[OE-core] [dunfell][PATCH] pcre2: CVE-2022-1587 Out-of-bounds read

2022-05-31 Thread Hitendra Prajapati
Source: https://github.com/PCRE2Project/pcre2 MR: 118031 Type: Security Fix Disposition: Backport from https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0 ChangeID: 8d5e1357918894374e3379daf1d1a6873c7b9bf3 Description: CVE-2022-1587 pcre2: Out-of-bounds read

[OE-core] [dunfell][PATCH] e2fsprogs: CVE-2022-1304 out-of-bounds read/write via crafted filesystem

2022-05-31 Thread Hitendra Prajapati
Source: https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git MR: 117430 Type: Security Fix Disposition: Backport from https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint=ab51d587bb9b229b1fade1afd02e1574c1ba5c76 ChangeID: e6db00c6e8375a2e869fd2e4ead61ca9149eb8fa Description:

Re: [OE-core] [PATCH 1/4] qemu: fix CVE-2021-4145

2022-05-31 Thread Sakib Sajal
This patch is for hardknott branch On 2022-05-31 18:08, Sakib Sajal wrote: Fix for CVE-2021-4145, commit 66fed30c9c, fixes another commit: d44dae1a7c ("block/mirror: fix active mirror dead-lock in mirror_wait_on_conflicts") Hence, backport both the patches to resolve the CVE.

Re: [OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750

2022-05-31 Thread Sakib Sajal
This set of patches is for hardknott branch. On 2022-05-31 18:08, Sakib Sajal wrote: Backport appropriate patches to resolve CVE-2021-3750. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 3 + .../qemu/qemu/CVE-2021-3750_1.patch | 60 +++

[OE-core][hardknott][PATCH 4/4] qemu: fix CVE-2021-4206

2022-05-31 Thread Sakib Sajal
Backport fix to resolve CVE-2021-4206: fa892e9abb ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-4206.patch | 89 +++ 2 files changed, 90

[OE-core][hardknott][PATCH 3/4] qemu: fix CVE-2022-26353

2022-05-31 Thread Sakib Sajal
Backport fix to resolve CVE-2022-26353: abe300d9d8 virtio-net: fix map leaking on error during receive Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2022-26353.patch| 44 +++ 2 files changed, 45

[OE-core][hardknott][PATCH 1/4] qemu: fix CVE-2021-4145

2022-05-31 Thread Sakib Sajal
Fix for CVE-2021-4145, commit 66fed30c9c, fixes another commit: d44dae1a7c ("block/mirror: fix active mirror dead-lock in mirror_wait_on_conflicts") Hence, backport both the patches to resolve the CVE. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 +

[OE-core][hardknott][PATCH 2/4] qemu: fix CVE-2021-3750

2022-05-31 Thread Sakib Sajal
Backport appropriate patches to resolve CVE-2021-3750. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 3 + .../qemu/qemu/CVE-2021-3750_1.patch | 60 +++ .../qemu/qemu/CVE-2021-3750_2.patch | 65

[OE-core] [honister][PATCH 00/12] Pull request (cover letter only)

2022-05-31 Thread Anuj Mittal
The branch has reached EOL and will not be actively maintained after this merge. Thanks, Anuj The following changes since commit e0d5d93a18d1682f3393fc10133f08009f008601: perf: sort-pmuevents: allow for additional type qualifiers and storage class (2022-05-10 21:44:32 +0800) are available

[OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750

2022-05-31 Thread Sakib Sajal
Backport appropriate patches to resolve CVE-2021-3750. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 3 + .../qemu/qemu/CVE-2021-3750_1.patch | 60 +++ .../qemu/qemu/CVE-2021-3750_2.patch | 65

[OE-core] [PATCH 1/4] qemu: fix CVE-2021-4145

2022-05-31 Thread Sakib Sajal
Fix for CVE-2021-4145, commit 66fed30c9c, fixes another commit: d44dae1a7c ("block/mirror: fix active mirror dead-lock in mirror_wait_on_conflicts") Hence, backport both the patches to resolve the CVE. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 +

[OE-core] [PATCH 3/4] qemu: fix CVE-2022-26353

2022-05-31 Thread Sakib Sajal
Backport fix to resolve CVE-2022-26353: abe300d9d8 virtio-net: fix map leaking on error during receive Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2022-26353.patch| 44 +++ 2 files changed, 45

[OE-core] [PATCH 4/4] qemu: fix CVE-2021-4206

2022-05-31 Thread Sakib Sajal
Backport fix to resolve CVE-2021-4206: fa892e9abb ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-4206.patch | 89 +++ 2 files changed, 90

[oe-core][PATCH v2] gstreamer1.0-plugins-bad: add libavtp packageconfig

2022-05-31 Thread Marcel Ziswiler
From: Marcel Ziswiler Add avtp resp. libavtp PACKAGECONFIG. This allows building the GStreamer Audio Video Transport Protocol (AVTP) Plugins which rely on Avnu's libavtp. Signed-off-by: Marcel Ziswiler --- End-to-end tested on Verdin iMX8M Plus. Will talk about it at the Embedded World

[oe-core][PATCH v3 2/2] libavtp: add recipe to be able to use aaf config for alsa-plugins

2022-05-31 Thread Marcel Ziswiler
From: Peter Bergin In order to enable configuration option aaf (AVTP Audio Format) used for AVB the library libavtp is a dependency but no recipe for this library was present. aaf support for alsa-plugins was introduced in ddf5421331180bc45697511b44cdd4a4e6dda6ff. Signed-off-by: Peter Bergin

[oe-core][PATCH v3 1/2] alsa-plugins: fix libavtp vs. avtp packageconfig

2022-05-31 Thread Marcel Ziswiler
From: Marcel Ziswiler Fix PACKAGECONFIG to refer to libavtp instead of avtp as this is what the project and everything is really called everywhere. Signed-off-by: Marcel Ziswiler --- Changes in v3: - New patch. meta/recipes-multimedia/alsa/alsa-plugins_1.2.6.bb | 2 +- 1 file changed, 1

Re: [oe-core][PATCH 4/4] libsdl2: dont mix opengl and gles backends for wayland

2022-05-31 Thread Markus Volk
With x11, wayland and opengl: -   SDL_OPENGL  (Wanted: ON): ON --   SDL_OPENGLES    (Wanted: ON): ON --   SDL_VULKAN  (Wanted: ON): ON --   SDL_WAYLAND (Wanted: ON): ON --   SDL_WAYLAND_LIBDECOR    (Wanted: ON): OFF --  

Re: [oe-core][PATCH 4/4] libsdl2: dont mix opengl and gles backends for wayland

2022-05-31 Thread Khem Raj
On Tue, May 31, 2022 at 1:54 PM Richard Purdie < richard.pur...@linuxfoundation.org> wrote: > On Tue, 2022-05-31 at 21:06 +0200, Markus Volk wrote: > > This fixes "Could not initialize egl display" in libsdl2 apps for > > wayland without DISTRO_FEATURE x11 > > > > Signed-off-by: Markus Volk > >

Re: [oe-core][PATCH v2] libavtp: add recipe to be able to use aaf config for alsa-plugins

2022-05-31 Thread Khem Raj
On Tue, May 31, 2022 at 1:14 PM Marcel Ziswiler wrote: > On Tue, 2022-05-31 at 12:01 -0700, Khem Raj wrote: > > Maybe call the recipe avtp > > No, here I disagree. As mentioned before the project and everything is > really called libavtp everywhere. So I > think the better solution is to

Re: [oe-core][PATCH 4/4] libsdl2: dont mix opengl and gles backends for wayland

2022-05-31 Thread Richard Purdie
On Tue, 2022-05-31 at 21:06 +0200, Markus Volk wrote: > This fixes "Could not initialize egl display" in libsdl2 apps for > wayland without DISTRO_FEATURE x11 > > Signed-off-by: Markus Volk > --- > meta/recipes-graphics/libsdl2/libsdl2_2.0.22.bb | 8 +--- > 1 file changed, 5 insertions(+),

[oe-core][PATCH 4/4] libsdl2: dont mix opengl and gles backends for wayland

2022-05-31 Thread Markus Volk
This fixes "Could not initialize egl display" in libsdl2 apps for wayland without DISTRO_FEATURE x11 Signed-off-by: Markus Volk --- meta/recipes-graphics/libsdl2/libsdl2_2.0.22.bb | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git

[oe-core][PATCH 3/4] xdg-utils: allow to build for wayland

2022-05-31 Thread Markus Volk
Signed-off-by: Markus Volk --- meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb index 73acf6b744..ef698d9f09

[oe-core][PATCH 1/4] xorg-lib-common: allow to build for wayland

2022-05-31 Thread Markus Volk
Signed-off-by: Markus Volk --- meta/recipes-graphics/xorg-lib/xorg-lib-common.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc index 60bc8c76fa..30122f2bfa 100644 ---

[oe-core][PATCH 2/4] libxcb: allow to build for wayland

2022-05-31 Thread Markus Volk
Signed-off-by: Markus Volk --- meta/recipes-graphics/xorg-lib/libxcb_1.15.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-graphics/xorg-lib/libxcb_1.15.bb b/meta/recipes-graphics/xorg-lib/libxcb_1.15.bb index 839577326e..6205030591 100644 ---

Re: [OE-core] [meta-oe][RFC PATCH 1/2] libdecor: initial add recipe

2022-05-31 Thread Markus Volk
I have made some progress in building an image with DISTRO_FEATURE 'wayland' without X11. So far I had the problem that I had to enable x11 DISTRO_FEATURE to build many packages under wayland. So all recipes additionally pulled x11 support. I allowed the base xlibs to build under wayland and

Re: [oe-core][PATCH v2] libavtp: add recipe to be able to use aaf config for alsa-plugins

2022-05-31 Thread Khem Raj
Maybe call the recipe avtp On Tue, May 31, 2022 at 11:36 AM Peter Bergin wrote: > Hi, > > thanks Marcel for bumping this patch again! > > On 2022-05-31 18:38, Khem Raj wrote: > > On Tue, May 31, 2022 at 8:57 AM Marcel Ziswiler > wrote: > >> From: Peter Bergin > >> > >> In order to enable

Re: [oe-core][PATCH v2] libavtp: add recipe to be able to use aaf config for alsa-plugins

2022-05-31 Thread Peter Bergin
Hi, thanks Marcel for bumping this patch again! On 2022-05-31 18:38, Khem Raj wrote: On Tue, May 31, 2022 at 8:57 AM Marcel Ziswiler wrote: From: Peter Bergin In order to enable configuration option aaf (AVTP Audio Format) used for AVB the library libavtp is a dependency but no recipe for

[oe-core][dunfell][PATCH] ncurses: Fix CVE-2022-29458

2022-05-31 Thread Dan Tran
ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library. Backported from the link below, extracting only the relevant changes.

Re: [oe-core][PATCH v2] libavtp: add recipe to be able to use aaf config for alsa-plugins

2022-05-31 Thread Khem Raj
On Tue, May 31, 2022 at 8:57 AM Marcel Ziswiler wrote: > > From: Peter Bergin > > In order to enable configuration option aaf (AVTP Audio Format) > used for AVB the library libavtp is a dependency but no recipe for > this library was present. aaf support for alsa-plugins was > introduced in

Re: [oe-core][PATCHv2] libva-initial: unbreak do_populate_sdk

2022-05-31 Thread Richard Purdie
On Tue, 2022-05-31 at 17:02 +0200, Markus Volk wrote: > For my build libva-initial is empty but libva-initial-dev contains > headers and .pc files That doesn't change my view that it shouldn't create any packages at all though! Cheers, Richard

[oe-core][PATCH v1] gstreamer1.0-plugins-bad: add avtp packageconfig

2022-05-31 Thread Marcel Ziswiler
From: Marcel Ziswiler Add avtp resp. libavtp PACKAGECONFIG. This allows building the GStreamer Audio Video Transport Protocol (AVTP) Plugins. Signed-off-by: Marcel Ziswiler --- End-to-end tested on Verdin iMX8M Plus. Will talk about it at the Embedded World Conference in the TSN & Linux

[oe-core][PATCH v2] libavtp: add recipe to be able to use aaf config for alsa-plugins

2022-05-31 Thread Marcel Ziswiler
From: Peter Bergin In order to enable configuration option aaf (AVTP Audio Format) used for AVB the library libavtp is a dependency but no recipe for this library was present. aaf support for alsa-plugins was introduced in ddf5421331180bc45697511b44cdd4a4e6dda6ff. Signed-off-by: Peter Bergin

Re: [OE-core] [PATCH] json-c: Add ptest for json-c

2022-05-31 Thread Khem Raj
On Mon, May 30, 2022 at 2:36 AM Simone Weiss wrote: > > Also add a script for executing the ptests. All tests were successful on a > trial > run. > > Signed-off-by: Simone Weiß > Signed-off-by: Kai Tomerius > --- > meta/conf/distro/include/ptest-packagelists.inc | 1 + >

[OE-core] [PATCH] rootfs.py: find .ko.zst kernel modules

2022-05-31 Thread Sean Anderson via lists.openembedded.org
With CONFIG_MODULE_COMPRESS_ZSTD enabled, kernel modules will have a .ko.zst extension. This fixes depmod not being run. Fixes: 1b696a45ddb ("rootfs.py: Add check for kernel modules before running depmod") Signed-off-by: Sean Anderson --- meta/lib/oe/rootfs.py | 2 +- 1 file changed, 1

Re: [oe-core][PATCHv2] libva-initial: unbreak do_populate_sdk

2022-05-31 Thread Markus Volk
For my build libva-initial is empty but libva-initial-dev contains headers and .pc files Markus On 31.05.22 at 16:23, richard.pur...@linuxfoundation.org wrote: On Tue, 2022-05-24 at 17:50 +0200, Markus Volk wrote: Error: Problem: package libva-dev-2.14.0-r0.corei7_64 requires

Re: [oe-core][PATCH 1/2] nghttp2: unbreak do_populate_sdk

2022-05-31 Thread Markus Volk
I'm not sure, but since this error happened while trying to build nativesdk-nghttp2, I think the issue is that RDEPENDS are removed for native but not for nativesdk. RDEPENDS:${PN}:class-native = "" Other possible fixes then should be either to remove them also for nativesdk

[OE-core] Yocto Project Status WW22`22

2022-05-31 Thread Stephen Jolley
Current Dev Position: YP 4.1 M1 Next Deadline: 30th May 2022 YP 4.1 M1 Build Next Team Meetings: * Bug Triage meeting Thursday June 2nd 7:30 am PDT ( https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09) *

Re: [OE-core] [PATCH] tiff: Add jbig PACKAGECONFIG and clarify CVE-2022-1210

2022-05-31 Thread Richard Purdie
On Tue, 2022-05-31 at 07:10 -0700, akuster wrote: > > On 5/28/22 12:43, richard.pur...@linuxfoundation.org wrote: > > On Sat, 2022-05-28 at 11:07 -0700, akuster wrote: > > > On 5/28/22 03:05, Richard Purdie wrote: > > > > We never depended upon libjbig so this was never present. Add the > > > >

Re: [oe-core][PATCHv2] libva-initial: unbreak do_populate_sdk

2022-05-31 Thread Richard Purdie
On Tue, 2022-05-24 at 17:50 +0200, Markus Volk wrote: > Error: > Problem: package libva-dev-2.14.0-r0.corei7_64 requires libva-initial-dev, > but none of the providers can be installed > - conflicting requests > - nothing provides libva-initial = 2.14.0-r0 needed by >

Re: [oe-core][PATCH 1/2] nghttp2: unbreak do_populate_sdk

2022-05-31 Thread Richard Purdie
On Tue, 2022-05-24 at 16:49 +0200, Markus Volk wrote: > Error: > Problem 1: package nghttp2-dev-1.47.0-r0.corei7_64 requires nghttp2 = > 1.47.0-r0, but none of the providers can be installed > - conflicting requests > - nothing provides nghttp2-client >= 1.47.0 needed by >

[OE-core] [master][kirkstone][PATCH] ncurses: update to patchlevel 20220423

2022-05-31 Thread Davide Gardenal
CVE: CVE-2022-29458 Signed-off-by: Davide Gardenal --- meta/recipes-core/ncurses/ncurses.inc | 2 +- .../ncurses/{ncurses_6.3.bb => ncurses_6.3+20220423.bb} | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) rename meta/recipes-core/ncurses/{ncurses_6.3.bb

Re: [OE-core] [PATCH] tiff: Add jbig PACKAGECONFIG and clarify CVE-2022-1210

2022-05-31 Thread Armin Kuster
On 5/28/22 12:43, richard.pur...@linuxfoundation.org wrote: On Sat, 2022-05-28 at 11:07 -0700, akuster wrote: On 5/28/22 03:05, Richard Purdie wrote: We never depended upon libjbig so this was never present. Add the PACKAGECONFIG to make this explicit. CVE-2022-1210 is an issue in libjbig so

Re: [OE-core] [PATCH v6] Rust Oe-Selftest implementation

2022-05-31 Thread Luca Ceresoli via lists.openembedded.org
Hi Pgowda, On Wed, 25 May 2022 09:57:48 +0200 "Luca Ceresoli via lists.openembedded.org" wrote: > Pgowda, > > On Tue, 24 May 2022 21:32:58 -0700 > "Pgowda" wrote: > > > The patch implements Rust testing framework similar to other selftest, > > specifically the gcc

Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 29 May 2022 02:00:01 AM HST

2022-05-31 Thread Richard Purdie
On Sun, 2022-05-29 at 02:02 -1000, Steve Sakoman wrote: > Full list: Found 6 unpatched CVEs > CVE-2019-12067 (CVSS3: 6.5 MEDIUM): qemu:qemu-native:qemu-system-native > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067 * > CVE-2020-18974 (CVSS3: 3.3 LOW): nasm:nasm-native >

[OE-core] [meta][dunfell][PATCH] ffmpeg: Fix for CVE-2022-1475

2022-05-31 Thread virendra thakur
From: Virendra Thakur Add patch to fix CVE-2022-1475 Signed-off-by: Virendra Thakur --- .../ffmpeg/ffmpeg/CVE-2022-1475.patch | 36 +++ .../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644

Re: [OE-core] [kirkstone][PATCH v2] libpcre2: upgrade 10.39 -> 10.40

2022-05-31 Thread Marta Rybczynska
On Tue, May 31, 2022 at 10:29 AM Davide Gardenal wrote: > > After a bit of research I found out that the commit that fixes CVE-2022-1587 > (https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0) > is not directly applicable to .39, it needs a compiler update >

Re: [OE-core] [kirkstone][PATCH v2] libpcre2: upgrade 10.39 -> 10.40

2022-05-31 Thread Davide Gardenal
After a bit of research I found out that the commit that fixes CVE-2022-1587 (https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0) is not directly applicable to .39, it needs a compiler update

[OE-core] [kirkstone][PATCH v2] libpcre2: upgrade 10.39 -> 10.40

2022-05-31 Thread Davide Gardenal
Security fixes and update to Unicode property handling. Upstream release notes: https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.40 CVE: CVE-2022-1587 Signed-off-by: Davide Gardenal --- Updates: - v2: change commit message --- .../libpcre/libpcre2/CVE-2022-1586.patch | 58

Re: [OE-core] [kirkstone][PATCH] libpcre2: upgrade 10.39 -> 10.40

2022-05-31 Thread Davide Gardenal
On Mon, May 30, 2022 at 09:08 AM, Steve Sakoman wrote: > > Yes, could you fix the CVE naming issue in kirkstone with a separate > patch, and then resubmit the version bump patch based on this change? I was checking the patch and realized that the CVE number is not wrong (I searched for the