Re: [OE-core][PATCH] ncurses: upgrade to 6.4+20230625

2023-07-26 Thread Chen Qi via lists.openembedded.org
Thanks for the info. I thought it was a stable version. The upgrade was 
intended for resolving CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-29491.
But now that it's clear this version is a development version, I'll just send 
out a patch to fix the CVE.

Regards,
Qi

-Original Message-
From: Alexander Kanavin  
Sent: Thursday, July 27, 2023 12:25 PM
To: Chen, Qi 
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] ncurses: upgrade to 6.4+20230625

6.4+20230625 is a development snapshot, and not an actual stable release. We 
used to take them but that was due to misunderstanding about ncurses version 
policy. Is there a particular reason to move to it?

Alex

On Thu, 27 Jul 2023 at 04:25, Chen Qi via lists.openembedded.org 
 wrote:
>
> From: Chen Qi 
>
> The license checksum is updated because of the year change, the 
> license itself remains the same.
>
> The exit_prototype.patch is refreshed to avoid patch fuzz error.
>
> The repo is switched back to salsa.debian.org. It was switched from 
> salsa.debian.org to github mirror because, according to the commit 
> message, the github mirror was updated on a daily basis. But things 
> have changed and the github mirror hasn't been updated for months.
> So switch back to use salsa.debian.org.
>
> Signed-off-by: Chen Qi 
> ---
>  meta/recipes-core/ncurses/files/exit_prototype.patch | 10 +-
>  meta/recipes-core/ncurses/ncurses.inc|  4 ++--
>  meta/recipes-core/ncurses/ncurses_6.4.bb |  3 ++-
>  3 files changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/meta/recipes-core/ncurses/files/exit_prototype.patch 
> b/meta/recipes-core/ncurses/files/exit_prototype.patch
> index fd961512e0..9dddbbccf4 100644
> --- a/meta/recipes-core/ncurses/files/exit_prototype.patch
> +++ b/meta/recipes-core/ncurses/files/exit_prototype.patch
> @@ -1,4 +1,4 @@
> -From 4a769a441d7e57a23017c3037cde3e53fb9f35fe Mon Sep 17 00:00:00 
> 2001
> +From bc917b9bae0b11b02aa0ddd9ed62d9cd78ffc4f7 Mon Sep 17 00:00:00 
> +2001
>  From: Khem Raj 
>  Date: Tue, 30 Aug 2022 15:58:32 -0700
>  Subject: [PATCH] Add needed headers for including mbstate_t and 
> exit() @@ -11,18 +11,18 @@ Signed-off-by: Khem Raj 
>   1 file changed, 2 insertions(+)
>
>  diff --git a/configure b/configure
> -index f377f551..163f8899 100755
> +index c2462f7f..33668cf0 100755
>  --- a/configure
>  +++ b/configure
> -@@ -3423,6 +3423,7 @@ rm -f "conftest.$ac_objext" "conftest.$ac_ext"
> +@@ -3458,6 +3458,7 @@ rm -f "conftest.$ac_objext" "conftest.$ac_ext"
> cat >"conftest.$ac_ext" <<_ACEOF
> - #line 3424 "configure"
> + #line 3459 "configure"
>   #include "confdefs.h"
>  +#include 
>   $ac_declaration
>   int
>   main (void)
> -@@ -13111,6 +13112,7 @@ cat >"conftest.$ac_ext" <<_ACEOF
> +@@ -13526,6 +13527,7 @@ cat >"conftest.$ac_ext" <<_ACEOF
>   #include 
>   #include 
>   #include 
> diff --git a/meta/recipes-core/ncurses/ncurses.inc 
> b/meta/recipes-core/ncurses/ncurses.inc
> index 367f3b19f4..78d6f2619c 100644
> --- a/meta/recipes-core/ncurses/ncurses.inc
> +++ b/meta/recipes-core/ncurses/ncurses.inc
> @@ -2,7 +2,7 @@ SUMMARY = "The New Curses library"
>  DESCRIPTION = "SVr4 and XSI-Curses compatible curses library and terminfo 
> tools including tic, infocmp, captoinfo. Supports color, multiple highlights, 
> forms-drawing characters, and automatic recognition of keypad and 
> function-key sequences. Extensions include resizable windows and mouse 
> support on both xterm and Linux console using the gpm library."
>  HOMEPAGE = "http://www.gnu.org/software/ncurses/ncurses.html;
>  LICENSE = "MIT"
> -LIC_FILES_CHKSUM = 
> "file://COPYING;md5=c5a4600fdef86384c41ca33ecc70a4b8;endline=27"
> +LIC_FILES_CHKSUM = 
> "file://COPYING;md5=8f2e5b99d5b6c0e6ee7cb39b992733b6;endline=27"
>  SECTION = "libs"
>  DEPENDS = "ncurses-native"
>  DEPENDS:class-native = ""
> @@ -13,7 +13,7 @@ BINCONFIG = "${bindir}/ncurses5-config 
> ${bindir}/ncursesw5-config \  inherit autotools binconfig-disabled 
> multilib_header pkgconfig
>
>  # Upstream has useful patches at times at 
> ftp://invisible-island.net/ncurses/
> -SRC_URI = "git://github.com/mirror/ncurses.git;protocol=https;branch=master"
> +SRC_URI = 
> "git://salsa.debian.org/debian/ncurses.git;protocol=https;branch=master"
>
>  EXTRA_AUTORECONF = "-I m4"
>
> diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb 
> b/meta/recipes-core/ncurses/ncurses_6.4.bb
> index 1eb15673d1..b875aee250 100644
> --- a/meta/recipes-core/ncurses/ncurses_6.4.bb
> +++ b/meta/recipes-core/ncurses/ncurses_6.4.bb
> @@ -6,7 +6,8 @@ SRC_URI += "file://0001-tic-hang.patch \
> file://exit_prototype.patch \
> "
>  # commit id corresponds to the revision in package version -SRCREV = 
> "79b9071f2be20a24c7be031655a5638f6032f29f"
> +SRCREV = "964ec9f9c6e3ac3aaa1a9161c6fb75f6d7f589b5"
> +PV = "6.4+20230625"
>  S = "${WORKDIR}/git"
>  EXTRA_OECONF += "--with-abi-version=5"
>  UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+(\.\d+)+)$"
> --

Re: [OE-core] [PATCH v4] qemu: Add qemu-common package

2023-07-26 Thread Yu, Mingli

Ping.

Thanks,

On 7/17/23 15:11, Yu, Mingli wrote:

From: Mingli Yu 

We split the qemu package [1] so that a user can install a single
qemu arch emulation rpm, to ease the concerns of those who care about
the rpm size on embedded devices.

But a user who only installs qemu-*.rpm can't do anything
unless they explicitly install a qemu emulation rpm such as
qemu-system-x86-64-*.rpm.

So add a qemu-common package: package everything into qemu-common when
the package is not split, and when it is split, package only the basics
into qemu-common and the arch-related files into each qemu arch emulation
rpm, to fix backward compatibility.

qemu-*.rpm, which is a meta package, rdepends on qemu-common and the available
qemu arch emulation rpms such as qemu-system-x86-64-*.rpm.

[1] 
https://git.openembedded.org/openembedded-core/commit/?id=893846ead7ee54d53e9076150cd655e0c8bca5db

Signed-off-by: Mingli Yu 
---

v3->v4: remove the added native-sdk dependency.

  meta/recipes-devtools/qemu/qemu.inc  | 23 ---
  meta/recipes-devtools/qemu/qemu_8.0.3.bb |  2 +-
  2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 16581db69d..76560f454d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -225,15 +225,18 @@ PACKAGECONFIG[brlapi] = "--enable-brlapi,--disable-brlapi"
  PACKAGECONFIG[jack] = "--enable-jack,--disable-jack,jack,"
  PACKAGECONFIG[debuginfo] = "--enable-libdw,--disable-libdw,elfutils"
  
-INSANE_SKIP:${PN} = "arch"

+INSANE_SKIP:${PN}-common = "arch"
  
  FILES:${PN} += "${datadir}/icons"
  
  # For user who want to install all arch packages

-PACKAGES =+ "${PN}-system-all ${PN}-user-all"
+PACKAGES =+ "${PN}-common"
+RDEPENDS:${PN} += "${PN}-common"
  
-ALLOW_EMPTY:${PN}-system-all = "1"

-ALLOW_EMPTY:${PN}-user-all = "1"
+ALLOW_EMPTY:${PN} = "1"
+FILES:${PN} = ""
+
+FILES:${PN}-common = "${bindir}/* ${includedir}/* ${libexecdir}/* ${datadir}/* 
${localstatedir}"
  
  PACKAGES_DYNAMIC += "^${PN}-user-.*  ^${PN}-system-.*"
  
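Review bot: dropping `${PN}-system-all` and `${PN}-user-all` from `PACKAGES` removes two package names that existing images may list, and nothing in this hunk provides them from another package, which works against the backward compatibility the commit message aims for. Consider an `RPROVIDES:${PN}` for both names (or keep the two meta packages) so they still resolve. Also, `FILES:${PN} = ""` makes the `FILES:${PN} += "${datadir}/icons"` context line above it dead; drop that line, since `${datadir}/*` now goes to `${PN}-common`.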
@@ -241,15 +244,13 @@ PACKAGESPLITFUNCS =+ "split_qemu_packages"
  
  python split_qemu_packages () {

  archdir = d.expand('${bindir}/')
-syspackages = do_split_packages(d, archdir, r'^qemu-system-(.*)$', 
'${PN}-system-%s', 'QEMU full system emulation binaries(%s)' , prepend=True)
-if syspackages:
-d.setVar('RDEPENDS:' + d.getVar('PN') + '-system-all', ' 
'.join(syspackages))
+subpackages = do_split_packages(d, archdir, r'^qemu-system-(.*)$', 
'${PN}-system-%s', 'QEMU full system emulation binaries(%s)' , prepend=True, 
extra_depends='${PN}-common')
  
-userpackages = do_split_packages(d, archdir, r'^qemu-((?!system|edid|ga|img|io|nbd|pr-helper|storage-daemon).*)$', '${PN}-user-%s', 'QEMU full user emulation binaries(%s)' , prepend=True)

-if userpackages:
-d.setVar('RDEPENDS:' + d.getVar('PN') + '-user-all', ' 
'.join(userpackages))
+subpackages += do_split_packages(d, archdir, 
r'^qemu-((?!system|edid|ga|img|io|nbd|pr-helper|storage-daemon).*)$', 
'${PN}-user-%s', 'QEMU full user emulation binaries(%s)' , prepend=True, 
extra_depends='${PN}-common')
+if subpackages:
+d.appendVar('RDEPENDS:' + d.getVar('PN'), ' ' + ' '.join(subpackages))
  mipspackage = d.getVar('PN') + "-user-mips"
-if mipspackage in ' '.join(userpackages):
+if mipspackage in ' '.join(subpackages):
  d.appendVar('RDEPENDS:' + mipspackage, ' ' + d.getVar("MLPREFIX") + 
'bash')
  }
  
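Review bot: `if mipspackage in ' '.join(subpackages):` is a substring match on a joined string, so `${PN}-user-mips` also matches when only a longer name such as `${PN}-user-mips64` was produced, and `RDEPENDS` is then appended for a package that may not exist. `subpackages` is already a list, so test membership directly with `if mipspackage in subpackages:`.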
diff --git a/meta/recipes-devtools/qemu/qemu_8.0.3.bb b/meta/recipes-devtools/qemu/qemu_8.0.3.bb

index 42e133967e..5d3c47c3b0 100644
--- a/meta/recipes-devtools/qemu/qemu_8.0.3.bb
+++ b/meta/recipes-devtools/qemu/qemu_8.0.3.bb
@@ -8,7 +8,7 @@ DEPENDS:append:libc-musl = " libucontext"
  
  CFLAGS += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', '', '-DEGL_NO_X11=1', d)}"
  
-RDEPENDS:${PN}:class-target += "bash"

+RDEPENDS:${PN}-common:class-target += "bash"
  
  EXTRA_OECONF:append:class-target = " --target-list=${@get_qemu_target_list(d)}"

  EXTRA_OECONF:append:class-target:mipsarcho32 = 
"${@bb.utils.contains('BBEXTENDCURR', 'multilib', ' --disable-capstone', '', 
d)}"
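Review bot: `RDEPENDS:${PN}-common:class-target += "bash"` uses `+=` on a name that carries the `class-target` override, so it appends to the override-specific variable and, for target builds, that variable replaces whatever `RDEPENDS:${PN}-common` holds instead of adding to it. Use `RDEPENDS:${PN}-common:append:class-target = " bash"` so the bash dependency is added to the existing value.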






-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184908): 
https://lists.openembedded.org/g/openembedded-core/message/184908
Mute This Topic: https://lists.openembedded.org/mt/100190357/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core][PATCH] ncurses: upgrade to 6.4+20230625

2023-07-26 Thread Alexander Kanavin
6.4+20230625 is a development snapshot, and not an actual stable
release. We used to take them but that was due to misunderstanding
about ncurses version policy. Is there a particular reason to move to
it?

Alex

On Thu, 27 Jul 2023 at 04:25, Chen Qi via lists.openembedded.org
 wrote:
>
> From: Chen Qi 
>
> The license checksum is updated because of the year change, the license
> itself remains the same.
>
> The exit_prototype.patch is refreshed to avoid patch fuzz error.
>
> The repo is switched back to salsa.debian.org. It was switched from
> salsa.debian.org to github mirror because, according to the commit
> message, the github mirror was updated on a daily basis. But things
> have changed and the github mirror hasn't been updated for months.
> So switch back to use salsa.debian.org.
>
> Signed-off-by: Chen Qi 
> ---
>  meta/recipes-core/ncurses/files/exit_prototype.patch | 10 +-
>  meta/recipes-core/ncurses/ncurses.inc|  4 ++--
>  meta/recipes-core/ncurses/ncurses_6.4.bb |  3 ++-
>  3 files changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/meta/recipes-core/ncurses/files/exit_prototype.patch 
> b/meta/recipes-core/ncurses/files/exit_prototype.patch
> index fd961512e0..9dddbbccf4 100644
> --- a/meta/recipes-core/ncurses/files/exit_prototype.patch
> +++ b/meta/recipes-core/ncurses/files/exit_prototype.patch
> @@ -1,4 +1,4 @@
> -From 4a769a441d7e57a23017c3037cde3e53fb9f35fe Mon Sep 17 00:00:00 2001
> +From bc917b9bae0b11b02aa0ddd9ed62d9cd78ffc4f7 Mon Sep 17 00:00:00 2001
>  From: Khem Raj 
>  Date: Tue, 30 Aug 2022 15:58:32 -0700
>  Subject: [PATCH] Add needed headers for including mbstate_t and exit()
> @@ -11,18 +11,18 @@ Signed-off-by: Khem Raj 
>   1 file changed, 2 insertions(+)
>
>  diff --git a/configure b/configure
> -index f377f551..163f8899 100755
> +index c2462f7f..33668cf0 100755
>  --- a/configure
>  +++ b/configure
> -@@ -3423,6 +3423,7 @@ rm -f "conftest.$ac_objext" "conftest.$ac_ext"
> +@@ -3458,6 +3458,7 @@ rm -f "conftest.$ac_objext" "conftest.$ac_ext"
> cat >"conftest.$ac_ext" <<_ACEOF
> - #line 3424 "configure"
> + #line 3459 "configure"
>   #include "confdefs.h"
>  +#include 
>   $ac_declaration
>   int
>   main (void)
> -@@ -13111,6 +13112,7 @@ cat >"conftest.$ac_ext" <<_ACEOF
> +@@ -13526,6 +13527,7 @@ cat >"conftest.$ac_ext" <<_ACEOF
>   #include 
>   #include 
>   #include 
> diff --git a/meta/recipes-core/ncurses/ncurses.inc 
> b/meta/recipes-core/ncurses/ncurses.inc
> index 367f3b19f4..78d6f2619c 100644
> --- a/meta/recipes-core/ncurses/ncurses.inc
> +++ b/meta/recipes-core/ncurses/ncurses.inc
> @@ -2,7 +2,7 @@ SUMMARY = "The New Curses library"
>  DESCRIPTION = "SVr4 and XSI-Curses compatible curses library and terminfo 
> tools including tic, infocmp, captoinfo. Supports color, multiple highlights, 
> forms-drawing characters, and automatic recognition of keypad and 
> function-key sequences. Extensions include resizable windows and mouse 
> support on both xterm and Linux console using the gpm library."
>  HOMEPAGE = "http://www.gnu.org/software/ncurses/ncurses.html;
>  LICENSE = "MIT"
> -LIC_FILES_CHKSUM = 
> "file://COPYING;md5=c5a4600fdef86384c41ca33ecc70a4b8;endline=27"
> +LIC_FILES_CHKSUM = 
> "file://COPYING;md5=8f2e5b99d5b6c0e6ee7cb39b992733b6;endline=27"
>  SECTION = "libs"
>  DEPENDS = "ncurses-native"
>  DEPENDS:class-native = ""
> @@ -13,7 +13,7 @@ BINCONFIG = "${bindir}/ncurses5-config 
> ${bindir}/ncursesw5-config \
>  inherit autotools binconfig-disabled multilib_header pkgconfig
>
>  # Upstream has useful patches at times at ftp://invisible-island.net/ncurses/
> -SRC_URI = "git://github.com/mirror/ncurses.git;protocol=https;branch=master"
> +SRC_URI = 
> "git://salsa.debian.org/debian/ncurses.git;protocol=https;branch=master"
>
>  EXTRA_AUTORECONF = "-I m4"
>
> diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb 
> b/meta/recipes-core/ncurses/ncurses_6.4.bb
> index 1eb15673d1..b875aee250 100644
> --- a/meta/recipes-core/ncurses/ncurses_6.4.bb
> +++ b/meta/recipes-core/ncurses/ncurses_6.4.bb
> @@ -6,7 +6,8 @@ SRC_URI += "file://0001-tic-hang.patch \
> file://exit_prototype.patch \
> "
>  # commit id corresponds to the revision in package version
> -SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f"
> +SRCREV = "964ec9f9c6e3ac3aaa1a9161c6fb75f6d7f589b5"
> +PV = "6.4+20230625"
>  S = "${WORKDIR}/git"
>  EXTRA_OECONF += "--with-abi-version=5"
>  UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+(\.\d+)+)$"
> --
> 2.40.0
>
>
> 
>




[OE-core] [kirkstone][PATCHv2] tiff: fix multiple CVEs

2023-07-26 Thread Hitendra Prajapati
Backport fixes for:
* CVE-2023-2908 - Upstream-Status: Backport from 
https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f
* CVE-2023-3316 - Upstream-Status: Backport from 
https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536
* CVE-2023-3618 - Upstream-Status: Backport from 
https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37
 && 
https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e0ac16b5cfb11acaaeaa493334f8

Signed-off-by: Hitendra Prajapati 
---
 .../libtiff/tiff/CVE-2023-2908.patch  | 33 +++
 .../libtiff/tiff/CVE-2023-3316.patch  | 59 +++
 .../libtiff/tiff/CVE-2023-3618-1.patch| 34 +++
 .../libtiff/tiff/CVE-2023-3618-2.patch| 47 +++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  4 ++
 5 files changed, 177 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-2908.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-3316.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-2908.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-2908.patch
new file mode 100644
index 00..cf94fd23d8
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-2908.patch
@@ -0,0 +1,33 @@
+From 8c0859a80444c90b8dfb862a9f16de74e16f0a9e Mon Sep 17 00:00:00 2001
+From: xiaoxiaoafeifei 
+Date: Fri, 21 Apr 2023 13:01:34 +
+Subject: [PATCH] countInkNamesString(): fix `UndefinedBehaviorSanitizer`:
+ applying zero offset to null pointer
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f]
+CVE: CVE-2023-2908
+Signed-off-by: Hitendra Prajapati 
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 349dfe4..1402c8e 100644
+--- a/libtiff/tif_dir.c
 b/libtiff/tif_dir.c
+@@ -145,10 +145,10 @@ static uint16_t
+ countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
+ {
+   uint16_t i = 0;
+-  const char *ep = s + slen;
+-  const char *cp = s;
+ 
+   if (slen > 0) {
++  const char *ep = s + slen;
++  const char *cp = s;
+   do {
+   for (; cp < ep && *cp != '\0'; cp++) {}
+   if (cp >= ep)
+-- 
+2.25.1
+
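Review bot: the embedded tif_dir.c hunk still assumes `s` is non-NULL whenever `slen` is non-zero: moving `ep` and `cp` under `if (slen > 0)` removes the `s + slen` arithmetic only for the empty case, so confirm the callers in 4.3.0 guarantee that. The `From 8c0859a...` header and the `Upstream-Status` URL (`9bd48f0...`) name different commits; state in the patch header which one this backport was taken from.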
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3316.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3316.patch
new file mode 100644
index 00..1aa4ba45ac
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3316.patch
@@ -0,0 +1,59 @@
+From d63de61b1ec3385f6383ef9a1f453e4b8b11d536 Mon Sep 17 00:00:00 2001
+From: Su_Laus 
+Date: Fri, 3 Feb 2023 17:38:55 +0100
+Subject: [PATCH] TIFFClose() avoid NULL pointer dereferencing. fix#515
+
+Closes #515
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536]
+CVE: CVE-2023-3316
+Signed-off-by: Hitendra Prajapati 
+---
+ libtiff/tif_close.c | 11 +++
+ tools/tiffcrop.c|  5 -
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
+index 674518a..0fe7af4 100644
+--- a/libtiff/tif_close.c
 b/libtiff/tif_close.c
+@@ -118,13 +118,16 @@ TIFFCleanup(TIFF* tif)
+  */
+ 
+ void
+-TIFFClose(TIFF* tif)
++TIFFClose(TIFF *tif)
+ {
+-  TIFFCloseProc closeproc = tif->tif_closeproc;
+-  thandle_t fd = tif->tif_clientdata;
++if (tif != NULL)
++{
++TIFFCloseProc closeproc = tif->tif_closeproc;
++thandle_t fd = tif->tif_clientdata;
+ 
+   TIFFCleanup(tif);
+-  (void) (*closeproc)(fd);
++(void)(*closeproc)(fd);
++}
+ }
+ 
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ce77c74..cd49660 100644
+--- a/tools/tiffcrop.c
 b/tools/tiffcrop.c
+@@ -2548,7 +2548,10 @@ main(int argc, char* argv[])
+   }
+ }
+ 
+-  TIFFClose(out);
++if (out != NULL)
++{
++TIFFClose(out);
++}
+ 
+   return (0);
+   } /* end main */
+-- 
+2.25.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch
new file mode 100644
index 00..8f55d2b496
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch
@@ -0,0 +1,34 @@
+From 881a070194783561fd209b7c789a4e75566f7f37 Mon Sep 17 00:00:00 2001
+From: zhailiangliang 
+Date: Tue, 7 Mar 2023 15:02:08 +0800
+Subject: [PATCH] Fix memory leak in tiffcrop.c
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
+CVE: CVE-2023-3618
+Signed-off-by: Hitendra Prajapati 
+---
+ 

Re: [OE-core] [qa-build-notification] QA notification for completed autobuilder build (yocto-4.3_M2.rc2)

2023-07-26 Thread Jing Hui Tham
Hi all,
 
Intel and WR YP QA is planning for QA execution for YP build yocto-4.3_M2.rc2. 
We are planning to execute following tests for this cycle:
 
OEQA-manual tests for following module:
1. OE-Core
2. BSP-hw
 
Runtime auto test for following platforms:
1. MinnowBoard Turbot - 32bit
2. Kaby Lake (7th Generation Intel(r) Core(tm) Processors)
3. Tiger Lake (11th Generation Intel(r) Core(tm) Processors)
4. Alder Lake-S (12th Generation Intel(r) Core(tm) Processors)
5. Raptor Lake-P (13th Generation Intel(r) Core(tm) Processors)
6. Beaglebone

 
ETA for completion Monday, 7 Aug 2023.
 
Best regards,
Jing Hui


> -Original Message-
> From: qa-build-notificat...@lists.yoctoproject.org  notificat...@lists.yoctoproject.org> On Behalf Of Pokybuild User
> Sent: Thursday, July 27, 2023 8:40 AM
> To: yo...@lists.yoctoproject.org
> Cc: qa-build-notificat...@lists.yoctoproject.org
> Subject: [qa-build-notification] QA notification for completed autobuilder
> build (yocto-4.3_M2.rc2)
> 
> 
> A build flagged for QA (yocto-4.3_M2.rc2) was completed on the
> autobuilder and is available at:
> 
> 
> https://autobuilder.yocto.io/pub/releases/yocto-4.3_M2.rc2
> 
> 
> Build hash information:
> 
> bitbake: 64bc00a46d1aacc23fe7e8d9a46a126f3a4bc318
> meta-agl: 25410a640b879405d4f93585f3d74c328f487cad
> meta-arm: cfcc8a4d13c26793ecab2d8da9274eb98b8cb4ce
> meta-aws: 86966086b2dfabd7113253bc5647f87fd6d42423
> meta-intel: f2bcad2943b11b8c9d9ecdd25551a841ba98eda0
> meta-mingw: 92258028e1b5664a9f832541d5c4f6de0bd05e07
> meta-openembedded: 74e70284acb2eb2f2a47a1ab1aa5ee0928d46344
> meta-virtualization: c5079557091b215663458807a8f617752614a6bd
> oecore: 6ac110c8954e5fdb71d5495e3eebc1ca3958dc19
> poky: 3eff0eb5ea77de20d85a2ffc64652579cbd7755c
> 
> 
> 
> This is an automated message from the Yocto Project Autobuilder
> Git: git://git.yoctoproject.org/yocto-autobuilder2
> Email: richard.pur...@linuxfoundation.org





[OE-core][PATCH] ncurses: upgrade to 6.4+20230625

2023-07-26 Thread Chen Qi via lists.openembedded.org
From: Chen Qi 

The license checksum is updated because of the year change, the license
itself remains the same.

The exit_prototype.patch is refreshed to avoid patch fuzz error.

The repo is switched back to salsa.debian.org. It was switched from
salsa.debian.org to github mirror because, according to the commit
message, the github mirror was updated on a daily basis. But things
have changed and the github mirror hasn't been updated for months.
So switch back to use salsa.debian.org.

Signed-off-by: Chen Qi 
---
 meta/recipes-core/ncurses/files/exit_prototype.patch | 10 +-
 meta/recipes-core/ncurses/ncurses.inc|  4 ++--
 meta/recipes-core/ncurses/ncurses_6.4.bb |  3 ++-
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/meta/recipes-core/ncurses/files/exit_prototype.patch 
b/meta/recipes-core/ncurses/files/exit_prototype.patch
index fd961512e0..9dddbbccf4 100644
--- a/meta/recipes-core/ncurses/files/exit_prototype.patch
+++ b/meta/recipes-core/ncurses/files/exit_prototype.patch
@@ -1,4 +1,4 @@
-From 4a769a441d7e57a23017c3037cde3e53fb9f35fe Mon Sep 17 00:00:00 2001
+From bc917b9bae0b11b02aa0ddd9ed62d9cd78ffc4f7 Mon Sep 17 00:00:00 2001
 From: Khem Raj 
 Date: Tue, 30 Aug 2022 15:58:32 -0700
 Subject: [PATCH] Add needed headers for including mbstate_t and exit()
@@ -11,18 +11,18 @@ Signed-off-by: Khem Raj 
  1 file changed, 2 insertions(+)
 
 diff --git a/configure b/configure
-index f377f551..163f8899 100755
+index c2462f7f..33668cf0 100755
 --- a/configure
 +++ b/configure
-@@ -3423,6 +3423,7 @@ rm -f "conftest.$ac_objext" "conftest.$ac_ext"
+@@ -3458,6 +3458,7 @@ rm -f "conftest.$ac_objext" "conftest.$ac_ext"
cat >"conftest.$ac_ext" <<_ACEOF
- #line 3424 "configure"
+ #line 3459 "configure"
  #include "confdefs.h"
 +#include 
  $ac_declaration
  int
  main (void)
-@@ -13111,6 +13112,7 @@ cat >"conftest.$ac_ext" <<_ACEOF
+@@ -13526,6 +13527,7 @@ cat >"conftest.$ac_ext" <<_ACEOF
  #include 
  #include 
  #include 
diff --git a/meta/recipes-core/ncurses/ncurses.inc 
b/meta/recipes-core/ncurses/ncurses.inc
index 367f3b19f4..78d6f2619c 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -2,7 +2,7 @@ SUMMARY = "The New Curses library"
 DESCRIPTION = "SVr4 and XSI-Curses compatible curses library and terminfo 
tools including tic, infocmp, captoinfo. Supports color, multiple highlights, 
forms-drawing characters, and automatic recognition of keypad and function-key 
sequences. Extensions include resizable windows and mouse support on both xterm 
and Linux console using the gpm library."
 HOMEPAGE = "http://www.gnu.org/software/ncurses/ncurses.html;
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = 
"file://COPYING;md5=c5a4600fdef86384c41ca33ecc70a4b8;endline=27"
+LIC_FILES_CHKSUM = 
"file://COPYING;md5=8f2e5b99d5b6c0e6ee7cb39b992733b6;endline=27"
 SECTION = "libs"
 DEPENDS = "ncurses-native"
 DEPENDS:class-native = ""
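Review bot: the new md5 on the `+LIC_FILES_CHKSUM` line is justified only by a free-text sentence in the commit message. Add a `License-Update:` line to the commit message stating that only the copyright year in `COPYING` changed, so the checksum change can be audited from the log without diffing the file.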
@@ -13,7 +13,7 @@ BINCONFIG = "${bindir}/ncurses5-config 
${bindir}/ncursesw5-config \
 inherit autotools binconfig-disabled multilib_header pkgconfig
 
 # Upstream has useful patches at times at ftp://invisible-island.net/ncurses/
-SRC_URI = "git://github.com/mirror/ncurses.git;protocol=https;branch=master"
+SRC_URI = 
"git://salsa.debian.org/debian/ncurses.git;protocol=https;branch=master"
 
 EXTRA_AUTORECONF = "-I m4"
 
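Review bot: the reason for fetching from `salsa.debian.org/debian/ncurses.git` lives only in the commit message, while the comment above `SRC_URI` still mentions only `ftp://invisible-island.net/ncurses/`. Add a one-line comment next to `SRC_URI` saying the GitHub mirror stopped updating, and confirm that the `SRCREV` set in ncurses_6.4.bb is reachable from `branch=master` on the new host.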
diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb 
b/meta/recipes-core/ncurses/ncurses_6.4.bb
index 1eb15673d1..b875aee250 100644
--- a/meta/recipes-core/ncurses/ncurses_6.4.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.4.bb
@@ -6,7 +6,8 @@ SRC_URI += "file://0001-tic-hang.patch \
file://exit_prototype.patch \
"
 # commit id corresponds to the revision in package version
-SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f"
+SRCREV = "964ec9f9c6e3ac3aaa1a9161c6fb75f6d7f589b5"
+PV = "6.4+20230625"
 S = "${WORKDIR}/git"
 EXTRA_OECONF += "--with-abi-version=5"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+(\.\d+)+)$"
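Review bot: `PV = "6.4+20230625"` is set inside a recipe still named ncurses_6.4.bb, so the file name and the built version disagree, and the `UPSTREAM_CHECK_GITTAGREGEX` context line only matches dotted numeric tags, which a dated snapshot will not have. If the goal is one specific fix, a backported patch added to `SRC_URI` next to `0001-tic-hang.patch` keeps `SRCREV` on the 6.4 release; if the snapshot is wanted, say why in the commit message and update the `# commit id corresponds to the revision in package version` comment to name the snapshot.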
-- 
2.40.0





Re: [OE-core] [PATCH] rust: Add failed test cases to exclude list for Rust Oe-selftest

2023-07-26 Thread Randy MacLeod via lists.openembedded.org

I don't see this in master or master-next yet so see comments below and
send a slightly updated v2.

On 2023-07-26 12:25, Yash Shinde wrote:

Failed test cases are added to exclude list.
Drop meta/recipes-devtools/rust/files/rust-oe-selftest.patch file.

Signed-off-by: Yash Shinde
---
  meta/lib/oeqa/selftest/cases/rust.py  |  209 +-
  .../rust/files/rust-oe-selftest.patch | 2324 -
  meta/recipes-devtools/rust/rust-source.inc|1 -
  3 files changed, 208 insertions(+), 2326 deletions(-)
  delete mode 100644 meta/recipes-devtools/rust/files/rust-oe-selftest.patch


It's good to see the large patch be replaced with a 10x smaller rust.py 
change.


If this change is acceptable to others, I'd like the commit log to be
amended to explain how to (automatically?) update the exclude list when
rust is updated. Alternatively we could add that to
meta/recipes-devtools/rust/README-rust.md
https://github.com/yoctoproject/poky/blob/master/meta/recipes-devtools/rust/README-rust.md

Is this a manual process now? Could it be mostly automated?

Please sort the exclude list alphabetically in v2 so that it's
easier for people to see what tests are being excluded (see below (*))

I assume that this commit doesn't change the tests that are run but only
moves the skipping from being a patch to the exclude list. Please confirm
and in your v2 commit log, mention that as well as what the current
number of passed and skipped tests is.




diff --git a/meta/lib/oeqa/selftest/cases/rust.py 
b/meta/lib/oeqa/selftest/cases/rust.py
index 7a0fd7033d..abd3ef8314 100644
--- a/meta/lib/oeqa/selftest/cases/rust.py
+++ b/meta/lib/oeqa/selftest/cases/rust.py
@@ -70,7 +70,214 @@ class RustSelfTestSystemEmulated(OESelftestTestCase, 
OEPTestResultTestCase):
  # no-fail-fast: Run all tests regardless of failure.
  # bless: First runs rustfmt to format the codebase,
  # then runs tidy checks.
-testargs = "--exclude tests/rustdoc --exclude src/tools/rust-analyzer  
--exclude tests/rustdoc-json  --exclude tests/run-make-fulldeps --exclude src/tools/tidy 
--exclude src/tools/rustdoc-themes --exclude src/rustdoc-json-types --exclude 
src/librustdoc --exclude src/doc/unstable-book --exclude src/doc/rustdoc --exclude 
src/doc/rustc --exclude compiler/rustc --exclude library/panic_abort --exclude 
library/panic_unwind --exclude src/tools/lint-docs  --exclude tests/rustdoc-js-std --doc 
--no-fail-fast --bless"


I think you're doing two things in the 2 lines above and the list below:

 1. splitting up the testargs into one per line

 2. adding an exclude list of tests that are known to fail.

Is that true?
If so can you use two separate variables/lists to reflect the different
intended purpose of each list?
This should also help in maintaining each list and hopefully the tests
that are excluded will all have a:


   tests/foo/bar.rs

format rather than somewhat worrying prefixes like:
   compiler/rustc

and

   library/panic_abort


+exclude_list = """  --exclude tests/run-make

If python will let you, please split this line like this:

+exclude_list = """
+ --exclude tests/run-make

to separate the variables from the list name to make future updates a bit 
easier.


+--exclude tests/run-make/pgo-branch-weights/
+--exclude 
tests/ui/macros/restricted-shadowing-legacy.rs
+--exclude tests/ui-fulldeps/issue-14021.rs



>< -- the middle bits of the long unsorted list.



+--exclude library/panic_unwind
+--exclude src/tools/lint-docs
+--exclude tests/rustdoc-js-std"""


Similarly, if python will let you, put the terminating triple quote on a
new line with proper indentation of course.


These last two comments are "nice-to-have" so just call me a python 
newbie if that's not possible or is not pythonic!



+
+exclude_fail_tests = exclude_list.split("\n")
+exclude_fail_tests = " ".join(exclude_fail_tests)
+
+# Add exclude_fail_tests with other test arguments
+testargs =  exclude_fail_tests + " --doc --no-fail-fast --bless"
  
  # Set path for target-poky-linux-gcc, RUST_TARGET_PATH and hosttools.

  cmd = " export PATH=%s/recipe-sysroot-native/usr/bin:$PATH;" % 
rustlibpath
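Review bot: `exclude_list.split("\n")` followed by `" ".join(...)` keeps each line's leading indentation from the triple-quoted string, so `testargs` ends up with long runs of spaces between options. `exclude_fail_tests = " ".join(exclude_list.split())` does both steps in one line and collapses the whitespace; keeping the entries as a Python list of paths and generating the `--exclude` prefixes in code would also make the alphabetical ordering requested above easy to enforce.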
diff --git a/meta/recipes-devtools/rust/files/rust-oe-selftest.patch 
b/meta/recipes-devtools/rust/files/rust-oe-selftest.patch


><  -- giant 10x bigger than it needs to be patch



-diff --git a/tests/run-make/pointer-auth-link-with-c/Makefile 
b/tests/run-make/pointer-auth-link-with-c/Makefile
-index dffbd303582..5347d0a90f1 100644
 a/tests/run-make/pointer-auth-link-with-c/Makefile
-+++ b/tests/run-make/pointer-auth-link-with-c/Makefile
-@@ -1,3 +1,4 @@
-+# ignore-stage1
- include 

Re: [OE-core] [PATCH] createrepo-c: Fix 32 bit architecture segfaults with 64 bit time

2023-07-26 Thread Khem Raj
On Wed, Jul 26, 2023 at 12:50 PM Richard Purdie
 wrote:
>
> After including time64.inc, createrepo-c was segfaulting on 32 bit 
> architectures
> when creating repo indexes (even for an empty repo).
>
> Add a patch from Khem to fix this and some other compiler warnings related to 
> 64
> bit time on 32 bit.
>
> [YOCTO #15170]
>
> Signed-off-by: Richard Purdie 
> ---
>  .../createrepo-c/createrepo-c/time64fix.patch | 69 +++
>  .../createrepo-c/createrepo-c_0.21.1.bb   |  1 +
>  2 files changed, 70 insertions(+)
>  create mode 100644 
> meta/recipes-devtools/createrepo-c/createrepo-c/time64fix.patch
>
> diff --git a/meta/recipes-devtools/createrepo-c/createrepo-c/time64fix.patch 
> b/meta/recipes-devtools/createrepo-c/createrepo-c/time64fix.patch
> new file mode 100644
> index 000..d022d95b703
> --- /dev/null
> +++ b/meta/recipes-devtools/createrepo-c/createrepo-c/time64fix.patch
> @@ -0,0 +1,69 @@
> +From 89e1c9415fb8438310036d5810cdb7da75ee3a7f Mon Sep 17 00:00:00 2001
> +From: Khem Raj 
> +Date: Wed, 26 Jul 2023 12:27:14 -0700
> +Subject: [PATCH] Adjust printf formats for 64bit time_t on 32bit systems
> +
> +Fixes format specifier mismatch warnings as well while here
> +
> +e.g.
> +warning: format '%ld' expects argument of type 'long int', but argument 2 
> has type 'time_t'
> +
> +Upstream-Status: Pending

It's also submitted upstream now so you may want to change the status
to Submitted [https://github.com/rpm-software-management/createrepo_c/pull/376]

> +
> +Signed-off-by: Khem Raj 
> +---
> + src/createrepo_c.c| 4 ++--
> + src/misc.c| 4 ++--
> + src/xml_dump_repomd.c | 2 +-
> + 3 files changed, 5 insertions(+), 5 deletions(-)
> +
> +diff --git a/src/createrepo_c.c b/src/createrepo_c.c
> +index 8681419..0f9048a 100644
> +--- a/src/createrepo_c.c
>  b/src/createrepo_c.c
> +@@ -582,9 +582,9 @@ duplicates_warning(const char *nevra, GArray *locations, 
> CmdDupNevra option)
> +   for (size_t i=0; ilen; i++) {
> +   struct DuplicateLocation location = g_array_index(locations, struct
> + DuplicateLocation, 
> i);
> +-  g_warning("Sourced from location: \'%s\', build timestamp: %ld%s",
> ++  g_warning("Sourced from location: \'%s\', build timestamp: %jd%s",
> + location.location,
> +-location.pkg->time_build,
> ++(intmax_t) location.pkg->time_build,
> + location.pkg->skip_dump ? skip_reason : "");
> +
> +   }
> +diff --git a/src/misc.c b/src/misc.c
> +index 8511ca2..7866c7b 100644
> +--- a/src/misc.c
>  b/src/misc.c
> +@@ -1512,11 +1512,11 @@ cr_append_pid_and_datetime(const char *str, const 
> char *suffix)
> + gettimeofday(, NULL);
> + timeinfo = localtime (&(tv.tv_sec));
> + strftime(datetime, 80, "%Y%m%d%H%M%S", timeinfo);
> +-gchar *result = g_strdup_printf("%s%jd.%s.%ld%s",
> ++gchar *result = g_strdup_printf("%s%jd.%s.%jd%s",
> + str ? str : "",
> + (intmax_t) getpid(),
> + datetime,
> +-tv.tv_usec,
> ++(intmax_t) tv.tv_usec,
> + suffix ? suffix : "");
> + return result;
> + }
> +diff --git a/src/xml_dump_repomd.c b/src/xml_dump_repomd.c
> +index 33b0e09..9d24249 100644
> +--- a/src/xml_dump_repomd.c
>  b/src/xml_dump_repomd.c
> +@@ -143,7 +143,7 @@ cr_xml_dump_repomd_body(xmlNodePtr root, cr_Repomd 
> *repomd)
> +BAD_CAST repomd->revision);
> + } else {
> + // Use the current time if no revision was explicitly specified
> +-gchar *rev = g_strdup_printf("%ld", time(NULL));
> ++gchar *rev = g_strdup_printf("%jd", (intmax_t) time(NULL));
> + xmlNewChild(root, NULL, BAD_CAST "revision", BAD_CAST rev);
> + g_free(rev);
> + }
> +--
> +2.41.0
> +
> diff --git a/meta/recipes-devtools/createrepo-c/createrepo-c_0.21.1.bb 
> b/meta/recipes-devtools/createrepo-c/createrepo-c_0.21.1.bb
> index 5080131dc1e..57f23b8dfdb 100644
> --- a/meta/recipes-devtools/createrepo-c/createrepo-c_0.21.1.bb
> +++ b/meta/recipes-devtools/createrepo-c/createrepo-c_0.21.1.bb
> @@ -8,6 +8,7 @@ SRC_URI = 
> "git://github.com/rpm-software-management/createrepo_c;branch=master;p
> file://0001-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch 
> \
> file://0001-include-rpm-rpmstring.h.patch \
> file://0001-src-cmd_parser.c-add-a-missing-parameter-name.patch \
> +   file://time64fix.patch \
> "
>
>  SRCREV = "0652d7303ce236e596c83c29ccc9bee7868fce6e"
> --
> 2.39.2
>
>
> 
>

View/Reply Online (#184902): https://lists.openembedded.org/g/openembedded-core/message/184902

[OE-core] [PATCH] createrepo-c: Fix 32 bit architecture segfaults with 64 bit time

2023-07-26 Thread Richard Purdie
After including time64.inc, createrepo-c was segfaulting on 32 bit architectures
when creating repo indexes (even for an empty repo).

Add a patch from Khem to fix this and some other compiler warnings related to 64
bit time on 32 bit.

[YOCTO #15170]

Signed-off-by: Richard Purdie 
---
 .../createrepo-c/createrepo-c/time64fix.patch | 69 +++
 .../createrepo-c/createrepo-c_0.21.1.bb   |  1 +
 2 files changed, 70 insertions(+)
 create mode 100644 
meta/recipes-devtools/createrepo-c/createrepo-c/time64fix.patch

diff --git a/meta/recipes-devtools/createrepo-c/createrepo-c/time64fix.patch 
b/meta/recipes-devtools/createrepo-c/createrepo-c/time64fix.patch
new file mode 100644
index 000..d022d95b703
--- /dev/null
+++ b/meta/recipes-devtools/createrepo-c/createrepo-c/time64fix.patch
@@ -0,0 +1,69 @@
+From 89e1c9415fb8438310036d5810cdb7da75ee3a7f Mon Sep 17 00:00:00 2001
+From: Khem Raj 
+Date: Wed, 26 Jul 2023 12:27:14 -0700
+Subject: [PATCH] Adjust printf formats for 64bit time_t on 32bit systems
+
+Fixes format specifier mismatch warnings as well while here
+
+e.g.
+warning: format '%ld' expects argument of type 'long int', but argument 2 has 
type 'time_t'
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj 
+---
+ src/createrepo_c.c| 4 ++--
+ src/misc.c| 4 ++--
+ src/xml_dump_repomd.c | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/createrepo_c.c b/src/createrepo_c.c
+index 8681419..0f9048a 100644
+--- a/src/createrepo_c.c
 b/src/createrepo_c.c
+@@ -582,9 +582,9 @@ duplicates_warning(const char *nevra, GArray *locations, 
CmdDupNevra option)
+   for (size_t i=0; ilen; i++) {
+   struct DuplicateLocation location = g_array_index(locations, struct
+ DuplicateLocation, i);
+-  g_warning("Sourced from location: \'%s\', build timestamp: %ld%s",
++  g_warning("Sourced from location: \'%s\', build timestamp: %jd%s",
+ location.location,
+-location.pkg->time_build,
++(intmax_t) location.pkg->time_build,
+ location.pkg->skip_dump ? skip_reason : "");
+ 
+   }
+diff --git a/src/misc.c b/src/misc.c
+index 8511ca2..7866c7b 100644
+--- a/src/misc.c
 b/src/misc.c
+@@ -1512,11 +1512,11 @@ cr_append_pid_and_datetime(const char *str, const char 
*suffix)
+ gettimeofday(, NULL);
+ timeinfo = localtime (&(tv.tv_sec));
+ strftime(datetime, 80, "%Y%m%d%H%M%S", timeinfo);
+-gchar *result = g_strdup_printf("%s%jd.%s.%ld%s",
++gchar *result = g_strdup_printf("%s%jd.%s.%jd%s",
+ str ? str : "",
+ (intmax_t) getpid(),
+ datetime,
+-tv.tv_usec,
++(intmax_t) tv.tv_usec,
+ suffix ? suffix : "");
+ return result;
+ }
+diff --git a/src/xml_dump_repomd.c b/src/xml_dump_repomd.c
+index 33b0e09..9d24249 100644
+--- a/src/xml_dump_repomd.c
 b/src/xml_dump_repomd.c
+@@ -143,7 +143,7 @@ cr_xml_dump_repomd_body(xmlNodePtr root, cr_Repomd *repomd)
+BAD_CAST repomd->revision);
+ } else {
+ // Use the current time if no revision was explicitly specified
+-gchar *rev = g_strdup_printf("%ld", time(NULL));
++gchar *rev = g_strdup_printf("%jd", (intmax_t) time(NULL));
+ xmlNewChild(root, NULL, BAD_CAST "revision", BAD_CAST rev);
+ g_free(rev);
+ }
+-- 
+2.41.0
+
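
Review bot: the embedded patch adds `(intmax_t)` casts in src/createrepo_c.c and src/xml_dump_repomd.c, but its diffstat shows only the printf lines changing in those files, so no `#include <stdint.h>` (or `<inttypes.h>`) is added; please confirm both files already get `intmax_t` from an existing include (src/misc.c already casts `getpid()` this way). The patch header also describes the change only as fixing format warnings, while the recipe commit says it fixes the 32-bit segfault: with a 64-bit `time_t`, `%ld` consumes only part of the argument and the following `%s` is then read from the wrong argument slot, which is worth stating in the header.
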
diff --git a/meta/recipes-devtools/createrepo-c/createrepo-c_0.21.1.bb 
b/meta/recipes-devtools/createrepo-c/createrepo-c_0.21.1.bb
index 5080131dc1e..57f23b8dfdb 100644
--- a/meta/recipes-devtools/createrepo-c/createrepo-c_0.21.1.bb
+++ b/meta/recipes-devtools/createrepo-c/createrepo-c_0.21.1.bb
@@ -8,6 +8,7 @@ SRC_URI = 
"git://github.com/rpm-software-management/createrepo_c;branch=master;p
file://0001-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \
file://0001-include-rpm-rpmstring.h.patch \
file://0001-src-cmd_parser.c-add-a-missing-parameter-name.patch \
+   file://time64fix.patch \
"
 
 SRCREV = "0652d7303ce236e596c83c29ccc9bee7868fce6e"
-- 
2.39.2


View/Reply Online (#184901): https://lists.openembedded.org/g/openembedded-core/message/184901



Re: [OE-core] [PATCH] rust: Fix BOOTSTRAP_CARGO failure during Rust Oe-selftest

2023-07-26 Thread Shinde, Yash via lists.openembedded.org
Please take this patch (to be patched first) along with 
https://lists.openembedded.org/g/openembedded-core/message/184896 to avoid 
merge failures.

View/Reply Online (#184900): https://lists.openembedded.org/g/openembedded-core/message/184900



Re: [OE-core] [PATCH] rust: Add failed test cases to exclude list for Rust Oe-selftest

2023-07-26 Thread Shinde, Yash via lists.openembedded.org
Please take this patch (to be patched after #184890) along 
with https://lists.openembedded.org/g/openembedded-core/message/184890 to avoid 
merge failure.

View/Reply Online (#184899): https://lists.openembedded.org/g/openembedded-core/message/184899



Re: [OE-core] [PATCH] rust: Add failed test cases to exclude list for Rust Oe-selftest

2023-07-26 Thread Shinde, Yash via lists.openembedded.org
On Wed, Jul 26, 2023 at 09:55 PM, Shinde, Yash wrote:

> 
> file://rust-oe-selftest.patch;patchdir=${RUSTSRC} \

Please take this patch (to be patched after #184890) along 
with https://lists.openembedded.org/g/openembedded-core/message/184890 to avoid 
merge failure.

View/Reply Online (#184898): https://lists.openembedded.org/g/openembedded-core/message/184898



Re: [OE-core] [PATCH] rust: Fix BOOTSTRAP_CARGO failure during Rust Oe-selftest

2023-07-26 Thread Shinde, Yash via lists.openembedded.org
Please take this patch (to be patched first) along with 
https://lists.openembedded.org/g/openembedded-core/message/184896 to avoid 
merge failures.

View/Reply Online (#184897): https://lists.openembedded.org/g/openembedded-core/message/184897



[OE-core] [PATCH] rust: Add failed test cases to exclude list for Rust Oe-selftest

2023-07-26 Thread Shinde, Yash via lists.openembedded.org
Failed test cases are added to exclude list.
Drop meta/recipes-devtools/rust/files/rust-oe-selftest.patch file.

Signed-off-by: Yash Shinde 
---
 meta/lib/oeqa/selftest/cases/rust.py  |  209 +-
 .../rust/files/rust-oe-selftest.patch | 2324 -
 meta/recipes-devtools/rust/rust-source.inc|1 -
 3 files changed, 208 insertions(+), 2326 deletions(-)
 delete mode 100644 meta/recipes-devtools/rust/files/rust-oe-selftest.patch

diff --git a/meta/lib/oeqa/selftest/cases/rust.py 
b/meta/lib/oeqa/selftest/cases/rust.py
index 7a0fd7033d..abd3ef8314 100644
--- a/meta/lib/oeqa/selftest/cases/rust.py
+++ b/meta/lib/oeqa/selftest/cases/rust.py
@@ -70,7 +70,214 @@ class RustSelfTestSystemEmulated(OESelftestTestCase, 
OEPTestResultTestCase):
 # no-fail-fast: Run all tests regardless of failure.
 # bless: First runs rustfmt to format the codebase,
 # then runs tidy checks.
-testargs = "--exclude tests/rustdoc --exclude 
src/tools/rust-analyzer  --exclude tests/rustdoc-json  --exclude 
tests/run-make-fulldeps --exclude src/tools/tidy --exclude 
src/tools/rustdoc-themes --exclude src/rustdoc-json-types --exclude 
src/librustdoc --exclude src/doc/unstable-book --exclude src/doc/rustdoc 
--exclude src/doc/rustc --exclude compiler/rustc --exclude library/panic_abort 
--exclude library/panic_unwind --exclude src/tools/lint-docs  --exclude 
tests/rustdoc-js-std --doc --no-fail-fast --bless"
+exclude_list = """  --exclude tests/run-make
+--exclude tests/run-make/pgo-branch-weights/
+--exclude 
tests/ui/macros/restricted-shadowing-legacy.rs
+--exclude tests/ui-fulldeps/issue-14021.rs
+--exclude 
tests/rustdoc/intra-doc/issue-103463.rs
+--exclude 
tests/run-make/pgo-indirect-call-promotion/
+--exclude tests/rustdoc/async-move-doctest.rs
+--exclude 
tests/ui-fulldeps/internal-lints/diagnostics.rs
+--exclude 
tests/ui-fulldeps/internal-lints/qualified_ty_ty_ctxt.rs
+--exclude 
tests/rustdoc/issue-73061-cross-crate-opaque-assoc-type.rs
+--exclude tests/codegen/abi-repr-ext.rs
+--exclude 
tests/codegen/repr-transparent-aggregates-3.rs
+--exclude 
tests/rustdoc/intra-doc/extern-inherent-impl.rs
+--exclude 
tests/rustdoc/test_option_check/test.rs
+--exclude tests/rustdoc-ui/display-output.rs
+--exclude 
tests/ui-fulldeps/rustc_encodable_hygiene.rs
+--exclude tests/ui/process/process-sigpipe.rs
+--exclude tests/ui-fulldeps/deriving-global.rs
+--exclude 
tests/codegen/noalias-rwlockreadguard.rs
+--exclude tests/rustdoc/normalize-assoc-item.rs
+--exclude tests/ui-fulldeps/deriving-hygiene.rs
+--exclude 
tests/ui/structs-enums/multiple-reprs.rs
+--exclude tests/run-make/profile/
+--exclude 
tests/ui/functions-closures/fn-help-with-err.rs
+--exclude 
tests/ui-fulldeps/lint-group-denied-lint-allowed.rs
+--exclude tests/ui/process/nofile-limit.rs
+--exclude tests/rustdoc/issue-43153.rs
+--exclude 
tests/rustdoc/intra-doc/cross-crate/submodule-inner.rs
+--exclude tests/codegen/abi-x86-interrupt.rs
+--exclude 
tests/ui-fulldeps/internal-lints/bad_opt_access.rs
+--exclude 
tests/ui-fulldeps/lint-group-forbid-always-trumps-cli.rs
+--exclude tests/rustdoc/issue-40936.rs
+--exclude tests/rustdoc/issue-57180.rs
+--exclude 
tests/ui/array-slice-vec/subslice-patterns-const-eval-match.rs
+--exclude tests/rustdoc/reexports-priv.rs
+--exclude 
tests/rustdoc/intra-doc/cross-crate/traits.rs
+--exclude tests/codegen/cf-protection.rs
+--exclude 
tests/rustdoc/intra-doc/issue-104145.rs
+--exclude tests/rustdoc-ui/nocapture.rs
+--exclude tests/rustdoc/pub-extern-crate.rs
+--exclude 
tests/ui/associated-type-bounds/fn-wrap-apit.rs
+--exclude tests/rustdoc/issue-23106.rs
+
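
Review bot: the list opens with `--exclude tests/run-make`, which already covers the later `tests/run-make/pgo-branch-weights/`, `tests/run-make/pgo-indirect-call-promotion/` and `tests/run-make/profile/` entries, so those three can be dropped. The remaining entries name individual test files with no reason given; a short comment per group, or a bug reference, would let a later reader tell which exclusions can be removed once the tests pass.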

[OE-core] [PATCH 4/4] selftest/cases/glibc.py: switch to using NFS over TCP

2023-07-26 Thread Anuj Mittal
This provides a more reliable test execution when running tests that
write a large buffer/file and significantly reduces the localedata test
failures.

Signed-off-by: Anuj Mittal 
---
 meta/lib/oeqa/selftest/cases/glibc.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/glibc.py 
b/meta/lib/oeqa/selftest/cases/glibc.py
index c300aef913..924df6c5a6 100644
--- a/meta/lib/oeqa/selftest/cases/glibc.py
+++ b/meta/lib/oeqa/selftest/cases/glibc.py
@@ -45,7 +45,7 @@ class GlibcSelfTestBase(OESelftestTestCase, 
OEPTestResultTestCase):
 with contextlib.ExitStack() as s:
 # use the base work dir, as the nfs mount, since the recipe 
directory may not exist
 tmpdir = get_bb_var("BASE_WORKDIR")
-nfsport, mountport = s.enter_context(unfs_server(tmpdir))
+nfsport, mountport = s.enter_context(unfs_server(tmpdir, udp = 
False))
 
 # build core-image-minimal with required packages
 default_installed_packages = [
@@ -74,7 +74,7 @@ class GlibcSelfTestBase(OESelftestTestCase, 
OEPTestResultTestCase):
 # setup nfs mount
 if qemu.run("mkdir -p \"{0}\"".format(tmpdir))[0] != 0:
 raise Exception("Failed to setup NFS mount directory on 
target")
-mountcmd = "mount -o noac,nfsvers=3,port={0},udp,mountport={1} 
\"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir)
+mountcmd = "mount -o noac,nfsvers=3,port={0},mountport={1} 
\"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir)
 status, output = qemu.run(mountcmd)
 if status != 0:
 raise Exception("Failed to setup NFS mount on target 
({})".format(repr(output)))
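
Review bot: dropping `udp` from the options in `mountcmd` leaves the transport to the client's default, while the server side is now requested with an explicit `udp = False`. Adding `tcp` (or `proto=tcp`) to the mount options would state the intent on both ends and keep the test from silently changing transport if the default differs on a target image.
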
-- 
2.41.0


View/Reply Online (#184895): https://lists.openembedded.org/g/openembedded-core/message/184895



[OE-core] [PATCH 3/4] oeqa/utils/nfs: allow requesting non-udp ports

2023-07-26 Thread Anuj Mittal
Allows setting up NFS over TCP as well.

Signed-off-by: Anuj Mittal 
---
 meta/lib/oeqa/utils/nfs.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/lib/oeqa/utils/nfs.py b/meta/lib/oeqa/utils/nfs.py
index b66ed42a58..903469bfee 100644
--- a/meta/lib/oeqa/utils/nfs.py
+++ b/meta/lib/oeqa/utils/nfs.py
@@ -12,7 +12,7 @@ from oeqa.utils.commands import bitbake, get_bb_var, Command
 from oeqa.utils.network import get_free_port
 
 @contextlib.contextmanager
-def unfs_server(directory, logger = None):
+def unfs_server(directory, logger = None, udp = True):
 unfs_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "unfs3-native")
 if not os.path.exists(os.path.join(unfs_sysroot, "usr", "bin", "unfsd")):
 # build native tool
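
Review bot: the new `udp` argument on `unfs_server()` has no docstring or comment, and its default keeps the old UDP behaviour. A one-line docstring saying that `udp = False` requests TCP ports for both the NFS and mount services would help callers.
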
@@ -26,7 +26,7 @@ def unfs_server(directory, logger = None):
 exports.write("{0} 
(rw,no_root_squash,no_all_squash,insecure)\n".format(directory).encode())
 
 # find some ports for the server
-nfsport, mountport = get_free_port(udp = True), get_free_port(udp = 
True)
+nfsport, mountport = get_free_port(udp), get_free_port(udp)
 
 nenv = dict(os.environ)
 nenv['PATH'] = 
"{0}/sbin:{0}/usr/sbin:{0}/usr/bin:".format(unfs_sysroot) + nenv.get('PATH', '')
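
Review bot: `get_free_port(udp)` passes the flag positionally where the replaced line used the keyword form `udp = True`; writing `get_free_port(udp = udp)` keeps the call self-describing and does not depend on that helper's parameter order.
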
-- 
2.41.0


View/Reply Online (#184894): https://lists.openembedded.org/g/openembedded-core/message/184894



[OE-core] [PATCH 2/4] selftest/cases/glibc.py: increase the memory for testing

2023-07-26 Thread Anuj Mittal
Some of the tests trigger OOM and fail. Increase the amount of memory
available so we don't run into these issues.

Signed-off-by: Anuj Mittal 
---
 meta/lib/oeqa/selftest/cases/glibc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oeqa/selftest/cases/glibc.py 
b/meta/lib/oeqa/selftest/cases/glibc.py
index 4ec4b85d67..c300aef913 100644
--- a/meta/lib/oeqa/selftest/cases/glibc.py
+++ b/meta/lib/oeqa/selftest/cases/glibc.py
@@ -65,7 +65,7 @@ class GlibcSelfTestBase(OESelftestTestCase, 
OEPTestResultTestCase):
 bitbake("core-image-minimal")
 
 # start runqemu
-qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams 
= "nographic"))
+qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams 
= "nographic", qemuparams = "-m 1024"))
 
 # validate that SSH is working
 status, _ = qemu.run("uname")
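
Review bot: `-m 1024` is hard-coded in the `runqemu()` call with no comment on how the value was chosen, and the cover letter says about 8 tests still seem to trigger out-of-memory errors afterwards. A short comment with the reason, or a class-level constant that can be raised, would make the next adjustment easier.
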
-- 
2.41.0


View/Reply Online (#184893): https://lists.openembedded.org/g/openembedded-core/message/184893



[OE-core] [PATCH 1/4] glibc/check-test-wrapper: don't emit warnings from ssh

2023-07-26 Thread Anuj Mittal
Don't fill up the test log with the ssh warning about having added the host
to the list of known hosts.

Also helps fix a test case failure where stderr log was being compared
to a known value.

Signed-off-by: Anuj Mittal 
---
 meta/recipes-core/glibc/glibc/check-test-wrapper | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/glibc/glibc/check-test-wrapper 
b/meta/recipes-core/glibc/glibc/check-test-wrapper
index 6ec9b9b29e..5cc993f718 100644
--- a/meta/recipes-core/glibc/glibc/check-test-wrapper
+++ b/meta/recipes-core/glibc/glibc/check-test-wrapper
@@ -58,7 +58,7 @@ elif targettype == "ssh":
 user = os.environ.get("SSH_HOST_USER", None)
 port = os.environ.get("SSH_HOST_PORT", None)
 
-command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", 
"StrictHostKeyChecking=no"]
+command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", 
"StrictHostKeyChecking=no", "-o", "LogLevel=quiet"]
 if port:
 command += ["-p", str(port)]
 if not host:
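
Review bot: `LogLevel=quiet` in the `command` list silences most ssh client diagnostics, including connection and authentication errors, not only the known-hosts warning the commit message targets. `LogLevel=ERROR` also hides the "Permanently added" warning while still reporting real failures in the test log, which helps when a test fails because the target is unreachable.
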
-- 
2.41.0


View/Reply Online (#184892): https://lists.openembedded.org/g/openembedded-core/message/184892



[OE-core] [PATCH 0/4] Fix glibc test failures when running through qemu

2023-07-26 Thread Anuj Mittal
After applying these changes, the number of tests failing for glibc comes
down to 69 on autobuilder. Result summary for qemux86-64:

-----------------------------------------------------------
Recipe           | Passed | Failed | Skipped | Time(s)
-----------------------------------------------------------
binutils         | 289    | 0      | 8       | -
binutils-gas     | 1582   | 4      | 1       | -
binutils-ld      | 1622   | 6      | 111     | -
gcc              | 149696 | 28     | 27599   | -
gcc-g++          | 219260 | 30     | 21108   | -
gcc-libatomic    | 27     | 1      | 27      | -
gcc-libgomp      | 3426   | 1      | 1962    | -
gcc-libitm       | 24     | 1      | 24      | -
gcc-libstdc++-v3 | 9695   | 32     | 5459    | -
glibc            | 4984   | 69     | 147     | -
rust             | 15768  | 0      | 554     | -
-----------------------------------------------------------

Some of the remaining failing tests (~8) need python/gdb or gprof to be
installed. Some (~8) seem to be still triggering out of memory errors.

Some others (~26) fail while trying to setup test container with error:
error: test-container.c:844: Cannot create testroot lock

Anuj Mittal (4):
  glibc/check-test-wrapper: don't emit warnings from ssh
  selftest/cases/glibc.py: increase the memory for testing
  oeqa/utils/nfs: allow requesting non-udp ports
  selftest/cases/glibc.py: switch to using NFS over TCP

 meta/lib/oeqa/selftest/cases/glibc.py| 6 +++---
 meta/lib/oeqa/utils/nfs.py   | 4 ++--
 meta/recipes-core/glibc/glibc/check-test-wrapper | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

-- 
2.41.0


View/Reply Online (#184891): https://lists.openembedded.org/g/openembedded-core/message/184891



[OE-core] [PATCH] rust: Fix BOOTSTRAP_CARGO failure during Rust Oe-selftest

2023-07-26 Thread Shinde, Yash via lists.openembedded.org
BOOTSTRAP_CARGO command fails because codegen flags like `-Cpanic` were
prevented from being reflected in the current target configuration, which
leads to a Rust build (rust version 1.70) failure in Oe-selftest.

Upstream-Status: Backport 
[https://github.com/rust-lang/rust/commit/9dffb52738e0b2ccd15af36d4607a709b21e020c]

Signed-off-by: Yash Shinde 
---
 .../rust/files/bootstrap_fail.patch   | 127 ++
 meta/recipes-devtools/rust/rust-source.inc|   1 +
 2 files changed, 128 insertions(+)
 create mode 100644 meta/recipes-devtools/rust/files/bootstrap_fail.patch

diff --git a/meta/recipes-devtools/rust/files/bootstrap_fail.patch 
b/meta/recipes-devtools/rust/files/bootstrap_fail.patch
new file mode 100644
index 00..1f44b6eaf6
--- /dev/null
+++ b/meta/recipes-devtools/rust/files/bootstrap_fail.patch
@@ -0,0 +1,127 @@
+rust: Fix BOOTSTRAP_CARGO failure during Rust Oe-selftest
+
+BOOTSTRAP_CARGO command fails due to codegen flags like `-Cpanic` were
+prevented from being reflected in the current target configuration which
+leads to Rust build(rust version 1.70) failure in Oe-selftest.
+
+Upstream-Status: Backport 
[https://github.com/rust-lang/rust/commit/9dffb52738e0b2ccd15af36d4607a709b21e020c]
+
+Signed-off-by: Yash Shinde 
+---
+diff --git a/src/tools/compiletest/src/common.rs 
b/src/tools/compiletest/src/common.rs
+--- a/src/tools/compiletest/src/common.rs
 b/src/tools/compiletest/src/common.rs
+@@ -431,7 +431,6 @@
+ .unwrap()
+ };
+
+-let mut current = None;
+ let mut all_targets = HashSet::new();
+ let mut all_archs = HashSet::new();
+ let mut all_oses = HashSet::new();
+@@ -452,14 +451,11 @@
+ }
+ all_pointer_widths.insert(format!("{}bit", cfg.pointer_width));
+
+-if target == config.target {
+-current = Some(cfg);
+-}
+ all_targets.insert(target.into());
+ }
+
+ Self {
+-current: current.expect("current target not found"),
++current: Self::get_current_target_config(config),
+ all_targets,
+ all_archs,
+ all_oses,
+@@ -471,6 +467,89 @@
+ }
+ }
+
++fn get_current_target_config(config: ) -> TargetCfg {
++let mut arch = None;
++let mut os = None;
++let mut env = None;
++let mut abi = None;
++let mut families = Vec::new();
++let mut pointer_width = None;
++let mut endian = None;
++let mut panic = None;
++
++for config in
++rustc_output(config, &["--print=cfg", "--target", 
]).trim().lines()
++{
++let (name, value) = config
++.split_once("=\"")
++.map(|(name, value)| {
++(
++name,
++Some(
++value
++.strip_suffix("\"")
++.expect("key-value pair should be properly 
quoted"),
++),
++)
++})
++.unwrap_or_else(|| (config, None));
++
++match name {
++"target_arch" => {
++arch = Some(value.expect("target_arch should be a 
key-value pair").to_string());
++}
++"target_os" => {
++os = Some(value.expect("target_os sould be a key-value 
pair").to_string());
++}
++"target_env" => {
++env = Some(value.expect("target_env should be a key-value 
pair").to_string());
++}
++"target_abi" => {
++abi = Some(value.expect("target_abi should be a key-value 
pair").to_string());
++}
++"target_family" => {
++families
++.push(value.expect("target_family should be a 
key-value pair").to_string());
++}
++"target_pointer_width" => {
++pointer_width = Some(
++value
++.expect("target_pointer_width should be a 
key-value pair")
++.parse::()
++.expect("target_pointer_width should be a valid 
u32"),
++);
++}
++"target_endian" => {
++endian = Some(match value.expect("target_endian should be 
a key-value pair") {
++"big" => Endian::Big,
++"little" => Endian::Little,
++_ => panic!("target_endian should be either 'big' or 
'little'"),
++});
++}
++"panic" => {
++panic = Some(match value.expect("panic should be a 
key-value pair") {
++"abort" => PanicStrategy::Abort,
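
Review bot: the header of the embedded bootstrap_fail.patch is marked `Upstream-Status: Backport` but carries only the OE commit text and the submitter's Signed-off-by, with no upstream `From:` or `Subject:` lines, so the original authorship and description are lost; keep the upstream commit header and add the OE tags below it. In the `"target_os"` arm the message reads "sould"; if that spelling is in the upstream commit, leave it so the backport matches upstream, otherwise fix it here.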

[OE-core] [PATCH] rust: Fix BOOTSTRAP_CARGO failure during Rust Oe-selftest

2023-07-26 Thread Shinde, Yash via lists.openembedded.org
BOOTSTRAP_CARGO command fails because codegen flags like `-Cpanic` were
prevented from being reflected in the current target configuration, which
leads to a Rust build (rust version 1.70) failure in Oe-selftest.

Upstream-Status: Backport 
[https://github.com/rust-lang/rust/commit/9dffb52738e0b2ccd15af36d4607a709b21e020c]

Signed-off-by: Yash Shinde 
---
 .../rust/files/bootstrap_fail.patch   | 127 ++
 meta/recipes-devtools/rust/rust-source.inc|   1 +
 2 files changed, 128 insertions(+)
 create mode 100644 meta/recipes-devtools/rust/files/bootstrap_fail.patch

diff --git a/meta/recipes-devtools/rust/files/bootstrap_fail.patch 
b/meta/recipes-devtools/rust/files/bootstrap_fail.patch
new file mode 100644
index 00..1f44b6eaf6
--- /dev/null
+++ b/meta/recipes-devtools/rust/files/bootstrap_fail.patch
@@ -0,0 +1,127 @@
+rust: Fix BOOTSTRAP_CARGO failure during Rust Oe-selftest
+
+BOOTSTRAP_CARGO command fails due to codegen flags like `-Cpanic` were
+prevented from being reflected in the current target configuration which
+leads to Rust build(rust version 1.70) failure in Oe-selftest.
+
+Upstream-Status: Backport 
[https://github.com/rust-lang/rust/commit/9dffb52738e0b2ccd15af36d4607a709b21e020c]
+
+Signed-off-by: Yash Shinde 
+---
+diff --git a/src/tools/compiletest/src/common.rs 
b/src/tools/compiletest/src/common.rs
+--- a/src/tools/compiletest/src/common.rs
 b/src/tools/compiletest/src/common.rs
+@@ -431,7 +431,6 @@
+ .unwrap()
+ };
+
+-let mut current = None;
+ let mut all_targets = HashSet::new();
+ let mut all_archs = HashSet::new();
+ let mut all_oses = HashSet::new();
+@@ -452,14 +451,11 @@
+ }
+ all_pointer_widths.insert(format!("{}bit", cfg.pointer_width));
+
+-if target == config.target {
+-current = Some(cfg);
+-}
+ all_targets.insert(target.into());
+ }
+
+ Self {
+-current: current.expect("current target not found"),
++current: Self::get_current_target_config(config),
+ all_targets,
+ all_archs,
+ all_oses,
+@@ -471,6 +467,89 @@
+ }
+ }
+
++fn get_current_target_config(config: ) -> TargetCfg {
++let mut arch = None;
++let mut os = None;
++let mut env = None;
++let mut abi = None;
++let mut families = Vec::new();
++let mut pointer_width = None;
++let mut endian = None;
++let mut panic = None;
++
++for config in
++rustc_output(config, &["--print=cfg", "--target", 
]).trim().lines()
++{
++let (name, value) = config
++.split_once("=\"")
++.map(|(name, value)| {
++(
++name,
++Some(
++value
++.strip_suffix("\"")
++.expect("key-value pair should be properly 
quoted"),
++),
++)
++})
++.unwrap_or_else(|| (config, None));
++
++match name {
++"target_arch" => {
++arch = Some(value.expect("target_arch should be a 
key-value pair").to_string());
++}
++"target_os" => {
++os = Some(value.expect("target_os sould be a key-value 
pair").to_string());
++}
++"target_env" => {
++env = Some(value.expect("target_env should be a key-value 
pair").to_string());
++}
++"target_abi" => {
++abi = Some(value.expect("target_abi should be a key-value 
pair").to_string());
++}
++"target_family" => {
++families
++.push(value.expect("target_family should be a 
key-value pair").to_string());
++}
++"target_pointer_width" => {
++pointer_width = Some(
++value
++.expect("target_pointer_width should be a 
key-value pair")
++.parse::()
++.expect("target_pointer_width should be a valid 
u32"),
++);
++}
++"target_endian" => {
++endian = Some(match value.expect("target_endian should be 
a key-value pair") {
++"big" => Endian::Big,
++"little" => Endian::Little,
++_ => panic!("target_endian should be either 'big' or 
'little'"),
++});
++}
++"panic" => {
++panic = Some(match value.expect("panic should be a 
key-value pair") {
++"abort" => PanicStrategy::Abort,
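Review bot: the header of bootstrap_fail.patch names the symptom but not the mechanism, so a later maintainer cannot tell from it when the patch can be dropped. One more sentence would do: `current` is no longer picked out of the all-targets loop (`if target == config.target`) but built by `get_current_target_config()` from `rustc --print=cfg --target ...` output, and the fix was needed for Rust 1.70. The "sould" typo in the `target_os` expect message should stay untouched if that is how the upstream commit has it, so the backport keeps matching upstream.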

Re: [OE-core] [kirkstone][PATCH] tiff: fix multiple CVEs

2023-07-26 Thread Steve Sakoman
It would be quite helpful to me if in the future you would send multiple
patches to the same recipe as a patch series rather than individually.

That way I won't have to try to figure out which order you intended them to
be applied!

Steve

On Tue, Jul 25, 2023 at 8:09 PM Hitendra Prajapati 
wrote:

> Backport fixes for:
> * CVE-2023-25433 - Upstream-Status: Backport from
> https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678
> &&
> https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44
> * CVE-2023-25434 & CVE-2023-25435 - Upstream-Status: Backport from
> https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38
>
> Signed-off-by: Hitendra Prajapati 
> ---
>  .../libtiff/tiff/CVE-2023-25433.patch | 195 ++
>  .../tiff/CVE-2023-25434-CVE-2023-25435.patch  |  94 +
>  meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   2 +
>  3 files changed, 291 insertions(+)
>  create mode 100644
> meta/recipes-multimedia/libtiff/tiff/CVE-2023-25433.patch
>  create mode 100644
> meta/recipes-multimedia/libtiff/tiff/CVE-2023-25434-CVE-2023-25435.patch
>
> diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25433.patch
> b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25433.patch
> new file mode 100644
> index 00..285aa3d1c4
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25433.patch
> @@ -0,0 +1,195 @@
> +From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001
> +From: Su_Laus 
> +Date: Fri, 3 Feb 2023 15:31:31 +0100
> +Subject: [PATCH] CVE-2023-25433
> +
> +tiffcrop correctly update buffersize after rotateImage()
> +fix#520 rotateImage() set up a new buffer and calculates its size
> +individually. Therefore, seg_buffs[] size needs to be updated accordingly.
> +Before this fix, the seg_buffs buffer size was calculated with a different
> +formula than within rotateImage().
> +
> +Closes #520.
> +
> +Upstream-Status: Backport [
> https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678
> &&
> https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44
> ]
> +CVE: CVE-2023-25433
> +Signed-off-by: Hitendra Prajapati 
> +---
> + tools/tiffcrop.c | 78 +---
> + 1 file changed, 60 insertions(+), 18 deletions(-)
> +
> +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
> +index eee26bf..cbd24cc 100644
> +--- a/tools/tiffcrop.c
>  b/tools/tiffcrop.c
> +@@ -523,7 +523,7 @@ static int rotateContigSamples24bits(uint16_t,
> uint16_t, uint16_t, uint32_t,
> + static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t,
> uint32_t,
> +  uint32_t, uint32_t, uint8_t *,
> uint8_t *);
> + static int rotateImage(uint16_t, struct image_data *, uint32_t *,
> uint32_t *,
> +-   unsigned char **, int);
> ++   unsigned char **, size_t *);
> + static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
> +unsigned char *);
> + static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
> +@@ -6515,7 +6515,7 @@ static int  correct_orientation(struct image_data
> *image, unsigned char **work_b
> +* but switch xres, yres there. */
> +   uint32_t width = image->width;
> +   uint32_t length = image->length;
> +-  if (rotateImage(rotation, image, , , work_buff_ptr,
> TRUE))
> ++  if (rotateImage(rotation, image, , , work_buff_ptr,
> NULL))
> +   {
> +   TIFFError ("correct_orientation", "Unable to rotate image");
> +   return (-1);
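Review bot: in the `correct_orientation()` hunk the last argument to `rotateImage()` changes from `TRUE` to `NULL`, and the prototype hunk above turns that parameter into a `size_t *`, so `rotateImage()` has to test the pointer before storing the buffer size through it. The body of `rotateImage()` is not in the quoted part of the patch; please confirm the backported body carries that NULL check, because this caller would otherwise write through a null pointer on every orientation correction.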
> +@@ -7695,16 +7695,19 @@ processCropSelections(struct image_data *image,
> struct crop_mask *crop,
> +
> + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it
> can reallocate the buffer */
> +   {
> ++/* rotateImage() set up a new buffer and calculates its size
> ++ * individually. Therefore, seg_buffs size  needs to be updated
> ++ * accordingly. */
> ++  size_t rot_buf_size = 0;
> +   if (rotateImage(crop->rotation, image, >combined_width,
> +-  >combined_length, _buff, FALSE))
> ++  >combined_length, _buff, _buf_size))
> + {
> + TIFFError("processCropSelections",
> +   "Failed to rotate composite regions by %"PRIu32"
> degrees", crop->rotation);
> + return (-1);
> + }
> +   seg_buffs[0].buffer = crop_buff;
> +-  seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
> +-* image->spp) * crop->combined_length;
> ++  seg_buffs[0].size = rot_buf_size;
> +   }
> + }
> +   else  /* Separated Images */
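Review bot: `rot_buf_size` starts at 0 and is copied into `seg_buffs[0].size` whenever `rotateImage()` reports success, so any success path in `rotateImage()` that returns without writing the size leaves the segment buffer recorded as zero bytes. Please check that the backported `rotateImage()` sets `*rot_buf_size` on every path that returns 0. The Upstream-Status line also folds two upstream commits (joined with `&&`) into one file; one patch file per upstream commit is easier to compare against upstream.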
> +@@ -7804,9 +7807,13 @@ processCropSelections(struct image_data *image,
> struct crop_mask *crop,
> + {
> +   /* rotateImage() changes image->width, ->length, ->xres and
> ->yres, what 

Re: [OE-core] [kirkstone][PATCH] tiff: fix multiple CVEs

2023-07-26 Thread Anuj Mittal
On Wed, 2023-07-26 at 17:20 +0530, Hitendra Prajapati wrote:
> +Upstream-Status: Backport
> [https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e0ac16b5cfb1
> 1acaaeaa493334f8]
> +CVE: CVE-2023-3618
> +Signed-off-by: Hitendra Prajapati 
> +---
> + tools/tiffcrop.c | 18 +++---
> + 1 file changed, 15 insertions(+), 3 deletions(-)
> +
> +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
> +index ce77c74..2c553e3 100644
> +--- a/tools/tiffcrop.c
>  b/tools/tiffcrop.c
> +@@ -2459,9 +2459,15 @@ main(int argc, char* argv[])
> + {  /* Whole image or sections not based on output page size
> */
> + if (crop.selections > 0)
> +   {
> +-  writeSelections(in, , , , , seg_buffs,
> +-  mp, argv[argc - 1], _page,
> total_pages);
> +-  }
> ++ if (writeSelections(in, , , , ,
> ++ seg_buffs, mp, argv[argc - 1],
> ++ _page, total_pages))
> ++  {
> ++    TIFFError("main",
> ++  "Unable to write new image selections");
> ++    exit(EXIT_FAILURE);
> ++  }
> ++  }
> + else  /* One file all images and sections */
> +   {
> +   if (update_output_file (, mp, crop.exp_mode, argv[argc
> - 1],
> +@@ -7836,6 +7842,12 @@ createCroppedImage(struct image_data *image,
> struct crop_mask *crop,
> + 
> +   read_buff = *read_buff_ptr;
> + 
> ++  /* Memory is freed before crop_buff_ptr is overwritten */
> ++    if (*crop_buff_ptr != NULL)
> ++    {
> ++    _TIFFfree(*crop_buff_ptr);
> ++    }
> ++

This doesn't seem to be part of the commit mentioned above in Upstream-
Status. This change is coming from:

https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37

Please backport it as a separate patch.

> +   /* process full image, no crop buffer needed */
> +   crop_buff = read_buff;

The commit 881a070194 actually removes this assignment but your patch
doesn't seem to be doing that ...

Thanks,

Anuj





[OE-core][dunfell][PATCH] go: fix CVE-2023-29406 net/http: insufficient sanitization of Host header

2023-07-26 Thread vkumbhar
Signed-off-by: Vivek Kumbhar 
---
 meta/recipes-devtools/go/go-1.14.inc  |   1 +
 .../go/go-1.14/CVE-2023-29406.patch   | 212 ++
 2 files changed, 213 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29406.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index 33b53b1a34..b2cf805d2d 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -68,6 +68,7 @@ SRC_URI += "\
 file://CVE-2023-29402.patch \
 file://CVE-2023-29404.patch \
 file://CVE-2023-29400.patch \
+file://CVE-2023-29406.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
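Review bot: the commit message has no body beyond the Signed-off-by, while the patch being added is titled for `release-branch.go1.19` and lands in go-1.14. Please state in the commit message or in the patch header whether the upstream change applied as is or which hunks had to be adapted for 1.14, so the backport can be checked against the upstream commit.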
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29406.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406.patch
new file mode 100644
index 00..080def4682
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406.patch
@@ -0,0 +1,212 @@
+From 5fa6923b1ea891400153d04ddf1545e23b40041b Mon Sep 17 00:00:00 2001
+From: Damien Neil 
+Date: Wed, 28 Jun 2023 13:20:08 -0700
+Subject: [PATCH] [release-branch.go1.19] net/http: validate Host header before
+ sending
+
+Verify that the Host header we send is valid.
+Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
+adding an X-Evil header to HTTP/1 requests.
+
+Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
+header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
+the header and will go into a retry loop when the server rejects it.
+CL 506995 adds the necessary validation to x/net/http2.
+
+Updates #60374
+Fixes #61075
+For CVE-2023-29406
+
+Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
+Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
+Reviewed-by: Tatiana Bradley 
+TryBot-Result: Gopher Robot 
+Run-TryBot: Damien Neil 
+(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/507358
+Run-TryBot: Tatiana Bradley 
+Reviewed-by: Roland Shoemaker 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b]
+CVE: CVE-2023-29406
+Signed-off-by: Vivek Kumbhar 
+---
+ src/net/http/http_test.go  | 29 -
+ src/net/http/request.go| 47 --
+ src/net/http/request_test.go   | 11 ++--
+ src/net/http/transport_test.go | 18 +
+ 4 files changed, 31 insertions(+), 74 deletions(-)
+
+diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go
+index f4ea52d..ea38cb4 100644
+--- a/src/net/http/http_test.go
 b/src/net/http/http_test.go
+@@ -49,35 +49,6 @@ func TestForeachHeaderElement(t *testing.T) {
+   }
+ }
+
+-func TestCleanHost(t *testing.T) {
+-  tests := []struct {
+-  in, want string
+-  }{
+-  {"www.google.com", "www.google.com"},
+-  {"www.google.com foo", "www.google.com"},
+-  {"www.google.com/foo", "www.google.com"},
+-  {" first character is a space", ""},
+-  {"[1::6]:8080", "[1::6]:8080"},
+-
+-  // Punycode:
+-  {"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"},
+-  {"bücher.de", "xn--bcher-kva.de"},
+-  {"bücher.de:8080", "xn--bcher-kva.de:8080"},
+-  // Verify we convert to lowercase before punycode:
+-  {"BÜCHER.de", "xn--bcher-kva.de"},
+-  {"BÜCHER.de:8080", "xn--bcher-kva.de:8080"},
+-  // Verify we normalize to NFC before punycode:
+-  {"gophér.nfc", "xn--gophr-esa.nfc"},// NFC input; 
no work needed
+-  {"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input
+-  }
+-  for _, tt := range tests {
+-  got := cleanHost(tt.in)
+-  if tt.want != got {
+-  t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, 
tt.want)
+-  }
+-  }
+-}
+-
+ // Test that cmd/go doesn't link in the HTTP server.
+ //
+ // This catches accidental dependencies between the HTTP transport and
+diff --git a/src/net/http/request.go b/src/net/http/request.go
+index cb2edd2..2706300 100644
+--- a/src/net/http/request.go
 b/src/net/http/request.go
+@@ -18,7 +18,6 @@ import (
+   "io/ioutil"
+   "mime"
+   "mime/multipart"
+-  "net"
+   "net/http/httptrace"
+   "net/textproto"
+   "net/url"
+@@ -26,7 +25,8 @@ import (
+   "strconv"
+   "strings"
+   "sync"
+-
++
++  "golang.org/x/net/http/httpguts"
+   "golang.org/x/net/idna"
+ )
+
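Review bot: in the `request.go` import hunk the blank line that separates the standard-library imports from `golang.org/x/...` is removed and added back (`-` followed by `+` on an otherwise empty line), which usually means the new line carries trailing whitespace. Only the `"golang.org/x/net/http/httpguts"` line needs to be added here; dropping the whitespace-only change keeps the backport minimal.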
+@@ -557,12 +557,19 @@ func (r *Request) write(w io.Writer, usingProxy bool, 
extraHeaders Header, waitF
+   // is not given, use the host from the request URL.
+   //
+   // Clean the host, in case it arrives with unexpected stuff in it.
+-  host := cleanHost(r.Host)
++  host := r.Host

[OE-core] [kirkstone][PATCH] libxcrypt: fix build with perl-5.38 and use master branch

2023-07-26 Thread Martin Jansa
* fixes do_configure failure:
  checking whether all ucontext.h functions are available... yes
  when is deprecated at 
libxcrypt/4.4.30-r0/git/build-aux/scripts/BuildCommon.pm line 522.
  Compilation failed in require at 
../git/build-aux/scripts/expand-selected-hashes line 28.
  BEGIN failed--compilation aborted at 
../git/build-aux/scripts/expand-selected-hashes line 28.
  configure: error: bad value 'all' for --enable-hashes
  NOTE: The following config.log files may provide further information.

* with this patch backported it works OK:
  libxcrypt/4.4.30-r0/git $ perl build-aux/scripts/expand-selected-hashes
  usage: expand-selected-hashes hashes.conf names,of,selected,hashes

* similarly do_compile failure:
  ../git/build-aux/scripts/move-if-change crypt-hashes.h.T crypt-hashes.h
  ../git/build-aux/scripts/move-if-change crypt-symbol-vers.h.T 
crypt-symbol-vers.h
  given is deprecated at ../git/build-aux/scripts/gen-crypt-h line 41.
  Makefile:3818: Makefile.deps: No such file or directory
  make: *** [Makefile:3715: crypt.h.stamp] Error 255

* also use master branch instead of develop, the SRCREV exists in both
  but stable metadata branches should track stable component branches

  libxcrypt/4.4.30-r0/git $ git branch -a --contains 
d7fe1ac04c326dba7e0440868889d1dccb41a175 | tee
  * develop
remotes/origin/HEAD -> origin/develop
remotes/origin/develop
remotes/origin/master

  and oe-core master also uses master SRCBRANCH since:
  
https://git.openembedded.org/openembedded-core/commit/?id=d18e89bd2b46c6e266cc39dbe9fdb6c032f5f1fe

Signed-off-by: Martin Jansa 
---
 ...ommon.pm-compatible-with-latest-perl.patch | 50 +++
 ...ve-smartmatch-usage-from-gen-crypt-h.patch | 62 +++
 meta/recipes-core/libxcrypt/libxcrypt.inc |  7 ++-
 3 files changed, 117 insertions(+), 2 deletions(-)
 create mode 100644 
meta/recipes-core/libxcrypt/files/0001-Make-BuildCommon.pm-compatible-with-latest-perl.patch
 create mode 100644 
meta/recipes-core/libxcrypt/files/0002-Remove-smartmatch-usage-from-gen-crypt-h.patch

diff --git 
a/meta/recipes-core/libxcrypt/files/0001-Make-BuildCommon.pm-compatible-with-latest-perl.patch
 
b/meta/recipes-core/libxcrypt/files/0001-Make-BuildCommon.pm-compatible-with-latest-perl.patch
new file mode 100644
index 00..b3e43d5815
--- /dev/null
+++ 
b/meta/recipes-core/libxcrypt/files/0001-Make-BuildCommon.pm-compatible-with-latest-perl.patch
@@ -0,0 +1,50 @@
+From c3ec04f1aee68970b82e4b033bee1477e76798f9 Mon Sep 17 00:00:00 2001
+From: Leon Timmermans 
+Date: Tue, 6 Jun 2023 17:03:57 +0200
+Subject: [PATCH] Make BuildCommon.pm compatible with latest perl
+
+It was previously using an experimental feature that has since been dropped.
+This removes the use of that feature.
+
+Signed-off-by: Martin Jansa 
+Upstream-Status: Backport [v4.4.35 
https://github.com/besser82/libxcrypt/commit/ce562f4d33dc090fcd8f6ea1af3ba32cdc2b3c9c]
+---
+ build-aux/scripts/BuildCommon.pm | 9 -
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/build-aux/scripts/BuildCommon.pm 
b/build-aux/scripts/BuildCommon.pm
+index 0e6f2a3..c38ba21 100644
+--- a/build-aux/scripts/BuildCommon.pm
 b/build-aux/scripts/BuildCommon.pm
+@@ -11,7 +11,6 @@ use v5.14;# implicit use strict, use feature ':5.14'
+ use warnings FATAL => 'all';
+ use utf8;
+ use open qw(:utf8);
+-no  if $] >= 5.018, warnings => 'experimental::smartmatch';
+ no  if $] >= 5.022, warnings => 'experimental::re_strict';
+ use if $] >= 5.022, re   => 'strict';
+ 
+@@ -519,19 +518,19 @@ sub parse_symver_args {
+ my $COMPAT_ABI;
+ local $_;
+ for (@args) {
+-when (/^SYMVER_MIN=(.+)$/) {
++if (/^SYMVER_MIN=(.+)$/) {
+ $usage_error->() if defined $SYMVER_MIN;
+ $SYMVER_MIN = $1;
+ }
+-when (/^SYMVER_FLOOR=(.+)$/) {
++elsif (/^SYMVER_FLOOR=(.+)$/) {
+ $usage_error->() if defined $SYMVER_FLOOR;
+ $SYMVER_FLOOR = $1;
+ }
+-when (/^COMPAT_ABI=(.+)$/) {
++elsif (/^COMPAT_ABI=(.+)$/) {
+ $usage_error->() if defined $COMPAT_ABI;
+ $COMPAT_ABI = $1;
+ }
+-default {
++else {
+ $usage_error->() if defined $map_in;
+ $map_in = $_;
+ }
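Review bot: replacing `when`/`default` with `if`/`elsif`/`else` in `parse_symver_args` is only equivalent if nothing follows the chain inside the `for (@args)` loop, because a `when` block inside `for` implicitly moves on to the next iteration while an `if` block falls through to whatever comes after it. The visible context ends at the closing brace of the `else`, so this cannot be confirmed from the hunk; a look at the lines after it in BuildCommon.pm at 4.4.30 settles it.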
diff --git 
a/meta/recipes-core/libxcrypt/files/0002-Remove-smartmatch-usage-from-gen-crypt-h.patch
 
b/meta/recipes-core/libxcrypt/files/0002-Remove-smartmatch-usage-from-gen-crypt-h.patch
new file mode 100644
index 00..603f52f792
--- /dev/null
+++ 
b/meta/recipes-core/libxcrypt/files/0002-Remove-smartmatch-usage-from-gen-crypt-h.patch
@@ -0,0 +1,62 @@
+From 95d6e03ae37f4ec948474d05bbdd2938aba2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andreas=20K=2E=20H=C3=BCttel?= 
+Date: Sun, 25 Jun 2023 01:35:08 +0200
+Subject: [PATCH] Remove smartmatch usage from gen-crypt-h
+
+Needed for Perl 5.38
+
+Signed-off-by: Martin Jansa 
+Upstream-Status: Backport [v4.4.36 

Re: [OE-core] [PATCH] rpm: Allow setting platform macro settings externally

2023-07-26 Thread Zoltan Boszormenyi

On 2023-07-25 at 18:30, Alexander Kanavin wrote:

I would want to hold this until we have a reaction from upstream.


Now we have a reaction. Both PRs were closed because they were not
against master, my bad. Now reopened against master as
https://github.com/rpm-software-management/rpm/pull/2585

But there was some real comment here:
https://github.com/rpm-software-management/rpm/pull/2580#issuecomment-1651647277

The discussion may/should be taken to the issue at
https://github.com/rpm-software-management/rpm/issues/2578


RPM_CUSTOM_* exports should go to specific tasks where they are needed.

Alex

On Tue, 25 Jul 2023 at 15:57, Zoltán Böszörményi  wrote:

Feed platform settings to installplatform externally. Based on the patch
submitted under https://github.com/rpm-software-management/rpm/pull/2579

Signed-off-by: Zoltán Böszörményi 
---
  ...ng-plaform-macro-settings-externally.patch | 56 +++
  meta/recipes-devtools/rpm/rpm_4.18.1.bb   | 17 ++
  2 files changed, 73 insertions(+)
  create mode 100644 
meta/recipes-devtools/rpm/files/0001-Allow-setting-plaform-macro-settings-externally.patch

diff --git 
a/meta/recipes-devtools/rpm/files/0001-Allow-setting-plaform-macro-settings-externally.patch
 
b/meta/recipes-devtools/rpm/files/0001-Allow-setting-plaform-macro-settings-externally.patch
new file mode 100644
index 00..8b3220f114
--- /dev/null
+++ 
b/meta/recipes-devtools/rpm/files/0001-Allow-setting-plaform-macro-settings-externally.patch
@@ -0,0 +1,56 @@
+From 320f4f3861dad70342f065004311eac143d6522d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zolt=C3=A1n=20B=C3=B6sz=C3=B6rm=C3=A9nyi?=
+ 
+Date: Tue, 25 Jul 2023 10:56:44 +0200
+Subject: [PATCH] Allow setting plaform macro settings externally
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Yocto has their own way to set the platform names via BSPs
+(Board Support Packages). These names are more specific than
+basic CPU architectures, and such a platform name ends up in
+/etc/rpm/platform but the corresponding subdirectory under
+/usr/lib/rpm/platform does not exist.
+
+Allow creating such custom platform subdirectory with feeding
+the necessary data using external variables: RPM_CUSTOM_ARCH,
+RPM_CUSTOM_ISANAME, RPM_CUSTOM_ISABITS, RPM_CUSTOM_CANONARCH
+and RPM_CUSTOM_CANONCOLOR
+
+Signed-off-by: Zoltán Böszörményi 
+Upstream-Status: Submitted 
[https://github.com/rpm-software-management/rpm/pull/2579]
+---
+ installplatform | 9 -
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/installplatform b/installplatform
+index a5ad7c5b8..59f57697b 100755
+--- a/installplatform
 b/installplatform
+@@ -11,7 +11,7 @@ VENDOR="${4}"
+ OS="${5}"
+ RPMRC_GNU="${6}"
+
+-for ARCH in noarch `grep ^arch_canon $RPMRC | cut -d: -f2`; do
++for ARCH in noarch `grep ^arch_canon $RPMRC | cut -d: -f2` 
${RPM_CUSTOM_ARCH:+custom}; do
+   RPMRC_OPTFLAGS="`sed -n 's/^optflags: '$ARCH' //p' $RPMRC`"
+   RPMRC_OPTFLAGS="`echo $RPMRC_OPTFLAGS | sed -e 's, ,\ ,g'`"
+   case $RPMRC_OPTFLAGS in
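Review bot: with `${RPM_CUSTOM_ARCH:+custom}` appended to the loop list, the two `RPMRC_OPTFLAGS=` lines directly below it run while `ARCH` is still the literal `custom`, so the `sed -n 's/^optflags: '$ARCH' //p'` lookup searches rpmrc for an `optflags: custom` entry. `ARCH` is only replaced by `$RPM_CUSTOM_ARCH` later, in the `custom)` case arm, so the custom platform gets whatever that lookup yields. If empty optflags are intended for custom platforms, say so in the patch header; otherwise the lookup needs a real architecture name to key on.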
+@@ -30,6 +30,13 @@ for ARCH in noarch `grep ^arch_canon $RPMRC | cut -d: -f2`; 
do
+   CANONCOLOR=
+   FILTER=cat
+   case "${ARCH}" in
++custom)
++  ARCH=$RPM_CUSTOM_ARCH
++  ISANAME=$RPM_CUSTOM_ISANAME
++  ISABITS=$RPM_CUSTOM_ISABITS
++  CANONARCH=$RPM_CUSTOM_CANONARCH
++  CANONCOLOR=$RPM_CUSTOM_CANONCOLOR
++;;
+ sparc64*)
+   ISANAME=sparc
+   ISABITS=64
+--
+2.41.0
+
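Review bot: the `custom)` arm is entered whenever `RPM_CUSTOM_ARCH` is non-empty, but `RPM_CUSTOM_ISANAME`, `RPM_CUSTOM_ISABITS`, `RPM_CUSTOM_CANONARCH` and `RPM_CUSTOM_CANONCOLOR` are copied without any check, so a caller that sets only the first variable gets a platform directory generated from empty values. Either fail early when one of them is missing or document in the header that all five must be set together. The Upstream-Status line still points at pull/2579, which according to the reply above was closed and resubmitted as pull/2585.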
diff --git a/meta/recipes-devtools/rpm/rpm_4.18.1.bb 
b/meta/recipes-devtools/rpm/rpm_4.18.1.bb
index 95a9e92f96..bc036fc843 100644
--- a/meta/recipes-devtools/rpm/rpm_4.18.1.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.18.1.bb
@@ -40,6 +40,7 @@ SRC_URI = 
"git://github.com/rpm-software-management/rpm;branch=rpm-4.18.x;protoc
 file://0001-python-Use-Py_hash_t-instead-of-long-in-hdr_hash.patch 
\
 file://fix-declaration.patch \
 file://ea3187cfcf9cac87e5bc5e7db79b0338da9e355e.patch \
+   file://0001-Allow-setting-plaform-macro-settings-externally.patch \
 "

  PE = "1"
@@ -103,6 +104,21 @@ WRAPPER_TOOLS = " \
 ${libdir}/rpm/rpmdeps \
  "

+def rpm_isaname(d):
+import re
+arch = d.getVar('TARGET_ARCH')
+if re.match("^i.86$", arch) or re.match("^x86.*64$", arch):
+return "x86"
+# Add more platform tweaks for ISANAME as needed
+return arch
+
+export RPM_CUSTOM_ARCH = "${MACHINE_ARCH}"
+export RPM_CUSTOM_ISANAME = "${@rpm_isaname(d)}"
+export RPM_CUSTOM_ISABITS = "${SITEINFO_BITS}"
+export RPM_CUSTOM_CANONARCH = "${TARGET_ARCH}"
+# CANONCOLOR determines whether /usr/lib or /usr/lib64 is used for a 64-bit 
platform
+export RPM_CUSTOM_CANONCOLOR = "${@bb.utils.contains('DISTRO_FEATURES', 'multilib', 
'3', '0', d)}"
+
  do_configure:prepend() {
  mkdir -p ${S}/build-aux
  }
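Review bot: the five `export RPM_CUSTOM_*` lines sit at recipe scope, so they enter the environment of every task and of every variant of the recipe, although only the step that runs `installplatform` reads them. Setting them inside the task that needs them keeps `MACHINE_ARCH`-dependent values out of everything else. `rpm_isaname()` maps only the x86 names and returns `TARGET_ARCH` unchanged for all other architectures; if any of those need a different ISANAME it should be filled in rather than left as a comment. The final hunk (`@@ -132,6 +148,7 @@`) only adds a blank line and can be dropped.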
@@ -132,6 +148,7 @@ do_install:append:class-nativesdk() {
  do_install:append:class-target() {
  rm -rf ${D}/var
  }
+
  

Re: [OE-core] [PATCH] oe.data: allow to mask out secret variables

2023-07-26 Thread Richard Purdie
On Wed, 2023-07-26 at 14:02 +0200, Enrico Scholz via
lists.openembedded.org wrote:
> Alexander Kanavin  writes:
> 
> > > Else, there are sometimes not many ways to work without them.
> > > E.g. SSTATE_MIRRORS has contain the secret token because it is
> > > used directly by bitbake; perhaps I could use a wget wrapper and
> > > write a custom curl python class...
> > 
> > Yes, the secret needs to be in a file (or other access-controlled
> > facility), and read from it by the process that needs it, and only
> > directly prior to using it. Having it in a bitbake variable which gets
> > passed through a million tasks and components
> 
> Where is the problem?  I know only one component
> (rootfs-postcommands.bbclass) which dumps the whole environment and
> leaks it.
> 
> Else, when there is a malicious component that wants to steal secrets
> from a bitbake variable, what would stop it from reading the secret from
> a file?
> 
> Your suggestion (write secrets in files instead of bitbake variables)
> does not improve security but causes only extra work.

It does improve security since there is an extra step to get the data
and you can more easily audit when that data is accessed or present.

I'd also note that there are patches under review to change rootfs-
postcommands to only export a known list of variables for other reasons
so this problem should go away when we get that patch merged.

Cheers,

Richard




Re: [OE-core] [PATCH] oe.data: allow to mask out secret variables

2023-07-26 Thread Enrico Scholz via lists.openembedded.org
Alexander Kanavin  writes:

>> Else, there are sometimes not many ways to work without them.
>> E.g. SSTATE_MIRRORS has contain the secret token because it is
>> used directly by bitbake; perhaps I could use a wget wrapper and
>> write a custom curl python class...
>
> Yes, the secret needs to be in a file (or other access-controlled
> facility), and read from it by the process that needs it, and only
> directly prior to using it. Having it in a bitbake variable which gets
> passed through a million tasks and components

Where is the problem?  I know only one component
(rootfs-postcommands.bbclass) which dumps the whole environment and
leaks it.

Else, when there is a malicious component that wants to steal secrets
from a bitbake variable, what would stop it from reading the secret from
a file?

Your suggestion (write secrets in files instead of bitbake variables)
does not improve security but causes only extra work.



Enrico




Re: [OE-core] [PATCH] oe.data: allow to mask out secret variables

2023-07-26 Thread Alexander Kanavin
On Wed, 26 Jul 2023 at 13:42, Enrico Scholz wrote:
> > it's better to just scrub
> > them prior to publishing with a post-script.
>
> Else, there are sometimes not many ways to work without them.
> E.g. SSTATE_MIRRORS has contain the secret token because it is used
> directly by bitbake; perhaps I could use a wget wrapper and write a
> custom curl python class...

Yes, the secret needs to be in a file (or other access-controlled
facility), and read from it by the process that needs it, and only
directly prior to using it. Having it in a bitbake variable which gets
passed through a million tasks and components is a terrible idea, and
I do not want to validate it by having a 'secret' flag. Sorry, still
no.

Alex

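The two measures argued for in this thread, exporting only a known list of variables (Richard Purdie's reply) and reading the secret from an access-controlled file directly before use (Alexander Kanavin's reply), shown as an added Python example that is not OpenEmbedded or bitbake code. It assumes the variable store is a plain dict; `dump_all`, `dump_allowlisted`, `read_secret`, `EXPORT_ALLOWLIST` and all sample values are hypothetical and constructed for illustration.

```python
import logging
import os
import stat

log = logging.getLogger("secret-access")

# Constructed sample standing in for a build's variable store.
# SSTATE_MIRRORS carries a token, the case raised in the thread.
SAMPLE_VARS = {
    "MACHINE": "qemux86-64",
    "DISTRO": "poky",
    "IMAGE_NAME": "core-image-minimal",
    "SSTATE_MIRRORS": "file://.* https://cache.example.invalid/PATH;token=CONSTRUCTED-TOKEN",
}

# Hypothetical allowlist: the only names that may reach a published artifact.
EXPORT_ALLOWLIST = ("MACHINE", "DISTRO", "IMAGE_NAME")


def dump_all(variables):
    """Weak form: serialise every variable, so a secret held in one leaks."""
    return "\n".join(f'{k}="{v}"' for k, v in sorted(variables.items()))


def dump_allowlisted(variables, allowlist=EXPORT_ALLOWLIST):
    """Corrected form: serialise only names on a known list, in list order."""
    return "\n".join(f'{k}="{variables[k]}"' for k in allowlist if k in variables)


def read_secret(path):
    """Read a secret from a file at the point of use.

    The file is opened first and checked through its descriptor, so the
    checks apply to the file actually read. Symlinks, non-regular files and
    files accessible to group or others are refused, and each read is logged
    so access to the secret can be audited.
    """
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            raise PermissionError(f"{path}: mode {mode:04o} is too permissive")
        with os.fdopen(fd, "r", encoding="utf-8") as fh:
            fd = None  # the file object owns the descriptor from here on
            secret = fh.read().strip()
        log.info("secret read from %s by pid %d", path, os.getpid())
        return secret
    finally:
        if fd is not None:
            os.close(fd)
```
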



[OE-core] [kirkstone][PATCH] tiff: fix multiple CVEs

2023-07-26 Thread Hitendra Prajapati
Backport fixes for:
* CVE-2023-2908 - Upstream-Status: Backport from 
https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f
* CVE-2023-3316 - Upstream-Status: Backport from 
https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536
* CVE-2023-3618 - Upstream-Status: Backport from 
https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e0ac16b5cfb11acaaeaa493334f8

Signed-off-by: Hitendra Prajapati 
---
 .../libtiff/tiff/CVE-2023-2908.patch  | 33 +++
 .../libtiff/tiff/CVE-2023-3316.patch  | 59 +++
 .../libtiff/tiff/CVE-2023-3618.patch  | 51 
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  3 +
 4 files changed, 146 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-2908.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-3316.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-2908.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-2908.patch
new file mode 100644
index 00..cf94fd23d8
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-2908.patch
@@ -0,0 +1,33 @@
+From 8c0859a80444c90b8dfb862a9f16de74e16f0a9e Mon Sep 17 00:00:00 2001
+From: xiaoxiaoafeifei 
+Date: Fri, 21 Apr 2023 13:01:34 +
+Subject: [PATCH] countInkNamesString(): fix `UndefinedBehaviorSanitizer`:
+ applying zero offset to null pointer
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f]
+CVE: CVE-2023-2908
+Signed-off-by: Hitendra Prajapati 
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 349dfe4..1402c8e 100644
+--- a/libtiff/tif_dir.c
 b/libtiff/tif_dir.c
+@@ -145,10 +145,10 @@ static uint16_t
+ countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
+ {
+   uint16_t i = 0;
+-  const char *ep = s + slen;
+-  const char *cp = s;
+ 
+   if (slen > 0) {
++  const char *ep = s + slen;
++  const char *cp = s;
+   do {
+   for (; cp < ep && *cp != '\0'; cp++) {}
+   if (cp >= ep)
+-- 
+2.25.1
+
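Review bot: moving `ep` and `cp` inside `if (slen > 0)` removes the `s + slen` computation only for the zero-length case, which is what the subject line describes; `s` is still used unchecked when `slen` is non-zero, so callers remain responsible for not passing NULL with a positive length. Also, the `From` hash in this file (8c0859a8...) is not the commit given in Upstream-Status (9bd48f0d...), unlike CVE-2023-3316.patch where the two match; please confirm the content was taken from the referenced commit.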
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3316.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3316.patch
new file mode 100644
index 00..1aa4ba45ac
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3316.patch
@@ -0,0 +1,59 @@
+From d63de61b1ec3385f6383ef9a1f453e4b8b11d536 Mon Sep 17 00:00:00 2001
+From: Su_Laus 
+Date: Fri, 3 Feb 2023 17:38:55 +0100
+Subject: [PATCH] TIFFClose() avoid NULL pointer dereferencing. fix#515
+
+Closes #515
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536]
+CVE: CVE-2023-3316
+Signed-off-by: Hitendra Prajapati 
+---
+ libtiff/tif_close.c | 11 +++
+ tools/tiffcrop.c|  5 -
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
+index 674518a..0fe7af4 100644
+--- a/libtiff/tif_close.c
 b/libtiff/tif_close.c
+@@ -118,13 +118,16 @@ TIFFCleanup(TIFF* tif)
+  */
+ 
+ void
+-TIFFClose(TIFF* tif)
++TIFFClose(TIFF *tif)
+ {
+-  TIFFCloseProc closeproc = tif->tif_closeproc;
+-  thandle_t fd = tif->tif_clientdata;
++if (tif != NULL)
++{
++TIFFCloseProc closeproc = tif->tif_closeproc;
++thandle_t fd = tif->tif_clientdata;
+ 
+   TIFFCleanup(tif);
+-  (void) (*closeproc)(fd);
++(void)(*closeproc)(fd);
++}
+ }
+ 
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ce77c74..cd49660 100644
+--- a/tools/tiffcrop.c
 b/tools/tiffcrop.c
+@@ -2548,7 +2548,10 @@ main(int argc, char* argv[])
+   }
+ }
+ 
+-  TIFFClose(out);
++if (out != NULL)
++{
++TIFFClose(out);
++}
+ 
+   return (0);
+   } /* end main */
+-- 
+2.25.1
+
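Review bot: the tools/tiffcrop.c hunk wraps `TIFFClose(out)` in `if (out != NULL)` although the libtiff/tif_close.c hunk in the same patch already makes TIFFClose() a no-op for a NULL handle, so the second check is redundant for this CVE; keeping it as an exact upstream backport is fine, but the header should say so. The `TIFF* tif` to `TIFF *tif` change and the re-indentation inside TIFFClose() are style-only and will make later backports that touch tif_close.c harder to apply.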
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618.patch
new file mode 100644
index 00..46c55afffd
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618.patch
@@ -0,0 +1,51 @@
+From b5c7d4c4e0ac16b5cfb11acaaeaa493334f8 Mon Sep 17 00:00:00 2001
+From: Su_Laus 
+Date: Fri, 5 May 2023 19:43:46 +0200
+Subject: [PATCH] Consider error return of writeSelections(). Fixes #553
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e0ac16b5cfb11acaaeaa493334f8]
+CVE: CVE-2023-3618
+Signed-off-by: Hitendra Prajapati 
+---
+ tools/tiffcrop.c | 18 +++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ce77c74..2c553e3 100644
+--- a/tools/tiffcrop.c
 b/tools/tiffcrop.c
+@@ -2459,9 
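Review bot: this patch and CVE-2023-3316.patch both modify tools/tiffcrop.c and both record ce77c74 as the pre-image in their `index` lines, so whichever is applied second no longer sees the file it was generated against; please confirm the SRC_URI order applies both without fuzz, given that the hunk here starts at line 2459 and the `TIFFClose(out)` hunk of the other patch sits below it at line 2548.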

Re: [OE-core] [PATCH] oe.data: allow to mask out secret variables

2023-07-26 Thread Enrico Scholz via lists.openembedded.org
Alexander Kanavin  writes:

> Please no. These things can leak out in a million other ways

no; that is very unlikely.  The parts which are dealing with secrets
usually take care about not leaking them.

All major CI systems have the same problem (need secret variables) and
at least gitlab solves it in the same way (mark it as to be masked and
replace it in logs).


> (e.g. if you publish logs),

Secrets do not appear in the usual 'bitbake ...' output only in the deep
.../temp/log.do_* files.

I do not think that people are really publishing these files.


> it's better to just scrub them prior to publishing with a post-script.

Sounds unergonomic; you have to know which variables are secret.  You
have to read and interpret the testdata.json file, substitute values and
write it back.

It is much better to do it in the first place.  The classes which are
dealing with secrets can mark them as such.


> Having secrets in bitbake variables is a bad idea to begin with.

Yes; because they are exported in testdata.json ;)

Else, there are sometimes not many ways to work without them.
E.g. SSTATE_MIRRORS has to contain the secret token because it is used
directly by bitbake; perhaps I could use a wget wrapper and write a
custom curl python class...



Enrico

View/Reply Online (#184878): https://lists.openembedded.org/g/openembedded-core/message/184878
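The post-publish scrub discussed in the message above, written out as an added example (not code from this thread or from OE-core): it takes a dict standing in for a parsed testdata.json plus the names of the secret variables, masks every occurrence of each secret, and checks the result. The caller has to supply the secret names, which is the drawback the message points out. Assumptions: the names SHORT_PIN, UNSET_TOKEN, SESSION_HEADER and UPLOAD_URL are hypothetical, and every value except the commit message's sample `HKBOZ8C279S4iwBA` is constructed; the 8-character threshold and the `**masked**` string follow the patch.

```python
import re
from urllib.parse import quote

MASK = "**masked**"      # replacement string used by the patch in this thread
MIN_SECRET_LEN = 8       # the patch's threshold for "too short"


def build_pattern(data, secret_keys, min_len=MIN_SECRET_LEN, longest_first=True):
    """Compile one regex that matches every usable secret value.

    Returns (pattern_or_None, dropped_keys).  Values of length 0 or 1 are
    placeholders and stay visible; values shorter than min_len cannot be
    searched for safely, so their keys are dropped from the output.
    """
    needles, dropped = [], []
    for key in secret_keys:
        value = data.get(key)
        if not isinstance(value, str) or len(value) < 2:
            continue                              # unset, or a placeholder such as "-"
        if len(value) < min_len:
            dropped.append(key)
            continue
        needles.append(value)
        needles.append(quote(value, safe=""))     # form the value takes inside a URL
    needles = list(dict.fromkeys(needles))        # de-duplicate, keep order
    if not needles:
        return None, dropped
    if longest_first:
        # Alternation picks the first alternative that matches, so a secret
        # that is a prefix of another one must be listed after the longer one.
        needles.sort(key=len, reverse=True)
    return re.compile("|".join(re.escape(n) for n in needles)), dropped


def scrub(data, secret_keys, min_len=MIN_SECRET_LEN, longest_first=True):
    """Return (scrubbed_copy, dropped_keys); data itself is not modified."""
    pattern, dropped = build_pattern(data, secret_keys, min_len, longest_first)
    out = {}
    for key, value in data.items():
        if key in dropped:
            continue                              # short secret: leave the key out
        if pattern is not None and isinstance(value, str):
            value = pattern.sub(MASK, value)
        out[key] = value
    return out, dropped


def remaining_leaks(scrubbed, original, secret_keys):
    """Names of secret variables whose raw value still occurs in the output."""
    values = [v for v in scrubbed.values() if isinstance(v, str)]
    leaks = []
    for key in secret_keys:
        secret = original.get(key)
        if isinstance(secret, str) and len(secret) >= 2:
            if any(secret in v for v in values):
                leaks.append(key)
    return leaks


# Constructed stand-in for a parsed testdata.json (hypothetical except where noted).
SAMPLE = {
    "SSTATE_SERVER_PATH": "HKBOZ8C279S4iwBA",            # sample value from the commit message
    "SSTATE_SERVER_SESSION": "HKBOZ8C279S4iwBA-sess01",  # constructed: shares a prefix
    "DEPENDENCYTRACK_API_KEY": "odt/Key+0123=",          # constructed: needs URL encoding
    "SHORT_PIN": "4711xy",                               # constructed: below the threshold
    "UNSET_TOKEN": "-",                                  # placeholder, as in the bbclass
    "SSTATE_MIRRORS": "... https://sstate/api/v1/download/HKBOZ8C279S4iwBA/sstate/...",
    "SESSION_HEADER": "X-Session: HKBOZ8C279S4iwBA-sess01",
    "UPLOAD_URL": "https://dtrack.example/api?key=odt%2FKey%2B0123%3D",
    "MACHINE": "qemux86-64",
}
SECRET_KEYS = ["SSTATE_SERVER_PATH", "SSTATE_SERVER_SESSION",
               "DEPENDENCYTRACK_API_KEY", "SHORT_PIN", "UNSET_TOKEN"]

if __name__ == "__main__":
    clean, dropped = scrub(SAMPLE, SECRET_KEYS)
    for name, value in clean.items():
        print(f"{name}: {value}")
    print("dropped:", dropped)
    print("leaks:", remaining_leaks(clean, SAMPLE, SECRET_KEYS))
```

`remaining_leaks` only detects a secret that survives in full; the partial leak caused by unordered alternation shows up when `scrub` is called with `longest_first=False`.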



Re: [OE-core] [PATCH] oe.data: allow to mask out secret variables

2023-07-26 Thread Alexander Kanavin
Please no. These things can leak out in a million other ways (e.g. if
you publish logs), it's better to just scrub them prior to publishing
with a post-script. Having secrets in bitbake variables is a bad idea
to begin with.

Alex

On Wed, 26 Jul 2023 at 13:10, Enrico Scholz via lists.openembedded.org
 wrote:
>
> From: Enrico Scholz 
>
> Some integrations require that passwords or secret tokens are
> assigned to bitbake variables.  E.g. the meta-dependencytrack
> layer has a 'DEPENDENCYTRACK_API_KEY' or my sstate-server requires
> a 'SSTATE_SERVER_SESSION' token.
>
> These secrets will appear in testdata.json which can easily leak them
> when the deploy directory is published publicly.
>
> Patch adds a special 'secrets' flag for variables.  When a variable is
> marked with it, its content will be replaced by '**masked**'.
>
> E.g. formerly
>
> |"SSTATE_SERVER_PATH": "HKBOZ8C279S4iwBA",
> |"SSTATE_MIRRORS": "... 
> https://sstate/api/v1/download/HKBOZ8C279S4iwBA/sstate/...
>
> and now
>
> |"SSTATE_SERVER_PATH": "**masked**",
> |"SSTATE_MIRRORS": "... 
> https://sstate/api/v1/download/**masked**/sstate
>
> Corresponding bbclass contains
>
> | SSTATE_SERVER_PATH ??= "-"
> | SSTATE_SERVER_PATH[secret] = "true"
>
> Signed-off-by: Enrico Scholz 
> ---
>  meta/lib/oe/data.py | 29 +++--
>  1 file changed, 27 insertions(+), 2 deletions(-)
>
> diff --git a/meta/lib/oe/data.py b/meta/lib/oe/data.py
> index 37121cfad2b7..57a8e5b5e049 100644
> --- a/meta/lib/oe/data.py
> +++ b/meta/lib/oe/data.py
> @@ -5,7 +5,9 @@
>  #
>
>  import json
> +import re
>  import oe.maketype
> +import oe.types
>
>  def typed_value(key, d):
>  """Construct a value for the specified metadata variable, using its flags
> @@ -23,9 +25,10 @@ def typed_value(key, d):
>  except (TypeError, ValueError) as exc:
>  bb.msg.fatal("Data", "%s: %s" % (key, str(exc)))
>
> -def export2json(d, json_file, expand=True, searchString="",replaceString=""):
> +def export2json(d, json_file, expand=True, searchString="",replaceString="", 
> mask_secrets=True):
>  data2export = {}
>  keys2export = []
> +secrets = []
>
>  for key in d.keys():
>  if key.startswith("_"):
> @@ -38,12 +41,34 @@ def export2json(d, json_file, expand=True, 
> searchString="",replaceString=""):
>  continue
>  elif d.getVarFlag(key, "func"):
>  continue
> +elif mask_secrets and oe.types.boolean(d.getVarFlag(key, "secret") 
> or "false"):
> +var = d.getVar(key)
> +
> +## When secret variable contains a placeholder (is empty
> +## or single character), show it.  When it is too short
> +## emit a warning and exclude it completely from output
> +## but do not mask out its value in other places.
> +if var is None or len(var) < 2:
> +bb.debug(1, "variable '%s' is marked as secret but seems to 
> contain some placeholder; showing it" % key)
> +elif len(var) < 8:
> +bb.warn("variable '%s' is marked as secret but content is 
> too short; skipping it" % key)
> +continue
> +else:
> +secrets.append(re.escape(var))
>
>  keys2export.append(key)
>
> +if len(secrets) == 0:
> +secrets = None
> +else:
> +secrets = re.compile('|'.join(secrets))
> +
>  for key in keys2export:
>  try:
> -data2export[key] = d.getVar(key, 
> expand).replace(searchString,replaceString)
> +var = d.getVar(key, expand).replace(searchString,replaceString)
> +if secrets:
> +var = secrets.sub("**masked**", var)
> +data2export[key] = var
>  except bb.data_smart.ExpansionError:
>  data2export[key] = ''
>  except AttributeError:
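Review bot: the secret is collected with `d.getVar(key)` but the export loop reads values with `d.getVar(key, expand)` and applies `.replace(searchString,replaceString)` before `secrets.sub(...)`; whenever those two forms of the value differ, the compiled pattern no longer matches and the value is written unmasked. Collect and mask on the same form of the value, and mask before the search/replace step.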
> --
> 2.41.0
>
>
> 
>

View/Reply Online (#184877): https://lists.openembedded.org/g/openembedded-core/message/184877



[OE-core] [PATCH] oe.data: allow to mask out secret variables

2023-07-26 Thread Enrico Scholz via lists.openembedded.org
From: Enrico Scholz 

Some integrations require that passwords or secret tokens are
assigned to bitbake variables.  E.g. the meta-dependencytrack
layer has a 'DEPENDENCYTRACK_API_KEY' or my sstate-server requires
a 'SSTATE_SERVER_SESSION' token.

These secrets will appear in testdata.json which can easily leak them
when the deploy directory is published publicly.

Patch adds a special 'secrets' flag for variables.  When a variable is
marked with it, its content will be replaced by '**masked**'.

E.g. formerly

|"SSTATE_SERVER_PATH": "HKBOZ8C279S4iwBA",
|"SSTATE_MIRRORS": "... 
https://sstate/api/v1/download/HKBOZ8C279S4iwBA/sstate/...

and now

|"SSTATE_SERVER_PATH": "**masked**",
|"SSTATE_MIRRORS": "... 
https://sstate/api/v1/download/**masked**/sstate

Corresponding bbclass contains

| SSTATE_SERVER_PATH ??= "-"
| SSTATE_SERVER_PATH[secret] = "true"

Signed-off-by: Enrico Scholz 
---
 meta/lib/oe/data.py | 29 +++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/meta/lib/oe/data.py b/meta/lib/oe/data.py
index 37121cfad2b7..57a8e5b5e049 100644
--- a/meta/lib/oe/data.py
+++ b/meta/lib/oe/data.py
@@ -5,7 +5,9 @@
 #
 
 import json
+import re
 import oe.maketype
+import oe.types
 
 def typed_value(key, d):
 """Construct a value for the specified metadata variable, using its flags
@@ -23,9 +25,10 @@ def typed_value(key, d):
 except (TypeError, ValueError) as exc:
 bb.msg.fatal("Data", "%s: %s" % (key, str(exc)))
 
-def export2json(d, json_file, expand=True, searchString="",replaceString=""):
+def export2json(d, json_file, expand=True, searchString="",replaceString="", 
mask_secrets=True):
 data2export = {}
 keys2export = []
+secrets = []
 
 for key in d.keys():
 if key.startswith("_"):
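Review bot: the new `mask_secrets=True` keyword on export2json() is undocumented and on by default; a docstring naming the `secret` varflag and the `**masked**` replacement would help callers. The commit message calls the flag 'secrets' while the bbclass example uses `SSTATE_SERVER_PATH[secret]`, so one of the two needs correcting.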
@@ -38,12 +41,34 @@ def export2json(d, json_file, expand=True, 
searchString="",replaceString=""):
 continue
 elif d.getVarFlag(key, "func"):
 continue
+elif mask_secrets and oe.types.boolean(d.getVarFlag(key, "secret") or 
"false"):
+var = d.getVar(key)
+
+## When secret variable contains a placeholder (is empty
+## or single character), show it.  When it is too short
+## emit a warning and exclude it completely from output
+## but do not mask out its value in other places.
+if var is None or len(var) < 2:
+bb.debug(1, "variable '%s' is marked as secret but seems to 
contain some placeholder; showing it" % key)
+elif len(var) < 8:
+bb.warn("variable '%s' is marked as secret but content is too 
short; skipping it" % key)
+continue
+else:
+secrets.append(re.escape(var))
 
 keys2export.append(key)
 
+if len(secrets) == 0:
+secrets = None
+else:
+secrets = re.compile('|'.join(secrets))
+
 for key in keys2export:
 try:
-data2export[key] = d.getVar(key, 
expand).replace(searchString,replaceString)
+var = d.getVar(key, expand).replace(searchString,replaceString)
+if secrets:
+var = secrets.sub("**masked**", var)
+data2export[key] = var
 except bb.data_smart.ExpansionError:
 data2export[key] = ''
 except AttributeError:
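Review bot: in `secrets = re.compile('|'.join(secrets))` the alternatives are joined in collection order, and regex alternation takes the first alternative that matches, so when one secret is a prefix of another the shorter one can win and the tail of the longer one stays in testdata.json; sort the escaped values longest-first before joining. The `len(var) < 8` branch also leaves a short secret unmasked wherever other variables embed it, as the comment says, so the bb.warn text should state that instead of only 'skipping it'.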
-- 
2.41.0


View/Reply Online (#184876): https://lists.openembedded.org/g/openembedded-core/message/184876



Re: [OE-Core][PATCH v11][master-next 1/5] package_ipk.bbclass: add support for ACLs and xattr

2023-07-26 Thread Piotr Łobacz

Hi Alexandre, Alex,
Thx for supporting me, I have finally discovered the issue regarding these 
package differences.
It occurred that I was badly comparing two strings for tarformat comparison. 
Now it is fixed and should finally work.

This has been additionally tested with oe-selftest -r reproducible.

BR
Piotr

From: Piotr Łobacz 
Sent: Wednesday, 26 July 2023 11:22
To: openembedded-core@lists.openembedded.org 
Cc: Piotr Łobacz 
Subject: [OE-Core][PATCH v11][master-next 1/5] package_ipk.bbclass: add support 
for ACLs and xattr 
 
Extend OPKGBUILDCMD variable, with additional parameters, depending
on target distro features, in order to support ACLs and xattr.

With fix pushed to the opkg-devel:
https://groups.google.com/g/opkg-devel/c/dYNHrLjDwg8
opkg-build is able to create tar archives with ACLs and xattr.

Signed-off-by: Piotr Łobacz 
---
 meta/classes-global/package_ipk.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes-global/package_ipk.bbclass 
b/meta/classes-global/package_ipk.bbclass
index b4b7bc9ac2..a0f106e4ad 100644
--- a/meta/classes-global/package_ipk.bbclass
+++ b/meta/classes-global/package_ipk.bbclass
@@ -15,7 +15,7 @@ IPKGCONF_SDK_TARGET = "${WORKDIR}/opkg-sdk-target.conf"
 PKGWRITEDIRIPK = "${WORKDIR}/deploy-ipks"
 
 # Program to be used to build opkg packages
-OPKGBUILDCMD ??= 'opkg-build -Z xz -a "${XZ_DEFAULTS}"'
+OPKGBUILDCMD ??= 'opkg-build -Z xz -a "${XZ_DEFAULTS}" 
${@bb.utils.contains('DISTRO_FEATURES', 'acl', '-A', '', d)} 
${@bb.utils.contains('DISTRO_FEATURES', 'xattr', '-X', '', d)}'
 
 OPKG_ARGS += "--force_postinstall --prefer-arch-to-version"
 OPKG_ARGS += "${@['', 
'--no-install-recommends'][d.getVar("NO_RECOMMENDATIONS") == "1"]}"
-- 
2.34.1

View/Reply Online (#184875): https://lists.openembedded.org/g/openembedded-core/message/184875



[OE-Core][PATCH v11][master-next 2/5] package.bbclass: add support for ACLs and xattr

2023-07-26 Thread Piotr Łobacz
Extend `tar` command, with additional parameters, depending
on chosen package class and target distro features, in order
to support ACLs and xattr.

Currently only `package_ipk` supports fully ACLs and xattr.

Signed-off-by: Piotr Łobacz 
---
 meta/classes-global/package.bbclass | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/meta/classes-global/package.bbclass 
b/meta/classes-global/package.bbclass
index e8055a9cdc..6e5d0dd4dc 100644
--- a/meta/classes-global/package.bbclass
+++ b/meta/classes-global/package.bbclass
@@ -342,8 +342,13 @@ python perform_packagecopy () {
 
 # Start by package population by taking a copy of the installed
 # files to operate on
-# Preserve sparse files and hard links
-cmd = 'tar --exclude=./sysroot-only -cf - -C %s -p -S . | tar -xf - -C %s' 
% (dest, dvar)
+# Preserve sparse files, hard links, ACLs and extended attributes
+# TODO: for the moment only ipk packages are supporting ACLs and extended 
attributes
+# we need to add support for other package systems as well, but that 
doesn't bother
+# tar from creating archives with acl and/or xattr support
+acl = bb.utils.contains('DISTRO_FEATURES', 'acl', '--acls', '', d)
+xattr = bb.utils.contains('DISTRO_FEATURES', 'xattr', '--xattrs', '', d)
+cmd = f'tar {acl} {xattr} --numeric-owner --exclude=./sysroot-only -cf - 
-C {dest} -p -S . | tar {acl} {xattr} -xf - -C {dvar}'
 subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
 
 # replace RPATHs for the nativesdk binaries, to make them relocatable
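Review bot: `--numeric-owner` is added to the creating tar in `cmd` without being mentioned in the commit message or in the comment above it, and the extracting tar does not get it; please explain why it is needed on one side only. Also confirm the extracting side restores every attribute namespace the series relies on, since only `--xattrs` is passed and no `--xattrs-include` pattern is given.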
-- 
2.34.1


View/Reply Online (#184871): https://lists.openembedded.org/g/openembedded-core/message/184871



[OE-Core][PATCH v11][master-next 3/5] opkg-utils: add acl and xattr support

2023-07-26 Thread Piotr Łobacz
Add support for tar archives created with --acls and/or --xattrs options,
PAX header format.

GNU tar and libarchive already support ACLs and extended attributes.
We can now add this support as well to opkg-build script in order to use
fsetattr or setcap inside do_install command and end up with a file in
an image with the relevant ACLs and xattrs.

Signed-off-by: Piotr Łobacz 
---
 ...kg-build-Add-acls-and-xattrs-support.patch | 164 ++
 .../opkg-utils/opkg-utils_0.6.2.bb|   1 +
 2 files changed, 165 insertions(+)
 create mode 100644 
meta/recipes-devtools/opkg-utils/opkg-utils/0002-opkg-build-Add-acls-and-xattrs-support.patch

diff --git 
a/meta/recipes-devtools/opkg-utils/opkg-utils/0002-opkg-build-Add-acls-and-xattrs-support.patch
 
b/meta/recipes-devtools/opkg-utils/opkg-utils/0002-opkg-build-Add-acls-and-xattrs-support.patch
new file mode 100644
index 00..7e88c1754c
--- /dev/null
+++ 
b/meta/recipes-devtools/opkg-utils/opkg-utils/0002-opkg-build-Add-acls-and-xattrs-support.patch
@@ -0,0 +1,164 @@
+From 03931040018a0e3cc34e4c93a625f3671ff1a980 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Piotr=20=C5=81obacz?= 
+Date: Wed, 5 Jul 2023 10:31:13 +0200
+Subject: [PATCH] opkg-build: Add acls and xattrs support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add support for tar archives created with --acls and/or --xattrs options,
+PAX header format.
+
+GNU tar and libarchive already supports ACLs and extended attributes.
+We can now add this support as well to opkg-build script in order to use
+fsetattr or setcap inside do_install command and end up with a file in
+an image with the relevant ACLs and xattrs.
+
+Upstream-Status: Submitted 
[https://groups.google.com/g/opkg-devel/c/dYNHrLjDwg8]
+
+[1] https://bugzilla.yoctoproject.org/show_bug.cgi?id=15097
+[2] https://groups.google.com/g/opkg-devel/c/aEGL7XRXfaA
+
+Signed-off-by: Piotr Łobacz 
+---
+ opkg-build | 76 +++---
+ 1 file changed, 50 insertions(+), 26 deletions(-)
+
+diff --git a/opkg-build b/opkg-build
+index a9e45d4..47ac1a8 100755
+--- a/opkg-build
 b/opkg-build
+@@ -145,6 +145,7 @@ You probably want to chown these to a system user: " >&2
+ ###
+ # opkg-build "main"
+ ###
++attributesargs=""
+ ogargs=""
+ outer=ar
+ noclean=0
+@@ -153,22 +154,6 @@ compressor=gzip
+ zipargs="-9n"
+ compressorargs=""
+ 
+-# Determine if tar supports the --format argument by checking the help output.
+-#
+-# This is needed because:
+-#- Busybox tar doesn't support '--format'
+-#- On some Linux distros, tar now defaults to posix format if '--format'
+-#  isn't explicitly specified
+-#- Opkg doesn't currently support posix format archives
+-#
+-# It's easier to check for mention of the '--format' option than to detect the
+-# tar implementation and maintain a list of which support '--format'.
+-tarformat=""
+-if tar --help 2>&1 | grep -- "--format" > /dev/null;
+-then
+-tarformat="--format=gnu"
+-fi
+-
+ compressor_ext() {
+ case $1 in
+   gzip|pigz)
+@@ -197,13 +182,17 @@ compressor_ext() {
+ : <<=cut
+ =head1 SYNOPSIS
+ 
+-B [B<-c>] [B<-C>] [B<-Z> I] [B<-a>] [B<-O>] [B<-o> 
I] [B<-g> I] I [I]
++B [B<-A>] [B<-X>] [B<-c>] [B<-C>] [B<-Z> I] [B<-a>] 
[B<-O>] [B<-o> I] [B<-g> I] I 
[I]
+ 
+ =cut
+ 
+-usage="Usage: $0 [-c] [-C] [-Z compressor] [-a compressor_args] [-O] [-o 
owner] [-g group]  []"
+-while getopts "a:cCg:ho:vOZ:" opt; do
++usage="Usage: $0 [-A] [-X] [-c] [-C] [-Z compressor] [-a compressor_args] 
[-O] [-o owner] [-g group]  []"
++while getopts "Aa:cCg:ho:vOXZ:" opt; do
+ case $opt in
++A ) attributesargs="--acls"
++;;
++X ) attributesargs="$attributesargs --xattrs"
++;;
+   o ) owner=$OPTARG
+   ogargs="--owner=$owner"
+   ;;
+@@ -232,6 +221,31 @@ while getopts "a:cCg:ho:vOZ:" opt; do
+ esac
+ done
+ 
++# Determine if tar supports the --format argument by checking the help output.
++#
++# This is needed because:
++#- Busybox tar doesn't support '--format'
++#- On some Linux distros, tar now defaults to posix format if '--format'
++#  isn't explicitly specified
++#- Opkg doesn't currently support posix format archives
++#
++# It's easier to check for mention of the '--format' option than to detect the
++# tar implementation and maintain a list of which support '--format'.
++tarformat=""
++if tar --help 2>&1 | grep -- "--format" > /dev/null;
++then
++# For ACLs or xattr support, gnu format will not work
++# we need to set posix format instead
++if [ ! -z "$attributesargs" ] ; then
++  tarformat="--format=posix"
++else
++  tarformat="--format=gnu"
++fi
++elif [ ! -z "$attributesargs" ] ; then
++  echo "*** Error: Attributes: $attributesargs, doesn't' work, without 
posix format, which is not supported by tar command." >&2
++  exit 1
++fi
++
+ cext=$(compressor_ext 
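Review bot: in the getopts loop `A )` assigns `attributesargs="--acls"` while `X )` appends to the variable, so `-X -A` drops `--xattrs` and only the order `-A -X` works; make both branches append. The relocated comment still says 'Opkg doesn't currently support posix format archives' although the new branch selects `--format=posix` whenever attributes are requested, and the error string has a stray quote in `doesn't'`.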

[OE-Core][PATCH v11][master-next 5/5] opkg: set locale from system environment variables

2023-07-26 Thread Piotr Łobacz
A C program inherits its locale environment variables when it starts up.
This happens automatically. However, these variables do not automatically
control the locale used by the library functions, because ISO C says that
all programs start by default in the standard ‘C’ locale.

Fixes warnings:
Warning when reading ar archive header: Pathname can't be converted from UTF-8 
to current locale. (errno=84)

Signed-off-by: Piotr Łobacz 
---
 ...le-from-system-environment-variables.patch | 48 +++
 meta/recipes-devtools/opkg/opkg_0.6.2.bb  |  1 +
 2 files changed, 49 insertions(+)
 create mode 100644 
meta/recipes-devtools/opkg/opkg/0003-opkg-set-locale-from-system-environment-variables.patch

diff --git 
a/meta/recipes-devtools/opkg/opkg/0003-opkg-set-locale-from-system-environment-variables.patch
 
b/meta/recipes-devtools/opkg/opkg/0003-opkg-set-locale-from-system-environment-variables.patch
new file mode 100644
index 00..71240ec8fd
--- /dev/null
+++ 
b/meta/recipes-devtools/opkg/opkg/0003-opkg-set-locale-from-system-environment-variables.patch
@@ -0,0 +1,48 @@
+From 712895b1914bf63ee4d669863bfd106814329076 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Piotr=20=C5=81obacz?= 
+Date: Wed, 19 Jul 2023 21:26:09 +0200
+Subject: [PATCH] opkg: set locale from system environment variables
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A C program inherits its locale environment variables when it starts up.
+This happens automatically. However, these variables do not automatically
+control the locale used by the library functions, because ISO C says that
+all programs start by default in the standard ‘C’ locale.
+
+Fixes warnings:
+Warning when reading ar archive header: Pathname can't be converted from UTF-8 
to current locale. (errno=84)
+
+Upstream-Status: Submitted 
[https://groups.google.com/g/opkg-devel/c/16kgZfJ26mQ]
+
+[1] https://www.gnu.org/software/libc/manual/html_node/Setting-the-Locale.html
+
+Signed-off-by: Piotr Łobacz 
+---
+ src/opkg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/opkg.c b/src/opkg.c
+index 544c58a..0c729ff 100644
+--- a/src/opkg.c
 b/src/opkg.c
+@@ -27,6 +27,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ 
+ #include "opkg_conf.h"
+ #include "opkg_cmd.h"
+@@ -408,6 +409,7 @@ int main(int argc, char *argv[])
+ if (opkg_conf_init())
+ goto err0;
+ 
++setlocale(LC_ALL, "");
+ opkg_config->verbosity = NOTICE;
+ 
+ opts = args_parse(argc, argv);
+-- 
+2.34.1
+
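Review bot: `setlocale(LC_ALL, "")` in main() switches every locale category and its return value is ignored, although the warning being fixed is a pathname charset conversion; consider setting `LC_CTYPE` only, or explain why the other categories are wanted, and handle a NULL return so that an invalid LANG/LC_* setting does not silently leave the process in the 'C' locale with the warning still present.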
diff --git a/meta/recipes-devtools/opkg/opkg_0.6.2.bb 
b/meta/recipes-devtools/opkg/opkg_0.6.2.bb
index d7dc6ab715..3b5d51d74a 100644
--- a/meta/recipes-devtools/opkg/opkg_0.6.2.bb
+++ b/meta/recipes-devtools/opkg/opkg_0.6.2.bb
@@ -16,6 +16,7 @@ SRC_URI = 
"http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz
file://opkg.conf \

file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \
file://0002-Add-options-to-enable-support-for-acl-and-xattr.patch \
+   file://0003-opkg-set-locale-from-system-environment-variables.patch 
\
file://run-ptest \
"
 
-- 
2.34.1


View/Reply Online (#184874): https://lists.openembedded.org/g/openembedded-core/message/184874



[OE-Core][PATCH v11][master-next 4/5] opkg: add options to enable support for acl and xattr

2023-07-26 Thread Piotr Łobacz
The libarchive library, which is being used by opkg, supports ACLs
and xattr already.

More information can be read at this link:
https://github.com/libarchive/libarchive/pull/691

Signed-off-by: Piotr Łobacz 
---
 ...-to-enable-support-for-acl-and-xattr.patch | 70 +++
 meta/recipes-devtools/opkg/opkg_0.6.2.bb  |  5 +-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 
meta/recipes-devtools/opkg/opkg/0002-Add-options-to-enable-support-for-acl-and-xattr.patch

diff --git 
a/meta/recipes-devtools/opkg/opkg/0002-Add-options-to-enable-support-for-acl-and-xattr.patch
 
b/meta/recipes-devtools/opkg/opkg/0002-Add-options-to-enable-support-for-acl-and-xattr.patch
new file mode 100644
index 00..d6cb1d79fb
--- /dev/null
+++ 
b/meta/recipes-devtools/opkg/opkg/0002-Add-options-to-enable-support-for-acl-and-xattr.patch
@@ -0,0 +1,70 @@
+From 1c935e994bd572d9fff436f660ac1a060a434df0 Mon Sep 17 00:00:00 2001
+From: Maciej Liszewski 
+Date: Tue, 4 Jul 2023 22:01:58 +0200
+Subject: [PATCH] Add options to enable support for acl and xattr
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The libarchive library, which is being used by opkg, supports ACLs
+and xattr already.
+
+More informations can be read at this link:
+https://github.com/libarchive/libarchive/pull/691
+
+Upstream-Status: Accepted 
[https://groups.google.com/g/opkg-devel/c/aEGL7XRXfaA]
+
+[1] https://bugzilla.yoctoproject.org/show_bug.cgi?id=15097
+
+Signed-off-by: Maciej Liszewski 
+Signed-off-by: Piotr Łobacz 
+---
+ configure.ac   | 12 
+ libopkg/opkg_archive.c |  8 
+ 2 files changed, 20 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 389a818..46949cd 100644
+--- a/configure.ac
 b/configure.ac
+@@ -158,6 +158,18 @@ return OPENSSL_VERSION_NUMBER; ],
+   AC_SUBST(OPENSSL_LIBS)
+ fi
+ 
++# check for ACL support
++AC_ARG_WITH([acl], [AS_HELP_STRING([--with-acl], [Enable ACL support])])
++if test "x$with_acl" = "xyes"; then
++  AC_DEFINE([ENABLE_ACL], [1], [Enable ACL support])
++fi
++
++# check for xattr support
++AC_ARG_WITH([xattr], [AS_HELP_STRING([--with-xattr], [Enable xattr support])])
++if test "x$with_xattr" = "xyes"; then
++  AC_DEFINE([ENABLE_XATTR], [1], [Enable xattr support])
++fi
++
+ # check for libsolv solver
+ AC_ARG_WITH(libsolv, AC_HELP_STRING([--with-libsolv], [Use libsolv solver 
support.
+   ]), [], [with_libsolv="no"])
+diff --git a/libopkg/opkg_archive.c b/libopkg/opkg_archive.c
+index 03a4afb..8dd902d 100644
+--- a/libopkg/opkg_archive.c
 b/libopkg/opkg_archive.c
+@@ -912,6 +912,14 @@ struct opkg_ar *ar_open_pkg_data_archive(const char 
*filename)
+ ar->extract_flags = ARCHIVE_EXTRACT_OWNER | ARCHIVE_EXTRACT_PERM |
+ ARCHIVE_EXTRACT_TIME | ARCHIVE_EXTRACT_UNLINK | 
ARCHIVE_EXTRACT_NO_OVERWRITE;
+ 
++#ifdef ENABLE_ACL
++ar->extract_flags |= ARCHIVE_EXTRACT_ACL;
++#endif
++
++#ifdef ENABLE_XATTR
++ar->extract_flags |= ARCHIVE_EXTRACT_FFLAGS | ARCHIVE_EXTRACT_XATTR;
++#endif
++
+ if (opkg_config->ignore_uid)
+ ar->extract_flags &= ~ARCHIVE_EXTRACT_OWNER;
+ 
+-- 
+2.34.1
+
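Review bot: under `#ifdef ENABLE_XATTR` the hunk in ar_open_pkg_data_archive() sets `ARCHIVE_EXTRACT_FFLAGS` as well as `ARCHIVE_EXTRACT_XATTR`; file flags are not mentioned in the commit message or in the `--with-xattr` help string, so either drop FFLAGS or document that the switch enables both. The two new `AC_ARG_WITH` blocks in configure.ac also give no default action, unlike the `--with-libsolv` check directly below them.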
diff --git a/meta/recipes-devtools/opkg/opkg_0.6.2.bb 
b/meta/recipes-devtools/opkg/opkg_0.6.2.bb
index 46be137354..d7dc6ab715 100644
--- a/meta/recipes-devtools/opkg/opkg_0.6.2.bb
+++ b/meta/recipes-devtools/opkg/opkg_0.6.2.bb
@@ -15,6 +15,7 @@ PE = "1"
 SRC_URI = 
"http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz \
file://opkg.conf \

file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \
+   file://0002-Add-options-to-enable-support-for-acl-and-xattr.patch \
file://run-ptest \
"
 
@@ -30,8 +31,10 @@ inherit autotools pkgconfig ptest
 target_localstatedir := "${localstatedir}"
 OPKGLIBDIR ??= "${target_localstatedir}/lib"
 
-PACKAGECONFIG ??= "libsolv"
+PACKAGECONFIG ??= "libsolv ${@bb.utils.filter('DISTRO_FEATURES', 'acl xattr', 
d)}"
 
+PACKAGECONFIG[acl] = "--with-acl,--without-acl"
+PACKAGECONFIG[xattr] = "--with-xattr,--without-xattr"
 PACKAGECONFIG[gpg] = "--enable-gpg,--disable-gpg,\
 gnupg gpgme libgpg-error,\
 ${@ "gnupg" if ("native" in d.getVar("PN")) else "gnupg-gpg"}\
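Review bot: `PACKAGECONFIG[acl]` and `PACKAGECONFIG[xattr]` carry only configure switches, and the default is derived from DISTRO_FEATURES with `??=`; please confirm that the native variant of this recipe (the `gpg` entry below already special-cases "native" in PN) ends up with the same acl/xattr settings as the target build, since both variants read the same package archives.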
-- 
2.34.1


View/Reply Online (#184873): https://lists.openembedded.org/g/openembedded-core/message/184873



[OE-Core][PATCH v11][master-next 1/5] package_ipk.bbclass: add support for ACLs and xattr

2023-07-26 Thread Piotr Łobacz
Extend OPKGBUILDCMD variable, with additional parameters, depending
on target distro features, in order to support ACLs and xattr.

With fix pushed to the opkg-devel:
https://groups.google.com/g/opkg-devel/c/dYNHrLjDwg8
opkg-build is able to create tar archives with ACLs and xattr.

Signed-off-by: Piotr Łobacz 
---
 meta/classes-global/package_ipk.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes-global/package_ipk.bbclass 
b/meta/classes-global/package_ipk.bbclass
index b4b7bc9ac2..a0f106e4ad 100644
--- a/meta/classes-global/package_ipk.bbclass
+++ b/meta/classes-global/package_ipk.bbclass
@@ -15,7 +15,7 @@ IPKGCONF_SDK_TARGET = "${WORKDIR}/opkg-sdk-target.conf"
 PKGWRITEDIRIPK = "${WORKDIR}/deploy-ipks"
 
 # Program to be used to build opkg packages
-OPKGBUILDCMD ??= 'opkg-build -Z xz -a "${XZ_DEFAULTS}"'
+OPKGBUILDCMD ??= 'opkg-build -Z xz -a "${XZ_DEFAULTS}" 
${@bb.utils.contains('DISTRO_FEATURES', 'acl', '-A', '', d)} 
${@bb.utils.contains('DISTRO_FEATURES', 'xattr', '-X', '', d)}'
 
 OPKG_ARGS += "--force_postinstall --prefer-arch-to-version"
 OPKG_ARGS += "${@['', 
'--no-install-recommends'][d.getVar("NO_RECOMMENDATIONS") == "1"]}"
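Review bot: the new OPKGBUILDCMD default passes `-A`/`-X` to opkg-build, but those options only exist once 3/5 patches opkg-utils, so with acl or xattr in DISTRO_FEATURES the build is broken between 1/5 and 3/5; reorder the series so the opkg-utils change lands first. Because the assignment is `??=`, any configuration that already sets OPKGBUILDCMD will silently not get the new flags, which deserves a line in the commit message.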
-- 
2.34.1


View/Reply Online (#184870): https://lists.openembedded.org/g/openembedded-core/message/184870



Re: [OE-core] Toolchain test results

2023-07-26 Thread Richard Purdie
On Wed, 2023-07-26 at 06:00 +, Mittal, Anuj wrote:
> On Thu, 2023-07-20 at 12:26 +0100, Richard Purdie wrote:
> > On Tue, 2023-07-18 at 10:14 +0100, Richard Purdie via
> > lists.openembedded.org wrote:
> > > qemuarm has ~350 failures
> > > qemuarm64 has ~350 failures
> > > qemux86-64 has ~4000 (3900 in glibc)
> > > qemux86 has ~4000 (3500 in glibc)
> > > qemuppc has ~600 failures
> > > qemumips64 has ~5000 failures (all over)
> > > qemumips has ~1600 failures
> > > 
> > > Anuj: Can Intel look into the glibc test failures on x86?
> > 
> > I realised the glibc issues were due to the network being disabled for
> > the tests and have sent a patch to fix that. That reduces the failures
> > from ~3900 to ~330. We should really try and reduce that further but it
> > is a start!
> > 
> 
> A lot of locale/iconv tests seemed to be failing when calling write
> with large buffers/files over NFS. Some of others were triggering OOM.
> 
> I ran the tests again after making a few changes:
> 
> https://autobuilder.yocto.io/pub/non-release/20230726-11/testresults/qemux86-64-tc/
> 
> After switching NFS mount to TCP and increasing the memory available to
> 1024, the number of tests failed came down to 69.
> 
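> ==========================================================
> qemux86-64 PTest Result Summary
> ==========================================================
> ----------------------------------------------------------
> Recipe           | Passed | Failed | Skipped | Time(s)
> ----------------------------------------------------------
> binutils         | 289    | 0      | 8       | -
> binutils-gas     | 1582   | 4      | 1       | -
> binutils-ld      | 1622   | 6      | 111     | -
> gcc              | 149696 | 28     | 27599   | -
> gcc-g++          | 219260 | 30     | 21108   | -
> gcc-libatomic    | 27     | 1      | 27      | -
> gcc-libgomp      | 3426   | 1      | 1962    | -
> gcc-libitm       | 24     | 1      | 24      | -
> gcc-libstdc++-v3 | 9695   | 32     | 5459    | -
> glibc            | 4984   | 69     | 147     | -
> rust             | 15768  | 0      | 554     | -
> ----------------------------------------------------------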

That looks like really good progress, thanks Anuj!

I think we might rebuild M2 to allow for some of the resulttool, ltp
and other test fixes to make it in. I want to look into this 32 bit arm
regression first to see what is going on there. If you're able to send
some of these out we should pull them in and improve the failures for
glibc too.

Cheers,

Richard






[OE-core] [kirkstone] cherry-pick kernel: add missing path to search for debug files

2023-07-26 Thread Adrian Freihofer
Hello Steve

I would like to ask you to cherry-pick commit
8252367023b31d923c6031280843cdd35050df56 to kirkstone.

We are using it successfully and it's a trivial fix. The original
discussion is here:
https://lists.openembedded.org/g/openembedded-core/topic/88532225#160734

Thank you and best regards,
Adrian




[OE-core] [mickledore][PATCH] cups: Fix CVE-2023-34241

2023-07-26 Thread Yu, Mingli
From: Mingli Yu 

Backport patch [1] to fix CVE-2023-34241.

[1] 
https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2

Signed-off-by: Mingli Yu 
---
 meta/recipes-extended/cups/cups.inc   |  1 +
 .../cups/cups/CVE-2023-34241.patch| 70 +++
 2 files changed, 71 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-34241.patch

diff --git a/meta/recipes-extended/cups/cups.inc 
b/meta/recipes-extended/cups/cups.inc
index d77758fd3f..c6a676b747 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -16,6 +16,7 @@ SRC_URI = 
"${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://volatiles.99_cups \
file://cups-volatiles.conf \
file://CVE-2023-32324.patch \
+   file://CVE-2023-34241.patch \
"
 
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases;
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-34241.patch 
b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch
new file mode 100644
index 00..4950ca341d
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch
@@ -0,0 +1,70 @@
+From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
+From: Rose <83477269+ataridre...@users.noreply.github.com>
+Date: Thu, 1 Jun 2023 11:33:39 -0400
+Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
+
+httpClose frees the memory of con->http. This is problematic because 
httpGetHostname then tries to access the memory it points to.
+
+We have to log the hostname first.
+
+CVE: CVE-2023-34241
+
+Upstream-Status: Backport 
[https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2]
+
+Signed-off-by: Mingli Yu 
+---
+ scheduler/client.c | 16 +++-
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 91e441188..327473a4d 100644
+--- a/scheduler/client.c
 b/scheduler/client.c
+@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener 
socket */
+/*
+ * Can't have an unresolved IP address with double-lookups enabled...
+ */
+-
+-httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+-"Name lookup failed - connection from %s closed!",
++"Name lookup failed - closing connection from %s!",
+ httpGetHostname(con->http, NULL, 0));
+ 
++httpClose(con->http);
+ free(con);
+ return;
+   }
+@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener 
socket */
+   * with double-lookups enabled...
+   */
+ 
+-  httpClose(con->http);
+-
+   cupsdLogClient(con, CUPSD_LOG_WARN,
+-  "IP lookup failed - connection from %s closed!",
++  "IP lookup failed - closing connection from %s!",
+   httpGetHostname(con->http, NULL, 0));
++
++  httpClose(con->http);
+   free(con);
+   return;
+ }
+@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener 
socket */
+ 
+   if (!hosts_access(_req))
+   {
+-httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+ "Connection from %s refused by /etc/hosts.allow and "
+   "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 
0));
++
++httpClose(con->http);
+ free(con);
+ return;
+   }
+-- 
+2.25.1
+
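Review bot: The embedded patch's From line names ffd290b4ab247f82722927ba9b21358daa16dbf1, while both Upstream-Status and the commit message reference 9809947a959e18409dcf562a3466ef246cb90cb2; please confirm the backport was generated from the referenced upstream commit, or explain the difference, so the fix stays traceable. The reordering itself is consistent across all three early-exit paths in cupsdAcceptClient(): httpGetHostname(con->http, NULL, 0) is now evaluated for the log call before httpClose(con->http) releases the connection. Two of the warning strings also change wording ("... closed!" becomes "closing connection from %s!"), which matters to anyone matching on the old text in log monitoring.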
-- 
2.35.5





[OE-core] [PATCH v2] nfs-utils: Fix host path contamination building locktest

2023-07-26 Thread Khem Raj
Signed-off-by: Khem Raj 
---
v2: Fix build on ppc32

 ...t-Makefile.am-Do-not-use-build-flags.patch | 36 +
 ...locktest-Use-intmax_t-to-print-off_t.patch | 53 +++
 .../nfs-utils/nfs-utils_2.6.3.bb  |  2 +
 3 files changed, 91 insertions(+)
 create mode 100644 
meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch
 create mode 100644 
meta/recipes-connectivity/nfs-utils/nfs-utils/0001-tools-locktest-Use-intmax_t-to-print-off_t.patch

diff --git 
a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch
 
b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch
new file mode 100644
index 000..351407ddcd4
--- /dev/null
+++ 
b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch
@@ -0,0 +1,36 @@
+From 9efa7a0d37665d9bb0f46d2407883a5ab42c2b84 Mon Sep 17 00:00:00 2001
+From: Khem Raj 
+Date: Mon, 24 Jul 2023 20:39:16 -0700
+Subject: [PATCH] locktest: Makefile.am: Do not use build flags
+
+Using CFLAGS_FOR_BUILD etc. here means it is using wrong flags
+when thse flags are speficied different than target flags which
+is common when cross-building. It can pass wrong paths to linker
+and it would find incompatible libraries during link since they
+are from host system and target maybe not same as build host.
+
+Fixes subtle errors like
+| aarch64-yoe-linux-ld.lld: error: 
/mnt/b/yoe/master/build/tmp/work/cortexa72-cortexa53-crypto-yoe-linux/nfs-utils/2.6.3-r0/recipe-sysroot-native/usr/lib/libsqlite3.so
 is incompatible with elf64-littleaarch64
+
+Upstream-Status: Submitted 
[https://marc.info/?l=linux-nfs=169025681008001=2]
+Signed-off-by: Khem Raj 
+---
+ tools/locktest/Makefile.am | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/tools/locktest/Makefile.am b/tools/locktest/Makefile.am
+index e8914655..2fd36971 100644
+--- a/tools/locktest/Makefile.am
 b/tools/locktest/Makefile.am
+@@ -2,8 +2,5 @@
+ 
+ noinst_PROGRAMS = testlk
+ testlk_SOURCES = testlk.c
+-testlk_CFLAGS=$(CFLAGS_FOR_BUILD)
+-testlk_CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+-testlk_LDFLAGS=$(LDFLAGS_FOR_BUILD)
+ 
+ MAINTAINERCLEANFILES = Makefile.in
+-- 
+2.41.0
+
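Review bot: The OE commit itself has no message body, so the reason for dropping testlk_CFLAGS, testlk_CPPFLAGS and testlk_LDFLAGS is recorded only inside this embedded patch; add a short summary of the host-path contamination to the commit message. In the embedded description, "thse" and "speficied" should be corrected, given the patch is marked Upstream-Status: Submitted. It would also help to state that testlk is meant to be built with the target flags once the *_FOR_BUILD overrides are gone, since noinst_PROGRAMS gives no hint of where it runs.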
diff --git 
a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-tools-locktest-Use-intmax_t-to-print-off_t.patch
 
b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-tools-locktest-Use-intmax_t-to-print-off_t.patch
new file mode 100644
index 000..7d903e04bc1
--- /dev/null
+++ 
b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-tools-locktest-Use-intmax_t-to-print-off_t.patch
@@ -0,0 +1,53 @@
+From e2e9251dbeb452f5382179023d8ae18b511167a1 Mon Sep 17 00:00:00 2001
+From: Khem Raj 
+Date: Tue, 25 Jul 2023 23:47:08 -0700
+Subject: [PATCH] tools/locktest: Use intmax_t to print off_t
+
+off_t could be 64bit on 32bit architectures which means using %z printf
+modifier is not enough to print it and compiler will complain about
+format mismatch
+
+Fixes
+| testlk.c:84:66: error: format '%zd' expects argument of type 'signed 
size_t', but argument 4 has type '__off64_t' {aka 'long long int'} 
[-Werror=format=]
+|84 | printf("%s: conflicting lock by %d on 
(%zd;%zd)\n",
+|   |~~^
+|   |  |
+|   |  int
+|   |%lld
+|85 | fname, fl.l_pid, fl.l_start, 
fl.l_len);
+|   |  ~~
+|   ||
+|   |__off64_t {aka 
long long int}
+
+Upstream-Status: Submitted 
[https://marc.info/?l=linux-nfs=169035457128067=2]
+Signed-off-by: Khem Raj 
+---
+ tools/locktest/testlk.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/locktest/testlk.c b/tools/locktest/testlk.c
+index ea51f788..9d4c88c4 100644
+--- a/tools/locktest/testlk.c
 b/tools/locktest/testlk.c
+@@ -2,6 +2,7 @@
+ #include 
+ #endif
+ 
++#include 
+ #include 
+ #include 
+ #include 
+@@ -81,8 +82,8 @@ main(int argc, char **argv)
+   if (fl.l_type == F_UNLCK) {
+   printf("%s: no conflicting lock\n", fname);
+   } else {
+-  printf("%s: conflicting lock by %d on (%zd;%zd)\n",
+-  fname, fl.l_pid, fl.l_start, fl.l_len);
++  printf("%s: conflicting lock by %d on (%jd;%jd)\n",
++  fname, fl.l_pid, (intmax_t)fl.l_start, 
(intmax_t)fl.l_len);
+   }
+   return 0;
+   }
+-- 
+2.41.0
+
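Review bot: The "v2: Fix build on ppc32" note sits below the --- line and will not survive into git history, and nothing in the commit message says that this second patch was added or why; mention the off_t format fix in the message body. In the testlk.c change, casting fl.l_start and fl.l_len to intmax_t and printing with %jd is the portable form for off_t; just make sure the header added in the first embedded hunk is one that declares intmax_t (stdint.h or inttypes.h), as the include name is not readable here.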
diff --git 

Re: [OE-core][PATCH] meta-networking: cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS

2023-07-26 Thread Peter Marko via lists.openembedded.org
There is already a patch available to convert all of meta-openembedded recipes
https://lists.openembedded.org/g/openembedded-devel/message/103992

Also this is the incorrect mailing list...

Peter




[OE-core] [kirkstone][PATCH] libtiff: fix CVE-2023-26965 heap-based use after free

2023-07-26 Thread Hitendra Prajapati
Upstream-Status: Backport from 
https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf

Signed-off-by: Hitendra Prajapati 
---
 .../libtiff/tiff/CVE-2023-26965.patch | 97 +++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  1 +
 2 files changed, 98 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch
new file mode 100644
index 00..2162493e34
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-26965.patch
@@ -0,0 +1,97 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus 
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
+ Fix issue 527
+
+Reuse of read_buff within loadImage() from previous image is quite unsafe, 
because other functions (like rotateImage() etc.) reallocate that buffer with 
different size without updating the local prev_readsize value.
+
+Closes #527
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
+CVE: CVE-2023-26965
+Signed-off-by: Hitendra Prajapati 
+---
+ tools/tiffcrop.c | 47 +++
+ 1 file changed, 15 insertions(+), 32 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index b811fbb..ce77c74 100644
+--- a/tools/tiffcrop.c
 b/tools/tiffcrop.c
+@@ -6066,9 +6066,7 @@ loadImage(TIFF* in, struct image_data *image, struct 
dump_opts *dump, unsigned c
+   uint32_t   tw = 0, tl = 0;   /* Tile width and length */
+   tmsize_t   tile_rowsize = 0;
+   unsigned char *read_buff = NULL;
+-  unsigned char *new_buff  = NULL;
+   int  readunit = 0;
+-  static   tmsize_t  prev_readsize = 0;
+ 
+   TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, );
+   TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, );
+@@ -6361,47 +6359,32 @@ loadImage(TIFF* in, struct image_data *image, struct 
dump_opts *dump, unsigned c
+ }
+  
+   read_buff = *read_ptr;
+-  /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+-  /* outside buffer */
+-  if (!read_buff)
+-  {
+-if( buffsize > 0xU - 3 )
++/* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
++ * outside buffer */
++/* Reuse of read_buff from previous image is quite unsafe, because other
++ * functions (like rotateImage() etc.) reallocate that buffer with 
different
++ * size without updating the local prev_readsize value. */
++   if (read_buff)
+ {
+-TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+-return (-1);
++_TIFFfree(read_buff);
+ }
+-read_buff = (unsigned char *)limitMalloc(buffsize + 
NUM_BUFF_OVERSIZE_BYTES);
+-  }
+-  else
++if (buffsize > 0xU - 3)
+ {
+-if (prev_readsize < buffsize)
+-{
+-  if( buffsize > 0xU - 3 )
+-  {
+-  TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+-  return (-1);
+-  }
+-  new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-  if (!new_buff)
+-{
+-  free (read_buff);
+-read_buff = (unsigned char *)limitMalloc(buffsize + 
NUM_BUFF_OVERSIZE_BYTES);
+-}
+-  else
+-read_buff = new_buff;
+-  }
++TIFFError("loadImage", "Required read buffer size too large");
++return (-1);
+ }
+-  if (!read_buff)
++read_buff =
++(unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
++if (!read_buff)
+ {
+-TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+-return (-1);
++TIFFError("loadImage", "Unable to allocate read buffer");
++return (-1);
+ }
+ 
+   read_buff[buffsize] = 0;
+   read_buff[buffsize+1] = 0;
+   read_buff[buffsize+2] = 0;
+ 
+-  prev_readsize = buffsize;
+   *read_ptr = read_buff;
+ 
+   /* N.B. The read functions used copy separate plane data into a buffer as 
interleaved
+-- 
+2.25.1
+
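Review bot: In the rewritten allocation block of loadImage(), the old buffer is released with _TIFFfree(read_buff) before the size check, but *read_ptr is only updated at the end, so both return (-1) paths ("Required read buffer size too large" and "Unable to allocate read buffer") leave the caller's pointer referring to freed memory. As this is labelled a backport, the code should stay as upstream has it, but please check that every caller of loadImage() in tiff 4.3.0 stops using or freeing the buffer on failure; otherwise setting *read_ptr = NULL right after the free would be the safer form. The OE commit message would also benefit from one line describing the issue, since it currently carries only Upstream-Status and Signed-off-by.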
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 2ee10fca72..4796dfde24 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -37,6 +37,7 @@ SRC_URI = 
"http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-0795_0796_0797_0798_0799.patch \
file://CVE-2023-25433.patch \
file://CVE-2023-25434-CVE-2023-25435.patch \
+   file://CVE-2023-26965.patch \
"
 
 SRC_URI[sha256sum] = 
"0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
-- 
2.25.1



[OE-core] [dunfell] [PATCH] harfbuzz: Resolve backported commit bug.

2023-07-26 Thread Dhairya Nagodra via lists.openembedded.org
The commit 
[https://github.com/openembedded/openembedded-core/commit/c22bbe9b45e3]
backports fix for CVE-2023-25193 for version 2.6.4.
The apply() in src/hb-ot-layout-gpos-table.hh ends prematurely.
The if block in apply() has an extra return statement,
which causes it to return w/o executing
buffer->unsafe_to_concat_from_outbuffer() function.

Signed-off-by: Dhairya Nagodra 
---
 .../harfbuzz/harfbuzz/CVE-2023-25193.patch   | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch 
b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
index 8243117551..e4ac13dbad 100644
--- a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
@@ -1,4 +1,4 @@
-From 8708b9e081192786c027bb7f5f23d76dbe5c19e8 Mon Sep 17 00:00:00 2001
+From 9c8e972dbecda93546038d2d8216397d75a3 Mon Sep 17 00:00:00 2001
 From: Behdad Esfahbod 
 Date: Mon, 6 Feb 2023 14:51:25 -0700
 Subject: [PATCH] [GPOS] Avoid O(n^2) behavior in mark-attachment
@@ -8,13 +8,15 @@ Comment1: The Original Patch 
[https://github.com/harfbuzz/harfbuzz/commit/85be87
 Comment2: The Patch contained files MarkBasePosFormat1.hh and 
MarkLigPosFormat1.hh which were moved from hb-ot-layout-gpos-table.hh as per 
https://github.com/harfbuzz/harfbuzz/commit/197d9a5c994eb41c8c89b7b958b26b1eacfeeb00
 CVE: CVE-2023-25193
 Signed-off-by: Siddharth Doshi 
+Signed-off-by: Dhairya Nagodra 
+
 ---
- src/hb-ot-layout-gpos-table.hh | 101 -
+ src/hb-ot-layout-gpos-table.hh | 103 +++--
  src/hb-ot-layout-gsubgpos.hh   |   5 +-
- 2 files changed, 77 insertions(+), 29 deletions(-)
+ 2 files changed, 78 insertions(+), 30 deletions(-)
 
 diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh
-index 024312d..88df13d 100644
+index 024312d..db5f9ae 100644
 --- a/src/hb-ot-layout-gpos-table.hh
 +++ b/src/hb-ot-layout-gpos-table.hh
 @@ -1458,6 +1458,25 @@ struct MarkBasePosFormat1
@@ -102,8 +104,9 @@ index 024312d..88df13d 100644
 +//if (!_hb_glyph_info_is_base_glyph (>info[idx])) { return_trace 
(false); }
  
 -unsigned int base_index = (this+baseCoverage).get_coverage  
(buffer->info[skippy_iter.idx].codepoint);
+-if (base_index == NOT_COVERED) return_trace (false);
 +unsigned int base_index = (this+baseCoverage).get_coverage  
(buffer->info[idx].codepoint);
- if (base_index == NOT_COVERED) return_trace (false);
++if (base_index == NOT_COVERED)
 +{
 +  buffer->unsafe_to_concat_from_outbuffer (idx, buffer->idx + 1);
 +  return_trace (false);
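Review bot: The commit message should say which apply() is being corrected and confirm the other one was checked: Comment2 states the backport covers both the MarkBasePos and MarkLigPos code, but only one "if (base_index == NOT_COVERED)" site is touched here. With the trailing return_trace (false) removed from that line, the braced block calling buffer->unsafe_to_concat_from_outbuffer (idx, buffer->idx + 1) becomes reachable, which is the intended behaviour; since this edits a patch already merged for CVE-2023-25193, please also note how the result was compared against the upstream change.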
@@ -174,6 +177,3 @@ index 5a7e564..437123c 100644
void set_auto_zwj (bool auto_zwj_) { auto_zwj = auto_zwj_; init_iters (); }
void set_auto_zwnj (bool auto_zwnj_) { auto_zwnj = auto_zwnj_; init_iters 
(); }
void set_random (bool random_) { random = random_; }
--- 
-2.25.1
-
-- 
2.35.6





Re: [OE-core] Toolchain test results

2023-07-26 Thread Anuj Mittal
On Tue, 2023-07-25 at 23:29 -0700, Khem Raj wrote:
> On Tue, Jul 25, 2023 at 11:00 PM Anuj Mittal 
> wrote:
> > 
> > On Thu, 2023-07-20 at 12:26 +0100, Richard Purdie wrote:
> > > On Tue, 2023-07-18 at 10:14 +0100, Richard Purdie via
> > > lists.openembedded.org wrote:
> > > > qemuarm has ~350 failures
> > > > qemuarm64 has ~350 failures
> > > > qemux86-64 has ~4000 (3900 in glibc)
> > > > qemux86 has ~4000 (3500 in glibc)
> > > > qemuppc has ~600 failures
> > > > qemumips64 has ~5000 failures (all over)
> > > > qemumips has ~1600 failures
> > > > 
> > > > Anuj: Can Intel look into the glibc test failures on x86?
> > > 
> > > I realised the glibc issues were due to the network being
> > > disabled
> > > for
> > > the tests and have sent a patch to fix that. That reduces the
> > > failures
> > > from ~3900 to ~330. We should really try and reduce that further
> > > but
> > > it
> > > is a start!
> > > 
> > 
> > A lot of locale/iconv tests seemed to be failing when calling write
> > with large buffers/files over NFS. Some of others were triggering
> > OOM.
> > 
> > I ran the tests again after making a few changes:
> > 
> > https://autobuilder.yocto.io/pub/non-release/20230726-11/testresults/qemux86-64-tc/
> > 
> > After switching NFS mount to TCP and increasing the memory
> > available to
> > 1024, the number of tests failed came down to 69.
> > 
> 
> This is a nice, thanks for doing it. I looked quickly at your results
> especially glibc part
> and it seems some of remaining failures are in nss module. I could
> not
> see detail logs
> why those tests were failing but few things to check is if we install

All the nss tests are failing here:

https://github.com/bminor/glibc/blob/master/support/test-container.c#L842

Could be an NFS problem as well. I have not looked at it in much detail
yet.

Thanks,

Anuj





[OE-core][PATCH] meta-networking: cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS

2023-07-26 Thread Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org
From: Sanjay Chitroda 

- OE-core has added support for CVE_STATUS:
  https://github.com/openembedded/openembedded-core/commit/1634ed4048cf
- Try to add convert and apply statuses for old CVEs

Signed-off-by: Sanjay Chitroda 
---
 .../freeradius/freeradius_3.0.26.bb   |  7 +++---
 .../mbedtls/mbedtls_2.28.3.bb |  8 +++
 .../mbedtls/mbedtls_3.4.0.bb  |  8 +++
 .../openthread/wpantund_git.bb| 17 ++---
 .../samba/samba_4.18.4.bb | 12 +-
 .../recipes-protocols/mdns/mdns_1790.80.10.bb | 24 +--
 .../recipes-protocols/openflow/openflow.inc   | 13 +-
 .../recipes-support/dovecot/dovecot_2.3.20.bb |  4 ++--
 .../recipes-support/ntp/ntp_4.2.8p17.bb   | 18 +++---
 .../recipes-support/openvpn/openvpn_2.6.3.bb  |  6 +++--
 .../recipes-support/spice/spice_git.bb|  8 +++
 11 files changed, 62 insertions(+), 63 deletions(-)

diff --git 
a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.26.bb 
b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.26.bb
index 9a2bbab39..d33aa72e8 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.26.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.26.bb
@@ -43,10 +43,9 @@ SRCREV = "d956f683d37ea40e7977cc5907361f3e6988a439"
 
 UPSTREAM_CHECK_GITTAGREGEX = "release_(?P\d+(\_\d+)+)"
 
-CVE_CHECK_IGNORE = "\
-CVE-2002-0318 \
-CVE-2011-4966 \
-"
+CVE_STATUS_GROUPS += "CVE_STATUS_FREERADIUS"
+CVE_STATUS_FREERADIUS = "CVE-2002-0318 CVE-2011-4966"
+CVE_STATUS_FREERADIUS[status] = "ignored"
 
 PARALLEL_MAKE = ""
 
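Review bot: CVE_STATUS_FREERADIUS[status] = "ignored" records no reason for CVE-2002-0318 and CVE-2011-4966, unlike the other recipes in this patch, which use a specific status followed by an explanation. Since the point of the conversion is to capture why a CVE does not apply, pick the status that fits these two and add the reason after the colon.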
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb 
b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb
index ce094d5af..a9fb693e0 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb
@@ -57,10 +57,10 @@ BBCLASSEXTEND = "native nativesdk"
 
 CVE_PRODUCT = "mbed_tls"
 
-# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
-CVE_CHECK_IGNORE += "CVE-2021-43666"
-# Fix merged upstream 
https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
-CVE_CHECK_IGNORE += "CVE-2021-45451"
+CVE_STATUS[CVE-2021-43666] = "cpe-incorrect: \
+Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310;
+CVE_STATUS[CVE-2021-45451] = "cpe-incorrect: \
+Fix merged upstream 
https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c;
 
 # Strip host paths from autogenerated test files
 do_compile:append() {
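Review bot: Both entries use cpe-incorrect, yet the reason text says the fix was merged upstream, which describes a CVE that is fixed in this version rather than one attributed to the wrong product. OE-core's status map has fixed-version for that case, and it reports the CVE as patched instead of ignored; the same applies to the identical hunk for mbedtls_3.4.0.bb.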
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb 
b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
index b8c9662de..1f7684633 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
@@ -58,10 +58,10 @@ BBCLASSEXTEND = "native nativesdk"
 
 CVE_PRODUCT = "mbed_tls"
 
-# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
-CVE_CHECK_IGNORE += "CVE-2021-43666"
-# Fix merged upstream 
https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
-CVE_CHECK_IGNORE += "CVE-2021-45451"
+CVE_STATUS[CVE-2021-43666] = "cpe-incorrect: \
+Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310;
+CVE_STATUS[CVE-2021-45451] = "cpe-incorrect: \
+Fix merged upstream 
https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c;
 
 # Strip host paths from autogenerated test files
 do_compile:append() {
diff --git a/meta-networking/recipes-connectivity/openthread/wpantund_git.bb 
b/meta-networking/recipes-connectivity/openthread/wpantund_git.bb
index a7fcc202a..223223ce3 100644
--- a/meta-networking/recipes-connectivity/openthread/wpantund_git.bb
+++ b/meta-networking/recipes-connectivity/openthread/wpantund_git.bb
@@ -22,11 +22,12 @@ S = "${WORKDIR}/git"
 
 inherit pkgconfig perlnative autotools
 
-# CVE-2020-8916 has been fixed in commit
-# 3f108441e23e033b936e85be5b6877dd0a1fbf1c which is included in the SRCREV
-# CVE-2021-33889 has been fixed in commit
-# a8f3f761f6753b567d1e5ad22cbe6b0ceb6f2649 which is included in the SRCREV
-# There has not been a wpantund release as of yet that includes these fixes.
-# That means cve-check can not match them. Once a new release comes we can
-# remove the ignore statement.
-CVE_CHECK_IGNORE = "CVE-2020-8916 CVE-2021-33889"
+CVE_STATUS[CVE-2020-8916] = "cpe-incorrect: \
+CVE has been fixed in commit \
+3f108441e23e033b936e85be5b6877dd0a1fbf1c which is included in the SRCREV"
+CVE_STATUS[CVE-2021-33889] = "cpe-incorrect: \
+CVE has been fixed in commit \
+a8f3f761f6753b567d1e5ad22cbe6b0ceb6f2649 which is included in the SRCREV \
+There has not been a wpantund release as of yet that includes these fixes. \
+That means cve-check can not match them. Once a new release comes 
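Review bot: The removed comment's explanation that no wpantund release yet contains these fixes applied to both CVEs, but it is now attached only to the CVE-2021-33889 string, while the CVE-2020-8916 string ends at "which is included in the SRCREV"; either repeat the explanation for both or keep it as a recipe comment above the two assignments. In the CVE-2021-33889 value the continuation also joins "SRCREV" directly to "There has not been" with no sentence break, so the reported reason reads as one run-on line.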

Re: [OE-core] Toolchain test results

2023-07-26 Thread Khem Raj
On Tue, Jul 25, 2023 at 11:00 PM Anuj Mittal  wrote:
>
> On Thu, 2023-07-20 at 12:26 +0100, Richard Purdie wrote:
> > On Tue, 2023-07-18 at 10:14 +0100, Richard Purdie via
> > lists.openembedded.org wrote:
> > > qemuarm has ~350 failures
> > > qemuarm64 has ~350 failures
> > > qemux86-64 has ~4000 (3900 in glibc)
> > > qemux86 has ~4000 (3500 in glibc)
> > > qemuppc has ~600 failures
> > > qemumips64 has ~5000 failures (all over)
> > > qemumips has ~1600 failures
> > >
> > > Anuj: Can Intel look into the glibc test failures on x86?
> >
> > I realised the glibc issues were due to the network being disabled
> > for
> > the tests and have sent a patch to fix that. That reduces the
> > failures
> > from ~3900 to ~330. We should really try and reduce that further but
> > it
> > is a start!
> >
>
> A lot of locale/iconv tests seemed to be failing when calling write
> with large buffers/files over NFS. Some of others were triggering OOM.
>
> I ran the tests again after making a few changes:
>
> https://autobuilder.yocto.io/pub/non-release/20230726-11/testresults/qemux86-64-tc/
>
> After switching NFS mount to TCP and increasing the memory available to
> 1024, the number of tests failed came down to 69.
>

This is nice, thanks for doing it. I looked quickly at your results,
especially the glibc part, and it seems some of the remaining failures
are in the nss module. I could not see detailed logs for why those tests
were failing, but a few things to check: whether we install the
libnss-db and glibc-extra-nss packages into the image or not. Some of
these tests edit /etc/nsswitch.conf, so are these tests running in
parallel and racing?

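> ==========================================================
> qemux86-64 PTest Result Summary
> ==========================================================
> ----------------------------------------------------------
> Recipe           | Passed   | Failed   | Skipped | Time(s)
> ----------------------------------------------------------
> binutils         | 289      | 0        | 8       | -
> binutils-gas     | 1582     | 4        | 1       | -
> binutils-ld      | 1622     | 6        | 111     | -
> gcc              | 149696   | 28       | 27599   | -
> gcc-g++          | 219260   | 30       | 21108   | -
> gcc-libatomic    | 27       | 1        | 27      | -
> gcc-libgomp      | 3426     | 1        | 1962    | -
> gcc-libitm       | 24       | 1        | 24      | -
> gcc-libstdc++-v3 | 9695     | 32       | 5459    | -
> glibc            | 4984     | 69       | 147     | -
> rust             | 15768    | 0        | 554     | -
> ----------------------------------------------------------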
>
> Thanks,
>
> Anuj
>
> 
>




[OE-core] [kirkstone][PATCH] tiff: fix multiple CVEs

2023-07-26 Thread Hitendra Prajapati
Backport fixes for:
* CVE-2023-25433 - Upstream-Status: Backport from 
https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678
 && 
https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44
* CVE-2023-25434 & CVE-2023-25435 - Upstream-Status: Backport from 
https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38

Signed-off-by: Hitendra Prajapati 
---
 .../libtiff/tiff/CVE-2023-25433.patch | 195 ++
 .../tiff/CVE-2023-25434-CVE-2023-25435.patch  |  94 +
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   2 +
 3 files changed, 291 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-25433.patch
 create mode 100644 
meta/recipes-multimedia/libtiff/tiff/CVE-2023-25434-CVE-2023-25435.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25433.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25433.patch
new file mode 100644
index 00..285aa3d1c4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25433.patch
@@ -0,0 +1,195 @@
+From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001
+From: Su_Laus 
+Date: Fri, 3 Feb 2023 15:31:31 +0100
+Subject: [PATCH] CVE-2023-25433
+
+tiffcrop correctly update buffersize after rotateImage()
+fix#520 rotateImage() set up a new buffer and calculates its size
+individually. Therefore, seg_buffs[] size needs to be updated accordingly.
+Before this fix, the seg_buffs buffer size was calculated with a different
+formula than within rotateImage().
+
+Closes #520.
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678
 && 
https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44]
+CVE: CVE-2023-25433
+Signed-off-by: Hitendra Prajapati 
+---
+ tools/tiffcrop.c | 78 +---
+ 1 file changed, 60 insertions(+), 18 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index eee26bf..cbd24cc 100644
+--- a/tools/tiffcrop.c
 b/tools/tiffcrop.c
+@@ -523,7 +523,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, 
uint16_t, uint32_t,
+ static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
+  uint32_t, uint32_t, uint8_t *, uint8_t 
*);
+ static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
+-   unsigned char **, int);
++   unsigned char **, size_t *);
+ static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
+unsigned char *);
+ static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
+@@ -6515,7 +6515,7 @@ static int  correct_orientation(struct image_data 
*image, unsigned char **work_b
+* but switch xres, yres there. */
+   uint32_t width = image->width;
+   uint32_t length = image->length;
+-  if (rotateImage(rotation, image, , , work_buff_ptr, TRUE))
++  if (rotateImage(rotation, image, , , work_buff_ptr, NULL))
+   {
+   TIFFError ("correct_orientation", "Unable to rotate image");
+   return (-1);
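Review bot: correct_orientation() now passes NULL where the prototype expects size_t *, so rotateImage() must check the pointer before every store through it; that guard is not in the lines shown here and should be confirmed in the rotateImage() hunk. If the rotated buffer size is deliberately unused at this call site, a comment saying so would help.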
+@@ -7695,16 +7695,19 @@ processCropSelections(struct image_data *image, struct 
crop_mask *crop,
+ 
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can 
reallocate the buffer */
+   {
++/* rotateImage() set up a new buffer and calculates its size
++ * individually. Therefore, seg_buffs size  needs to be updated
++ * accordingly. */
++  size_t rot_buf_size = 0;
+   if (rotateImage(crop->rotation, image, >combined_width, 
+-  >combined_length, _buff, FALSE))
++  >combined_length, _buff, _buf_size))
+ {
+ TIFFError("processCropSelections", 
+   "Failed to rotate composite regions by %"PRIu32" degrees", 
crop->rotation);
+ return (-1);
+ }
+   seg_buffs[0].buffer = crop_buff;
+-  seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
+-* image->spp) * crop->combined_length; 
++  seg_buffs[0].size = rot_buf_size;
+   }
+ }
+   else  /* Separated Images */
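Review bot: rot_buf_size is initialised to 0 and copied into seg_buffs[0].size whenever rotateImage() returns success, so any successful return from rotateImage() that does not write the out-parameter leaves seg_buffs[0].size at 0 while seg_buffs[0].buffer points at crop_buff. Please confirm every success path sets it, or treat a zero size as an error here before the assignment.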
+@@ -7804,9 +7807,13 @@ processCropSelections(struct image_data *image, struct 
crop_mask *crop,
+ {
+   /* rotateImage() changes image->width, ->length, ->xres and ->yres, 
what it schouldn't do here, when more than one section is processed. 
+* ToDo: Therefore rotateImage() and its usage has to be reworked 
(e.g. like mirrorImage()) !!
+-   */
+-  if (rotateImage(crop->rotation, image, >regionlist[i].width, 
+-  >regionlist[i].length, _buff, FALSE))
++   * Furthermore, rotateImage() set up a new buffer and calculates
++   * its size individually. Therefore, seg_buffs size  needs to be
++   * updated 

Re: [OE-core] Toolchain test results

2023-07-26 Thread Anuj Mittal
On Thu, 2023-07-20 at 12:26 +0100, Richard Purdie wrote:
> On Tue, 2023-07-18 at 10:14 +0100, Richard Purdie via
> lists.openembedded.org wrote:
> > qemuarm has ~350 failures
> > qemuarm64 has ~350 failures
> > qemux86-64 has ~4000 (3900 in glibc)
> > qemux86 has ~4000 (3500 in glibc)
> > qemuppc has ~600 failures
> > qemumips64 has ~5000 failures (all over)
> > qemumips has ~1600 failures
> > 
> > Anuj: Can Intel look into the glibc test failures on x86?
> 
> I realised the glibc issues were due to the network being disabled for
> the tests and have sent a patch to fix that. That reduces the failures
> from ~3900 to ~330. We should really try and reduce that further but it
> is a start!
> 

A lot of locale/iconv tests seemed to be failing when calling write
with large buffers/files over NFS. Some of the others were triggering OOM.

I ran the tests again after making a few changes:

https://autobuilder.yocto.io/pub/non-release/20230726-11/testresults/qemux86-64-tc/

After switching the NFS mount to TCP and increasing the memory available to
1024, the number of failed tests came down to 69.

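==============================================================
qemux86-64 PTest Result Summary
==============================================================
--------------------------------------------------------------
Recipe            | Passed   | Failed   | Skipped  | Time(s)
--------------------------------------------------------------
binutils          | 289      | 0        | 8        | -
binutils-gas      | 1582     | 4        | 1        | -
binutils-ld       | 1622     | 6        | 111      | -
gcc               | 149696   | 28       | 27599    | -
gcc-g++           | 219260   | 30       | 21108    | -
gcc-libatomic     | 27       | 1        | 27       | -
gcc-libgomp       | 3426     | 1        | 1962     | -
gcc-libitm        | 24       | 1        | 24       | -
gcc-libstdc++-v3  | 9695     | 32       | 5459     | -
glibc             | 4984     | 69       | 147      | -
rust              | 15768    | 0        | 554      | -
--------------------------------------------------------------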

Thanks,

Anuj

View/Reply Online (#184858): https://lists.openembedded.org/g/openembedded-core/message/184858