Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 10 Apr 2022 02:00:01 AM HST

2022-04-12 Thread Richard Purdie
I thought I'd update on a quick check through the status of the CVEs this is reporting for master/kirkstone. On Sun, 2022-04-10 at 02:02 -1000, Steve Sakoman wrote: > Branch: master > > Full list: Found 12 unpatched CVEs > CVE-2019-1010238 (CVSS3: 9.8 CRITICAL): pango:pango-native >

[OE-core] [meta-oe][PATCH 6/8] wpa-supplicant: Use upstream defconfig

2022-04-12 Thread Alex Kiernan
The copy of defconfig we were carrying was from 2014 and very out of date; drop it and use the upstream version with appropriate edits for our PACKAGECONFIG. Switch PACKAGECONFIG to using a default (?=) rather than weak default (??=) as per current recommendation. Signed-off-by: Alex Kiernan

[OE-core] [meta-oe][PATCH 7/8] wpa-supplicant: Simplify build/install flow

2022-04-12 Thread Alex Kiernan
The build/install steps for wpa-supplicant support CFLAGS and an install target, so use these rather than attempting to do it manually (which was broken by upstream splitting into build.rules and lib.rules). Note that this installs wpa_passphrase into sbindir rather than bindir. Signed-off-by:

[OE-core] [meta-oe][PATCH 8/8] wpa-supplicant: Package dynamic modules

2022-04-12 Thread Alex Kiernan
If CONFIG_DYNAMIC_EAP_METHODS and some modules are set to `dyn` ensure these are packaged as part of the build. Signed-off-by: Alex Kiernan --- .../wpa-supplicant/wpa-supplicant_2.10.bb | 22 ++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git

[OE-core] [meta-oe][PATCH 2/8] wpa-supplicant: Avoid changing directory in do_install

2022-04-12 Thread Alex Kiernan
Changing directory leads to anyone coming later needing to be explicit in their directory usage as the working directory is no longer ${B}. Signed-off-by: Alex Kiernan --- .../recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)

[OE-core] [meta-oe][PATCH 1/8] wpa-supplicant: Reorder/group following style guide

2022-04-12 Thread Alex Kiernan
Signed-off-by: Alex Kiernan --- .../wpa-supplicant/wpa-supplicant_2.10.bb | 41 ++- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb

[OE-core] [meta-oe][PATCH 3/8] wpa-supplicant: Use PACKAGE_BEFORE_PN/${PN}

2022-04-12 Thread Alex Kiernan
Use PACKAGE_BEFORE_PN for packages which need to capture files early, switch to idiomatic ${PN} for additional packages. Signed-off-by: Alex Kiernan --- .../wpa-supplicant/wpa-supplicant_2.10.bb | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git

[OE-core] [meta-oe][PATCH 4/8] wpa-supplicant: Backport libwpa/clean build fixes

2022-04-12 Thread Alex Kiernan
Enabling CONFIG_BUILD_WPA_CLIENT_SO or CONFIG_NO_WPA_PASSPHRASE does nothing in the released 2.10 wpa-supplicant; backport the fixes for this. Also backport the fixes for `make clean` when `wpa_passphrase` is built. Signed-off-by: Alex Kiernan --- ...options-for-libwpa_client.so-and-wpa.patch |

[OE-core] [meta-oe][PATCH 5/8] wpa-supplicant: Build static library if not DISABLE_STATIC

2022-04-12 Thread Alex Kiernan
Build the static library if the configuration indicates we should. Signed-off-by: Alex Kiernan --- .../wpa-supplicant/wpa-supplicant_2.10.bb | 11 +++ 1 file changed, 11 insertions(+) diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb

[OE-core] [PATCH] git: Ignore CVE-2022-24975

2022-04-12 Thread Richard Purdie
Everyone I've talked to doesn't see this as a major issue. The CVE asks for a documentation improvement on the --mirror option to git clone as deleted content could be leaked into a mirror. For OE's general users/use cases, we wouldn't build or ship docs so this wouldn't affect us. Signed-off-by:

Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 10 Apr 2022 02:00:01 AM HST

2022-04-12 Thread Steve Sakoman
On Tue, Apr 12, 2022 at 12:52 AM Richard Purdie wrote: > > I thought I'd update on a quick check through the status of the CVEs this is > reporting for master/kirkstone. > > On Sun, 2022-04-10 at 02:02 -1000, Steve Sakoman wrote: > > Branch: master > > > > Full list: Found 12 unpatched CVEs > >

[OE-core] [PATCH 2/2] tiff: Add marker for CVE-2022-1056 being fixed

2022-04-12 Thread Richard Purdie
As far as I can tell, the patches being applied also fix CVE-2022-1056 so mark as such. Signed-off-by: Richard Purdie --- ...02-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch | 1 + 1 file changed, 1 insertion(+) diff --git

[OE-core] [PATCH 1/2] qemu: Add fix for CVE-2022-1050

2022-04-12 Thread Richard Purdie
Add a fix queued upstream for the issue in this CVE: """ Guest driver might execute HW commands when shared buffers are not yet allocated. This might happen on purpose (malicious guest) or because some other guest/host address mapping. We need to protect against such case. """ Signed-off-by:

[OE-core] [PATCH] externalsrc/devtool: Fix to work with fixed export function flags handling

2022-04-12 Thread Richard Purdie
If we fix bitbake to correctly handle the cleandirs and fakeroot flags for tasks handled by EXPORT_FUNCTIONS, we break devtool since it only considers these for top level functions. Add in extra code to intercept the cleandirs flags for commonly used sub functions too. [YOCTO #8621]

[OE-core] [meta-oe][PATCH] kernel: Delete unused KERNEL_LOCALVERSION variable

2022-04-12 Thread Alex Kiernan
This has been unused since: commit fb61dc1430f81ae2ee59766ffab8404fd79ff1b1 Author: Richard Purdie Date: Mon Jan 8 21:05:18 2007 + kernel.bbclass: Drop KERNEL_RELEASE variable git-svn-id: https://svn.o-hand.com/repos/poky/trunk@1123 311d38ba-8fff-0310-9ca6-ca027cbcb966

Re: [OE-core] [PATCH v3 1/1] apt: add apt selftest to test signed package feeds

2022-04-12 Thread Alexandre Belloni via lists.openembedded.org
Hello, On 11/04/2022 22:50:36+0200, Ferry Toth wrote: > From: Ferry Toth > > Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow > unsigned repositories by default. > Currently when building images this requirement is worked around by using > [allow-insecure=yes] and >

Re: [OE-core] [PATCH 4/4] libcap: add pam_cap license

2022-04-12 Thread Peter Kjellerstedt
> -Original Message- > From: openembedded-core@lists.openembedded.org > On Behalf Of Konrad Weihmann > Sent: den 12 april 2022 09:10 > To: openembedded-core@lists.openembedded.org > Cc: Konrad Weihmann > Subject: [OE-core] [PATCH 4/4] libcap: add pam_cap license > > If libcap is

Re: [OE-core] [PATCH][dunfell] zlib: backport the fix for CVE-2018-25032

2022-04-12 Thread Ralph Siemsen
On Mon, Apr 11, 2022 at 10:12 PM Steve Sakoman wrote: > What distro is your build machine? On the autobuilder it is using a non > debian distro for the debian build. > > My build machine is Ubuntu, so that is a major difference! My build was also done on Ubuntu. I have just completed a build

[OE-core] [hardknott][PATCH 1/2] qemu: fix CVE-2021-4145

2022-04-12 Thread Sakib Sajal
Fix CVE by backporting relevant patches. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-4145_1.patch | 60 ++ .../qemu/qemu/CVE-2021-4145_2.patch | 83 +++ 3 files changed, 145

[OE-core] [hardknott][PATCH 2/2] qemu: fix CVE-2022-26354

2022-04-12 Thread Sakib Sajal
Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2022-26354.patch| 59 +++ 2 files changed, 60 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch diff --git

[OE-core] Yocto Project Status WW15`22

2022-04-12 Thread Stephen Jolley
Current Dev Position: YP 4.0 rc2 Next Deadline: 29th April 2022 YP 4.0 final release Next Team Meetings: * Bug Triage meeting Thursday Apr.14th 7:30 am PDT (

Re: [OE-core] [yocto] QA notification for completed autobuilder build (yocto-4.0.rc1)

2022-04-12 Thread Teoh, Jay Shen
Hi all, This is the full report for yocto-4.0.rc1: https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults === Summary No high milestone defects. new issue found Bug 14779 - [4.0rc1] Edgerouter can not boot up Bug 14782 - [QA

Re: [OE-core] [yocto] QA notification for completed autobuilder build (yocto-4.0.rc1)

2022-04-12 Thread Richard Purdie
On Tue, 2022-04-12 at 16:20 +, Teoh, Jay Shen wrote: > Hi all, > > This is the full report for yocto-4.0.rc1: > https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults > > === Summary > No high milestone defects. > > new issue

[OE-core] [PATCH v2] ccache: Fix build with gcc12/mips

2022-04-12 Thread Khem Raj
Avoid gcc12 failure to inline function on mips Signed-off-by: Khem Raj --- ...t-Do-not-use-always_inline-with-mips.patch | 33 +++ meta/recipes-devtools/ccache/ccache_4.6.bb| 7 +++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644

[OE-core] [PATCH 1/8] linux-yocto/5.15: arm: poky-tiny cleanup and fixes

2022-04-12 Thread Bruce Ashfield
From: Bruce Ashfield Integrating the following commit(s) to linux-yocto/.: 20dcef87913 versatile: restore explicit CONFIG_ARM 8e63ec2fc66 qemuarm64: cleanup for tiny enablement fa720c009a8 arm-versatile-926ejs: reorg for tiny and preempt-rt 7febff689a8 qemuarma15: fix tiny and

[OE-core] [PATCH 0/8] kernel: consolidated pull request

2022-04-12 Thread Bruce Ashfield
From: Bruce Ashfield Richard, Here's the collection of -stable, fixes and tweaks that I was talking about during the engineering sync on Tuesday. Feel free to take what you want, or just wait on them all until the release is over. It is worth taking the 5.18 -dev and lttng fixes IMHO, since

[OE-core] [PATCH 2/8] linux-yocto/5.15: update to v5.15.33

2022-04-12 Thread Bruce Ashfield
From: Bruce Ashfield Updating linux-yocto/5.15 to the latest korg -stable release that comprises the following commits: 06f50ca83ace Linux 5.15.33 541b7456fc4d PCI: xgene: Revert "PCI: xgene: Use inbound resources for setup" 39fd0cc079c9 coredump: Use the vma snapshot in

[OE-core] [PATCH 4/8] linux-yocto/5.10: base: enable kernel crypto userspace API

2022-04-12 Thread Bruce Ashfield
From: Bruce Ashfield Integrating the following commit(s) to linux-yocto/.: bddb0e4921f base.cfg: enable kernel crypto userspace API Signed-off-by: Alexander Kanavin Signed-off-by: Bruce Ashfield --- meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb | 2 +-

[OE-core] [PATCH 3/8] linux-yocto/5.10: update to v5.10.110

2022-04-12 Thread Bruce Ashfield
From: Bruce Ashfield Updating linux-yocto/5.10 to the latest korg -stable release that comprises the following commits: 3238bffaf992 Linux 5.10.110 cf342cbfb37f PCI: xgene: Revert "PCI: xgene: Use inbound resources for setup" a25864c5bc20 arm64: Do not defer reserve_crashkernel()

[OE-core] [PATCH 6/8] linux-yocto/5.15: kasan: fix BUG: sleeping function called from invalid context

2022-04-12 Thread Bruce Ashfield
From: Bruce Ashfield Integrating the following commit(s) to linux-yocto/5.15: 7ba4cb36fd4f rcu: Avoid alloc_pages() when recording stack f78574dee71e kasan: test: silence intentional read overflow warnings d313cb89b6b1 kasan: arm64: fix pcpu_page_first_chunk crash with

[OE-core] [PATCH 5/8] linux-yocto/5.15: base: enable kernel crypto userspace API

2022-04-12 Thread Bruce Ashfield
From: Bruce Ashfield Integrating the following commit(s) to linux-yocto/.: 645b337371e base.cfg: enable kernel crypto userspace API Signed-off-by: Alexander Kanavin Signed-off-by: Bruce Ashfield --- meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb | 2 +-

[OE-core] [PATCH 8/8] linux-yocto-dev: update to v5.18+

2022-04-12 Thread Bruce Ashfield
From: Bruce Ashfield 5.18-rc2 has been released, so we bump the -dev kernel to allow easier testing of our components against the latest korg. Signed-off-by: Bruce Ashfield --- meta/recipes-kernel/linux/linux-yocto-dev.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git

[OE-core] [PATCH 7/8] lttng-modules: support kernel 5.18+

2022-04-12 Thread Bruce Ashfield
From: Bruce Ashfield Backporting changes from lttng master to support building against the 5.18+ kernel. No changes required to the patches. Once a new -stable 2.13.x is released, we can drop these patches. To enable newer kernel development against the LTS, it is worth pulling these in while we

Re: [OE-core] [PATCH][dunfell] zlib: backport the fix for CVE-2018-25032

2022-04-12 Thread Steve Sakoman
On Tue, Apr 12, 2022 at 6:07 AM Ralph Siemsen wrote: > > On Mon, Apr 11, 2022 at 10:12 PM Steve Sakoman wrote: > > > What distro is your build machine? On the autobuilder it is using a non > > debian distro for the debian build. > > > > My build machine is Ubuntu, so that is a major difference!

Re: [OE-core] [PATCH v3 1/1] apt: add apt selftest to test signed package feeds

2022-04-12 Thread Alexandre Belloni via lists.openembedded.org
On 12/04/2022 23:32:49+0200, Ferry Toth wrote: > Hi > > On 12-04-2022 at 16:16, Alexandre Belloni wrote: > > Hello, > > > > On 11/04/2022 22:50:36+0200, Ferry Toth wrote: > > > From: Ferry Toth > > > > > > Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow > > > unsigned

Re: [OE-core] [PATCH v3 1/1] apt: add apt selftest to test signed package feeds

2022-04-12 Thread Ferry Toth
Hi On 12-04-2022 at 16:16, Alexandre Belloni wrote: Hello, On 11/04/2022 22:50:36+0200, Ferry Toth wrote: From: Ferry Toth Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default. Currently when building images this requirement is worked

Re: [OE-core] [PATCH v3 1/1] apt: add apt selftest to test signed package feeds

2022-04-12 Thread Richard Purdie
On Tue, 2022-04-12 at 23:48 +0200, Alexandre Belloni wrote: > On 12/04/2022 23:32:49+0200, Ferry Toth wrote: > > Hi > > > > On 12-04-2022 at 16:16, Alexandre Belloni wrote: > > > Hello, > > > > > > On 11/04/2022 22:50:36+0200, Ferry Toth wrote: > > > > From: Ferry Toth > > > > > > > > Since

[OE-core] [PATCH] icewm:include imlib2-loaders package

2022-04-12 Thread karn . jye . lau
From: KARN JYE LAU icewm 2.0.0 and above use imlib2 as default rendering engine. Update icewm recipe to include the essential packages for icewm to work properly. Signed-off-by: KARN JYE LAU --- meta-oe/recipes-extended/icewm/icewm_2.9.0.bb | 1 + 1 file changed, 1 insertion(+) diff --git

Re: [OE-core] [PATCH] icewm:include imlib2-loaders package

2022-04-12 Thread Martin Jansa
wrong ML and you probably wanted RDEPENDS:${PN}:append not RDEPENDS:append:${PN} On Tue, Apr 12, 2022 at 8:40 AM wrote: > From: KARN JYE LAU > > icewm 2.0.0 and above use imlib2 as default > rendering engine. Update icewm recipe to include > the essential packages for icewm to work properly.

Re: [OE-core] [PATCH][dunfell] zlib: backport the fix for CVE-2018-25032

2022-04-12 Thread Ralph Siemsen
On Tue, Apr 12, 2022 at 5:49 PM Steve Sakoman wrote: > I added a debug option to the failing command and did another autobuilder run. > > You can see the output here: > > https://errors.yoctoproject.org/Errors/Details/654608/ Okay, same error, "Hash Sum mismatch". And if I squint between all

Re: [OE-core] [PATCH v3 1/1] apt: add apt selftest to test signed package feeds

2022-04-12 Thread Ferry Toth
Hi, On 12-04-2022 at 23:51, Richard Purdie wrote: On Tue, 2022-04-12 at 23:48 +0200, Alexandre Belloni wrote: On 12/04/2022 23:32:49+0200, Ferry Toth wrote: Hi On 12-04-2022 at 16:16, Alexandre Belloni wrote: Hello, On 11/04/2022 22:50:36+0200, Ferry Toth wrote: From: Ferry Toth Since

[OE-core] [hardknott][PATCH] libsdl2: fix CVE-2021-33657

2022-04-12 Thread Changqing Li
From: Changqing Li Signed-off-by: Changqing Li --- meta/recipes-graphics/libsdl2/libsdl2_2.0.14.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.14.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.14.bb index 54556abb27..28b3b20beb 100644 ---

Re: [OE-core] [PATCH v3 1/1] apt: add apt selftest to test signed package feeds

2022-04-12 Thread Alexandre Belloni via lists.openembedded.org
On 13/04/2022 00:20:40+0200, Ferry Toth wrote: > Hi, > > On 12-04-2022 at 23:51, Richard Purdie wrote: > > On Tue, 2022-04-12 at 23:48 +0200, Alexandre Belloni wrote: > > > On 12/04/2022 23:32:49+0200, Ferry Toth wrote: > > > > Hi > > > > > > > > Op 12-04-2022 om 16:16 schreef Alexandre

Re: [OE-core] [PATCH v2 2/2] pango: Upgrade to 1.50.6

2022-04-12 Thread Alexandre Belloni via lists.openembedded.org
Hi Khem, On 10/04/2022 16:16:59-0700, Khem Raj wrote: > Changes in this release [1] > > [1] > https://github.com/GNOME/pango/commit/37a427018c92a2bc679ef104097e07a619609c9c New ptest failures with this release:

Re: [OE-core] [PATCH] icewm:include imlib2-loaders package

2022-04-12 Thread Martin Jansa
Or just add it in the line above and save bitbake some work with the append. On Tue, Apr 12, 2022 at 8:44 AM Martin Jansa via lists.openembedded.org wrote: > wrong ML and you probably wanted RDEPENDS:${PN}:append not > RDEPENDS:append:${PN} > > On Tue, Apr 12, 2022 at 8:40 AM wrote: > >> From:

[OE-core] [PATCH 1/4] kern-tools-native: add missing license

2022-04-12 Thread Konrad Weihmann
Add the Kconfiglib license, as this was missing before. Add MIT identifier to LICENSE Signed-off-by: Konrad Weihmann --- meta/recipes-kernel/kern-tools/kern-tools-native_git.bb | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git

[OE-core] [PATCH 2/4] gmp: add missing COPYINGv3

2022-04-12 Thread Konrad Weihmann
add COPYINGv3 license text to LIC_FILES_CHKSUM Signed-off-by: Konrad Weihmann --- meta/recipes-support/gmp/gmp_6.2.1.bb | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/meta/recipes-support/gmp/gmp_6.2.1.bb b/meta/recipes-support/gmp/gmp_6.2.1.bb index

[OE-core] [PATCH 3/4] itstool: add missing COPYING.GPL3

2022-04-12 Thread Konrad Weihmann
to LIC_FILES_CHKSUM. Format the list for better readability. Remove useless line continuation from SRC_URI Signed-off-by: Konrad Weihmann --- meta/recipes-support/itstool/itstool_2.0.7.bb | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git

[OE-core] [PATCH 4/4] libcap: add pam_cap license

2022-04-12 Thread Konrad Weihmann
If libcap is compiled with pam in PACKAGECONFIG one additional license text becomes effective, add that as a conditional Signed-off-by: Konrad Weihmann --- meta/recipes-support/libcap/libcap_2.63.bb | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git