[OE-core] [PATCH] python3-pycairo:upgrade 1.18.1 -> 1.18.2
Signed-off-by: Zang Ruochen --- .../{python3-pycairo_1.18.1.bb => python3-pycairo_1.18.2.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-devtools/python/{python3-pycairo_1.18.1.bb => python3-pycairo_1.18.2.bb} (84%) diff --git a/meta/recipes-devtools/python/python3-pycairo_1.18.1.bb b/meta/recipes-devtools/python/python3-pycairo_1.18.2.bb similarity index 84% rename from meta/recipes-devtools/python/python3-pycairo_1.18.1.bb rename to meta/recipes-devtools/python/python3-pycairo_1.18.2.bb index 5aaa01a00a..3aedf3d142 100644 --- a/meta/recipes-devtools/python/python3-pycairo_1.18.1.bb +++ b/meta/recipes-devtools/python/python3-pycairo_1.18.2.bb @@ -13,8 +13,8 @@ DEPENDS = "cairo python3" SRC_URI = "https://github.com/pygobject/pycairo/releases/download/v${PV}/pycairo-${PV}.tar.gz"; UPSTREAM_CHECK_URI = "https://github.com/pygobject/pycairo/releases/"; -SRC_URI[md5sum] = "7610da8a40a7bed548991aa3416431d1" -SRC_URI[sha256sum] = "70172e58b6bad7572a3518c26729b074acdde15e6fee6cbab6d3528ad552b786" +SRC_URI[md5sum] = "be2ba51f234270dec340f28f1695a95e" +SRC_URI[sha256sum] = "dcb853fd020729516e8828ad364084e752327d4cff8505d20b13504b32b16531" S = "${WORKDIR}/pycairo-${PV}" -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH V2] go: fix CVE-2019-17596
https://github.com/golang/go/commit/2017d88dbc096381d4f348d2fb08bfb3c2b7ed73 Signed-off-by: Hongxu Jia --- meta/recipes-devtools/go/go-1.12.inc | 1 + .../go/go-1.12/0010-fix-CVE-2019-17596.patch | 42 +++ 2 files changed, 43 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.12/0010-fix-CVE-2019-17596.patch diff --git a/meta/recipes-devtools/go/go-1.12.inc b/meta/recipes-devtools/go/go-1.12.inc index ed14b175e6..6aecaad75d 100644 --- a/meta/recipes-devtools/go/go-1.12.inc +++ b/meta/recipes-devtools/go/go-1.12.inc @@ -17,6 +17,7 @@ SRC_URI += "\ file://0007-cmd-go-make-GOROOT-precious-by-default.patch \ file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \ +file://0010-fix-CVE-2019-17596.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.12/0010-fix-CVE-2019-17596.patch b/meta/recipes-devtools/go/go-1.12/0010-fix-CVE-2019-17596.patch new file mode 100644 index 00..134cfab737 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.12/0010-fix-CVE-2019-17596.patch 
@@ -0,0 +1,42 @@
+From f1783e1ce44a86c000a7c380a57a805c89c3efbe Mon Sep 17 00:00:00 2001
+From: Katie Hockman
+Date: Mon, 14 Oct 2019 16:42:21 -0400
+Subject: [PATCH] crypto/dsa: prevent bad public keys from causing panic
+
+dsa.Verify might currently use a nil s inverse in a
+multiplication if the public key contains a non-prime Q,
+causing a panic. Change this to check that the mod
+inverse exists before using it.
+
+Fixes CVE-2019-17596
+
+Change-Id: I94d5f3cc38f1b5d52d38dcb1d253c71b7fd1cae7
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/572809
+Reviewed-by: Filippo Valsorda
+(cherry picked from commit 9119dfb0511326d4485b248b83d4fde19c95d0f7)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/575232
+
+CVE: CVE-2019-17596
+Upstream-Status: Backport [https://github.com/golang/go/commit/2017d88dbc096381d4f348d2fb08bfb3c2b7ed73]
+Signed-off-by: Hongxu Jia
+---
+ src/crypto/dsa/dsa.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/crypto/dsa/dsa.go b/src/crypto/dsa/dsa.go
+index 575314b..2fc4f1f 100644
+--- a/src/crypto/dsa/dsa.go b/src/crypto/dsa/dsa.go
+@@ -279,6 +279,9 @@ func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
+ }
+
+ w := new(big.Int).ModInverse(s, pub.Q)
++ if w == nil {
++ return false
++ }
+
+ n := pub.Q.BitLen()
+ if n&7 != 0 {
+--
+2.23.0
+
-- 2.17.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
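Review bot: The `if w == nil` guard added to `Verify` in the embedded dsa.go hunk has no comment saying when `ModInverse` returns nil, and the backport's diffstat (one file, three insertions) shows that no regression test comes with it. A why-comment such as `// ModInverse returns nil when s has no inverse mod pub.Q, e.g. a non-prime Q in an untrusted public key.` would keep the check from looking redundant to a later reader. As this is a verbatim upstream backport, the comment may be better proposed upstream than carried locally. `Verify` starts and ends outside the hunk, and the same hunk appears in the earlier [PATCH] posting of this change.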
[OE-core] ✗ patchtest: failure for go: fix CVE-2019-17596
== Series Details == Series: go: fix CVE-2019-17596 Revision: 1 URL : https://patchwork.openembedded.org/series/20914/ State : failure == Summary == Thank you for submitting this patch series to OpenEmbedded Core. This is an automated response. Several tests have been executed on the proposed series by patchtest resulting in the following failures: * Issue: Series does not apply on top of target branch [test_series_merge_on_head] Suggested fix: Rebase your series on top of targeted branch. Targeted branch: master (currently at ab661f96e2) If you believe any of these test results are incorrect, please reply to the mailing list (openembedded-core@lists.openembedded.org) raising your concerns. Otherwise we would appreciate you correcting the issues and submitting a new version of the patchset if applicable. Please ensure you add/increment the version number when sending the new version (i.e. [PATCH] -> [PATCH v2] -> [PATCH v3] -> ...). --- Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] go: fix CVE-2019-17596
https://github.com/golang/go/commit/2017d88dbc096381d4f348d2fb08bfb3c2b7ed73 Signed-off-by: Hongxu Jia --- meta/recipes-devtools/go/go-1.12.inc | 1 + .../go/go-1.12/0010-fix-CVE-2019-17596.patch | 42 +++ 2 files changed, 43 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.12/0010-fix-CVE-2019-17596.patch diff --git a/meta/recipes-devtools/go/go-1.12.inc b/meta/recipes-devtools/go/go-1.12.inc index 39157ff882..34be06eff3 100644 --- a/meta/recipes-devtools/go/go-1.12.inc +++ b/meta/recipes-devtools/go/go-1.12.inc @@ -16,6 +16,7 @@ SRC_URI += "\ file://0006-cmd-dist-separate-host-and-target-builds.patch \ file://0007-cmd-go-make-GOROOT-precious-by-default.patch \ file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ +file://0010-fix-CVE-2019-17596.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.12/0010-fix-CVE-2019-17596.patch b/meta/recipes-devtools/go/go-1.12/0010-fix-CVE-2019-17596.patch new file mode 100644 index 00..134cfab737 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.12/0010-fix-CVE-2019-17596.patch 
@@ -0,0 +1,42 @@
+From f1783e1ce44a86c000a7c380a57a805c89c3efbe Mon Sep 17 00:00:00 2001
+From: Katie Hockman
+Date: Mon, 14 Oct 2019 16:42:21 -0400
+Subject: [PATCH] crypto/dsa: prevent bad public keys from causing panic
+
+dsa.Verify might currently use a nil s inverse in a
+multiplication if the public key contains a non-prime Q,
+causing a panic. Change this to check that the mod
+inverse exists before using it.
+
+Fixes CVE-2019-17596
+
+Change-Id: I94d5f3cc38f1b5d52d38dcb1d253c71b7fd1cae7
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/572809
+Reviewed-by: Filippo Valsorda
+(cherry picked from commit 9119dfb0511326d4485b248b83d4fde19c95d0f7)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/575232
+
+CVE: CVE-2019-17596
+Upstream-Status: Backport [https://github.com/golang/go/commit/2017d88dbc096381d4f348d2fb08bfb3c2b7ed73]
+Signed-off-by: Hongxu Jia
+---
+ src/crypto/dsa/dsa.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/crypto/dsa/dsa.go b/src/crypto/dsa/dsa.go
+index 575314b..2fc4f1f 100644
+--- a/src/crypto/dsa/dsa.go b/src/crypto/dsa/dsa.go
+@@ -279,6 +279,9 @@ func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
+ }
+
+ w := new(big.Int).ModInverse(s, pub.Q)
++ if w == nil {
++ return false
++ }
+
+ n := pub.Q.BitLen()
+ if n&7 != 0 {
+--
+2.23.0
+
-- 2.23.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] python-setuptools: upgrade 41.4.0 -> 41.6.0
Signed-off-by: Zang Ruochen --- meta/recipes-devtools/python/python-setuptools.inc| 4 ++-- ...ython-setuptools_41.4.0.bb => python-setuptools_41.6.0.bb} | 0 ...hon3-setuptools_41.4.0.bb => python3-setuptools_41.6.0.bb} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-devtools/python/{python-setuptools_41.4.0.bb => python-setuptools_41.6.0.bb} (100%) rename meta/recipes-devtools/python/{python3-setuptools_41.4.0.bb => python3-setuptools_41.6.0.bb} (100%) diff --git a/meta/recipes-devtools/python/python-setuptools.inc b/meta/recipes-devtools/python/python-setuptools.inc index 027e259be8..f0f100f2ae 100644 --- a/meta/recipes-devtools/python/python-setuptools.inc +++ b/meta/recipes-devtools/python/python-setuptools.inc @@ -10,8 +10,8 @@ inherit pypi SRC_URI_append_class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch" -SRC_URI[md5sum] = "89a592d733b31e180a4b6ad760c0685a" -SRC_URI[sha256sum] = "7eae782ccf36b790c21bde7d86a4f303a441cd77036b25c559a602cf5186ce4d" +SRC_URI[md5sum] = "5585a55bfc28474ef13cc0b1819c5a46" +SRC_URI[sha256sum] = "6afa61b391dcd16cb8890ec9f66cc4015a8a31a6e1c2b4e0c464514be1a3d722" DEPENDS += "${PYTHON_PN}" diff --git a/meta/recipes-devtools/python/python-setuptools_41.4.0.bb b/meta/recipes-devtools/python/python-setuptools_41.6.0.bb similarity index 100% rename from meta/recipes-devtools/python/python-setuptools_41.4.0.bb rename to meta/recipes-devtools/python/python-setuptools_41.6.0.bb diff --git a/meta/recipes-devtools/python/python3-setuptools_41.4.0.bb b/meta/recipes-devtools/python/python3-setuptools_41.6.0.bb similarity index 100% rename from meta/recipes-devtools/python/python3-setuptools_41.4.0.bb rename to meta/recipes-devtools/python/python3-setuptools_41.6.0.bb -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] ✗ patchtest: failure for add python3-nose to RDEPENDS
== Series Details == Series: add python3-nose to RDEPENDS Revision: 1 URL : https://patchwork.openembedded.org/series/20911/ State : failure == Summary == Thank you for submitting this patch series to OpenEmbedded Core. This is an automated response. Several tests have been executed on the proposed series by patchtest resulting in the following failures: * Patch: add python3-nose to RDEPENDS Issue: Shortlog does not follow expected format [test_shortlog_format] Suggested fix: Commit shortlog (first line of commit message) should follow the format "<target>: <summary>" If you believe any of these test results are incorrect, please reply to the mailing list (openembedded-core@lists.openembedded.org) raising your concerns. Otherwise we would appreciate you correcting the issues and submitting a new version of the patchset if applicable. Please ensure you add/increment the version number when sending the new version (i.e. [PATCH] -> [PATCH v2] -> [PATCH v3] -> ...). --- Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] Yocto Project Newcomer & Unassigned Bugs - Help Needed
All, The triage team is starting to try and collect up and classify bugs which a newcomer to the project would be able to work on in a way which means people can find them. They're being listed on the triage page under the appropriate heading: https://wiki.yoctoproject.org/wiki/Bug_Triage#Newcomer_Bugs The idea is these bugs should be straightforward for a person to help work on who doesn't have deep experience with the project. If anyone can help, please take ownership of the bug and send patches! If anyone needs help/advice there are people on irc who can likely do so, or some of the more experienced contributors will likely be happy to help too. Also, the triage team meets weekly and does its best to handle the bugs reported into the Bugzilla. The number of people attending that meeting has fallen, as has the number of people available to help fix bugs. One of the things we hear users report is they don't know how to help. We (the triage team) are therefore going to start reporting out the currently 298 unassigned or newcomer bugs. We're hoping people may be able to spare some time now and again to help out with these. Bugs are split into two types, "true bugs" where things don't work as they should and "enhancements" which are features we'd want to add to the system. There are also roughly four different "priority" classes right now, “3.1”, “3.2”, "3.99" and "Future", the more pressing/urgent issues being in "3.1" and then “3.2”. Please review this link and if a bug is something you would be able to help with either take ownership of the bug, or send me (sjolley.yp...@gmail.com) an e-mail with the bug number you would like and I will assign it to you (please make sure you have a Bugzilla account). The list is at: https://wiki.yoctoproject.org/wiki/Bug_Triage#Unassigned_or_Newcomer_Bugs Thanks, *Stephen K. 
Jolley* *Yocto Project Program Manager* *7867 SW Bayberry Dr., Beaverton, OR 97007* (*Cell*:(208) 244-4460 * *Email*: *s jolley.yp...@gmail.com * -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH V2] python3-git: add python3-nose to RDEPENDS
$>>> import git.test.lib Traceback (most recent call last): File "", line 1, in File "/usr/lib/python3/dist-packages/git/test/lib/__init__.py", line 9, in from .asserts import * File "/usr/lib/python3/dist-packages/git/test/lib/asserts.py", line 10, in from nose.tools import ( ModuleNotFoundError: No module named 'nose' Signed-off-by: Hongxu Jia --- meta/recipes-devtools/python/python3-git_3.0.2.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/python/python3-git_3.0.2.bb b/meta/recipes-devtools/python/python3-git_3.0.2.bb index 9dd753db4f..7c6cda8cd4 100644 --- a/meta/recipes-devtools/python/python3-git_3.0.2.bb +++ b/meta/recipes-devtools/python/python3-git_3.0.2.bb @@ -27,6 +27,7 @@ RDEPENDS_${PN} += " \ ${PYTHON_PN}-stringold \ ${PYTHON_PN}-unittest \ ${PYTHON_PN}-unixadmin \ + ${PYTHON_PN}-nose \ git \ " -- 2.17.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
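Review bot: The added `${PYTHON_PN}-nose` line makes a test-only module a runtime dependency of every image that installs python3-git, although the traceback in the description shows nose is needed only when `git.test.lib` is imported. Consider packaging `git/test` separately and attaching the dependency there, for example `RDEPENDS_${PN}-ptest += "${PYTHON_PN}-nose"` if a ptest split fits this recipe, so that production images do not pull in a package used only by the test helpers. The `RDEPENDS_${PN}` assignment begins above the hunk, and the same hunk appears in the first [PATCH] posting of this change.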
[OE-core] [PATCH] add python3-nose to RDEPENDS
$>>> import git.test.lib Traceback (most recent call last): File "", line 1, in File "/usr/lib/python3/dist-packages/git/test/lib/__init__.py", line 9, in from .asserts import * File "/usr/lib/python3/dist-packages/git/test/lib/asserts.py", line 10, in from nose.tools import ( ModuleNotFoundError: No module named 'nose' Signed-off-by: Hongxu Jia --- meta/recipes-devtools/python/python3-git_3.0.2.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/python/python3-git_3.0.2.bb b/meta/recipes-devtools/python/python3-git_3.0.2.bb index 9dd753db4f..7c6cda8cd4 100644 --- a/meta/recipes-devtools/python/python3-git_3.0.2.bb +++ b/meta/recipes-devtools/python/python3-git_3.0.2.bb @@ -27,6 +27,7 @@ RDEPENDS_${PN} += " \ ${PYTHON_PN}-stringold \ ${PYTHON_PN}-unittest \ ${PYTHON_PN}-unixadmin \ + ${PYTHON_PN}-nose \ git \ " -- 2.23.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] perf: Add /scripts to sources
On Mon, Nov 4, 2019 at 5:56 PM Daniel Díaz wrote: > > Hello! > > On Thu, 24 Oct 2019 at 13:34, Daniel Díaz wrote: > > As of linux-next-20191022, we need bpf_helpers_doc.py in order to > > build libbpf, which lives in /scripts. Otherwise, do_compile fails > > with: > > | /bin/sh: 1: > > /oe/build/tmp/work/machine-triplet/perf/1.0-r9/perf-1.0/scripts/bpf_helpers_doc.py: > > not found > > | Makefile:184: recipe for target 'bpf_helper_defs.h' failed > > > > See commit e01a75c159691 ("libbpf: Move bpf_{helpers, helper_defs, > > endian, tracing}.h into libbpf") from linux-next. > > > > Signed-off-by: Daniel Díaz > > --- > > meta/recipes-kernel/perf/perf.bb | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/meta/recipes-kernel/perf/perf.bb > > b/meta/recipes-kernel/perf/perf.bb > > index 8201c0cb60..a463eebc52 100644 > > --- a/meta/recipes-kernel/perf/perf.bb > > +++ b/meta/recipes-kernel/perf/perf.bb > > @@ -113,6 +113,7 @@ PERF_SRC ?= "Makefile \ > > tools/Makefile \ > > tools/perf \ > > tools/scripts \ > > + scripts \ > > " > > > > PERF_EXTRA_LDFLAGS = "" > > -- > > 2.20.1 > > Ping. I just went through trying to reduce the amount of source that we copy for perf, since it has often ended up causing us maintenance pain. Can we just copy the one script we need, versus a complete copy of the directory ? My patch from a few weeks ago, makes it safe to copy a single file, so it should be doable. Cheers, Bruce > > Daniel Díaz > daniel.d...@linaro.org > -- > ___ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] ell: update to 0.26
This has API changes that will break iwd On Thu, Oct 31, 2019 at 10:23 AM Oleksandr Kravchuk wrote: > > Changelog: > - Fix issue with memory leak and TLS certificates > - Fix issue with buffer size and TLS PRF handling > - Add support for D-Bus non-root ObjectManager > > Signed-off-by: Oleksandr Kravchuk > --- > meta/recipes-core/ell/{ell_0.25.bb => ell_0.26.bb} | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > rename meta/recipes-core/ell/{ell_0.25.bb => ell_0.26.bb} (83%) > > diff --git a/meta/recipes-core/ell/ell_0.25.bb > b/meta/recipes-core/ell/ell_0.26.bb > similarity index 83% > rename from meta/recipes-core/ell/ell_0.25.bb > rename to meta/recipes-core/ell/ell_0.26.bb > index f6201f9bf6..f1f252ce4f 100644 > --- a/meta/recipes-core/ell/ell_0.25.bb > +++ b/meta/recipes-core/ell/ell_0.26.bb > @@ -14,8 +14,8 @@ DEPENDS = "dbus" > inherit autotools pkgconfig > > SRC_URI = > "https://mirrors.edge.kernel.org/pub/linux/libs/${BPN}/${BPN}-${PV}.tar.xz"; > -SRC_URI[md5sum] = "8a8adc712718c770a72e4df6c9855c26" > -SRC_URI[sha256sum] = > "7f2be568219d991d566ca50c58a56e69df9a248619fed758dcd9a4b04e655e5b" > +SRC_URI[md5sum] = "4660e25541071e933a2bb02ef2f94e7d" > +SRC_URI[sha256sum] = > "7855b4b8f271ba6ee67d87d0965b975a9a8dbeaa616665ca2248afa3b5fcbc77" > > do_configure_prepend () { > mkdir -p ${S}/build-aux > -- > 2.17.1 > > -- > ___ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] perf: Add /scripts to sources
Hello! On Thu, 24 Oct 2019 at 13:34, Daniel Díaz wrote: > As of linux-next-20191022, we need bpf_helpers_doc.py in order to > build libbpf, which lives in /scripts. Otherwise, do_compile fails > with: > | /bin/sh: 1: > /oe/build/tmp/work/machine-triplet/perf/1.0-r9/perf-1.0/scripts/bpf_helpers_doc.py: > not found > | Makefile:184: recipe for target 'bpf_helper_defs.h' failed > > See commit e01a75c159691 ("libbpf: Move bpf_{helpers, helper_defs, > endian, tracing}.h into libbpf") from linux-next. > > Signed-off-by: Daniel Díaz > --- > meta/recipes-kernel/perf/perf.bb | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/recipes-kernel/perf/perf.bb > b/meta/recipes-kernel/perf/perf.bb > index 8201c0cb60..a463eebc52 100644 > --- a/meta/recipes-kernel/perf/perf.bb > +++ b/meta/recipes-kernel/perf/perf.bb > @@ -113,6 +113,7 @@ PERF_SRC ?= "Makefile \ > tools/Makefile \ > tools/perf \ > tools/scripts \ > + scripts \ > " > > PERF_EXTRA_LDFLAGS = "" > -- > 2.20.1 Ping. Daniel Díaz daniel.d...@linaro.org -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH v6] mesa: Upgrade to 19.2.1
From: Alistair Francis Upgrade mesa and mesa-gl to 19.2.1. The license hash change was a trivial new line removal. The glx-tls option was removed as it isn't included in the meson.build file. It has been replaced with 'use-elf-tls' instead. The -Dasm=false was removed as it also is no longer included. Signed-off-by: Alistair Francis Signed-off-by: Alistair Francis Acked-by: Otavio Salvador --- v6: - Rebase on master v4: - Add a patch (first patch in the series) to fix libsdl2 build v3: - Fix missing Upstream-Status v2: - Add back "make TLS ELF optional" patch ...02-meson.build-make-TLS-ELF-optional.patch | 48 + ...on.build-make-TLS-GLX-optional-again.patch | 52 --- .../{mesa-gl_19.1.6.bb => mesa-gl_19.2.1.bb} | 0 meta/recipes-graphics/mesa/mesa.inc | 15 +++--- .../mesa/{mesa_19.1.6.bb => mesa_19.2.1.bb} | 6 +-- 5 files changed, 57 insertions(+), 64 deletions(-) create mode 100644 meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch delete mode 100644 meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-GLX-optional-again.patch rename meta/recipes-graphics/mesa/{mesa-gl_19.1.6.bb => mesa-gl_19.2.1.bb} (100%) rename meta/recipes-graphics/mesa/{mesa_19.1.6.bb => mesa_19.2.1.bb} (77%) diff --git a/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch b/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch new file mode 100644 index 00..c3b5e14cd6 --- /dev/null +++ b/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch 
@@ -0,0 +1,48 @@ +From edd03b8ea66ccf81b0c1d27868756d06e2d177ab Mon Sep 17 00:00:00 2001 +From: Alistair Francis +Date: Wed, 23 Oct 2019 09:46:28 -0700 +Subject: [PATCH] meson.build: make TLS ELF optional + +USE_ELF_TLS has replaced GLX_USE_TLS so this patch is the original "make +TLS GLX optional again" patch updated to the latest mesa. + +Upstream-Status: Inappropriate [configuration] +Signed-off-by: Alistair Francis +--- + meson.build | 2 +- + meson_options.txt | 6 ++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/meson.build b/meson.build +index 7992734..06653fe 100644 +--- a/meson.build b/meson.build +@@ -378,7 +378,7 @@ if with_egl and not (with_platform_drm or with_platform_surfaceless or with_plat + endif + + # Android uses emutls for versions <= P/28. For USE_ELF_TLS we need ELF TLS. +-if not with_platform_android or get_option('platform-sdk-version') >= 29 ++if (not with_platform_android or get_option('platform-sdk-version') >= 29) and get_option('elf-tls') + pre_args += '-DUSE_ELF_TLS' + endif + +diff --git a/meson_options.txt b/meson_options.txt +index 188e132..ddd47b7 100644 +--- a/meson_options.txt b/meson_options.txt +@@ -339,6 +339,12 @@ option( + value : true, + description : 'Enable direct rendering in GLX and EGL for DRI', + ) ++option( ++ 'elf-tls', ++ type : 'boolean', ++ value : true, ++ description : 'Enable TLS support in ELF', ++) + option( + 'I-love-half-baked-turnips', + type : 'boolean', +-- +2.23.0 + diff --git a/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-GLX-optional-again.patch b/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-GLX-optional-again.patch deleted file mode 100644 index 641bacf1d9..00 --- a/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-GLX-optional-again.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From cee8e48c5344124e5d84307cb0c48ee0c9b3e684 Mon Sep 17 00:00:00 2001 -From: Fabio Berton -Date: Wed, 12 Jun 2019 14:15:57 -0300 -Subject: [PATCH] meson.build: make TLS GLX optional again -Organization: O.S. Systems Software LTDA. - -This was optional with autotools, and needs to be disabled -when using musl C library, for instance. - -Upstream-Status: Pending - -Signed-off-by: Alexander Kanavin -Signed-off-by: Fabio Berton -Signed-off-by: Otavio Salvador - meson.build | 4 +++- - meson_options.txt | 7 +++ - 2 files changed, 10 insertions(+), 1 deletion(-) - -diff --git a/meson.build b/meson.build -index b33b430aed4..0e50bb26c0a 100644 a/meson.build -+++ b/meson.build -@@ -369,7 +369,9 @@ if with_egl and not (with_platform_drm or with_platform_surfaceless or with_plat - endif - endif - --pre_args += '-DGLX_USE_TLS' -+if get_option('glx-tls') -+ pre_args += '-DGLX_USE_TLS' -+endif - if with_glx != 'disabled' - if not (with_platform_x11 and with_any_opengl) - error('Cannot build GLX support without X11 platform support and at least one OpenGL API') -diff --git a/meson_options.txt b/meson_options.txt -index 1f72faabee8..fcd49efea27 100644 a/meson_options.txt -+++ b/meson_options.txt -@@ -339,6 +339,13 @@ option( - value : true, - description : 'Enable direct rendering in GLX and EGL for DRI', - ) -+option( -+ 'glx-tls', -+ type : 'boolean', -+ value : true, -+ description : 'Enable TLS support in GLX', -+) -+ - option( - 'I
Re: [OE-core] [PATCH 3/6] oe-selftest: extend virgl gtk test to also check the SDL option
On Sat, 2 Nov 2019 at 23:29, Alexander Kanavin wrote: > Same failures on the Debian 10 worker: > >> >>> https://autobuilder.yoctoproject.org/typhoon/#/builders/56/builds/778 >>> >> >> runqemu - ERROR - Failed to run qemu: Xlib: extension "RANDR" missing on >> display ":1". >> qemu-system-x86_64: ../libepoxy-1.5.3/src/dispatch_common.c:863: >> epoxy_get_proc_address: Assertion `0 && "Couldn't find current GLX or EGL >> context.\n"' failed. >> >> Thanks - the Gtk part is passing fine, so it's something SDL does that >> upsets the X/GL stack on the Debian 10 host. >> I am reluctant to disable the SDL part of the virgl tests on Debian 10, >> as it is a new distro (unlike centos 7). >> >> I'll try to see if I can run Debian 10 in a VM here and try to reproduce. >> Or is it possible to debug directly on a Debian 10 worker? >> > > So I actually went ahead, and installed Debian 10 into a qemu image, then > transferred a pre-populated build directory into it, and ran runqemu there > against tigervnc (hurray for the nested kvm feature!). > > Both 'runqemu kvm sdl gl' and 'runqemu kvm gtk gl' work fine, including > running kmscube! > > So I'd like to see what packages are installed on the Debian 10 worker vs. > my Debian 10 installation. > > Can you issue 'dpkg -l' on the worker, and send me the output, please? > Maybe something is missing? > After additional digging I reproduced this. The culprit is the outdated VNC server implementation that runs on the Debian 10 autobuilder (and maybe others as well). Specifically, it's tightvncserver, where all Linux development has ceased 10 years ago (!). https://www.tightvnc.com/ If you replace that with tigervnc (a modern, supported fork of tightvnc), then the tests pass fine. https://tigervnc.org/ As Fedora has already obsoleted tightvnc in favor of tigervnc, I think we should do the same on all debian machines (debian provides both tightvnc and tigervnc, but treats them as equal). 
https://src.fedoraproject.org/rpms/tightvnc/blob/master/f/dead.package I also checked that tightvnc is not available for opensuse either. Alex -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH v2] insane: file-rdeps: Readability only
On 4/11/19 11:29 PM, Richard Purdie wrote: On Mon, 2019-11-04 at 17:52 +1300, Douglas Royds via Openembedded-core wrote: Mostly just longer (and hopefully more meaningful) variable names. "Mostly" - what else is in there? Readability changes only. * Longer variable names * Reworded some comments * Some extra blank lines (as visual paragraph breaks) I replaced this comment + hard-coded string-length: # We already know it starts with FILERDEPENDS_ filerdepends[subkey] = key[13:] With this one-liner: unsatisfied_rdepends[target_dependency] = executable_that_rdepends[len('FILERDEPENDS_'):] -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] lz4: Whitelist CVE-2014-4715
Signed-off-by: Adrian Bunk --- meta/recipes-support/lz4/lz4_1.9.2.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-support/lz4/lz4_1.9.2.bb b/meta/recipes-support/lz4/lz4_1.9.2.bb index f0a8416a96..ed4452c82e 100644 --- a/meta/recipes-support/lz4/lz4_1.9.2.bb +++ b/meta/recipes-support/lz4/lz4_1.9.2.bb @@ -18,6 +18,9 @@ UPSTREAM_CHECK_GITTAGREGEX = "v(?P.*)" S = "${WORKDIR}/git" +# Fixed in r118, which is larger than the current version. +CVE_CHECK_WHITELIST += "CVE-2014-4715" + EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir}" do_install() { -- 2.17.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
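Review bot: The comment above `CVE_CHECK_WHITELIST` says only that r118 is "larger than the current version", which does not tell a later reader that 1.9.2 already contains the fix. If the reasoning is that the old rNNN release names sort after x.y.z versions in the checker, it would be clearer to say so, e.g. `# Fixed in r118, which predates 1.9.2; the checker just sorts "r118" above "1.9.2".` The whitelist entry is keyed on the CVE id alone and stays in effect across future upgrades of this recipe, so the full rationale is worth recording next to it.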
[OE-core] [PATCH] iputils: Whitelist CVE-2000-1213 CVE-2000-1214
Signed-off-by: Adrian Bunk --- meta/recipes-extended/iputils/iputils_s20190709.bb | 4 1 file changed, 4 insertions(+) diff --git a/meta/recipes-extended/iputils/iputils_s20190709.bb b/meta/recipes-extended/iputils/iputils_s20190709.bb index d8f2470d0c..3f9e9917f0 100644 --- a/meta/recipes-extended/iputils/iputils_s20190709.bb +++ b/meta/recipes-extended/iputils/iputils_s20190709.bb @@ -17,6 +17,10 @@ S = "${WORKDIR}/git" UPSTREAM_CHECK_GITTAGREGEX = "(?Ps\d+)" +# Fixed in 2000-10-10, but the versioning of iputils +# breaks the version order. +CVE_CHECK_WHITELIST += "CVE-2000-1213 CVE-2000-1214" + PACKAGECONFIG ??= "libcap libgcrypt rarpd traceroute6" PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false, libcap" PACKAGECONFIG[libgcrypt] = "-DUSE_CRYPTO=gcrypt, -DUSE_CRYPTO=none, libgcrypt" -- 2.17.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH v2] python3: Upgrade 3.7.4 -> 3.7.5
Backported patches removed. Signed-off-by: Adrian Bunk --- v2: Rebased to master. --- ...lib-as-location-for-site-packages-an.patch | 2 +- ...nt-parse-domains-containing-GH-13079.patch | 132 -- server-Escape-the-server_title-GH-1.patch | 86 ...asename-to-replace-CC-for-checking-c.patch | 2 +- .../{python3_3.7.4.bb => python3_3.7.5.bb}| 6 +- 5 files changed, 4 insertions(+), 224 deletions(-) delete mode 100644 meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch delete mode 100644 meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch rename meta/recipes-devtools/python/{python3_3.7.4.bb => python3_3.7.5.bb} (97%) diff --git a/meta/recipes-devtools/python/python3/0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch b/meta/recipes-devtools/python/python3/0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch index 661f52d01f..ea75262c4f 100644 --- a/meta/recipes-devtools/python/python3/0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch +++ b/meta/recipes-devtools/python/python3/0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch @@ -70,7 +70,7 @@ index 6e81b2f..671a20e 100644 Programs/python.o: $(srcdir)/Programs/python.c @@ -856,7 +857,7 @@ regen-opcode: - Python/compile.o Python/symtable.o Python/ast_unparse.o Python/ast.o: $(srcdir)/Include/graminit.h $(srcdir)/Include/Python-ast.h + Python/compile.o Python/symtable.o Python/ast_unparse.o Python/ast.o Python/future.o Parser/parsetok.o: $(srcdir)/Include/graminit.h $(srcdir)/Include/Python-ast.h Python/getplatform.o: $(srcdir)/Python/getplatform.c - $(CC) -c $(PY_CORE_CFLAGS) -DPLATFORM='"$(MACHDEP)"' -o $@ $(srcdir)/Python/getplatform.c 
diff --git a/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch b/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch deleted file mode 100644 index 319e7ed07e..00 --- a/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -From 90d56127ae15b1e452755e62c77dc475dedf7161 Mon Sep 17 00:00:00 2001 -From: jpic -Date: Wed, 17 Jul 2019 23:54:25 +0200 -Subject: [PATCH] bpo-34155: Dont parse domains containing @ (GH-13079) - -Before: - ->>> email.message_from_string('From: a...@malicious.org@important.com', policy=email.policy.default)['from'].addresses -(Address(display_name='', username='a', domain='malicious.org'),) - ->>> parseaddr('a...@malicious.org@important.com') -('', 'a...@malicious.org') - -After: - ->>> email.message_from_string('From: a...@malicious.org@important.com', policy=email.policy.default)['from'].addresses -(Address(display_name='', username='', domain=''),) - ->>> parseaddr('a...@malicious.org@important.com') -('', 'a@') - -https://bugs.python.org/issue34155 - -Upstream-Status: Backport [https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9] - -CVE: CVE-2019-16056 - -Signed-off-by: Chen Qi - Lib/email/_header_value_parser.py | 2 ++ - Lib/email/_parseaddr.py| 11 ++- - Lib/test/test_email/test__header_value_parser.py | 10 ++ - Lib/test/test_email/test_email.py | 14 ++ - .../2019-05-04-13-33-37.bpo-34155.MJll68.rst | 1 + - 5 files changed, 37 insertions(+), 1 deletion(-) - create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst - -diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py -index fc00b4a098..bbc026ec71 100644 a/Lib/email/_header_value_parser.py -+++ b/Lib/email/_header_value_parser.py -@@ -1582,6 +1582,8 @@ def get_domain(value): - token, value = get_dot_atom(value) - except errors.HeaderParseError: - token, value = get_atom(value) -+if value and value[0] == '@': -+raise errors.HeaderParseError('Invalid Domain') - if leader is not None: - token[:0] = [leader] - domain.append(token) -diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py -index cdfa3729ad..41ff6f8c00 100644 a/Lib/email/_parseaddr.py -+++ b/Lib/email/_parseaddr.py -@@ -379,7 +379,12 @@ 
class AddrlistClass: - aslist.append('@') - self.pos += 1 - self.gotonext() --return EMPTYSTRING.join(aslist) + self.getdomain() -+domain = self.getdomain() -+if not domain: -+# Invalid domain, return an empty address instead of returning a -+# local part to denote failed parsing. -+return EMPTYSTRING -+return EMPTYSTRING.join(aslist) + domain - - def getdomain(self): - """Get the complete domain name from an address.""" -@@
[OE-core] [PATCH] libpam: set CVE_PRODUCT
Signed-off-by: Ross Burton --- meta/recipes-extended/pam/libpam_1.3.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-extended/pam/libpam_1.3.1.bb b/meta/recipes-extended/pam/libpam_1.3.1.bb index 6b73f0a2fed..a2aa1ecd16b 100644 --- a/meta/recipes-extended/pam/libpam_1.3.1.bb +++ b/meta/recipes-extended/pam/libpam_1.3.1.bb @@ -163,3 +163,5 @@ CONFFILES_${PN}-runtime += "${sysconfdir}/pam.d/common-account" CONFFILES_${PN}-runtime += "${sysconfdir}/security/limits.conf" UPSTREAM_CHECK_URI = "https://github.com/linux-pam/linux-pam/releases"; + +CVE_PRODUCT = "linux-pam" -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
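Review bot: The new `CVE_PRODUCT = "linux-pam"` line has no comment explaining why the product name differs from the recipe name, and the commit message is empty as well. Presumably the CVE database lists this code under linux-pam (the name also used in UPSTREAM_CHECK_URI), so without the override the CVE check would match nothing for libpam and report the recipe as clean. A one-line comment above the assignment, for example `# CVE database entries use the upstream project name, not "libpam"`, would stop a later cleanup from removing it.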
[OE-core] [PATCH] git: update to 2.24.0
Signed-off-by: Oleksandr Kravchuk --- meta/recipes-devtools/git/git_2.23.0.bb | 11 --- meta/recipes-devtools/git/git_2.24.0.bb | 11 +++ 2 files changed, 11 insertions(+), 11 deletions(-) delete mode 100644 meta/recipes-devtools/git/git_2.23.0.bb create mode 100644 meta/recipes-devtools/git/git_2.24.0.bb diff --git a/meta/recipes-devtools/git/git_2.23.0.bb b/meta/recipes-devtools/git/git_2.23.0.bb deleted file mode 100644 index 1539182a90..00 --- a/meta/recipes-devtools/git/git_2.23.0.bb +++ /dev/null @@ -1,11 +0,0 @@ -require git.inc - -EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \ - ac_cv_fread_reads_directories=${ac_cv_fread_reads_directories=yes} \ - " -EXTRA_OEMAKE += "NO_GETTEXT=1" - -SRC_URI[tarball.md5sum] = "203c238ffdcef76f9bd6c67cfbaf949f" -SRC_URI[tarball.sha256sum] = "e3396c90888111a01bf607346db09b0fbf49a95bc83faf9506b61195936f0cfe" -SRC_URI[manpages.md5sum] = "90a72e553de712d798d68b15b57bc928" -SRC_URI[manpages.sha256sum] = "a5b0998f95c2290386d191d34780d145ea67e527fac98541e0350749bf76be75" diff --git a/meta/recipes-devtools/git/git_2.24.0.bb b/meta/recipes-devtools/git/git_2.24.0.bb new file mode 100644 index 00..e9cb382f69 --- /dev/null +++ b/meta/recipes-devtools/git/git_2.24.0.bb @@ -0,0 +1,11 @@ +require git.inc + +EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \ + ac_cv_fread_reads_directories=${ac_cv_fread_reads_directories=yes} \ + " +EXTRA_OEMAKE += "NO_GETTEXT=1" + +SRC_URI[tarball.md5sum] = "ed39361a3ae362c8af852d1a06992bc2" +SRC_URI[tarball.sha256sum] = "ad11030d2eac656ee9e8862f56d1610550f7867181beff814c7712a99192e99d" +SRC_URI[manpages.md5sum] = "57465e83f13ba910a178b717d93958c0" +SRC_URI[manpages.sha256sum] = "ce995f86f441b56ab1fd0788a94786904ae2e2989e7191fd68060003011366d7" -- 2.17.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] libpng: whitelist CVE-2019-17371
On Mon, Nov 04, 2019 at 02:24:08PM +, Ross Burton wrote: > On 04/11/2019 14:01, Adrian Bunk wrote: > > On Mon, Nov 04, 2019 at 12:42:51PM +, Ross Burton wrote: > > > This is actually a memory leak in gif2png 2.x, so whitelist it in the > > > libpng > > > recipe. > > > > > > Signed-off-by: Ross Burton > > > --- > > > meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++ > > > 1 file changed, 3 insertions(+) > > > > > > diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > > > b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > > > index 66af2f3d60e..07970e14360 100644 > > > --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > > > +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb 
> > > @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools" > > > FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix > > > ${bindir}/pngcp" > > > BBCLASSEXTEND = "native nativesdk" > > > + > > > +# CVE-2019-17371 is actually a memory leak in gif2png 2.x > > > +CVE_CHECK_WHITELIST = "CVE-2019-17371" > > > > These should use += to not overwrite whitelists defined by > > the distribution or the user. > > IMHO, the distribution or user should be using _append. The whitelist > should be explicitly per-recipe: there's a CVE which is tagged incorrectly > as being in openssl *and* mod_ssl, we don't want to whitelist it globally > but only in openssl. >... What I had in mind are a distribution-wide cve-whitelist.inc included from the distro conf or using CVE_CHECK_WHITELIST in conf/local.conf, you don't want to start creating dozens of bbappend files in such usecases. This CVE where a change in OpenSSL created a vulnerability in Apache would go to the global whitelist for me when I am not using Apache. In OE it should not be whitelisted in both OpenSSL and Apache, but this is a different situation. > Ross cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] archiver: avoid empty incfile in ar_recipe
Andrei, From: Andrei Gherzan Sent: Friday, November 1, 2019 13:28 To: Grygorii Tertychnyi (gtertych); openembedded-core@lists.openembedded.org Cc: xe-linux-external(mailer list) Subject: Re: [OE-core] [PATCH] archiver: avoid empty incfile in ar_recipe >> do_ar_recipe fails on perf recipe on line: >> >> include ${@bb.utils.contains('PACKAGECONFIG', 'scripting', 'perf-perl.inc', >> '', d)} >> >> 1. "${...}" part expands into empty string >> 2. bb.utils.which() takes empty string and returns first directory name from >> bbpath > This doesn't sound sane. If the include directive has no argument, > incfile should end up None. That's what the code "assumes" at this I agree. > point. I would fix it either at the regex expression level or > stripping the matched string. I reckon the former makes more sense > (.*). Not sure I understand. Archiver class does not interpret "include" directive. It just parses text files. The regular expression looks correct: These lines: 440 elif include_re.match(line): 441 incfile = include_re.match(line).group(1) put "${...}" _string_ into "incfile" variable. So, "incfile" is not None at this stage. Then, 443 incfile = d.expand(incfile) Now "incfile" is empty and nobody checks it. 444 incfile = bb.utils.which(bbpath, incfile) Now "incfile" is set to first directory name in BBPATH (wrong behaviour?) 445 if incfile: 446 shutil.copy(incfile, outdir) Exception here: "incfile" is a directory, not a file. -- Grygorii -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH v2 1/3] libpng: whitelist CVE-2019-17371
This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng recipe. Signed-off-by: Ross Burton --- meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb index 66af2f3d60e..2ed87a84374 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools" FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp" BBCLASSEXTEND = "native nativesdk" + +# CVE-2019-17371 is actually a memory leak in gif2png 2.x +CVE_CHECK_WHITELIST += "CVE-2019-17371" -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
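Review bot: The comment above `CVE_CHECK_WHITELIST += "CVE-2019-17371"` states the conclusion but gives no pointer to where the gif2png attribution was established, unlike patches 2/3 and 3/3 of this series, which each cite a bug URL. Whoever audits the whitelist later has to redo the triage from scratch. Adding a line such as `# See <URL of the upstream report>` under the existing comment would keep the evidence next to the suppression; the first posting of this patch has the same gap.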
[OE-core] [PATCH v2 3/3] libsndfile1: whitelist CVE-2018-13419
This is a memory leak that nobody else can replicate and has been rejected by upstream. Signed-off-by: Ross Burton --- meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb | 4 1 file changed, 4 insertions(+) diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index ffb45855a4b..7855008f3d8 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb @@ -33,3 +33,7 @@ PACKAGECONFIG[alsa] = "--enable-alsa,--disable-alsa,alsa-lib" PACKAGECONFIG[regtest] = "--enable-sqlite,--disable-sqlite,sqlite3" inherit autotools lib_package pkgconfig + +# This can't be replicated and is just a memory leak. +# https://github.com/erikd/libsndfile/issues/398 +CVE_CHECK_WHITELIST += "CVE-2018-13419" -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
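Review bot: The recipe comment justifies the whitelist entry with "just a memory leak", while the stronger reason, that upstream rejected the report, appears only in the commit message and is lost to anyone reading the recipe. For a library that parses files, a leak on its own is a weak reason to suppress a CVE, so the comment should lead with the upstream decision, e.g. `# Upstream could not reproduce this and rejected the report:` directly above the issue URL. The earlier posting of this patch (2/2) uses the same comment.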
[OE-core] [PATCH v2 2/3] procps: whitelist CVE-2018-1121
This CVE is about race conditions in 'ps' which make it unsuitable for security audits. As these race conditions are unavoidable ps shouldn't be used for security auditing, so this isn't a valid CVE. Signed-off-by: Ross Burton --- meta/recipes-extended/procps/procps_3.3.15.bb | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/meta/recipes-extended/procps/procps_3.3.15.bb b/meta/recipes-extended/procps/procps_3.3.15.bb index 9756db0e7b7..f240e54fd84 100644 --- a/meta/recipes-extended/procps/procps_3.3.15.bb +++ b/meta/recipes-extended/procps/procps_3.3.15.bb @@ -4,9 +4,9 @@ the /proc filesystem. The package includes the programs ps, top, vmstat, w, kill HOMEPAGE = "https://gitlab.com/procps-ng/procps"; SECTION = "base" LICENSE = "GPLv2+ & LGPLv2+" -LIC_FILES_CHKSUM="file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \ - " +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ +file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \ +" DEPENDS = "ncurses" @@ -64,3 +64,6 @@ python __anonymous() { d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog)) } +# 'ps' isn't suitable for use as a security tool so whitelist this CVE. +# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3 +CVE_CHECK_WHITELIST += "CVE-2018-1121" -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
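Review bot: The first hunk reformats `LIC_FILES_CHKSUM` (spacing around `=` and the continuation-line indentation), which is unrelated to whitelisting CVE-2018-1121 in the second hunk. Mixing a cosmetic change into a patch that suppresses a CVE makes the suppression harder to audit and to cherry-pick to stable branches, so the whitespace cleanup would be better as its own commit. The earlier posting (1/2) has the same mix.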
Re: [OE-core] [PATCH] libpng: whitelist CVE-2019-17371
On 04/11/2019 14:01, Adrian Bunk wrote: On Mon, Nov 04, 2019 at 12:42:51PM +, Ross Burton wrote: This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng recipe. Signed-off-by: Ross Burton --- meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb index 66af2f3d60e..07970e14360 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools" FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp" BBCLASSEXTEND = "native nativesdk" + +# CVE-2019-17371 is actually a memory leak in gif2png 2.x +CVE_CHECK_WHITELIST = "CVE-2019-17371" These should use += to not overwrite whitelists defined by the distribution or the user. IMHO, the distribution or user should be using _append. The whitelist should be explicitly per-recipe: there's a CVE which is tagged incorrectly as being in openssl *and* mod_ssl, we don't want to whitelist it globally but only in openssl. V2 incoming, just to be safe, though. Ross -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] ✗ patchtest: failure for gdb: Discard sections whose size is greater than the file size.
== Series Details == Series: gdb: Discard sections whose size is greater than the file size. Revision: 1 URL : https://patchwork.openembedded.org/series/20897/ State : failure == Summary == Thank you for submitting this patch series to OpenEmbedded Core. This is an automated response. Several tests have been executed on the proposed series by patchtest resulting in the following failures: * Patchgdb: Discard sections whose size is greater than the file size. Issue Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format] Suggested fixCorrect or include the CVE tag on cve patch with format: "CVE: CVE--" * Issue A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence] Suggested fixSign off the added patch file (meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch) * Issue Added patch file is missing Upstream-Status in the header [test_upstream_status_presence_format] Suggested fixAdd Upstream-Status: to the header of meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch Standard format Upstream-Status: Valid status Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where] If you believe any of these test results are incorrect, please reply to the mailing list (openembedded-core@lists.openembedded.org) raising your concerns. Otherwise we would appreciate you correcting the issues and submitting a new version of the patchset if applicable. Please ensure you add/increment the version number when sending the new version (i.e. [PATCH] -> [PATCH v2] -> [PATCH v3] -> ...). --- Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] libpng: whitelist CVE-2019-17371
On Mon, Nov 04, 2019 at 12:42:51PM +, Ross Burton wrote: > This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng > recipe. > > Signed-off-by: Ross Burton > --- > meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > index 66af2f3d60e..07970e14360 100644 > --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools" > FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp" > > BBCLASSEXTEND = "native nativesdk" > + > +# CVE-2019-17371 is actually a memory leak in gif2png 2.x > +CVE_CHECK_WHITELIST = "CVE-2019-17371" These should use += to not overwrite whitelists defined by the distribution or the user. cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH 2/2] libsndfile1: whitelist CVE-2018-13419
This is a memory leak that nobody else can replicate and has been rejected by upstream. Signed-off-by: Ross Burton --- meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb | 4 1 file changed, 4 insertions(+) diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index ffb45855a4b..0ba58399624 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb @@ -33,3 +33,7 @@ PACKAGECONFIG[alsa] = "--enable-alsa,--disable-alsa,alsa-lib" PACKAGECONFIG[regtest] = "--enable-sqlite,--disable-sqlite,sqlite3" inherit autotools lib_package pkgconfig + +# This can't be replicated and is just a memory leak. +# https://github.com/erikd/libsndfile/issues/398 +CVE_CHECK_WHITELIST = "CVE-2018-13419" -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH 1/2] procps: whitelist CVE-2018-1121
This CVE is about race conditions in 'ps' which make it unsuitable for security audits. As these race conditions are unavoidable ps shouldn't be used for security auditing, so this isn't a valid CVE. Signed-off-by: Ross Burton --- meta/recipes-extended/procps/procps_3.3.15.bb | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/meta/recipes-extended/procps/procps_3.3.15.bb b/meta/recipes-extended/procps/procps_3.3.15.bb index 9756db0e7b7..e128477c5fa 100644 --- a/meta/recipes-extended/procps/procps_3.3.15.bb +++ b/meta/recipes-extended/procps/procps_3.3.15.bb @@ -4,9 +4,9 @@ the /proc filesystem. The package includes the programs ps, top, vmstat, w, kill HOMEPAGE = "https://gitlab.com/procps-ng/procps"; SECTION = "base" LICENSE = "GPLv2+ & LGPLv2+" -LIC_FILES_CHKSUM="file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \ - " +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ +file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \ +" DEPENDS = "ncurses" @@ -64,3 +64,6 @@ python __anonymous() { d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog)) } +# 'ps' isn't suitable for use as a security tool so whitelist this CVE. +# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3 +CVE_CHECK_WHITELIST = "CVE-2018-1121" -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] target-sdk-provides-dummy: set nostamp for do_package
On Mon, 2019-11-04 at 14:51 +0800, changqing...@windriver.com wrote: > From: Changqing Li > > It exists a situation that there is a common config file includes > multilib.conf but variable MULTILIBS is not set by default: > > require conf/multilib.conf > MULTILIBS ?= "" > > When build target-sdk-provides-dummy in the same build project with > following steps, it fails. > > 1 $ echo 'MACHINE = "qemux86"' >>conf/local.conf > $ bitbake target-sdk-provides-dummy > 2 $ cat <>conf/local.conf > MACHINE = "qemux86-64" > MULTILIBS = "multilib:lib32" > DEFAULTTUNE_virtclass-multilib-lib32 = "i586" > EOF > $ bitbake target-sdk-provides-dummy > $ bitbake lib32-target-sdk-provides-dummy > > It fails to build lib32-target-sdk-provides-dummy with error > messages: > > > ERROR: target-sdk-provides-dummy-1.0-r0 do_packagedata: The recipe > > target-sdk-provides-dummy > > is trying to install files into a shared area when those files > > already exist. Those files > > and their manifest location are: > > .../tmp/pkgdata/qemux86-64/lib32-target-sdk-provides-dummy > > (matched in manifest-qemux86_64-lib32-target-sdk-provides- > > dummy.packagedata) > > .../tmp/pkgdata/qemux86-64/runtime/lib32-target-sdk-provides- > > dummy > > (matched in manifest-qemux86_64-lib32-target-sdk-provides- > > dummy.packagedata) > > ... snip ... > > Please verify which recipe should provide the above files. > > Because target-sdk-provides-dummy is a virtual package, its sstate > caches are same for both qemux86 and qemux86_64. So when build > target-sdk-provides-dummy for qemux86_64, it re-uses the sstate cache > from qemux86 and then create file lib32-target-sdk-provides-dummy > under > ${PKGDATA_DIR} which should not and it conflicts with > lib32-target-sdk-provides-dummy too. > > So make do_package always be executed to fix the issue. Because it is > a > dummy package, it won't cost too much build time. Shouldn't we ensure that the packagedata has different sstate signatures? 
Maybe do_packagedata needs a dependency on PN through vardeps? Cheers, Richard -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] gdb: Discard sections whose size is greater than the file size.
Backport the upstream fix. that was not present in master. CVE: CVE-2019-1010180 Upstream-Status: Backport Signed-off-by: Vinay Kumar --- meta/recipes-devtools/gdb/gdb-8.3.1.inc | 1 + meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch | 20 2 files changed, 21 insertions(+) create mode 100644 meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch diff --git a/meta/recipes-devtools/gdb/gdb-8.3.1.inc b/meta/recipes-devtools/gdb/gdb-8.3.1.inc index 39f1c48..aec913f 100644 --- a/meta/recipes-devtools/gdb/gdb-8.3.1.inc +++ b/meta/recipes-devtools/gdb/gdb-8.3.1.inc @@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \ file://0009-Change-order-of-CFLAGS.patch \ file://0010-resolve-restrict-keyword-conflict.patch \ file://0011-Fix-invalid-sigprocmask-call.patch \ + file://CVE-2019-1010180.patch \ " SRC_URI[md5sum] = "73b6a5d8141672c62bf851cd34c4aa83" SRC_URI[sha256sum] = "1e55b4d7cdca7b34be12f4ceae651623aa73b2fd640152313f9f66a7149757c4" diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch b/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch new file mode 100644 index 000..2e4e842 --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/CVE-2019-1010180.patch 
@@ -0,0 +1,20 @@ +diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c +index 4251ed0..fafdb89 100644 +--- a/gdb/dwarf2read.c b/gdb/dwarf2read.c +@@ -2378,6 +2378,15 @@ dwarf2_per_objfile::locate_sections (bfd *abfd, asection *sectp, + if ((aflag & SEC_HAS_CONTENTS) == 0) + { + } ++ else if (elf_section_data (sectp)->this_hdr.sh_size ++ > bfd_get_file_size (abfd)) ++{ ++ bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size; ++ warning (_("Discarding section %s which has a section size (%s" ++ ") larger than the file size [in module %s]"), ++ bfd_section_name (abfd, sectp), phex_nz (size, sizeof (size)), ++ bfd_get_filename (abfd)); ++} + else if (section_is_p (sectp->name, &names.info)) + { + this->info.s.section = sectp; -- 2.7.4 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
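Review bot: The added `else if` reads `elf_section_data (sectp)->this_hdr.sh_size` for every section that has contents, and nothing visible in the hunk establishes that the BFD is an ELF object before that accessor is used. dwarf2_per_objfile::locate_sections starts and ends outside the hunk, so an earlier guard may exist; if it does not, a condition such as `bfd_get_flavour (abfd) == bfd_target_elf_flavour &&` ahead of the size comparison would make the assumption explicit. It is also worth confirming what `bfd_get_file_size (abfd)` yields when the size cannot be determined, since a zero result would cause every section to be discarded with only a warning.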
Re: [OE-core] [PATCH] linux-dummy: Add package kernel
On 01/11/2019 02:01, He Zhe wrote: It's the "efi" in MACHINE_FEATURES who asks for "kernel". https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/packagegroups/packagegroup-core-boot.bb#n31 I'd just rip out 'kernel' from that as that doesn't look right to me. Ross -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] libpng: whitelist CVE-2019-17371
This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng recipe. Signed-off-by: Ross Burton --- meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb index 66af2f3d60e..07970e14360 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools" FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp" BBCLASSEXTEND = "native nativesdk" + +# CVE-2019-17371 is actually a memory leak in gif2png 2.x +CVE_CHECK_WHITELIST = "CVE-2019-17371" -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] patch: the CVE-2019-13638 fix also handles CVE-2018-20969
Signed-off-by: Ross Burton --- .../0001-Invoke-ed-directly-instead-of-using-the-shell.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch index f60dfe879af..d13d419f51c 100644 --- a/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch +++ b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch @@ -6,8 +6,8 @@ Subject: [PATCH] Invoke ed directly instead of using the shell * src/pch.c (do_ed_script): Invoke ed directly instead of using a shell command to avoid quoting vulnerabilities. -CVE: CVE-2019-13638 -Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0] +CVE: CVE-2019-13638 CVE-2018-20969 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0] Signed-off-by: Trevor Gamblin --- -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH 2/3] file: remove redundant upstream check workaround
This tag has been removed, so we don't need to work around it anymore. Signed-off-by: Ross Burton --- meta/recipes-devtools/file/file_5.37.bb | 3 --- 1 file changed, 3 deletions(-) diff --git a/meta/recipes-devtools/file/file_5.37.bb b/meta/recipes-devtools/file/file_5.37.bb index 71801f9d479..80e8b91058b 100644 --- a/meta/recipes-devtools/file/file_5.37.bb +++ b/meta/recipes-devtools/file/file_5.37.bb @@ -11,9 +11,6 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=2;md5=0251eaec1188b20d9a72c502ecfdd DEPENDS = "zlib file-replacement-native" DEPENDS_class-native = "zlib-native" -# Blacklist a bogus tag in upstream check -UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P(?!6_23).+)" - SRC_URI = "git://github.com/file/file.git \ file://CVE-2019-18218.patch" -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH 3/3] file: run test suite when building natively
As we apply the same patches to native and target builds of file, we can verify that the patches are not breaking by executing the test suite during the build of file-native. Signed-off-by: Ross Burton --- meta/recipes-devtools/file/file_5.37.bb | 4 1 file changed, 4 insertions(+) diff --git a/meta/recipes-devtools/file/file_5.37.bb b/meta/recipes-devtools/file/file_5.37.bb index 80e8b91058b..a96ccc0d399 100644 --- a/meta/recipes-devtools/file/file_5.37.bb +++ b/meta/recipes-devtools/file/file_5.37.bb @@ -29,6 +29,10 @@ EXTRA_OEMAKE_append_class-nativesdk = "-e FILE_COMPILE=${STAGING_BINDIR_NATIVE}/ FILES_${PN} += "${datadir}/misc/*.mgc" +do_compile_append_class-native() { + oe_runmake check +} + do_install_append_class-native() { create_cmdline_wrapper ${D}/${bindir}/file \ --magic-file ${datadir}/misc/magic.mgc -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
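Review bot: The appended `do_compile_append_class-native()` has no comment, so the reason the native build now runs `oe_runmake check` is recorded only in the commit message. A failing upstream test will now fail file-native and everything that depends on it, which is the intent but is not obvious from the recipe. A comment above the function such as `# Run the test suite so regressions from the patches in SRC_URI (shared with target) fail the build` would tell whoever hits such a failure that it is deliberate.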
[OE-core] [PATCH 1/3] file: fix CVE-2019-18218
Signed-off-by: Ross Burton --- .../file/file/CVE-2019-18218.patch| 55 +++ meta/recipes-devtools/file/file_5.37.bb | 3 +- 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/file/file/CVE-2019-18218.patch diff --git a/meta/recipes-devtools/file/file/CVE-2019-18218.patch b/meta/recipes-devtools/file/file/CVE-2019-18218.patch new file mode 100644 index 000..3d02c5ad4b1 --- /dev/null +++ b/meta/recipes-devtools/file/file/CVE-2019-18218.patch 
@@ -0,0 +1,55 @@ +cdf_read_property_info in cdf.c in file through 5.37 does not restrict the +number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte +out-of-bounds write). + +CVE: CVE-2019-18218 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001 +From: Christos Zoulas +Date: Mon, 26 Aug 2019 14:31:39 + +Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz) + +--- + src/cdf.c | 9 - + src/cdf.h | 1 + + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/cdf.c b/src/cdf.c +index 9d6396742..bb81d6374 100644 +--- a/src/cdf.c b/src/cdf.c +@@ -1016,8 +1016,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + goto out; + } + nelements = CDF_GETUINT32(q, 1); +- if (nelements == 0) { +- DPRINTF(("CDF_VECTOR with nelements == 0\n")); ++ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { ++ DPRINTF(("CDF_VECTOR with nelements == %" ++ SIZE_T_FORMAT "u\n", nelements)); + goto out; + } + slen = 2; +@@ -1060,8 +1061,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + goto out; + inp += nelem; + } +- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", +- nelements)); + for (j = 0; j < nelements && i < sh.sh_properties; + j++, i++) + { +diff --git a/src/cdf.h b/src/cdf.h +index 2f7e554b7..05056668f 100644 +--- a/src/cdf.h b/src/cdf.h +@@ -48,6 +48,7 @@ + typedef int32_t cdf_secid_t; + + #define CDF_LOOP_LIMIT1 ++#define CDF_ELEMENT_LIMIT 10 + + #define CDF_SECID_NULL0 + #define CDF_SECID_FREE-1 diff --git a/meta/recipes-devtools/file/file_5.37.bb b/meta/recipes-devtools/file/file_5.37.bb index c53a120b840..71801f9d479 100644 --- a/meta/recipes-devtools/file/file_5.37.bb +++ b/meta/recipes-devtools/file/file_5.37.bb 
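Review bot: The header of the added CVE-2019-18218.patch says `Upstream-Status: Backport` without naming the source; the upstream commit id is only recoverable from the mbox line `From 46a8443f76cec4b41ec736eca396984c74664f84` further down. Recording it in the tag, `Upstream-Status: Backport [<URL of upstream commit 46a8443f76cec4b41ec736eca396984c74664f84>]`, lets a reviewer diff the backport against upstream directly and confirm that nothing was altered on the way in. The standalone posting of the same patch later on this page has the same header.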
@@ -14,7 +14,8 @@ DEPENDS_class-native = "zlib-native" # Blacklist a bogus tag in upstream check UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P(?!6_23).+)" -SRC_URI = "git://github.com/file/file.git" +SRC_URI = "git://github.com/file/file.git \ + file://CVE-2019-18218.patch" SRCREV = "a0d5b0e4e9f97d74a9911e95cedd579852e25398" S = "${WORKDIR}/git" -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
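Review bot: The rewritten `SRC_URI` still fetches over `git://github.com/file/file.git`, a transport with no encryption and no server authentication. `SRCREV` pins the commit, so altered content should fail to match the object id, but the integrity of the fetch then rests on that pin alone. Since the line is being touched anyway, `SRC_URI = "git://github.com/file/file.git;protocol=https \` would move the fetch to an authenticated transport. The standalone posting of this patch has the same line.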
[OE-core] [PATCH] file: fix CVE-2019-18218
Signed-off-by: Ross Burton --- .../file/file/CVE-2019-18218.patch| 55 +++ meta/recipes-devtools/file/file_5.37.bb | 3 +- 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/file/file/CVE-2019-18218.patch diff --git a/meta/recipes-devtools/file/file/CVE-2019-18218.patch b/meta/recipes-devtools/file/file/CVE-2019-18218.patch new file mode 100644 index 000..3d02c5ad4b1 --- /dev/null +++ b/meta/recipes-devtools/file/file/CVE-2019-18218.patch 
@@ -0,0 +1,55 @@ +cdf_read_property_info in cdf.c in file through 5.37 does not restrict the +number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte +out-of-bounds write). + +CVE: CVE-2019-18218 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001 +From: Christos Zoulas +Date: Mon, 26 Aug 2019 14:31:39 + +Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz) + +--- + src/cdf.c | 9 - + src/cdf.h | 1 + + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/cdf.c b/src/cdf.c +index 9d6396742..bb81d6374 100644 +--- a/src/cdf.c b/src/cdf.c +@@ -1016,8 +1016,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + goto out; + } + nelements = CDF_GETUINT32(q, 1); +- if (nelements == 0) { +- DPRINTF(("CDF_VECTOR with nelements == 0\n")); ++ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { ++ DPRINTF(("CDF_VECTOR with nelements == %" ++ SIZE_T_FORMAT "u\n", nelements)); + goto out; + } + slen = 2; +@@ -1060,8 +1061,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + goto out; + inp += nelem; + } +- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", +- nelements)); + for (j = 0; j < nelements && i < sh.sh_properties; + j++, i++) + { +diff --git a/src/cdf.h b/src/cdf.h +index 2f7e554b7..05056668f 100644 +--- a/src/cdf.h b/src/cdf.h +@@ -48,6 +48,7 @@ + typedef int32_t cdf_secid_t; + + #define CDF_LOOP_LIMIT1 ++#define CDF_ELEMENT_LIMIT 10 + + #define CDF_SECID_NULL0 + #define CDF_SECID_FREE-1 diff --git a/meta/recipes-devtools/file/file_5.37.bb b/meta/recipes-devtools/file/file_5.37.bb index c53a120b840..71801f9d479 100644 --- a/meta/recipes-devtools/file/file_5.37.bb +++ b/meta/recipes-devtools/file/file_5.37.bb 
@@ -14,7 +14,8 @@ DEPENDS_class-native = "zlib-native" # Blacklist a bogus tag in upstream check UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P(?!6_23).+)" -SRC_URI = "git://github.com/file/file.git" +SRC_URI = "git://github.com/file/file.git \ + file://CVE-2019-18218.patch" SRCREV = "a0d5b0e4e9f97d74a9911e95cedd579852e25398" S = "${WORKDIR}/git" -- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH v2] insane: file-rdeps: Readability only
On Mon, 2019-11-04 at 17:52 +1300, Douglas Royds via Openembedded-core wrote: > Mostly just longer (and hopefully more meaningful) variable names. "Mostly" - what else is in there? Cheers, Richard -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] python: Upgrade 2.7.16 -> 2.7.17
Patches applied upstream removed. Signed-off-by: Adrian Bunk --- ...-fix-one-do_populate_sysroot-warning.patch | 15 +- ...tive_2.7.16.bb => python-native_2.7.17.bb} | 0 meta/recipes-devtools/python/python.inc | 10 +- ...nt-parse-domains-containing-GH-13079.patch | 90 ...cape-the-server-title-of-DocXMLRPCSe.patch | 101 .../python/python/CVE-2018-20852.patch| 123 -- .../python/python/CVE-2019-9740.patch | 216 -- .../python/bpo-35907-cve-2019-9948-fix.patch | 55 - .../python/bpo-35907-cve-2019-9948.patch | 55 - .../python/bpo-36216-cve-2019-9636-fix.patch | 28 --- .../python/bpo-36216-cve-2019-9636.patch | 111 - .../python/bpo-36742-cve-2019-10160.patch | 81 --- .../python/python/builddir.patch | 6 +- .../{python_2.7.16.bb => python_2.7.17.bb}| 3 - 14 files changed, 12 insertions(+), 882 deletions(-) rename meta/recipes-devtools/python/{python-native_2.7.16.bb => python-native_2.7.17.bb} (100%) delete mode 100644 meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch delete mode 100644 meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch delete mode 100644 meta/recipes-devtools/python/python/CVE-2018-20852.patch delete mode 100644 meta/recipes-devtools/python/python/CVE-2019-9740.patch delete mode 100644 meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch delete mode 100644 meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch delete mode 100644 meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch delete mode 100644 meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch delete mode 100644 meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch rename meta/recipes-devtools/python/{python_2.7.16.bb => python_2.7.17.bb} (97%) 
diff --git a/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch b/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch index 989818927d..1277eab4c0 100644 --- a/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch +++ b/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch @@ -25,15 +25,14 @@ diff --git a/setup.py b/setup.py index 7bf13ed..6c0f29b 100644 --- a/setup.py +++ b/setup.py -@@ -40,7 +40,7 @@ def add_dir_to_list(dirlist, dir): - 1) 'dir' is not already in 'dirlist' - 2) 'dir' actually exists, and is a directory.""" - if dir is not None and os.path.isdir(dir) and dir not in dirlist: --dirlist.insert(0, dir) -+dirlist.append(dir) +@@ -40,5 +40,5 @@ def add_dir_to_list(dirlist, dir): + dir_exists = os.path.isdir(dir) + if dir_exists: +-dirlist.insert(0, dir) ++dirlist.append(dir) + + MACOS_SDK_ROOT = None - def macosx_sdk_root(): - """ -- 2.18.0 diff --git a/meta/recipes-devtools/python/python-native_2.7.16.bb b/meta/recipes-devtools/python/python-native_2.7.17.bb similarity index 100% rename from meta/recipes-devtools/python/python-native_2.7.16.bb rename to meta/recipes-devtools/python/python-native_2.7.17.bb diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc index 1462b779e9..a630c26e89 100644 --- a/meta/recipes-devtools/python/python.inc +++ b/meta/recipes-devtools/python/python.inc 
@@ -8,16 +8,10 @@ INC_PR = "r1" LIC_FILES_CHKSUM = "file://LICENSE;md5=e466242989bd33c1bd2b6a526a742498" SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ - file://bpo-35907-cve-2019-9948.patch \ - file://bpo-35907-cve-2019-9948-fix.patch \ - file://bpo-36216-cve-2019-9636.patch \ - file://bpo-36216-cve-2019-9636-fix.patch \ - file://CVE-2019-9740.patch \ - file://CVE-2018-20852.patch \ " -SRC_URI[md5sum] = "30157d85a2c0479c09ea2cbe61f2aaf5" -SRC_URI[sha256sum] = "f222ef602647eecb6853681156d32de4450a2c39f4de93bd5b20235f2e660ed7" +SRC_URI[md5sum] = "b3b6d2c92f42a60667814358ab9f0cfd" +SRC_URI[sha256sum] = "4d43f033cdbd0aa7b7023c81b0e986fd11e653b5248dac9144d508f11812ba41" # python recipe is actually python 2.x # also, exclude pre-releases for both python 2.x and 3.x diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch deleted file mode 100644 index 5415472a35..00 --- a/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch +++ /dev/null @@ -1,90 +0,0 @@ -From 532ed09c5454bb789a301bb6f1339a0818255610 Mon Sep 17 00:00:00 2001 -F
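Review bot: The six `file://` CVE backport entries removed from `SRC_URI` in python.inc are justified only by "Patches applied upstream removed", so the change does not record which fixes are now expected to come from the 2.7.17 tarball. The diffstat also deletes `bpo-36742-cve-2019-10160.patch` and two `0001-2.7-bpo-*` patches that are not referenced in this hunk; presumably their entries are the three lines removed from the renamed `python_2.7.17.bb`, which is not visible here. Once each has been checked against the 2.7.17 release, I would add a line to the commit message such as `Dropped backports now in 2.7.17: CVE-2018-20852, CVE-2019-9636, CVE-2019-9740, CVE-2019-9948, CVE-2019-10160`, so a later CVE audit does not have to rediscover it. The tarball is still fetched over `http://` in the unchanged context line, which leaves the updated `SRC_URI[sha256sum]` as the only integrity control on the download.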