CRITICAL): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1870 *
CVE-2021-33621 (CVSS3: 8.8 HIGH): ruby:ruby-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33621 *
CVE-2022-2294 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2294 *
CVE-2022-32893 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32893 *
CVE-2022-3515 (CVSS3: 9.8 CRITICAL): gnupg:gnupg-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3515 *
CVE-2023-29406 (CVSS3: 6.5 MEDIUM): go:go-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29406 *
CVE-2023-31486 (CVSS3: 8.1 HIGH): perl:perl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-31486 *
CVE-2023-3354 (CVSS3: 7.5 HIGH): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354 *
CVE-2023-3618 (CVSS3: 6.5 MEDIUM): tiff 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3618 *

Removed this week: 6 CVEs
CVE-2023-24329 (CVSS3: 7.5 HIGH): python3:python3-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24329 *
CVE-2023-2609 (CVSS3: 7.8 HIGH): vim 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2609 *
CVE-2023-2610 (CVSS3: 7.8 HIGH): vim 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2610 *
CVE-2023-28320 (CVSS3: 5.9 MEDIUM): curl:curl-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28320 *
CVE-2023-29400 (CVSS3: 7.3 HIGH): go:go-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29400 *
CVE-2023-3138 (CVSS3: 7.5 HIGH): libx11:libx11-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3138 *

Full list:  Found 94 unpatched CVEs
CVE-2020-15705 (CVSS3: 6.4 MEDIUM): grub:grub-efi:grub-efi-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15705 *
CVE-2020-25742 (CVSS3: 3.2 LOW): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25742 *
CVE-2020-25743 (CVSS3: 3.2 LOW): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25743 *
CVE-2020-27918 (CVSS3: 7.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27918 *
CVE-2020-29623 (CVSS3: 3.3 LOW): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29623 *
CVE-2020-35503 (CVSS3: 6.0 MEDIUM): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35503 *
CVE-2020-35506 (CVSS3: 6.7 MEDIUM): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35506 *
CVE-2020-9948 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9948 *
CVE-2020-9951 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9951 *
CVE-2020-9952 (CVSS3: 7.1 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9952 *
CVE-2021-1765 (CVSS3: 6.5 MEDIUM): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1765 *
CVE-2021-1789 (CVSS3: 8.8 HIGH): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1789 *
CVE-2021-1799 (CVSS3: 6.5 MEDIUM): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1799 *
CVE-2021-1801 (CVSS3: 6.5 MEDIUM): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1801 *
CVE-2021-1870 (CVSS3: 9.8 CRITICAL): webkitgtk 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1870 *
CVE-2021-20269 (CVSS3: 5.5 MEDIUM): kexec-tools 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20269 *
CVE-2021-20295 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20295 *
CVE-2021-27097 (CVSS3: 7.8 HIGH): u-boot 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27097 *
CVE-2021-27138 (CVSS3: 

Re: [OE-core] [RFC v2 0/2] Add bblock helper script

[Alexander Kanavin]

Thanks for working on this. Should we think about how this could be tested?

Alex

On Fri, 21 Jul 2023 at 16:25, Julien Stephan  wrote:
>
> Hi all,
>
> This is the v2 of bblock script.
>
> Improvement from V1:
> * Signatures are now package architecture specific meaning that if you
>   switch MACHINE, the lock sig will not be taken into account
> * I added the -r option to unlock recipes
> * I added a -d option to display the current bblock.conf
> * Added an include directive for conf/bblock.conf inside bitbake.conf
> * Added -t option to specify the tasks to lock/unlock
>
> Limitations:
> * I may be still missing some checks on user input
> * I need to find a way to get the list of tasks ( by default still lock
>   only the do_compile for now, unless -t is specified)
> * Do not check if a particular recipe/task is already locked when trying
>   to add lock. So entries may appear multiple times
> * We still need the signature of the tasks to be already computed before
>   locking. Need to find a way to generate it if missing
>
> I did some tests using qemux86-64 and qemuarm but I may be missing some
> corner cases.
>
> I force pushed my branch on poky-contrib [1]
>
> Any feedback are welcome!
>
> Cheers
> Julien
>
> V1:
> I am currently working on bug #13425 and I would like to post my wip
> script as an RFC to get feedback on it, before going further in the
> development.
>
> The script `script/bblock` can be used with the following command:
>
> bblock [list of recipes to lock]
>
> Here is a summary of what is currently implemented:
> * can lock several recipes at once
> * on first execution bblock will append `require bblock.inc` in
>   `build/conf/auto.conf` (creates `auto.conf` if it doesn't exist)
> * on first execution creates the file `build/conf/bblock.inc` with a
>   dedicated header and:
>  - adds SIGGEN_LOCKEDSIGS_TYPES += "t-bblock"
>  - adds SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn" to display warning 
> but
>do not stop the build
> * loops over all recipes to lock and adds entry with latest "do_compile"
>   signature in `conf/bblock.inc`, such as: SIGGEN_LOCKEDSIGS_t-bblock += 
> "bc:do_compile:e233cd793137a92dd575a417a2877e324ce526c4dc4a7db652abb9512f406f1f"
>
> Limitations:
> * only gets do_compile signature for now as a POC
> * `bblock reset [list of recipes]` not yet implemented
> * no check if a recipe is already locked
>
> Steps to test the script:
> bitbake bc --> generate a signature for bc's tasks
> bblock bc
> # modify do_compile in bc recipe to force signature change
> bitbake bc --> throws the following warning: `WARNING: The bc:do_compile sig 
> is computed to be 
> 680bd6c291bf88e379e0c405a773cf5f81851e1a52570398cefd0196000ac1ef, but the sig 
> is locked to e233cd793137a92dd575a417a2877e324ce526c4dc4a7db652abb9512f406f1f 
> in SIGGEN_LOCKEDSIGS_t-bblock`
>
> I also have a point I would like to discuss: I only get signature for
> do_compile for the POC but wondering what should I do here:
> * have a set of predefined task to lock, in that case how to choose the
>   tasks?
> * compute the list of all available tasks for a given recipe and get
>   signature for all? Is there a way to get such list without using
>   `infoil.build_targets(pn, "listtasks", handle_events=True)` as this
>   will start bitbake, takes some time and requires some processing of
>   the output
> * add an option for the user to specify the task he wants to lock? (this
>   may be useful to add anyway)
>
> My branch is available here [1]
>
> Am I going into the right direction?
>
> Cheers
> Julien
>
> [1]: https://git.yoctoproject.org/poky-contrib/commit/?h=jstephan/bblock
> Julien Stephan (2):
>   bitbake.conf: include bblock.conf
>   scripts/bblock: add a script to lock/unlock recipes
>
>  meta/conf/bitbake.conf |   1 +
>  scripts/bblock | 184 +
>  2 files changed, 185 insertions(+)
>  create mode 100755 scripts/bblock
>
> --
> 2.41.0
>
> 
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184750): 
https://lists.openembedded.org/g/openembedded-core/message/184750
Mute This Topic: https://lists.openembedded.org/mt/100277504/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] mdadm: add util-linux-blockdev ptest dependency

[Alexander Kanavin]

Can you please check why the test doesn't fail with the dependency absent?

Alex

On Fri, 21 Jul 2023 at 12:58, Ovidiu Panait via lists.openembedded.org
 wrote:
>
> From: Ovidiu Panait 
>
> 07revert-inplace test logs contain the following:
> func.sh: line 335: /sbin/blockdev: No such file or directory
>
> Add the missing util-linux-blockdev dependency.
>
> Signed-off-by: Ovidiu Panait 
> ---
>  meta/recipes-extended/mdadm/mdadm_4.2.bb | 9 -
>  1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-extended/mdadm/mdadm_4.2.bb 
> b/meta/recipes-extended/mdadm/mdadm_4.2.bb
> index 50d9548747..fa50325f1f 100644
> --- a/meta/recipes-extended/mdadm/mdadm_4.2.bb
> +++ b/meta/recipes-extended/mdadm/mdadm_4.2.bb
> @@ -107,7 +107,14 @@ do_install_ptest() {
>  }
>
>  RDEPENDS:${PN} += "bash"
> -RDEPENDS:${PN}-ptest += "bash e2fsprogs-mke2fs util-linux-lsblk 
> util-linux-losetup strace"
> +RDEPENDS:${PN}-ptest += " \
> +bash \
> +e2fsprogs-mke2fs \
> +util-linux-lsblk \
> +util-linux-losetup \
> +util-linux-blockdev \
> +strace \
> +"
>  RRECOMMENDS:${PN}-ptest += " \
>  coreutils \
>  kernel-module-loop \
> --
> 2.39.1
>
>
> 
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184749): 
https://lists.openembedded.org/g/openembedded-core/message/184749
Mute This Topic: https://lists.openembedded.org/mt/100274537/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][dunfell][PATCH v2] libjpeg-turbo: patch CVE-2023-2804

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Relevant links:
* linked fronm NVD:
  * 
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118
* follow-up analysis:
  * 
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1496473989
  * picked commits fix all issues mentioned in this analysis

Signed-off-by: Peter Marko 
---
 .../jpeg/files/CVE-2023-2804-1.patch  | 97 +++
 .../jpeg/files/CVE-2023-2804-2.patch  | 75 ++
 .../jpeg/libjpeg-turbo_2.0.4.bb   |  2 +
 3 files changed, 174 insertions(+)
 create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
 create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch

diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch 
b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
new file mode 100644
index 00..6668f6e41d
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
@@ -0,0 +1,97 @@
+From 9679473547874c472569d54fecce32b463999a9d Mon Sep 17 00:00:00 2001
+From: DRC 
+Date: Tue, 4 Apr 2023 19:06:20 -0500
+Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565
+
+The 2-pass color quantization algorithm assumes 3-sample pixels.  RGB565
+is the only 3-component colorspace that doesn't have 3-sample pixels, so
+we need to treat it as a special case when determining whether to enable
+2-pass color quantization.  Otherwise, attempting to initialize 2-pass
+color quantization with an RGB565 output buffer could cause
+prescan_quantize() to read from uninitialized memory and subsequently
+underflow/overflow the histogram array.
+
+djpeg is supposed to fail gracefully if both -rgb565 and -colors are
+specified, because none of its destination managers (image writers)
+support color quantization with RGB565.  However, prescan_quantize() was
+called before that could occur.  It is possible but very unlikely that
+these issues could have been reproduced in applications other than
+djpeg.  The issues involve the use of two features (12-bit precision and
+RGB565) that are incompatible, and they also involve the use of two
+rarely-used legacy features (RGB565 and color quantization) that don't
+make much sense when combined.
+
+Fixes #668
+Fixes #671
+Fixes #680
+
+CVE: CVE-2023-2804
+Upstream-Status: Backport 
[https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9679473547874c472569d54fecce32b463999a9d]
+
+Signed-off-by: Peter Marko 
+---
+ ChangeLog.md | 6 ++
+ jdmaster.c   | 5 +++--
+ jquant2.c| 5 +++--
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index e605abe73..de0c4d0dd 100644
+--- a/ChangeLog.md
 b/ChangeLog.md
+@@ -1,3 +1,9 @@ quality values.
++9. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
++overruns when attempting to decompress various specially-crafted malformed
++12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg
++(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
++enabled.
++
+ 2.0.4
+ =
+ 
+diff --git a/jdmaster.c b/jdmaster.c
+index b20906438..8d8ef9956 100644
+--- a/jdmaster.c
 b/jdmaster.c
+@@ -5,7 +5,7 @@
+  * Copyright (C) 1991-1997, Thomas G. Lane.
+  * Modified 2002-2009 by Guido Vollbeding.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2009-2011, 2016, D. R. Commander.
++ * Copyright (C) 2009-2011, 2016, 2023, D. R. Commander.
+  * Copyright (C) 2013, Linaro Limited.
+  * Copyright (C) 2015, Google, Inc.
+  * For conditions of distribution and use, see the accompanying README.ijg
+@@ -492,7 +492,8 @@ master_selection(j_decompress_ptr cinfo)
+ if (cinfo->raw_data_out)
+   ERREXIT(cinfo, JERR_NOTIMPL);
+ /* 2-pass quantizer only works in 3-component color space. */
+-if (cinfo->out_color_components != 3) {
++if (cinfo->out_color_components != 3 ||
++cinfo->out_color_space == JCS_RGB565) {
+   cinfo->enable_1pass_quant = TRUE;
+   cinfo->enable_external_quant = FALSE;
+   cinfo->enable_2pass_quant = FALSE;
+diff --git a/jquant2.c b/jquant2.c
+index 6570613bb..c760380fb 100644
+--- a/jquant2.c
 b/jquant2.c
+@@ -4,7 +4,7 @@
+  * This file was part of the Independent JPEG Group's software:
+  * Copyright (C) 1991-1996, Thomas G. Lane.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2009, 2014-2015, D. R. Commander.
++ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo)
+   cquantize->error_limiter = NULL;
+ 
+   /* Make sure jdmaster didn't give me a case I can't handle */
+-  if (cinfo->out_color_components != 3)
++  if (cinfo->out_color_components != 3 ||
++  cinfo->out_color_space == JCS_RGB565)
+ ERREXIT(cinfo, JERR_NOTIMPL);
+ 
+   /* Allocate the histogram/inverse colormap storage */
diff --git 

Re: [OE-core][dunfell][PATCH] libjpeg-turbo: patch CVE-2023-2804

[Peter Marko via lists.openembedded.org]

Please ignore this dunfell patch, I'll send a v2.
Peter

-Original Message-
From: openembedded-core@lists.openembedded.org 
 On Behalf Of Peter Marko via 
lists.openembedded.org
Sent: Sunday, July 23, 2023 13:07
To: openembedded-core@lists.openembedded.org
Cc: Marko, Peter (ADV D EU SK BFS1) 
Subject: [OE-core][dunfell][PATCH] libjpeg-turbo: patch CVE-2023-2804

From: Peter Marko 

Relevant links:
* linked fronm NVD:
  * 
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118
* follow-up analysis:
  * 
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1496473989
  * picked commits fix all issues mentioned in this analysis

Signed-off-by: Peter Marko 
---
 .../jpeg/files/CVE-2023-2804-1.patch  | 100 ++
 .../jpeg/files/CVE-2023-2804-2.patch  |  75 +
 .../jpeg/libjpeg-turbo_2.0.4.bb   |   2 +
 3 files changed, 177 insertions(+)
 create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
 create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch

diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch 
b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
new file mode 100644
index 00..b708392d6c
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
@@ -0,0 +1,100 @@
+From 9679473547874c472569d54fecce32b463999a9d Mon Sep 17 00:00:00 2001
+From: DRC 
+Date: Tue, 4 Apr 2023 19:06:20 -0500
+Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565
+
+The 2-pass color quantization algorithm assumes 3-sample pixels.  
+RGB565 is the only 3-component colorspace that doesn't have 3-sample 
+pixels, so we need to treat it as a special case when determining 
+whether to enable 2-pass color quantization.  Otherwise, attempting to 
+initialize 2-pass color quantization with an RGB565 output buffer could 
+cause
+prescan_quantize() to read from uninitialized memory and subsequently 
+underflow/overflow the histogram array.
+
+djpeg is supposed to fail gracefully if both -rgb565 and -colors are 
+specified, because none of its destination managers (image writers) 
+support color quantization with RGB565.  However, prescan_quantize() 
+was called before that could occur.  It is possible but very unlikely 
+that these issues could have been reproduced in applications other than 
+djpeg.  The issues involve the use of two features (12-bit precision 
+and
+RGB565) that are incompatible, and they also involve the use of two 
+rarely-used legacy features (RGB565 and color quantization) that don't 
+make much sense when combined.
+
+Fixes #668
+Fixes #671
+Fixes #680
+
+CVE: CVE-2023-2804
+Upstream-Status: Backport 
+[https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9679473547874c47
+2569d54fecce32b463999a9d]
+
+Signed-off-by: Peter Marko 
+---
+ ChangeLog.md | 6 ++
+ jdmaster.c   | 5 +++--
+ jquant2.c| 5 +++--
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md index e605abe73..de0c4d0dd 
+100644
+--- a/ChangeLog.md
 b/ChangeLog.md
+@@ -48,6 +48,12 @@ quality values.
+ input image was not transformed into a progressive JPEG image prior to  
+decompression.
+ 
++9. Fixed an oversight in 1.4 beta1[8] that caused various segfaults 
++and buffer overruns when attempting to decompress various 
++specially-crafted malformed 12-bit-per-component JPEG images using a 
++12-bit-per-component build of djpeg
++(`-DWITH_12BIT=1`) with both color quantization and RGB565 color 
++conversion enabled.
++
+ 
+ 2.0.8 ESR
+ =
+diff --git a/jdmaster.c b/jdmaster.c
+index b20906438..8d8ef9956 100644
+--- a/jdmaster.c
 b/jdmaster.c
+@@ -5,7 +5,7 @@
+  * Copyright (C) 1991-1997, Thomas G. Lane.
+  * Modified 2002-2009 by Guido Vollbeding.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2009-2011, 2016, D. R. Commander.
++ * Copyright (C) 2009-2011, 2016, 2023, D. R. Commander.
+  * Copyright (C) 2013, Linaro Limited.
+  * Copyright (C) 2015, Google, Inc.
+  * For conditions of distribution and use, see the accompanying 
+README.ijg @@ -492,7 +492,8 @@ master_selection(j_decompress_ptr cinfo)
+ if (cinfo->raw_data_out)
+   ERREXIT(cinfo, JERR_NOTIMPL);
+ /* 2-pass quantizer only works in 3-component color space. */
+-if (cinfo->out_color_components != 3) {
++if (cinfo->out_color_components != 3 ||
++cinfo->out_color_space == JCS_RGB565) {
+   cinfo->enable_1pass_quant = TRUE;
+   cinfo->enable_external_quant = FALSE;
+   cinfo->enable_2pass_quant = FALSE; diff --git a/jquant2.c 
+b/jquant2.c index 6570613bb..c760380fb 100644
+--- a/jquant2.c
 b/jquant2.c
+@@ -4,7 +4,7 @@
+  * This file was part of the Independent JPEG Group's software:
+  * Copyright (C) 1991-1996, Thomas G. Lane.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2009, 2014-2015, 2020, D. R. Commander.
++ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander.
+  * 

[OE-core][kirkstone][mickledore][PATCH] libjpeg-turbo: patch CVE-2023-2804

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Relevant links:
* linked fronm NVD:
  * 
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118
* follow-up analysis:
  * 
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1496473989
  * picked commits fix all issues mentioned in this analysis

Signed-off-by: Peter Marko 
---
 .../jpeg/files/CVE-2023-2804-1.patch  | 103 ++
 .../jpeg/files/CVE-2023-2804-2.patch  |  75 +
 .../jpeg/libjpeg-turbo_2.1.5.1.bb |   2 +
 3 files changed, 180 insertions(+)
 create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
 create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch

diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch 
b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
new file mode 100644
index 00..fd8a66bca7
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
@@ -0,0 +1,103 @@
+From 42ce199c9cfe129e5e21afd48dfe757a6acf87c4 Mon Sep 17 00:00:00 2001
+From: DRC 
+Date: Tue, 4 Apr 2023 19:06:20 -0500
+Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565
+
+The 2-pass color quantization algorithm assumes 3-sample pixels.  RGB565
+is the only 3-component colorspace that doesn't have 3-sample pixels, so
+we need to treat it as a special case when determining whether to enable
+2-pass color quantization.  Otherwise, attempting to initialize 2-pass
+color quantization with an RGB565 output buffer could cause
+prescan_quantize() to read from uninitialized memory and subsequently
+underflow/overflow the histogram array.
+
+djpeg is supposed to fail gracefully if both -rgb565 and -colors are
+specified, because none of its destination managers (image writers)
+support color quantization with RGB565.  However, prescan_quantize() was
+called before that could occur.  It is possible but very unlikely that
+these issues could have been reproduced in applications other than
+djpeg.  The issues involve the use of two features (12-bit precision and
+RGB565) that are incompatible, and they also involve the use of two
+rarely-used legacy features (RGB565 and color quantization) that don't
+make much sense when combined.
+
+Fixes #668
+Fixes #671
+Fixes #680
+
+CVE: CVE-2023-2804
+Upstream-Status: Backport 
[https://github.com/libjpeg-turbo/libjpeg-turbo/commit/42ce199c9cfe129e5e21afd48dfe757a6acf87c4]
+
+Signed-off-by: Peter Marko 
+---
+ ChangeLog.md | 12 
+ jdmaster.c   |  5 +++--
+ jquant2.c|  5 +++--
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 1c1e6538a..f1bfb3d87 100644
+--- a/ChangeLog.md
 b/ChangeLog.md
+@@ -1,3 +1,15 @@
++2.1.6
++=
++
++### Significant changes relative to 2.1.5.1:
++
++1. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
++overruns when attempting to decompress various specially-crafted malformed
++12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg
++(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
++enabled.
++
++
+ 2.1.5.1
+ ===
+ 
+diff --git a/jdmaster.c b/jdmaster.c
+index a3690bf56..a9446adfd 100644
+--- a/jdmaster.c
 b/jdmaster.c
+@@ -5,7 +5,7 @@
+  * Copyright (C) 1991-1997, Thomas G. Lane.
+  * Modified 2002-2009 by Guido Vollbeding.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2009-2011, 2016, 2019, 2022, D. R. Commander.
++ * Copyright (C) 2009-2011, 2016, 2019, 2022-2023, D. R. Commander.
+  * Copyright (C) 2013, Linaro Limited.
+  * Copyright (C) 2015, Google, Inc.
+  * For conditions of distribution and use, see the accompanying README.ijg
+@@ -480,7 +480,8 @@ master_selection(j_decompress_ptr cinfo)
+ if (cinfo->raw_data_out)
+   ERREXIT(cinfo, JERR_NOTIMPL);
+ /* 2-pass quantizer only works in 3-component color space. */
+-if (cinfo->out_color_components != 3) {
++if (cinfo->out_color_components != 3 ||
++cinfo->out_color_space == JCS_RGB565) {
+   cinfo->enable_1pass_quant = TRUE;
+   cinfo->enable_external_quant = FALSE;
+   cinfo->enable_2pass_quant = FALSE;
+diff --git a/jquant2.c b/jquant2.c
+index 44efb18ca..1c14ef763 100644
+--- a/jquant2.c
 b/jquant2.c
+@@ -4,7 +4,7 @@
+  * This file was part of the Independent JPEG Group's software:
+  * Copyright (C) 1991-1996, Thomas G. Lane.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2009, 2014-2015, 2020, D. R. Commander.
++ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo)
+   cquantize->error_limiter = NULL;
+ 
+   /* Make sure jdmaster didn't give me a case I can't handle */
+-  if (cinfo->out_color_components != 3)
++  if (cinfo->out_color_components != 3 ||
++  cinfo->out_color_space == JCS_RGB565)
+ 

[OE-core][dunfell][PATCH] libjpeg-turbo: patch CVE-2023-2804

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Relevant links:
* linked fronm NVD:
  * 
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118
* follow-up analysis:
  * 
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1496473989
  * picked commits fix all issues mentioned in this analysis

Signed-off-by: Peter Marko 
---
 .../jpeg/files/CVE-2023-2804-1.patch  | 100 ++
 .../jpeg/files/CVE-2023-2804-2.patch  |  75 +
 .../jpeg/libjpeg-turbo_2.0.4.bb   |   2 +
 3 files changed, 177 insertions(+)
 create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
 create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch

diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch 
b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
new file mode 100644
index 00..b708392d6c
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
@@ -0,0 +1,100 @@
+From 9679473547874c472569d54fecce32b463999a9d Mon Sep 17 00:00:00 2001
+From: DRC 
+Date: Tue, 4 Apr 2023 19:06:20 -0500
+Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565
+
+The 2-pass color quantization algorithm assumes 3-sample pixels.  RGB565
+is the only 3-component colorspace that doesn't have 3-sample pixels, so
+we need to treat it as a special case when determining whether to enable
+2-pass color quantization.  Otherwise, attempting to initialize 2-pass
+color quantization with an RGB565 output buffer could cause
+prescan_quantize() to read from uninitialized memory and subsequently
+underflow/overflow the histogram array.
+
+djpeg is supposed to fail gracefully if both -rgb565 and -colors are
+specified, because none of its destination managers (image writers)
+support color quantization with RGB565.  However, prescan_quantize() was
+called before that could occur.  It is possible but very unlikely that
+these issues could have been reproduced in applications other than
+djpeg.  The issues involve the use of two features (12-bit precision and
+RGB565) that are incompatible, and they also involve the use of two
+rarely-used legacy features (RGB565 and color quantization) that don't
+make much sense when combined.
+
+Fixes #668
+Fixes #671
+Fixes #680
+
+CVE: CVE-2023-2804
+Upstream-Status: Backport 
[https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9679473547874c472569d54fecce32b463999a9d]
+
+Signed-off-by: Peter Marko 
+---
+ ChangeLog.md | 6 ++
+ jdmaster.c   | 5 +++--
+ jquant2.c| 5 +++--
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index e605abe73..de0c4d0dd 100644
+--- a/ChangeLog.md
 b/ChangeLog.md
+@@ -48,6 +48,12 @@ quality values.
+ input image was not transformed into a progressive JPEG image prior to
+ decompression.
+ 
++9. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
++overruns when attempting to decompress various specially-crafted malformed
++12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg
++(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
++enabled.
++
+ 
+ 2.0.8 ESR
+ =
+diff --git a/jdmaster.c b/jdmaster.c
+index b20906438..8d8ef9956 100644
+--- a/jdmaster.c
 b/jdmaster.c
+@@ -5,7 +5,7 @@
+  * Copyright (C) 1991-1997, Thomas G. Lane.
+  * Modified 2002-2009 by Guido Vollbeding.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2009-2011, 2016, D. R. Commander.
++ * Copyright (C) 2009-2011, 2016, 2023, D. R. Commander.
+  * Copyright (C) 2013, Linaro Limited.
+  * Copyright (C) 2015, Google, Inc.
+  * For conditions of distribution and use, see the accompanying README.ijg
+@@ -492,7 +492,8 @@ master_selection(j_decompress_ptr cinfo)
+ if (cinfo->raw_data_out)
+   ERREXIT(cinfo, JERR_NOTIMPL);
+ /* 2-pass quantizer only works in 3-component color space. */
+-if (cinfo->out_color_components != 3) {
++if (cinfo->out_color_components != 3 ||
++cinfo->out_color_space == JCS_RGB565) {
+   cinfo->enable_1pass_quant = TRUE;
+   cinfo->enable_external_quant = FALSE;
+   cinfo->enable_2pass_quant = FALSE;
+diff --git a/jquant2.c b/jquant2.c
+index 6570613bb..c760380fb 100644
+--- a/jquant2.c
 b/jquant2.c
+@@ -4,7 +4,7 @@
+  * This file was part of the Independent JPEG Group's software:
+  * Copyright (C) 1991-1996, Thomas G. Lane.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2009, 2014-2015, 2020, D. R. Commander.
++ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo)
+   cquantize->error_limiter = NULL;
+ 
+   /* Make sure jdmaster didn't give me a case I can't handle */
+-  if (cinfo->out_color_components != 3)
++  if (cinfo->out_color_components != 3 ||
++  cinfo->out_color_space == JCS_RGB565)
+ 

[OE-core][mickledore][PATCH] python3: ignore CVE-2023-36632

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This CVE shouldn't have been filed as the "exploit" is described in the
documentation as how the library behaves.

Signed-off-by: Ross Burton 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie 
(cherry picked from commit c652f094d86c4efb7ff99accba63b8169493ab18)
Signed-off-by: Peter Marko 
---
 meta/recipes-devtools/python/python3_3.11.2.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/python/python3_3.11.2.bb 
b/meta/recipes-devtools/python/python3_3.11.2.bb
index 5bd8d32b14..f3be9768bf 100644
--- a/meta/recipes-devtools/python/python3_3.11.2.bb
+++ b/meta/recipes-devtools/python/python3_3.11.2.bb
@@ -56,6 +56,8 @@ CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
 # The mailcap module is insecure by design, so this can't be fixed in a 
meaningful way.
 # The module will be removed in the future and flaws documented.
 CVE_CHECK_IGNORE += "CVE-2015-20107"
+# Not an issue, in fact expected behaviour
+CVE_CHECK_IGNORE += "CVE-2023-36632"
 
 PYTHON_MAJMIN = "3.11"
 
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184744): 
https://lists.openembedded.org/g/openembedded-core/message/184744
Mute This Topic: https://lists.openembedded.org/mt/100308718/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] python3: ignore CVE-2023-36632

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This CVE shouldn't have been filed as the "exploit" is described in the
documentation as how the library behaves.

Signed-off-by: Ross Burton 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie 
(cherry picked from commit c652f094d86c4efb7ff99accba63b8169493ab18)
Signed-off-by: Peter Marko 
---
 meta/recipes-devtools/python/python3_3.10.9.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/python/python3_3.10.9.bb 
b/meta/recipes-devtools/python/python3_3.10.9.bb
index 867958c0fb..4ecc7614bb 100644
--- a/meta/recipes-devtools/python/python3_3.10.9.bb
+++ b/meta/recipes-devtools/python/python3_3.10.9.bb
@@ -61,6 +61,8 @@ CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
 # The mailcap module is insecure by design, so this can't be fixed in a 
meaningful way.
 # The module will be removed in the future and flaws documented.
 CVE_CHECK_IGNORE += "CVE-2015-20107"
+# Not an issue, in fact expected behaviour
+CVE_CHECK_IGNORE += "CVE-2023-36632"
 
 PYTHON_MAJMIN = "3.10"
 
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184743): 
https://lists.openembedded.org/g/openembedded-core/message/184743
Mute This Topic: https://lists.openembedded.org/mt/100308708/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][dunfell][PATCH] python3: ignore CVE-2023-36632

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This CVE shouldn't have been filed as the "exploit" is described in the
documentation as how the library behaves.

Signed-off-by: Ross Burton 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie 
(cherry picked from commit c652f094d86c4efb7ff99accba63b8169493ab18)
Signed-off-by: Peter Marko 
---
 meta/recipes-devtools/python/python3_3.8.17.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/python/python3_3.8.17.bb 
b/meta/recipes-devtools/python/python3_3.8.17.bb
index 8c00d65794..00c4ff497a 100644
--- a/meta/recipes-devtools/python/python3_3.8.17.bb
+++ b/meta/recipes-devtools/python/python3_3.8.17.bb
@@ -61,6 +61,8 @@ CVE_CHECK_WHITELIST += "CVE-2020-15523 CVE-2022-26488"
 # The mailcap module is insecure by design, so this can't be fixed in a 
meaningful way.
 # The module will be removed in the future and flaws documented.
 CVE_CHECK_WHITELIST += "CVE-2015-20107"
+# Not an issue, in fact expected behaviour
+CVE_CHECK_WHITELIST += "CVE-2023-36632"
 
 PYTHON_MAJMIN = "3.8"
 
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184742): 
https://lists.openembedded.org/g/openembedded-core/message/184742
Mute This Topic: https://lists.openembedded.org/mt/100308689/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-