[OE-core] [PATCH] qemu: fix CVE-2021-3527
From: Lee Chee Yang Signed-off-by: Lee Chee Yang --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-3527-1.patch | 42 + .../qemu/qemu/CVE-2021-3527-2.patch | 59 +++ 3 files changed, 103 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 6674936fef..33a8baea7f 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -37,6 +37,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch \ file://0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch \ file://0001-linux-user-Tag-vsx-with-ieee128-fpbits.patch \ + file://CVE-2021-3527-1.patch \ + file://CVE-2021-3527-2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch new file mode 100644 index 00..77a5385692 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch @@ -0,0 +1,42 @@ +From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 3 May 2021 15:29:15 +0200 +Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527) + +usb-host and usb-redirect try to batch bulk transfers by combining many +small usb packets into a single, large transfer request, to reduce the +overhead and improve performance. + +This patch adds a size limit of 1 MiB for those combined packets to +restrict the host resources the guest can bind that way. + +Signed-off-by: Gerd Hoffmann +Message-Id: <20210503132915.2335822-6-kra...@redhat.com> + +Upstream-Status: Backport +https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c +CVE: CVE-2021-3527 +Signed-off-by: Chee Yang Lee + +--- + hw/usb/combined-packet.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c +index 5d57e883dc..e56802f89a 100644 +--- a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c +@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) + if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || + next == NULL || + /* Work around for Linux usbfs bulk splitting + migration */ +-(totalsize == (16 * KiB - 36) && p->int_req)) { ++(totalsize == (16 * KiB - 36) && p->int_req) || ++/* Next package may grow combined package over 1MiB */ ++totalsize > 1 * MiB - ep->max_packet_size) { + usb_device_handle_data(ep->dev, first); + assert(first->status == USB_RET_ASYNC); + if (first->combined) { +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch new file mode 100644 index 00..6371aced12 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch @@ -0,0 +1,59 @@ +From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 3 May 2021 15:29:12 +0200 +Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use autofree heap allocation instead. + +Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket") +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Gerd Hoffmann +Tested-by: Philippe Mathieu-Daudé +Message-Id: <20210503132915.2335822-3-kra...@redhat.com> + +Upstream-Status: Backport +https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 +CVE: CVE-2021-3527 +Signed-off-by: Chee Yang Lee + +--- + hw/usb/redirect.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c +index 17f06f3417..6a75b0dc4a 100644 +--- a/hw/usb/redirect.c b/hw/usb/redirect.c +@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p, + .endpoint = ep, + .length = p->iov.size + }; +-uint8_t buf[p->iov.size]; ++g_autofree uint8_t *buf = g_malloc(p->iov.size); + /* No id, we look at the ep when receiving a status back */ + usb_packet_copy(p, buf, p->iov.size); + usbredirparser_send_iso_packet(dev->parser, 0, _packet, +@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, + usbredirparser_send_bulk_packet(dev->parser, p->id, +
Re: [OE-core] [dunfell][PATCH] rpm: fix CVE-2021-3421
In order to fix CVE-2021-3421, I added RPMSIGTAG_FILESIGNATURES and RPMSIGTAG_FILESIGNATURELENGTH in lib/rpmtag.h. So It is possible to build. but I cannot test on target yet. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#153263): https://lists.openembedded.org/g/openembedded-core/message/153263 Mute This Topic: https://lists.openembedded.org/mt/83760299/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] Hardknott (GCC10) Compiler Issues
All, Please accept my apologies in advance for the detailed submission. I think it is warranted in this case. There is something... "odd" about the GCC 10 compiler that is delivered with Hardknott. I am still chasing it down, so I am not yet ready to declare a root cause or submit a bug, but I am posting what I have now in case anyone has some insights to offer. For all I know it is something unusual that I am doing, but we have a lot of history with our build/dev/release methods, so I would be surprised if that was actually the case. I have also discussed aspects of this on IRC for the last few days, so some of this may be familiar to some of you. Background: We maintain a virtual machine SDK for our developers that is as close as possible to the actual embedded hardware environment that we target. The SDK image is our baseline Linux OS plus lots of the expected dev and debugging tools. The image deployed to our target devices is the baseline Linux OS plus the core application suite. It is also important to note that we only support the x86_64 machine architecture in our target devices and development workstations. We also spin up and spin down the SDK VM for our nightly builds. This guarantees strict consistency and eliminates lots of variables when we are trying to troubleshoot something hairy. We just upgraded from Thud to Hardknott. This means we built our new Hardknott based SDK VM image from our Thud based SDK VM (GCC 8 / glibc 2.28). When we attempted to build our target device image in the new Hardknott based SDK VM, we consistently got a segfault when any build task involves bison issuing a warning of some sort. I traced this down for a very long time and it seemed to have something to do with the libtextstyle library from gettext and the way bison used it. But I now believe that this to be a red herring. Bison seems to be very fragile, but in this case, that may have actually been a good thing. After some experimentation I found that the issue went away when I dropped down to the 3.6.4 recipe of bison found at OE-Core:bc95820cd. But this did not sit right with me. There is no way I should be the only person seeing this issue. Then I tried an experiment... I assumed I was encountering a compiler bootstrap issue with such a big jump (GCC8 -> GCC10), so I rebuilt our hardknott based SDK VM with the 3.3.1 version of buildtools-extended. The build worked flawlessly, but when I booted into the new SDK VM and kicked off the build I got the same result (bison segfault when any build warnings are encountered). This is when I started to mentally put a few more details together with other post-upgrade issues that had been discovered in our lab. We attributed them to garden variety API and behavioral changes expected during a Yocto upgrade, but now I am not so sure. During the thud-to-hardknott upgrade process, we did nightly builds of the new hardknott based target image from our thud based SDK VM. I assumed that since GCC10 was being built as part of the build sysroot bootstrap process, we were getting a clean and consistent result irrespective of the underlying build server OS. One of the issues we were seeing in the lab was a periodic hang during the initramfs phase of the boot process. We run a couple of setup scripts to manage the sysroot before the switch_root, so it is not unusual to see some "growing pains" after an upgrade. The hangs were random with no obvious cause, but systemd is very weird anyway so we attributed it to a new dependency or race condition that we had to address after going from systemd 239 to 247. It is also worth noting that systemd itself was not hung, it responded to the 'ole "three finger salute" and dutifully filled the screen with shutdown messages. It was just that the boot process randomly stopped cold in initramfs before the switch root. We would also occasionally see systemd complaining in the logs, "Starting requested but asserts failed". Historically, when asserts fail, it is a sign of a much larger problem, so I did another experiment... Since we could build our SDK VM successfully with buildtools-extended, why not build the target images? So I did. After a day of testing in the lab, none of the testers have seen the boot hang up in the initramfs stage, whereas before it was happening about 50% of the time. I need a good week of successful test activity before I am willing to declare success, but the results were convincing enough to make it worth this summary post. I did an extensive amount of trial and error testing, including meticulously comparing buildtools-extended with our own versions of the same files. The only intersection point was gcc. The gcc delivered with buildtools-extended works great. When I build hardknott's gcc10 from the gcc in buildtools-extended, we are not able to build our target images with the resulting compiler. When I build our target images from the old thud environment, we get a mysterious hang and systemd asserts
Re: [OE-core] [dunfell][PATCH] rpm: fix CVE-2021-3421
> + /* Bump reference count for return. */ diff --git a/lib/rpmtag.h > +b/lib/rpmtag.h index 8c718b31b5..d562572c6f 100644 > +--- a/lib/rpmtag.h > b/lib/rpmtag.h > +@@ -65,6 +65,8 @@ typedef enum rpmTag_e { > + RPMTAG_LONGARCHIVESIZE = RPMTAG_SIG_BASE+15, /* l */ > + /* RPMTAG_SIG_BASE+16 reserved */ > + RPMTAG_SHA256HEADER = RPMTAG_SIG_BASE+17, /* s */ > ++/* RPMTAG_SIG_BASE+18 reserved for RPMSIGTAG_FILESIGNATURES */ > ++/* RPMTAG_SIG_BASE+19 reserved for > RPMSIGTAG_FILESIGNATURELENGTH > ++ */ > + > + RPMTAG_NAME = 1000, /* s */ > + #define RPMTAG_NRPMTAG_NAME /* s */ > +@@ -422,6 +424,8 @@ typedef enum rpmSigTag_e { > + RPMSIGTAG_LONGSIZE = RPMTAG_LONGSIGSIZE, /*!< internal > Header+Payload size (64bit) in bytes. */ > + RPMSIGTAG_LONGARCHIVESIZE = RPMTAG_LONGARCHIVESIZE, /*!< > internal uncompressed payload size (64bit) in bytes. */ > + RPMSIGTAG_SHA256= RPMTAG_SHA256HEADER, > ++RPMSIGTAG_FILESIGNATURES= RPMTAG_SIG_BASE + 18, > ++RPMSIGTAG_FILESIGNATURELENGTH = RPMTAG_SIG_BASE + 19, > + } rpmSigTag; > + Was this hunk added to make the backported patch compile? Considering 4.14.x version doesn't use RPMSIGTAG_FILESIGNATURES at all, I am wondering if this change works as intended? Thanks, Anuj -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#153261): https://lists.openembedded.org/g/openembedded-core/message/153261 Mute This Topic: https://lists.openembedded.org/mt/83760299/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] qemurunner: Add info log for qemu startup
Add a couple of logging info to track time between activities, first is from after the Popen(launch_cmd) to after qmp.connect(), second is from qmp.connect() to the release of the qemu via the qmp("cont") command this includes the mmap() activity. Example output: QMP connected to QEMU at 06/24/21 11:11:56 and took 0.9556229114532471 seconds from launch QMP released QEMU at 06/24/21 11:11:56 and took 0.26789021492004395 seconds from connect Signed-off-by: Saul Wold --- meta/lib/oeqa/utils/qemurunner.py | 8 1 file changed, 8 insertions(+) diff --git a/meta/lib/oeqa/utils/qemurunner.py b/meta/lib/oeqa/utils/qemurunner.py index abbc7f7d1f6..c7f78603179 100644 --- a/meta/lib/oeqa/utils/qemurunner.py +++ b/meta/lib/oeqa/utils/qemurunner.py @@ -236,6 +236,7 @@ class QemuRunner: # to be a proper fix but this will suffice for now. self.runqemu = subprocess.Popen(launch_cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, preexec_fn=os.setpgrp, env=env, cwd=self.tmpdir) output = self.runqemu.stdout +launch_time = time.time() # # We need the preexec_fn above so that all runqemu processes can easily be killed @@ -339,6 +340,10 @@ class QemuRunner: try: self.qmp.connect() +connect_time = time.time() +self.logger.info("QMP connected to QEMU at %s and took %s seconds" % + (time.strftime("%D %H:%M:%S"), + time.time() - launch_time)) except OSError as msg: self.logger.warning("Failed to connect qemu monitor socket: %s File: %s" % (msg, msg.filename)) return False @@ -367,6 +372,9 @@ class QemuRunner: # Release the qemu process to continue running self.run_monitor('cont') +self.logger.info("QMP released QEMU at %s and took %s seconds from connect" % + (time.strftime("%D %H:%M:%S"), + time.time() - connect_time)) # We are alive: qemu is running out = self.getOutput(output) -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#153260): https://lists.openembedded.org/g/openembedded-core/message/153260 Mute This Topic: https://lists.openembedded.org/mt/83770255/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] esdk: locked sig mismatch warnings when build from esdk env
From: Mani Selvaraj A repo with multiple layers are placed under /layers/ and a repo with single layer is placed under /layers/openembedded-core in esdk. This tiggered locked sig mismatch warnings when building image from esdk environment. - TOPDIR=/Code/build corebase=/Code/openembedded-core - /Code/meta-java /Code/meta-gplv2 /Code/meta-openembedded/meta-webserver /Code/meta-openembedded/meta-oe /Code/openembedded-core/meta Are moved to /sdk_org/layers/openembedded-core/meta-gplv2 /sdk_org/layers/openembedded-core/meta-java /sdk_org/layers/meta-openembedded/meta-webserver /sdk_org/layers/meta-openembedded/meta-oe /sdk_org/layers/openembedded-core/meta here fix it to move all layers under /layers dir. to check this fix build image from esdk environment and check for sig mismatch warnings. Signed-off-by: Mani Selvaraj Signed-off-by: Khem Raj --- meta/lib/oe/copy_buildsystem.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/meta/lib/oe/copy_buildsystem.py b/meta/lib/oe/copy_buildsystem.py index d97bf9d1b9..4998afa60f 100644 --- a/meta/lib/oe/copy_buildsystem.py +++ b/meta/lib/oe/copy_buildsystem.py @@ -102,8 +102,6 @@ class BuildSystem(object): layerdestpath += '/' + os.path.basename(corebase) else: layer_relative = os.path.relpath(layer, corebase) -if os.path.dirname(layer_relative) == corebase_relative: -layer_relative = os.path.dirname(corebase_relative) + '/' + layernewname layer_relative = os.path.basename(corebase) + '/' + layer_relative if os.path.dirname(layer_relative) != layernewname: layerdestpath += '/' + os.path.dirname(layer_relative) -- 2.32.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#153259): https://lists.openembedded.org/g/openembedded-core/message/153259 Mute This Topic: https://lists.openembedded.org/mt/83764918/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] default-distrovars.inc: Remove seccomp for ARC
libseccomp needs too be ported to ARC first Signed-off-by: Alexey Brodkin Cc: Khem Raj --- meta/conf/distro/include/default-distrovars.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/conf/distro/include/default-distrovars.inc b/meta/conf/distro/include/default-distrovars.inc index ac10245767..e0726fa3bb 100644 --- a/meta/conf/distro/include/default-distrovars.inc +++ b/meta/conf/distro/include/default-distrovars.inc @@ -13,6 +13,9 @@ LOCALE_UTF8_IS_DEFAULT_class-nativesdk = "0" # seccomp is not yet ported to rv32 DISTRO_FEATURES_DEFAULT_remove_riscv32 = "seccomp" +# seccomp is not yet ported to ARC +DISTRO_FEATURES_DEFAULT_remove_arc = "seccomp" + DISTRO_FEATURES_DEFAULT ?= "acl alsa argp bluetooth debuginfod ext2 ipv4 ipv6 largefile pcmcia usbgadget usbhost wifi xattr nfs zeroconf pci 3g nfc x11 vfat seccomp" DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT}" IMAGE_FEATURES ?= "" -- 2.16.2 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#153258): https://lists.openembedded.org/g/openembedded-core/message/153258 Mute This Topic: https://lists.openembedded.org/mt/83761019/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [dunfell][PATCH] rpm: fix CVE-2021-3421
unsigned signature header leads to string injection into an rpm database reference: https://nvd.nist.gov/vuln/detail/CVE-2021-3421 https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21 --- .../rpm/files/CVE-2021-3421.patch | 197 ++ meta/recipes-devtools/rpm/rpm_4.14.2.1.bb | 1 + 2 files changed, 198 insertions(+) create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-3421.patch diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch new file mode 100644 index 00..b1a05b6863 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch @@ -0,0 +1,197 @@ +From 1e5b70cab83c95aa138107a38ecda75ff70e8985 Mon Sep 17 00:00:00 2001 +From: Minjae Kim +Date: Thu, 24 Jun 2021 01:11:26 + +Subject: [PATCH] Be much more careful about copying data from the signature + header + +Only look for known tags, and ensure correct type and size where known +before copying over. Bump the old arbitrary 16k count limit to 16M limit +though, it's not inconceivable that a package could have that many files. +While at it, ensure none of these tags exist in the main header, +which would confuse us greatly. + +This is optimized for backporting ease, upstream can remove redundancies +and further improve checking later. + +Reported and initial patches by Demi Marie Obenour. + +Fixes: RhBug:1935049, RhBug:1933867, RhBug:1935035, RhBug:1934125, ... + +Fixes: CVE-2021-3421, CVE-2021-20271 + +Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21] +CVE: CVE-2021-3421 +Signed-off-by: Minjae Kim +--- + lib/package.c | 115 -- + lib/rpmtag.h | 4 ++ + 2 files changed, 58 insertions(+), 61 deletions(-) + +diff --git a/lib/package.c b/lib/package.c +index 081123d84e..7c26ea323f 100644 +--- a/lib/package.c b/lib/package.c +@@ -20,76 +20,68 @@ + + #include "debug.h" + ++struct taglate_s { ++rpmTagVal stag; ++rpmTagVal xtag; ++rpm_count_t count; ++} const xlateTags[] = { ++{ RPMSIGTAG_SIZE, RPMTAG_SIGSIZE, 1 }, ++{ RPMSIGTAG_PGP, RPMTAG_SIGPGP, 0 }, ++{ RPMSIGTAG_MD5, RPMTAG_SIGMD5, 16 }, ++{ RPMSIGTAG_GPG, RPMTAG_SIGGPG, 0 }, ++/* { RPMSIGTAG_PGP5, RPMTAG_SIGPGP5, 0 }, */ /* long obsolete, dont use */ ++{ RPMSIGTAG_PAYLOADSIZE, RPMTAG_ARCHIVESIZE, 1 }, ++{ RPMSIGTAG_FILESIGNATURES, RPMTAG_FILESIGNATURES, 0 }, ++{ RPMSIGTAG_FILESIGNATURELENGTH, RPMTAG_FILESIGNATURELENGTH, 1 }, ++{ RPMSIGTAG_SHA1, RPMTAG_SHA1HEADER, 1 }, ++{ RPMSIGTAG_SHA256, RPMTAG_SHA256HEADER, 1 }, ++{ RPMSIGTAG_DSA, RPMTAG_DSAHEADER, 0 }, ++{ RPMSIGTAG_RSA, RPMTAG_RSAHEADER, 0 }, ++{ RPMSIGTAG_LONGSIZE, RPMTAG_LONGSIGSIZE, 1 }, ++{ RPMSIGTAG_LONGARCHIVESIZE, RPMTAG_LONGARCHIVESIZE, 1 }, ++{ 0 } ++}; ++ + /** \ingroup header + * Translate and merge legacy signature tags into header. + * @param h header (dest) + * @param sighsignature header (src) + */ + static +-void headerMergeLegacySigs(Header h, Header sigh) ++rpmTagVal headerMergeLegacySigs(Header h, Header sigh, char **msg) + { +-HeaderIterator hi; ++const struct taglate_s *xl; + struct rpmtd_s td; + +-hi = headerInitIterator(sigh); +-for (; headerNext(hi, ); rpmtdFreeData()) +-{ +- switch (td.tag) { +- /* XXX Translate legacy signature tag values. */ +- case RPMSIGTAG_SIZE: +- td.tag = RPMTAG_SIGSIZE; +- break; +- case RPMSIGTAG_PGP: +- td.tag = RPMTAG_SIGPGP; +- break; +- case RPMSIGTAG_MD5: +- td.tag = RPMTAG_SIGMD5; +- break; +- case RPMSIGTAG_GPG: +- td.tag = RPMTAG_SIGGPG; +- break; +- case RPMSIGTAG_PGP5: +- td.tag = RPMTAG_SIGPGP5; +- break; +- case RPMSIGTAG_PAYLOADSIZE: +- td.tag = RPMTAG_ARCHIVESIZE; +- break; +- case RPMSIGTAG_SHA1: +- case RPMSIGTAG_SHA256: +- case RPMSIGTAG_DSA: +- case RPMSIGTAG_RSA: +- default: +- if (!(td.tag >= HEADER_SIGBASE && td.tag < HEADER_TAGBASE)) +- continue; +- break; +- } +- if (!headerIsEntry(h, td.tag)) { +- switch (td.type) { +- case RPM_NULL_TYPE: +- continue; +- break; +- case RPM_CHAR_TYPE: +- case RPM_INT8_TYPE: +- case RPM_INT16_TYPE: +- case RPM_INT32_TYPE: +- case RPM_INT64_TYPE: +- if (td.count != 1) +- continue; +- break; +- case RPM_STRING_TYPE: +- case RPM_BIN_TYPE: +- if (td.count >= 16*1024) +- continue; +- break; +- case RPM_STRING_ARRAY_TYPE: +- case RPM_I18NSTRING_TYPE: +- continue; +- break; +- }
[OE-core] [PATCH] sstate.bbclass: fix errors about read-only sstate mirrors
From: Michael Ho If a read-only sstate mirror is used in conjunction with hash equiv, then OSError will be raised when an sstate-cache hit is achieved. This is because sstate_task_postfunc will try to "touch" the symlinks that point to the read-only sstate mirror when sstate_report_unihash has changed SSTATE_PKG. This commit adds an additional exception handler to silently mask read only rootfs errors thrown during the touch. The fix is also duplicated to sstate_eventhandler as the code is very similar but it may not be needed there. Example of the error: File: 'exec_python_func() autogenerated', lineno: 2, function: 0001: *** 0002:sstate_task_postfunc(d) 0003: File: '/poky/meta/classes/sstate.bbclass', lineno: 774, function: sstate_task_postfunc 0770: 0771:omask = os.umask(0o002) 0772:if omask != 0o002: 0773: bb.note("Using umask 0o002 (not %0o) for sstate packaging" % omask) *** 0774:sstate_package(shared_state, d) 0775:os.umask(omask) 0776: 0777:sstateinst = d.getVar("SSTATE_INSTDIR") 0778:d.setVar('SSTATE_FIXMEDIR', shared_state['fixmedir']) File: '/poky/meta/classes/sstate.bbclass', lineno: 703, function: sstate_package 0699:if not os.path.exists(siginfo): 0700:bb.siggen.dump_this_task(siginfo, d) 0701:else: 0702:try: *** 0703:os.utime(siginfo, None) 0704:except PermissionError: 0705:pass 0706: 0707:return Exception: OSError: [Errno 30] Read-only file system --- meta/classes/sstate.bbclass | 8 1 file changed, 8 insertions(+) diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass index 3a3f7cc24b..163f97495c 100644 --- a/meta/classes/sstate.bbclass +++ b/meta/classes/sstate.bbclass @@ -703,6 +703,10 @@ def sstate_package(ss, d): os.utime(siginfo, None) except PermissionError: pass +except OSError as e: +# Handle read-only file systems gracefully +if not e.errno == 30: +raise e return @@ -1145,6 +1149,10 @@ python sstate_eventhandler() { os.utime(siginfo, None) except PermissionError: pass +except OSError as e: +# Handle read-only file systems gracefully +if not e.errno == 30: +raise e } -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#153256): https://lists.openembedded.org/g/openembedded-core/message/153256 Mute This Topic: https://lists.openembedded.org/mt/83757817/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH] pypi: set SRC_URI with =, not with +=
On Thu, 24 Jun 2021 at 09:21, Andre McCurdy wrote: > On Wed, Jun 23, 2021 at 3:18 AM Alexander Kanavin > wrote: > > > > Frankly guys, I think maybe we should just break stuff in this case, and > have it fixed up properly, then try to guess what workaround might work. > > > > From that perspective the original patch is the most clear. > > The typical ordering of variables etc in recipes is to put SRC_URI > before inherit. > > From the perspective of trying to get recipes to stick to a standard > ordering of variables etc, _prepend seems to be the best solution. > That's fine with me, we should probably fix up gnomebase.bbclass as well, as using = there adds friction to how SRC_URI must be set in the recipes. Alex -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#153255): https://lists.openembedded.org/g/openembedded-core/message/153255 Mute This Topic: https://lists.openembedded.org/mt/83721889/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [hardknott][PATCH] curl: fix build when proxy is not enabled in PACKAGECONFIG
Backport upstream patches to fix issues introduced by a backported CVE patch. Fixes: | ../../curl-7.75.0/lib/vtls/vtls.c: In function ‘Curl_ssl_addsessionid’: | ../../curl-7.75.0/lib/vtls/vtls.c:508:14: error: ‘isProxy’ redeclared as different kind of symbol | 508 | const bool isProxy = FALSE; | | ^~~ | ../../curl-7.75.0/lib/vtls/vtls.c:488:37: note: previous definition of ‘isProxy’ with type ‘_Bool’ | 488 |bool isProxy, | | ^ Signed-off-by: Anuj Mittal --- .../curl/curl/vtls-fix-addsessionid.patch | 31 ++ .../curl/curl/vtls-fix-warning.patch | 40 +++ meta/recipes-support/curl/curl_7.75.0.bb | 2 + 3 files changed, 73 insertions(+) create mode 100644 meta/recipes-support/curl/curl/vtls-fix-addsessionid.patch create mode 100644 meta/recipes-support/curl/curl/vtls-fix-warning.patch diff --git a/meta/recipes-support/curl/curl/vtls-fix-addsessionid.patch b/meta/recipes-support/curl/curl/vtls-fix-addsessionid.patch new file mode 100644 index 00..a4b9cb8931 --- /dev/null +++ b/meta/recipes-support/curl/curl/vtls-fix-addsessionid.patch @@ -0,0 +1,31 @@ +From 2c26eeef12f0204fb85d6bf40b4e7a1e2ddcdf24 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Mar 2021 12:50:57 +0200 +Subject: [PATCH] vtls: fix addsessionid for non-proxy builds + +Follow-up to b09c8ee15771c61 +Fixes #6812 +Closes #6811 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/2c26eeef12f0204fb85d6bf40b4e7a1e2ddcdf24] +Signed-off-by: Anuj Mittal +--- + lib/vtls/vtls.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 95fd6356285f..2e07df0a0462 100644 +--- a/lib/vtls/vtls.c b/lib/vtls/vtls.c +@@ -504,11 +504,8 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + const char *hostname = isProxy ? conn->http_proxy.host.name : + conn->host.name; + #else +- /* proxy support disabled */ +- const bool isProxy = FALSE; + struct ssl_primary_config * const ssl_config = >ssl_config; + const char *hostname = conn->host.name; +- (void)sockindex; + #endif + (void)sockindex; + DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); diff --git a/meta/recipes-support/curl/curl/vtls-fix-warning.patch b/meta/recipes-support/curl/curl/vtls-fix-warning.patch new file mode 100644 index 00..113b6fd116 --- /dev/null +++ b/meta/recipes-support/curl/curl/vtls-fix-warning.patch @@ -0,0 +1,40 @@ +From b31d9ccfc2da288900e6857ad8d048c612328cac Mon Sep 17 00:00:00 2001 +From: Jay Satiro +Date: Sun, 20 Jun 2021 16:42:58 -0400 +Subject: [PATCH] vtls: fix warning due to function prototype mismatch + +b09c8ee changed the function prototype. Caught by Visual Studio. + +Upstream-Status: Backport [https://github.com/curl/curl/commit/b31d9ccfc2da288900e6857ad8d048c612328cac] +Signed-off-by: Anuj Mittal +--- + lib/vtls/vtls.c | 2 +- + lib/vtls/vtls.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 82883c9c55e2..fe43703bf8b8 100644 +--- a/lib/vtls/vtls.c b/lib/vtls/vtls.c +@@ -497,7 +497,7 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid) + */ + CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, +struct connectdata *conn, +- bool isProxy, ++ const bool isProxy, +void *ssl_sessionid, +size_t idsize, +int sockindex) +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h +index a0585c9cec4c..f1a9b8033ae5 100644 +--- a/lib/vtls/vtls.h b/lib/vtls/vtls.h +@@ -247,7 +247,7 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data); + */ + bool Curl_ssl_getsessionid(struct Curl_easy *data, +struct connectdata *conn, +- const bool isproxy, ++ const bool isProxy, +void **ssl_sessionid, +size_t *idsize, /* set 0 if unknown */ +int sockindex); diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb index 7c7b363ae3..f7a8202bc9 100644 --- a/meta/recipes-support/curl/curl_7.75.0.bb +++ b/meta/recipes-support/curl/curl_7.75.0.bb @@ -13,6 +13,8 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://0001-replace-krb5-config-with-pkg-config.patch \ file://0001-vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch \ file://0002-transfer-strip-credentials-from-the-auto-referer-hea.patch \ + file://vtls-fix-addsessionid.patch \ + file://vtls-fix-warning.patch \ " SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026" -- 2.31.1
Re: [OE-core] [PATCH] pypi: set SRC_URI with =, not with +=
On Wed, Jun 23, 2021 at 3:18 AM Alexander Kanavin wrote: > > Frankly guys, I think maybe we should just break stuff in this case, and have > it fixed up properly, then try to guess what workaround might work. > > From that perspective the original patch is the most clear. The typical ordering of variables etc in recipes is to put SRC_URI before inherit. >From the perspective of trying to get recipes to stick to a standard ordering of variables etc, _prepend seems to be the best solution. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#153253): https://lists.openembedded.org/g/openembedded-core/message/153253 Mute This Topic: https://lists.openembedded.org/mt/83721889/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] Curl CVE-2021-22876 backport in hardknott
On Thu, 2021-06-24 at 06:23 +, Sander Visser wrote: > Hi > > 0002-transfer-strip-credentials-from-the-auto-referer-hea.patch does > not allow building of Curl without PACKAGECONFIG “proxy” > I think we need this too: https://github.com/curl/curl/commit/2c26eeef12f0204fb85d6bf40b4e7a1e2ddcdf24.patch I will send a patch and include this in my next queue. Thanks, Anuj -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#153252): https://lists.openembedded.org/g/openembedded-core/message/153252 Mute This Topic: https://lists.openembedded.org/mt/83755487/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [hardknott][PATCH 00/13] pull request (cover letter only)
Please merge these changes in hardknott. Thanks, Anuj The following changes since commit bfe25c99e914062b0527a6e74ebb8ce1eaad4ca8: linux-firmware: upgrade 20210315 -> 20210511 (2021-06-11 11:46:53 +0800) are available in the Git repository at: git://push.openembedded.org/openembedded-core-contrib stable/hardknott-next Andrea Adami (1): kernel.bbclass: fix do_sizecheck() comparison Bruce Ashfield (2): linux-yocto/5.4: update to v5.4.124 linux-yocto/5.4: update to v5.4.125 Kai Kang (1): libx11: fix CVE-2021-31535 Khem Raj (1): linuxloader: Be aware of riscv32 ldso Peter Kjellerstedt (2): util-linux.inc: Do not modify BPN native.bbclass: Do not remove "-native" in the middle of recipe names Richard Purdie (2): lttng-tools: upgrade 2.12.3 -> 2.12.4 perf: Use python3targetconfig to ensure we use target libraries Ross Burton (1): avahi: apply fix for CVE-2021-3468 Tony Tascioglu (2): valgrind: remove buggy ptest from arm64 valgrind: Actually install list of non-deterministic ptests Trevor Gamblin (1): curl: cleanup CVE patches for hardknott meta/classes/kernel.bbclass | 2 +- meta/classes/linuxloader.bbclass | 2 + meta/classes/native.bbclass | 8 +- meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 + .../avahi/files/handle-hup.patch | 41 +++ meta/recipes-core/util-linux/util-linux.inc | 3 +- .../valgrind/valgrind/remove-for-aarch64 | 1 + .../valgrind/valgrind/run-ptest | 4 +- .../valgrind/taskset_nondeterministic_tests | 2 - .../valgrind/valgrind_3.16.1.bb | 2 + .../xorg-lib/libx11/fix-CVE-2021-31535.patch | 320 ++ .../recipes-graphics/xorg-lib/libx11_1.7.0.bb | 5 +- .../linux/linux-yocto-rt_5.4.bb | 6 +- .../linux/linux-yocto-tiny_5.4.bb | 8 +- meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +- ...-tools_2.12.3.bb => lttng-tools_2.12.4.bb} | 9 +- meta/recipes-kernel/perf/perf.bb | 2 +- ...-argument-to-Curl_ssl_get-addsession.patch | 16 +- ...redentials-from-the-auto-referer-hea.patch | 5 +- 19 files changed, 417 insertions(+), 42 deletions(-) create mode 100644 meta/recipes-connectivity/avahi/files/handle-hup.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch rename meta/recipes-kernel/lttng/{lttng-tools_2.12.3.bb => lttng-tools_2.12.4.bb} (94%) -- 2.31.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#153251): https://lists.openembedded.org/g/openembedded-core/message/153251 Mute This Topic: https://lists.openembedded.org/mt/83755522/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] Curl CVE-2021-22876 backport in hardknott
Hi 0002-transfer-strip-credentials-from-the-auto-referer-hea.patch does not allow building of Curl without PACKAGECONFIG "proxy" /Regards Sander This email message (including its attachments) is confidential and may contain privileged information and is intended solely for the use of the individual and/or entity to whom it is addressed. If you are not the intended recipient of this e-mail you may not disseminate, distribute or copy this e-mail (including its attachments), or any part thereof. If this e-mail is received in error, please notify the sender immediately by return e-mail and make sure that this e-mail (including its attachments), and all copies thereof, are immediately deleted from your system. Please further note that when you communicate with us via email or visit our website we process your personal data. See our privacy policy for more information about how we process it: https://www.volvogroup.com/en-en/privacy.html -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#153250): https://lists.openembedded.org/g/openembedded-core/message/153250 Mute This Topic: https://lists.openembedded.org/mt/83755487/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-