[oe] Canceled: OpenEmbedded Happy Hour June 28

2023-06-24 Thread Denys Dmytriyenko
All,

Due to the coinciding Embedded Open Source Summit (EOSS) in Prague, the OE 
Board has decided to cancel our regular Happy Hour on June 28. The next Happy 
Hour is scheduled for July 26 - see you all then. Thank you.

-- 
Regards,
Denys Dmytriyenko 
PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964
Fingerprint: 25FC E4A5 8A72 2F69 1186  6D76 4209 0272 9A92 C964

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#103559): 
https://lists.openembedded.org/g/openembedded-devel/message/103559
Mute This Topic: https://lists.openembedded.org/mt/99759473/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [oe] [meta-oe][kirkstone][PATCH 1/1] python3-werkzeug: fix for CVE-2023-23934

2023-06-24 Thread Martin Jansa
This change is now merged in kirkstone and causes:

ERROR: python3-werkzeug-2.1.1-r0 do_patch: Fuzz detected:

Applying patch CVE-2023-23934.patch
patching file CHANGES.rst
Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines).
patching file src/werkzeug/_internal.py
patching file src/werkzeug/http.py
patching file tests/test_http.py


The context lines in the patches can be updated with devtool:

devtool modify python3-werkzeug
devtool finish --force-patch-refresh python3-werkzeug 

Don't forget to review changes done by devtool!

ERROR: python3-werkzeug-2.1.1-r0 do_patch: QA Issue: Patch log
indicates that patches do not apply cleanly. [patch-fuzz]


Please send a follow-up patch to fix patch-fuzz.


On Wed, May 10, 2023 at 4:16 PM Narpat Mali via lists.openembedded.org
 wrote:

> From: Narpat Mali 
>
> Werkzeug is a comprehensive WSGI web application library. Browsers may allow
> "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable
> browser may allow a compromised application on an adjacent subdomain to exploit
> this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug
> prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`.
> If a Werkzeug application is running next to a vulnerable or malicious subdomain
> which sets such a cookie using a vulnerable browser, the Werkzeug application
> will see the bad cookie value but the valid cookie key. The issue is fixed in
> Werkzeug 2.2.3.
>
> Signed-off-by: Narpat Mali 
> ---
>  .../python3-werkzeug/CVE-2023-23934.patch | 116 ++
>  .../python/python3-werkzeug_2.1.1.bb  |   2 +
>  2 files changed, 118 insertions(+)
>  create mode 100644
> meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
>
> diff --git
> a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
> b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
> new file mode 100644
> index 00..0be97d2888
> --- /dev/null
> +++
> b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
> @@ -0,0 +1,116 @@
> +From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001
> +From: David Lord 
> +Date: Wed, 10 May 2023 11:33:18 +
> +Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q
> +
> +don't strip leading `=` when parsing cookie
> +
> +"src/werkzeug/sansio/http.py" file is not available in the current recipe
> +version 2.1.1 and this has been introduced from 2.2.0 version. Before
> 2.2.0
> +version, this http.py file was only available in the
> "src/werkzeug/http.py"
> +and we could see the same functions available there which are getting
> modified
> +in the CVE fix commit. Hence, modifying the same at
> "src/werkzeug/http.py" file.
> +
> +CVE: CVE-2023-23934
> +
> +Upstream-Status: Backport [
> https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
> ]
> +
> +Signed-off-by: Narpat Mali 
> +---
> + CHANGES.rst   |  4 
> + src/werkzeug/_internal.py | 13 +
> + src/werkzeug/http.py  |  4 
> + tests/test_http.py|  4 +++-
> + 4 files changed, 16 insertions(+), 9 deletions(-)
> +
> +diff --git a/CHANGES.rst b/CHANGES.rst
> +index a351d7c..23505d3 100644
> +--- a/CHANGES.rst
>  b/CHANGES.rst
> +@@ -1,5 +1,9 @@
> + .. currentmodule:: werkzeug
> +
> ++-   A cookie header that starts with ``=`` is treated as an empty key
> and discarded,
> ++rather than stripping the leading ``==``.
> ++
> ++
> + Version 2.1.1
> + -
> +
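
Review bot: the CHANGES.rst hunk is the one the do_patch log in this thread flags (`Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines)`); its context expects the new entry directly above `Version 2.1.1` at line 1, while the log shows it applying at line 6. Either drop the changelog hunk from the backport, since it carries no code change, or refresh the patch with `devtool finish --force-patch-refresh python3-werkzeug` so the context lines match.
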
> +diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
> +index a8b3523..d6290ba 100644
> +--- a/src/werkzeug/_internal.py
>  b/src/werkzeug/_internal.py
> +@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].")
> + _legal_cookie_chars_re =
> rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
> + _cookie_re = re.compile(
> + rb"""
> +-(?P[^=;]+)
> ++(?P[^=;]*)
> + (?:\s*=\s*
> + (?P
> + "(?:[^\\"]|\\.)*" |
> +@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) ->
> t.Iterator[t.Tuple[bytes, bytes]]:
> + """Lowlevel cookie parsing facility that operates on bytes."""
> + i = 0
> + n = len(b)
> ++b += b";"
> +
> + while i < n:
> +-match = _cookie_re.search(b + b";", i)
> ++match = _cookie_re.match(b, i)
> ++
> + if not match:
> + break
> +
> +-key = match.group("key").strip()
> +-value = match.group("val") or b""
> + i = match.end(0)
> ++key = match.group("key").strip()
> ++
> ++if not key:
> ++continue
> +
> ++value = match.group("val") or b""
> + yield key, _cookie_unquote(value)
> +
> +
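
Review bot: in `_cookie_parse_impl`, replacing `_cookie_re.search(b + b";", i)` with `_cookie_re.match(b, i)` anchors every match at `i`, so the existing `if not match: break` now ends parsing at the first offset the pattern rejects instead of scanning forward to the next cookie. That is a wider behaviour change than the empty-key discard described in the patch header; mention it in the backport note so users of the 2.1.1 recipe are aware of it.
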
> +diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
> +index 9369900..ae133e3 100644
> +--- a/src/werkzeug/http.py
>  b/src/werkzeug/http.py
> +@@ -1205,10 +1205,6 @@ def parse_cookie(
> + def 
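
A simplified model of the parsing change described in the commit message above, as an added example that is not Werkzeug's code and not part of the original message. The names `parse_old`, `parse_new` and `smuggled_keys` are hypothetical, the value pattern is reduced, and the sample header is constructed.

```python
import re

# Reduced value pattern (assumption): a quoted string or a run of non-';' bytes.
_VAL = rb'(?:\s*=\s*(?P<val>"(?:[^\\"]|\\.)*"|[^;]*))?\s*;'
OLD_RE = re.compile(rb"(?P<key>[^=;]+)" + _VAL)  # pre-fix: key needs >= 1 byte
NEW_RE = re.compile(rb"(?P<key>[^=;]*)" + _VAL)  # post-fix: key may be empty


def parse_old(header: bytes):
    """Pre-fix model: search() slides past a leading '=' to find a key."""
    out, i, n = [], 0, len(header)
    while i < n:
        m = OLD_RE.search(header + b";", i)
        if not m:
            break
        out.append((m.group("key").strip(), m.group("val") or b""))
        i = m.end(0)
    return out


def parse_new(header: bytes):
    """Post-fix model: match() is anchored at i; empty keys are discarded."""
    out, i, n = [], 0, len(header)
    buf = header + b";"  # sentinel appended after n is taken, as in the patch
    while i < n:
        m = NEW_RE.match(buf, i)
        if not m:
            break
        i = m.end(0)  # advance before the empty-key check so the loop progresses
        key = m.group("key").strip()
        if not key:
            continue
        out.append((key, m.group("val") or b""))
    return out


def smuggled_keys(header: bytes):
    """Keys the pre-fix model accepts that the post-fix model discards."""
    kept = {k for k, _ in parse_new(header)}
    return [k for k, _ in parse_old(header) if k not in kept]


# Constructed sample: a nameless cookie followed by a normal one.
SAMPLE = b"=__Host-test=bad; session=abc"

if __name__ == "__main__":
    print("old:", parse_old(SAMPLE))
    print("new:", parse_new(SAMPLE))
    print("only accepted pre-fix:", smuggled_keys(SAMPLE))
```

Running `smuggled_keys` over logged `Cookie` headers is one way to see whether clients of an unpatched deployment have been sending nameless cookies.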

[oe] [meta-multimedia][PATCH 2/3] pipewire: Improve packageconfigs

2023-06-24 Thread Carlos Rafael Giani via lists.openembedded.org
Signed-off-by: Carlos Rafael Giani 
---
 .../recipes-multimedia/pipewire/pipewire_0.3.71.bb   | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/meta-multimedia/recipes-multimedia/pipewire/pipewire_0.3.71.bb 
b/meta-multimedia/recipes-multimedia/pipewire/pipewire_0.3.71.bb
index 051776cceb..414ae3ea8d 100644
--- a/meta-multimedia/recipes-multimedia/pipewire/pipewire_0.3.71.bb
+++ b/meta-multimedia/recipes-multimedia/pipewire/pipewire_0.3.71.bb
@@ -88,7 +88,7 @@ PACKAGECONFIG:class-target ??= " \
 ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd 
systemd-system-service systemd-user-service', '', d)} \
 ${@bb.utils.filter('DISTRO_FEATURES', 'alsa vulkan pulseaudio', d)} \
 ${PIPEWIRE_SESSION_MANAGER} \
-${FFMPEG_AVAILABLE} avahi flatpak gstreamer gsettings jack libusb pw-cat 
raop sndfile v4l2 udev volume webrtc-echo-cancelling libcamera \
+${FFMPEG_AVAILABLE} avahi flatpak gstreamer gsettings jack libusb pw-cat 
raop sndfile v4l2 udev volume webrtc-echo-cancelling libcamera readline \
 "
 
 # "jack" and "pipewire-jack" packageconfigs cannot be both enabled,
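
Review bot: the default `PACKAGECONFIG:class-target` list gains `readline`, but the commit has no message body and the subject ("Improve packageconfigs") does not say that a default changes. The comment added further down states that pw-cli falls back to getline() when readline is disabled, so explain why it should be on by default, or add the packageconfig without enabling it.
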
@@ -101,6 +101,10 @@ PACKAGECONFIG[avahi] = 
"-Davahi=enabled,-Davahi=disabled,avahi"
 PACKAGECONFIG[bluez] = "-Dbluez5=enabled,-Dbluez5=disabled,bluez5 sbc"
 PACKAGECONFIG[bluez-aac] = 
"-Dbluez5-codec-aac=enabled,-Dbluez5-codec-aac=disabled,fdk-aac"
 PACKAGECONFIG[bluez-opus] = 
"-Dbluez5-codec-opus=enabled,-Dbluez5-codec-opus=disabled,libopus"
+# From the pipewire git log:
+# "Some Linux phones doesn't use oFono but ModemManager to control the modem."
+# This packageconfig enables modemmanager specific code in the BlueZ backend.
+PACKAGECONFIG[bluez-backend-native-mm] = 
"-Dbluez5-backend-native-mm=enabled,-Dbluez5-backend-native-mm=disabled,modemmanager"
 PACKAGECONFIG[docs] = "-Ddocs=enabled,-Ddocs=disabled,doxygen-native 
graphviz-native"
 PACKAGECONFIG[ffmpeg] = "-Dffmpeg=enabled,-Dffmpeg=disabled,ffmpeg"
 PACKAGECONFIG[flatpak] = "-Dflatpak=enabled,-Dflatpak=disabled,glib-2.0"
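
Review bot: `PACKAGECONFIG[bluez-backend-native-mm]` can be enabled while `bluez` is not, which would pass `-Dbluez5-backend-native-mm=enabled` alongside `-Dbluez5=disabled`. The added comment says this is code in the BlueZ backend, so note in that comment that the option only makes sense together with the `bluez` packageconfig.
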
@@ -116,6 +120,9 @@ PACKAGECONFIG[pipewire-alsa] = 
"-Dpipewire-alsa=enabled,-Dpipewire-alsa=disabled
 PACKAGECONFIG[pipewire-jack] = "-Dpipewire-jack=enabled 
-Dlibjack-path=${libdir}/${PW_MODULE_SUBDIR}/jack,-Dpipewire-jack=disabled,jack,,pipewire-jack,jack"
 PACKAGECONFIG[pw-cat] = "-Dpw-cat=enabled,-Dpw-cat=disabled"
 PACKAGECONFIG[raop] = "-Draop=enabled,-Draop=disabled,openssl"
+# Starting with version 0.3.60, readline usage can be turned off in pw-cli.
+# If it is disabled, getline() is used as a fallback.
+PACKAGECONFIG[readline] = "-Dreadline=enabled,-Dreadline=disabled,readline"
 PACKAGECONFIG[sdl2] = "-Dsdl2=enabled,-Dsdl2=disabled,libsdl2"
 PACKAGECONFIG[sndfile] = "-Dsndfile=enabled,-Dsndfile=disabled,libsndfile1"
 PACKAGECONFIG[systemd] = "-Dsystemd=enabled,-Dsystemd=disabled,systemd"
-- 
2.34.1


View/Reply Online (#103555): https://lists.openembedded.org/g/openembedded-devel/message/103555



[oe] [meta-multimedia][PATCH 1/3] pipewire: Disable libmysofa since it is not available in OE

2023-06-24 Thread Carlos Rafael Giani via lists.openembedded.org
Signed-off-by: Carlos Rafael Giani 
---
 meta-multimedia/recipes-multimedia/pipewire/pipewire_0.3.71.bb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta-multimedia/recipes-multimedia/pipewire/pipewire_0.3.71.bb 
b/meta-multimedia/recipes-multimedia/pipewire/pipewire_0.3.71.bb
index 7f117e10b2..051776cceb 100644
--- a/meta-multimedia/recipes-multimedia/pipewire/pipewire_0.3.71.bb
+++ b/meta-multimedia/recipes-multimedia/pipewire/pipewire_0.3.71.bb
@@ -48,7 +48,7 @@ SYSTEMD_PACKAGES = "${PN}"
 # it just prevents this subproject feature.
 #
 # AptX and LDAC are not available in OE. Currently, neither
-# are lv2 and ROC.
+# are lv2, ROC, and libmysofa.
 #
 # The RTKit module is deprecated in favor of the newer RT module.
 # It still exists for legacy setups that still include it in
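
Review bot: in the updated comment, "neither are lv2, ROC, and libmysofa" uses "neither" for three items; something like "lv2, ROC and libmysofa are currently not available either" reads more cleanly.
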
@@ -66,6 +66,7 @@ EXTRA_OEMESON += " \
 -Dbluez5-codec-aptx=disabled \
 -Dbluez5-codec-ldac=disabled \
 -Dlegacy-rtkit=false \
+-Dlibmysofa=disabled \
 "
 
 # spa alsa plugin code uses typedef redefinition, which is officially a C11 
feature.
-- 
2.34.1


View/Reply Online (#103557): https://lists.openembedded.org/g/openembedded-devel/message/103557



[oe] [meta-multimedia][PATCH 3/3] pipewire: Add dedicated aes67 package and fix rlimits.d package assignment

2023-06-24 Thread Carlos Rafael Giani via lists.openembedded.org
Signed-off-by: Carlos Rafael Giani 
---
 .../recipes-multimedia/pipewire/pipewire_0.3.71.bb   | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/meta-multimedia/recipes-multimedia/pipewire/pipewire_0.3.71.bb 
b/meta-multimedia/recipes-multimedia/pipewire/pipewire_0.3.71.bb
index 414ae3ea8d..14a0e02f81 100644
--- a/meta-multimedia/recipes-multimedia/pipewire/pipewire_0.3.71.bb
+++ b/meta-multimedia/recipes-multimedia/pipewire/pipewire_0.3.71.bb
@@ -249,6 +249,7 @@ PACKAGES =+ "\
 ${PN}-modules-meta \
 ${PN}-alsa-card-profile \
 ${PN}-v4l2 \
+${PN}-aes67 \
 gstreamer1.0-pipewire \
 "
 
@@ -263,8 +264,6 @@ FILES:${PN} = " \
 ${systemd_user_unitdir} \
 ${bindir}/pipewire \
 ${bindir}/pipewire-avb \
-${bindir}/pipewire-aes67 \
-${sysconfdir}/security/limits.d \
 "
 
 RRECOMMENDS:${PN}:class-target += " \
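
Review bot: dropping `${bindir}/pipewire-aes67` from `FILES:${PN}` means an image that installs only `${PN}` no longer ships that binary, and nothing in the visible hunks makes `${PN}` recommend or depend on the new `${PN}-aes67` package. The commit has no message body; state there that this is intentional so users know to add `${PN}-aes67` themselves, or add it to the `RRECOMMENDS:${PN}:class-target` list that follows this hunk.
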
@@ -358,6 +357,7 @@ RRECOMMENDS:${PN}-modules += "${PN}-modules-meta"
 CONFFILES:${PN}-modules-rt = "${datadir}/pipewire/client-rt.conf"
 FILES:${PN}-modules-rt += " \
 ${datadir}/pipewire/client-rt.conf \
+${sysconfdir}/security/limits.d/* \
 "
 
 CONFFILES:${PN}-modules-filter-chain = "${datadir}/pipewire/filter-chain/*"
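
Review bot: `${sysconfdir}/security/limits.d/*` moves into `${PN}-modules-rt`, but `CONFFILES:${PN}-modules-rt` just above names only `client-rt.conf`. If the rlimits file is meant to be edited on the target, list it in CONFFILES as well so a package upgrade does not overwrite local changes.
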
@@ -376,6 +376,11 @@ FILES:${PN}-v4l2 += " \
 ${libdir}/${PW_MODULE_SUBDIR}/v4l2/libpw-v4l2.so \
 "
 
+# AES67 is a standard for audio over IP, from the Audio Engineering Society 
(AES).
+FILES:${PN}-aes67 += " \
+${bindir}/pipewire-aes67 \
+"
+
 FILES:gstreamer1.0-pipewire = " \
 ${libdir}/gstreamer-1.0/* \
 "
-- 
2.34.1


View/Reply Online (#103556): https://lists.openembedded.org/g/openembedded-devel/message/103556