Re: Patchtest results for [OE-core][PATCH] patchtest: shorten test result outputs

2023-10-31 Thread Marta Rybczynska
On Wed, 1 Nov 2023, 11:48 Anuj Mittal wrote:

> On Tue, 2023-10-31 at 19:33 -0700, Tim Orling wrote:
> >
> >
> > On Tue, Oct 31, 2023 at 7:26 PM Anuj Mittal 
> > wrote:
> > > On Tue, 2023-10-31 at 14:20 +, Trevor Gamblin wrote:
> > > > Thank you for your submission. Patchtest identified one
> > > > or more issues with the patch. Please see the log below for
> > > > more information:
> > > >
> > > > ---
> > > > Testing patch /home/patchtest/share/mboxes/patchtest-shorten-
> > > > test-
> > > > result-outputs.patch
> > > >
> > > > FAIL: test CVE presence in commit message: A CVE tag should be
> > > > provided in the commit message with format: "CVE: CVE--"
> > > > (test_mbox.TestMbox.test_cve_presence_in_commit_message)
> > >
> > > Is this a requirement to have this in commit message in this
> > > format? I
> > > don't think this was being followed until now. A lot of patches
> > > seem to
> > > be failing this test as a result.
> > >
> >
> >
> > This was required when patchtest was running previously. It has been
> > ignored for a while now, but that does not mean we should not enforce
> > it. It should be documented as required.
> >
> > The tags allow for machines to parse the relevant info. Anything else
> > is purely random and chaos.
>
> The tag is already required to be present in the CVE patch itself which
> is/can be parsed by scripts which actually I think is a better way of
> detecting whether a CVE is patched rather than looking at commit
> messages.
>
> If having it in a specific format in commit message as well helps,
> sure. It shouldn't take time to add it but we seem to be adding too
> many rules ...
>
>
(adding Steve)

I agree with Anuj, and I do not remember seeing a rule to put the
CVE number in the commit message. We already have it in the
patch file name (recommended) and inside the patch file itself.
Those two places are enough in my opinion. In fact, it will likely
be there in the commit message (its title), so repeating it does
not make much logical sense.

In fact, I have an update of the manual with more detailed information
on submitting CVE fixes, and I am looking for a resolution of this question
before I submit it :)

Steve, does such an additional tag in the commit message make it
easier for you?

Kind regards,
Marta

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189896): 
https://lists.openembedded.org/g/openembedded-core/message/189896
Mute This Topic: https://lists.openembedded.org/mt/102275009/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
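The thread argues about where the "CVE: CVE-YYYY-NNNN" tag has to live: in the commit message (what patchtest's test_cve_presence_in_commit_message failed on) or in the new patch file (what test_cve_tag_format checks and what scripts parse). As an added example, and not patchtest's or the project's own code, here is a small Python model of both checks run over a constructed format-patch mail; the rule for when the commit-message check applies (CVE named in the shortlog or tagged in a new .patch file) is an assumption about the intent, not patchtest's exact logic.

```python
import re
from email import message_from_string

# Tag format the thread discusses: a line "CVE: CVE-YYYY-NNNN" (one or more IDs).
CVE_ID_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
CVE_TAG_RE = re.compile(r"^CVE:\s*((?:CVE-\d{4}-\d{4,}[ ,]*)+)\s*$", re.MULTILINE)


def parse_patch_mail(mail_text):
    """Split a git format-patch mail into (subject, commit message, diff text).
    The commit message ends at the '---' separator format-patch puts before the diffstat."""
    msg = message_from_string(mail_text)
    commit_msg, _, diff = msg.get_payload().partition("\n---\n")
    return msg.get("Subject", ""), commit_msg, diff


def new_patch_files(diff):
    """Map each newly added file in the diff to its content: the '+' lines of its
    hunks with the prefix stripped (only files marked 'new file mode' count)."""
    files, current, new_file, in_hunk = {}, None, False, False
    for line in diff.splitlines():
        if line.startswith("diff --git "):
            current, new_file, in_hunk = None, False, False
        elif line.startswith("new file mode"):
            new_file = True
        elif new_file and not in_hunk and line.startswith("+++ b/"):
            current = line[len("+++ b/"):]
            files[current] = []
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and current is not None and line.startswith("+"):
            files[current].append(line[1:])
    return {path: "\n".join(lines) for path, lines in files.items()}


def tagged_ids(text):
    """CVE IDs that appear on a correctly formatted 'CVE:' tag line."""
    return {cve for m in CVE_TAG_RE.finditer(text) for cve in CVE_ID_RE.findall(m.group(1))}


def check_commit_message(subject, commit_msg, patch_files):
    """Model of test_cve_presence_in_commit_message (assumption, not patchtest's exact logic):
    a CVE fix (CVE in the shortlog or a tagged new .patch) must tag every such ID in its body."""
    expected = set(CVE_ID_RE.findall(subject))
    for path, content in patch_files.items():
        if path.endswith(".patch"):
            expected |= tagged_ids(content)
    if not expected:
        return "SKIP", "not a CVE fix"
    missing = expected - tagged_ids(commit_msg)
    if missing:
        return "FAIL", "CVE tag missing in commit message: " + ", ".join(sorted(missing))
    return "PASS", ""


def check_patch_file_tags(patch_files):
    """Model of test_cve_tag_format: a new .patch file that mentions a CVE ID must carry
    it on a 'CVE:' tag line, because that line is what the scripts parse."""
    cve_patches = [p for p, c in patch_files.items() if p.endswith(".patch") and CVE_ID_RE.search(c)]
    if not cve_patches:
        return "SKIP", "No new CVE patches introduced"
    untagged = [p for p in cve_patches if not tagged_ids(patch_files[p])]
    if untagged:
        return "FAIL", "no 'CVE:' tag line in " + ", ".join(untagged)
    return "PASS", ""


def run_checks(mail_text):
    subject, commit_msg, diff = parse_patch_mail(mail_text)
    patch_files = new_patch_files(diff)
    return {"cve_presence_in_commit_message": check_commit_message(subject, commit_msg, patch_files),
            "cve_tag_format": check_patch_file_tags(patch_files)}


# Constructed sample mail (not real list traffic), shaped like the libwebp backport on this page.
GOOD_MAIL = """\
From: Example Submitter <submitter@example.invalid>
Subject: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863

CVE: CVE-2023-4863

Signed-off-by: Example Submitter <submitter@example.invalid>
---
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
new file mode 100644
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
@@ -0,0 +1,3 @@
+Subject: [PATCH] Fix invalid incremental decoding check.
+
+CVE: CVE-2023-4863
"""

# Same mail with the tag line dropped from the commit message only.
BAD_MAIL = GOOD_MAIL.replace("\nCVE: CVE-2023-4863\n\nSigned-off-by", "\nSigned-off-by", 1)

if __name__ == "__main__":
    for name, mail in (("good", GOOD_MAIL), ("bad", BAD_MAIL)):
        for test, (verdict, why) in run_checks(mail).items():
            print(f"{name}: {verdict}: {test} {why}".rstrip())
```

A non-CVE mail (no CVE in the shortlog, no new .patch file) gets SKIP from both checks, which is the behaviour Anuj expected for the patchtest patch that triggered this thread.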



Re: Patchtest results for [OE-core][PATCH] patchtest: shorten test result outputs

2023-10-31 Thread Anuj Mittal
On Tue, 2023-10-31 at 19:33 -0700, Tim Orling wrote:
> 
> 
> On Tue, Oct 31, 2023 at 7:26 PM Anuj Mittal 
> wrote:
> > On Tue, 2023-10-31 at 14:20 +, Trevor Gamblin wrote:
> > > Thank you for your submission. Patchtest identified one
> > > or more issues with the patch. Please see the log below for
> > > more information:
> > > 
> > > ---
> > > Testing patch /home/patchtest/share/mboxes/patchtest-shorten-
> > > test-
> > > result-outputs.patch
> > > 
> > > FAIL: test CVE presence in commit message: A CVE tag should be
> > > provided in the commit message with format: "CVE: CVE--"
> > > (test_mbox.TestMbox.test_cve_presence_in_commit_message)
> > 
> > Is this a requirement to have this in commit message in this
> > format? I
> > don't think this was being followed until now. A lot of patches
> > seem to
> > be failing this test as a result.
> > 
> 
> 
> This was required when patchtest was running previously. It has been
> ignored for a while now, but that does not mean we should not enforce
> it. It should be documented as required.
> 
> The tags allow for machines to parse the relevant info. Anything else
> is purely random and chaos.

The tag is already required to be present in the CVE patch itself which
is/can be parsed by scripts which actually I think is a better way of
detecting whether a CVE is patched rather than looking at commit
messages.

If having it in a specific format in commit message as well helps,
sure. It shouldn't take time to add it but we seem to be adding too
many rules ...

Thanks,

Anuj

> 
> > 
> > The wiki just mentions that CVE number should be in commit message.
> > 
> > Thanks,
> > 
> > Anuj
> > 
> > > 
> > > PASS: pretest pylint (test_python_pylint.PyLint.pretest_pylint)
> > > PASS: test Signed-off-by presence
> > > (test_mbox.TestMbox.test_signed_off_by_presence)
> > > PASS: test author valid (test_mbox.TestMbox.test_author_valid)
> > > PASS: test commit message presence
> > > (test_mbox.TestMbox.test_commit_message_presence)
> > > PASS: test max line length
> > > (test_metadata.TestMetadata.test_max_line_length)
> > > PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
> > > PASS: test non-AUH upgrade
> > > (test_mbox.TestMbox.test_non_auh_upgrade)
> > > PASS: test pylint (test_python_pylint.PyLint.test_pylint)
> > > PASS: test shortlog format
> > > (test_mbox.TestMbox.test_shortlog_format)
> > > PASS: test shortlog length
> > > (test_mbox.TestMbox.test_shortlog_length)
> > > 
> > > SKIP: pretest lic files chksum modified not mentioned: No
> > > modified
> > > recipes, skipping pretest
> > > (test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not
> > > _men
> > > tioned)
> > > SKIP: pretest src uri left files: No modified recipes, skipping
> > > pretest (test_metadata.TestMetadata.pretest_src_uri_left_files)
> > > SKIP: test CVE tag format: No new CVE patches introduced
> > > (test_patch.TestPatch.test_cve_tag_format)
> > > SKIP: test Signed-off-by presence: No new CVE patches introduced
> > > (test_patch.TestPatch.test_signed_off_by_presence)
> > > SKIP: test Upstream-Status presence: No new CVE patches
> > > introduced
> > > (test_patch.TestPatch.test_upstream_status_presence_format)
> > > SKIP: test bugzilla entry format: No bug ID found
> > > (test_mbox.TestMbox.test_bugzilla_entry_format)
> > > SKIP: test lic files chksum modified not mentioned: No modified
> > > recipes, skipping test
> > > (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_me
> > > ntio
> > > ned)
> > > SKIP: test lic files chksum presence: No added recipes, skipping
> > > test
> > > (test_metadata.TestMetadata.test_lic_files_chksum_presence)
> > > SKIP: test license presence: No added recipes, skipping test
> > > (test_metadata.TestMetadata.test_license_presence)
> > > SKIP: test series merge on head: Merge test is disabled for now
> > > (test_mbox.TestMbox.test_series_merge_on_head)
> > > SKIP: test src uri left files: No modified recipes, skipping
> > > pretest
> > > (test_metadata.TestMetadata.test_src_uri_left_files)
> > > SKIP: test summary presence: No added recipes, skipping test
> > > (test_metadata.TestMetadata.test_summary_presence)
> > > SKIP: test target mailing list: Series merged, no reason to check
> > > other mailing lists (test_mbox.TestMbox.test_target_mailing_list)
> > > 
> > > ---
> > > 
> > > Please address the issues identified and
> > > submit a new revision of the patch, or alternatively, reply to
> > > this
> > > email with an explanation of why the patch should be accepted. If
> > > you
> > > believe these results are due to an error in patchtest, please
> > > submit
> > > a
> > > bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest'
> > > category
> > > under 'Yocto Project Subprojects'). For more information on
> > > specific
> > > failures, see: https://wiki.yoctoproject.org/wiki/Patchtest.
> > > Thank
> > > you!
> > > 



Re: Patchtest results for [OE-core][PATCH] patchtest: shorten test result outputs

2023-10-31 Thread Tim Orling
On Tue, Oct 31, 2023 at 7:26 PM Anuj Mittal wrote:

> On Tue, 2023-10-31 at 14:20 +, Trevor Gamblin wrote:
> > Thank you for your submission. Patchtest identified one
> > or more issues with the patch. Please see the log below for
> > more information:
> >
> > ---
> > Testing patch /home/patchtest/share/mboxes/patchtest-shorten-test-
> > result-outputs.patch
> >
> > FAIL: test CVE presence in commit message: A CVE tag should be
> > provided in the commit message with format: "CVE: CVE--"
> > (test_mbox.TestMbox.test_cve_presence_in_commit_message)
>
> Is this a requirement to have this in commit message in this format? I
> don't think this was being followed until now. A lot of patches seem to
> be failing this test as a result.
>

This was required when patchtest was running previously. It has been
ignored for a while now, but that does not mean we should not enforce it.
It should be documented as required.

The tags allow for machines to parse the relevant info. Anything else is
purely random and chaos.


> The wiki just mentions that CVE number should be in commit message.
>
> Thanks,
>
> Anuj
>
> >
> > PASS: pretest pylint (test_python_pylint.PyLint.pretest_pylint)
> > PASS: test Signed-off-by presence
> > (test_mbox.TestMbox.test_signed_off_by_presence)
> > PASS: test author valid (test_mbox.TestMbox.test_author_valid)
> > PASS: test commit message presence
> > (test_mbox.TestMbox.test_commit_message_presence)
> > PASS: test max line length
> > (test_metadata.TestMetadata.test_max_line_length)
> > PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
> > PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
> > PASS: test pylint (test_python_pylint.PyLint.test_pylint)
> > PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
> > PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
> >
> > SKIP: pretest lic files chksum modified not mentioned: No modified
> > recipes, skipping pretest
> > (test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not_men
> > tioned)
> > SKIP: pretest src uri left files: No modified recipes, skipping
> > pretest (test_metadata.TestMetadata.pretest_src_uri_left_files)
> > SKIP: test CVE tag format: No new CVE patches introduced
> > (test_patch.TestPatch.test_cve_tag_format)
> > SKIP: test Signed-off-by presence: No new CVE patches introduced
> > (test_patch.TestPatch.test_signed_off_by_presence)
> > SKIP: test Upstream-Status presence: No new CVE patches introduced
> > (test_patch.TestPatch.test_upstream_status_presence_format)
> > SKIP: test bugzilla entry format: No bug ID found
> > (test_mbox.TestMbox.test_bugzilla_entry_format)
> > SKIP: test lic files chksum modified not mentioned: No modified
> > recipes, skipping test
> > (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentio
> > ned)
> > SKIP: test lic files chksum presence: No added recipes, skipping test
> > (test_metadata.TestMetadata.test_lic_files_chksum_presence)
> > SKIP: test license presence: No added recipes, skipping test
> > (test_metadata.TestMetadata.test_license_presence)
> > SKIP: test series merge on head: Merge test is disabled for now
> > (test_mbox.TestMbox.test_series_merge_on_head)
> > SKIP: test src uri left files: No modified recipes, skipping pretest
> > (test_metadata.TestMetadata.test_src_uri_left_files)
> > SKIP: test summary presence: No added recipes, skipping test
> > (test_metadata.TestMetadata.test_summary_presence)
> > SKIP: test target mailing list: Series merged, no reason to check
> > other mailing lists (test_mbox.TestMbox.test_target_mailing_list)
> >
> > ---
> >
> > Please address the issues identified and
> > submit a new revision of the patch, or alternatively, reply to this
> > email with an explanation of why the patch should be accepted. If you
> > believe these results are due to an error in patchtest, please submit
> > a
> > bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest'
> > category
> > under 'Yocto Project Subprojects'). For more information on specific
> > failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
> > you!
> >

View/Reply Online (#189894): https://lists.openembedded.org/g/openembedded-core/message/189894



Re: Patchtest results for [OE-core][PATCH] patchtest: shorten test result outputs

2023-10-31 Thread Anuj Mittal
On Tue, 2023-10-31 at 14:20 +, Trevor Gamblin wrote:
> Thank you for your submission. Patchtest identified one
> or more issues with the patch. Please see the log below for
> more information:
> 
> ---
> Testing patch /home/patchtest/share/mboxes/patchtest-shorten-test-
> result-outputs.patch
> 
> FAIL: test CVE presence in commit message: A CVE tag should be
> provided in the commit message with format: "CVE: CVE--"
> (test_mbox.TestMbox.test_cve_presence_in_commit_message)

Is this a requirement to have this in commit message in this format? I
don't think this was being followed until now. A lot of patches seem to
be failing this test as a result.

The wiki just mentions that CVE number should be in commit message.

Thanks,

Anuj

> 
> PASS: pretest pylint (test_python_pylint.PyLint.pretest_pylint)
> PASS: test Signed-off-by presence
> (test_mbox.TestMbox.test_signed_off_by_presence)
> PASS: test author valid (test_mbox.TestMbox.test_author_valid)
> PASS: test commit message presence
> (test_mbox.TestMbox.test_commit_message_presence)
> PASS: test max line length
> (test_metadata.TestMetadata.test_max_line_length)
> PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
> PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
> PASS: test pylint (test_python_pylint.PyLint.test_pylint)
> PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
> PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
> 
> SKIP: pretest lic files chksum modified not mentioned: No modified
> recipes, skipping pretest
> (test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not_men
> tioned)
> SKIP: pretest src uri left files: No modified recipes, skipping
> pretest (test_metadata.TestMetadata.pretest_src_uri_left_files)
> SKIP: test CVE tag format: No new CVE patches introduced
> (test_patch.TestPatch.test_cve_tag_format)
> SKIP: test Signed-off-by presence: No new CVE patches introduced
> (test_patch.TestPatch.test_signed_off_by_presence)
> SKIP: test Upstream-Status presence: No new CVE patches introduced
> (test_patch.TestPatch.test_upstream_status_presence_format)
> SKIP: test bugzilla entry format: No bug ID found
> (test_mbox.TestMbox.test_bugzilla_entry_format)
> SKIP: test lic files chksum modified not mentioned: No modified
> recipes, skipping test
> (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentio
> ned)
> SKIP: test lic files chksum presence: No added recipes, skipping test
> (test_metadata.TestMetadata.test_lic_files_chksum_presence)
> SKIP: test license presence: No added recipes, skipping test
> (test_metadata.TestMetadata.test_license_presence)
> SKIP: test series merge on head: Merge test is disabled for now
> (test_mbox.TestMbox.test_series_merge_on_head)
> SKIP: test src uri left files: No modified recipes, skipping pretest
> (test_metadata.TestMetadata.test_src_uri_left_files)
> SKIP: test summary presence: No added recipes, skipping test
> (test_metadata.TestMetadata.test_summary_presence)
> SKIP: test target mailing list: Series merged, no reason to check
> other mailing lists (test_mbox.TestMbox.test_target_mailing_list)
> 
> ---
> 
> Please address the issues identified and
> submit a new revision of the patch, or alternatively, reply to this
> email with an explanation of why the patch should be accepted. If you
> believe these results are due to an error in patchtest, please submit
> a
> bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest'
> category
> under 'Yocto Project Subprojects'). For more information on specific
> failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
> you!
> 


View/Reply Online (#189893): https://lists.openembedded.org/g/openembedded-core/message/189893



[OE-core] [PATCH] strace: upgrade 6.5 -> 6.6

2023-10-31 Thread Randy MacLeod via lists.openembedded.org
From: Randy MacLeod 

Update the COPYING checksum; only the copyright date changed.

Noteworthy changes in strace 6.6 (2023-10-31)
=

* Improvements
  * Implemented --kill-on-exit option that instructs the tracer to set
PTRACE_O_EXITKILL option to all tracee processes and not to detach them
on cleanup so they will not be left running after the tracer exit.
  * Implemented automatic activation of --kill-on-exit option when
--seccomp-bpf is enabled and -p/--attach option is not used.
  * Implemented decoding of map_shadow_stack syscall.
  * Implemented decoding of FSCONFIG_CMD_CREATE_EXCL fsconfig command.
  * Implemented decoding of IFLA_BRPORT_BACKUP_NHID netlink attribute.
  * Implemented decoding of SECCOMP_IOCTL_NOTIF_SET_FLAGS ioctl.
  * Implemented decoding of UFFDIO_CONTINUE, UFFDIO_POISON, and
UFFDIO_WRITEPROTECT ioctls.
  * Updated lists of ARCH_*, BPF_*, DEVCONF_*, IORING_*, KEXEC_*, MAP_*, NT_*,
PTRACE_*, QFMT_*, SEGV_*, UFFD_*, V4L2_*, and XDP_* constants.
  * Updated lists of ioctl commands from Linux 6.6.

ptest-runner results on qemux86-64/kvm with qemuparms="-m 1024 -smp 4":

Testsuite summary for strace 6.6



Signed-off-by: Randy MacLeod 
---
 .../strace/tests-fix-so_peerpidfd-test.patch  | 32 ---
 .../strace/{strace_6.5.bb => strace_6.6.bb}   |  5 ++-
 2 files changed, 2 insertions(+), 35 deletions(-)
 delete mode 100644 
meta/recipes-devtools/strace/strace/tests-fix-so_peerpidfd-test.patch
 rename meta/recipes-devtools/strace/{strace_6.5.bb => strace_6.6.bb} (90%)

diff --git 
a/meta/recipes-devtools/strace/strace/tests-fix-so_peerpidfd-test.patch 
b/meta/recipes-devtools/strace/strace/tests-fix-so_peerpidfd-test.patch
deleted file mode 100644
index 62f73d3643..00
--- a/meta/recipes-devtools/strace/strace/tests-fix-so_peerpidfd-test.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 44cf51a38cce1e90bb6c22208fa45f95cdcc8f5d Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin" 
-Date: Sat, 14 Oct 2023 08:00:00 +
-Subject: [PATCH] tests: fix so_peerpidfd test
-
-* tests/so_peerpidfd.c (print_pidfd): Fix expected output.
-
-Fixes: v6.5~38 "net: implement decoding of SO_PEERPIDFD socket option"
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2243631
-
-Upstream-Status: Backport 
[https://github.com/strace/strace/commit/44cf51a38cce1e90bb6c22208fa45f95cdcc8f5d]
-Signed-off-by: Randy MacLeod 

- tests/so_peerpidfd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/so_peerpidfd.c b/tests/so_peerpidfd.c
-index 33988edec..dfad1c434 100644
 a/tests/so_peerpidfd.c
-+++ b/tests/so_peerpidfd.c
-@@ -37,7 +37,7 @@ print_pidfd(int *p)
-   if (rc < 0)
-   printf("%p", p);
-   else
--  printf("%d%s", *p, pidfd_suffix);
-+  printf("[%d%s]", *p, pidfd_suffix);
- }
- 
- static void
--- 
-2.34.1
-
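Review bot: the commit message gives no reason for deleting tests-fix-so_peerpidfd-test.patch in this hunk. The file's own header says it is a Backport of strace commit 44cf51a38cce1e90bb6c22208fa45f95cdcc8f5d with "Fixes: v6.5~38", i.e. a fix to code that post-dates 6.5, so the expected justification is that the commit is part of the 6.6 release; state that in one line of the commit message (for example "Drop tests-fix-so_peerpidfd-test.patch: merged upstream in 6.6") so the next reader does not have to re-derive it from the upstream history.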
diff --git a/meta/recipes-devtools/strace/strace_6.5.bb 
b/meta/recipes-devtools/strace/strace_6.6.bb
similarity index 90%
rename from meta/recipes-devtools/strace/strace_6.5.bb
rename to meta/recipes-devtools/strace/strace_6.6.bb
index d1536b1e8d..a3de7941cf 100644
--- a/meta/recipes-devtools/strace/strace_6.5.bb
+++ b/meta/recipes-devtools/strace/strace_6.6.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://strace.io;
 DESCRIPTION = "strace is a diagnostic, debugging and instructional userspace 
utility for Linux. It is used to monitor and tamper with interactions between 
processes and the Linux kernel, which include system calls, signal deliveries, 
and changes of process state."
 SECTION = "console/utils"
 LICENSE = "LGPL-2.1-or-later & GPL-2.0-or-later"
-LIC_FILES_CHKSUM = "file://COPYING;md5=59a33f0a3e6122d67c0b3befccbdaa6b"
+LIC_FILES_CHKSUM = "file://COPYING;md5=63c8c3eb5c71b4362edac1397f40bdc7"
 
 SRC_URI = "https://strace.io/files/${PV}/strace-${PV}.tar.xz \
file://update-gawk-paths.patch \
@@ -14,9 +14,8 @@ SRC_URI = "https://strace.io/files/${PV}/strace-${PV}.tar.xz \
file://skip-load.patch \

file://0001-configure-Use-autoconf-macro-to-detect-largefile-sup.patch \
file://0002-tests-Replace-off64_t-with-off_t.patch \
-   file://tests-fix-so_peerpidfd-test.patch \
"
-SRC_URI[sha256sum] = 
"dfb051702389e1979a151892b5901afc9e93bbc1c70d84c906ade3224ca91980"
+SRC_URI[sha256sum] = 
"421b4186c06b705163e64dc85f271ebdcf67660af8667283147d5e859fc8a96c"
 
 inherit autotools ptest
 
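Review bot: this hunk drops file://tests-fix-so_peerpidfd-test.patch and replaces SRC_URI[sha256sum], but neither change is backed up by the commit message body: the message promises ptest-runner results on qemux86-64/kvm, yet the "Testsuite summary for strace 6.6" block in the mail is empty, so a reviewer cannot see whether so_peerpidfd.gen.test passes without the dropped patch; and nothing says whether the new sha256sum was compared against the value published upstream rather than only computed from the downloaded tarball. Fill in the test summary and, ideally, say how the checksum was verified.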
-- 
2.42.0


View/Reply Online (#189892): https://lists.openembedded.org/g/openembedded-core/message/189892
Re: [OE-core] [PATCH] strace: backport fix for so_peerpidfd-test

2023-10-31 Thread Randy MacLeod via lists.openembedded.org

On 2023-10-31 7:47 p.m., Randy MacLeod via lists.openembedded.org wrote:

From: Randy MacLeod

Backport the fix for the so_peerpidfd-test:
44cf51a38 tests: fix so_peerpidfd test
and drop the patch that skipped that test.

Note that options-syntax.test failed with the default qemux86-64/kvm memory
size but works with 1024 MB.

../Randy



Signed-off-by: Randy MacLeod
---
  .../skip-test-so_peerpidfd.gen.test.patch | 25 ---
  .../strace/tests-fix-so_peerpidfd-test.patch  | 32 +++
  meta/recipes-devtools/strace/strace_6.5.bb|  2 +-
  3 files changed, 33 insertions(+), 26 deletions(-)
  delete mode 100644 
meta/recipes-devtools/strace/strace/skip-test-so_peerpidfd.gen.test.patch
  create mode 100644 
meta/recipes-devtools/strace/strace/tests-fix-so_peerpidfd-test.patch

diff --git 
a/meta/recipes-devtools/strace/strace/skip-test-so_peerpidfd.gen.test.patch 
b/meta/recipes-devtools/strace/strace/skip-test-so_peerpidfd.gen.test.patch
deleted file mode 100644
index 5c73e1f10e..00
--- a/meta/recipes-devtools/strace/strace/skip-test-so_peerpidfd.gen.test.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 002d9f2512245536dfc8d62db429d97e2216ec3a Mon Sep 17 00:00:00 2001
-From: Randy MacLeod
-Date: Fri, 6 Oct 2023 12:08:23 -0700
-Subject: [PATCH] skip tests/so_peerpidfd.gen.test
-
-Upstream-Status: Inappropriate
-
-Signed-off-by: Randy MacLeod

- tests/so_peerpidfd.gen.test | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tests/so_peerpidfd.gen.test b/tests/so_peerpidfd.gen.test
-index 64ad3a2..f89da9f 100755
 a/tests/so_peerpidfd.gen.test
-+++ b/tests/so_peerpidfd.gen.test
-@@ -1,4 +1,5 @@
- #!/bin/sh -efu
- # Generated by ./tests/gen_tests.sh from ./tests/gen_tests.in (so_peerpidfd 
--trace=getsockopt -y); do not edit.
- . "${srcdir=.}/init.sh"
-+skip_ "Test fails due to apparently trivial log format differences"
- run_strace_match_diff --trace=getsockopt -y
---
-2.39.0
-
diff --git 
a/meta/recipes-devtools/strace/strace/tests-fix-so_peerpidfd-test.patch 
b/meta/recipes-devtools/strace/strace/tests-fix-so_peerpidfd-test.patch
new file mode 100644
index 00..62f73d3643
--- /dev/null
+++ b/meta/recipes-devtools/strace/strace/tests-fix-so_peerpidfd-test.patch
@@ -0,0 +1,32 @@
+From 44cf51a38cce1e90bb6c22208fa45f95cdcc8f5d Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin"
+Date: Sat, 14 Oct 2023 08:00:00 +
+Subject: [PATCH] tests: fix so_peerpidfd test
+
+* tests/so_peerpidfd.c (print_pidfd): Fix expected output.
+
+Fixes: v6.5~38 "net: implement decoding of SO_PEERPIDFD socket option"
+Resolves:https://bugzilla.redhat.com/show_bug.cgi?id=2243631
+
+Upstream-Status: Backport 
[https://github.com/strace/strace/commit/44cf51a38cce1e90bb6c22208fa45f95cdcc8f5d]
+Signed-off-by: Randy MacLeod
+---
+ tests/so_peerpidfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/so_peerpidfd.c b/tests/so_peerpidfd.c
+index 33988edec..dfad1c434 100644
+--- a/tests/so_peerpidfd.c
 b/tests/so_peerpidfd.c
+@@ -37,7 +37,7 @@ print_pidfd(int *p)
+   if (rc < 0)
+   printf("%p", p);
+   else
+-  printf("%d%s", *p, pidfd_suffix);
++  printf("[%d%s]", *p, pidfd_suffix);
+ }
+
+ static void
+--
+2.34.1
+
diff --git a/meta/recipes-devtools/strace/strace_6.5.bb 
b/meta/recipes-devtools/strace/strace_6.5.bb
index d6475e8db9..d1536b1e8d 100644
--- a/meta/recipes-devtools/strace/strace_6.5.bb
+++ b/meta/recipes-devtools/strace/strace_6.5.bb
@@ -14,7 +14,7 @@ SRC_URI ="https://strace.io/files/${PV}/strace-${PV}.tar.xz \ 
file://skip-load.patch \ 
file://0001-configure-Use-autoconf-macro-to-detect-largefile-sup.patch 
\ file://0002-tests-Replace-off64_t-with-off_t.patch \ - 
file://skip-test-so_peerpidfd.gen.test.patch \ + 
file://tests-fix-so_peerpidfd-test.patch \ "

  SRC_URI[sha256sum] = 
"dfb051702389e1979a151892b5901afc9e93bbc1c70d84c906ade3224ca91980"
  
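Review bot: the note above that options-syntax.test fails at the default qemux86-64/kvm memory size but passes with 1024 MB belongs in the commit message of the patch being replied to (or in the recipe's ptest notes), not only in a follow-up; as it stands the strace_6.5.bb hunk carries no hint that the ptest run needs more memory than the default, and the 6.6 upgrade mail in this thread reports its ptest results with qemuparms="-m 1024 -smp 4" without saying why that setting is needed.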

--
# Randy MacLeod
# Wind River Linux

View/Reply Online (#189891): https://lists.openembedded.org/g/openembedded-core/message/189891



[OE-core] [PATCH] strace: backport fix for so_peerpidfd-test

2023-10-31 Thread Randy MacLeod via lists.openembedded.org
From: Randy MacLeod 

Backport the fix for the so_peerpidfd-test:
   44cf51a38 tests: fix so_peerpidfd test
and drop the patch that skipped that test.

Signed-off-by: Randy MacLeod 
---
 .../skip-test-so_peerpidfd.gen.test.patch | 25 ---
 .../strace/tests-fix-so_peerpidfd-test.patch  | 32 +++
 meta/recipes-devtools/strace/strace_6.5.bb|  2 +-
 3 files changed, 33 insertions(+), 26 deletions(-)
 delete mode 100644 
meta/recipes-devtools/strace/strace/skip-test-so_peerpidfd.gen.test.patch
 create mode 100644 
meta/recipes-devtools/strace/strace/tests-fix-so_peerpidfd-test.patch

diff --git 
a/meta/recipes-devtools/strace/strace/skip-test-so_peerpidfd.gen.test.patch 
b/meta/recipes-devtools/strace/strace/skip-test-so_peerpidfd.gen.test.patch
deleted file mode 100644
index 5c73e1f10e..00
--- a/meta/recipes-devtools/strace/strace/skip-test-so_peerpidfd.gen.test.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 002d9f2512245536dfc8d62db429d97e2216ec3a Mon Sep 17 00:00:00 2001
-From: Randy MacLeod 
-Date: Fri, 6 Oct 2023 12:08:23 -0700
-Subject: [PATCH] skip tests/so_peerpidfd.gen.test
-
-Upstream-Status: Inappropriate
-
-Signed-off-by: Randy MacLeod 

- tests/so_peerpidfd.gen.test | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tests/so_peerpidfd.gen.test b/tests/so_peerpidfd.gen.test
-index 64ad3a2..f89da9f 100755
 a/tests/so_peerpidfd.gen.test
-+++ b/tests/so_peerpidfd.gen.test
-@@ -1,4 +1,5 @@
- #!/bin/sh -efu
- # Generated by ./tests/gen_tests.sh from ./tests/gen_tests.in (so_peerpidfd 
--trace=getsockopt -y); do not edit.
- . "${srcdir=.}/init.sh"
-+skip_ "Test fails due to apparently trivial log format differences"
- run_strace_match_diff --trace=getsockopt -y
--- 
-2.39.0
-
diff --git 
a/meta/recipes-devtools/strace/strace/tests-fix-so_peerpidfd-test.patch 
b/meta/recipes-devtools/strace/strace/tests-fix-so_peerpidfd-test.patch
new file mode 100644
index 00..62f73d3643
--- /dev/null
+++ b/meta/recipes-devtools/strace/strace/tests-fix-so_peerpidfd-test.patch
@@ -0,0 +1,32 @@
+From 44cf51a38cce1e90bb6c22208fa45f95cdcc8f5d Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" 
+Date: Sat, 14 Oct 2023 08:00:00 +
+Subject: [PATCH] tests: fix so_peerpidfd test
+
+* tests/so_peerpidfd.c (print_pidfd): Fix expected output.
+
+Fixes: v6.5~38 "net: implement decoding of SO_PEERPIDFD socket option"
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2243631
+
+Upstream-Status: Backport 
[https://github.com/strace/strace/commit/44cf51a38cce1e90bb6c22208fa45f95cdcc8f5d]
+Signed-off-by: Randy MacLeod 
+---
+ tests/so_peerpidfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/so_peerpidfd.c b/tests/so_peerpidfd.c
+index 33988edec..dfad1c434 100644
+--- a/tests/so_peerpidfd.c
 b/tests/so_peerpidfd.c
+@@ -37,7 +37,7 @@ print_pidfd(int *p)
+   if (rc < 0)
+   printf("%p", p);
+   else
+-  printf("%d%s", *p, pidfd_suffix);
++  printf("[%d%s]", *p, pidfd_suffix);
+ }
+ 
+ static void
+-- 
+2.34.1
+
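Review bot: the header of the added patch carries Upstream-Status: Backport with the upstream commit URL, a Fixes: reference and a Signed-off-by, which is what the patch-level checks discussed in the Patchtest thread above (test_upstream_status_presence_format, test_signed_off_by_presence) look for. Two things the commit message could still say: the visible change touches only tests/so_peerpidfd.c (the expected SO_PEERPIDFD output becomes "[%d%s]"), so it alters no strace runtime behaviour; and since "Fixes: v6.5~38" shows the fix post-dates 6.5, the patch is expected to be dropped at the next upgrade.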
diff --git a/meta/recipes-devtools/strace/strace_6.5.bb 
b/meta/recipes-devtools/strace/strace_6.5.bb
index d6475e8db9..d1536b1e8d 100644
--- a/meta/recipes-devtools/strace/strace_6.5.bb
+++ b/meta/recipes-devtools/strace/strace_6.5.bb
@@ -14,7 +14,7 @@ SRC_URI = "https://strace.io/files/${PV}/strace-${PV}.tar.xz \
file://skip-load.patch \

file://0001-configure-Use-autoconf-macro-to-detect-largefile-sup.patch \
file://0002-tests-Replace-off64_t-with-off_t.patch \
-   file://skip-test-so_peerpidfd.gen.test.patch \
+   file://tests-fix-so_peerpidfd-test.patch \
"
 SRC_URI[sha256sum] = 
"dfb051702389e1979a151892b5901afc9e93bbc1c70d84c906ade3224ca91980"
 
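Review bot: swapping file://skip-test-so_peerpidfd.gen.test.patch for file://tests-fix-so_peerpidfd-test.patch re-enables a ptest that was previously skipped, so the commit message should record that so_peerpidfd.gen.test was run and passes on a qemux86-64 ptest image; "Backport the fix ... and drop the patch that skipped that test" describes the change but not how it was verified.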
-- 
2.34.1


View/Reply Online (#189890): https://lists.openembedded.org/g/openembedded-core/message/189890



Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863

2023-10-31 Thread Martin Jansa
I'm surprised this one does apply in kirkstone as there is this security
issue already fixed as 2023-5129 (see dunfell commit
https://git.openembedded.org/openembedded-core/commit/?h=dunfell=7dce529515baa843ba3e5c89b2ad605b9845c59b
and a bit more details in
https://lists.openembedded.org/g/openembedded-core/message/189262 )

Is https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520
really related to CVE-2023-4863 ?

On Tue, Oct 31, 2023 at 11:05 PM Steve Sakoman wrote:

> From: Soumya Sambu 
>
> Heap buffer overflow in WebP in Google Chrome prior to
> 116.0.5845.187 allowed a remote attacker to perform an
> out of bounds memory write via a crafted HTML page.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-4863
> https://security-tracker.debian.org/tracker/CVE-2023-4863
> https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12
>
> Signed-off-by: Soumya Sambu 
> Signed-off-by: Steve Sakoman 
> ---
>  .../webp/files/CVE-2023-4863.patch| 53 +++
>  meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  1 +
>  2 files changed, 54 insertions(+)
>  create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
>
> diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> new file mode 100644
> index 00..2b1817822c
> --- /dev/null
> +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> @@ -0,0 +1,53 @@
> +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
> +From: Vincent Rabaud 
> +Date: Mon, 11 Sep 2023 16:06:08 +0200
> +Subject: [PATCH] Fix invalid incremental decoding check.
> +
> +The first condition is only necessary if we have not read enough
> +(enough being defined by src_last, not src_end which is the end
> +of the image).
> +The second condition now fits the comment below: "if not
> +incremental, and we are past the end of buffer".
> +
> +BUG=oss-fuzz:62136
> +
> +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
> +
> +CVE: CVE-2023-4863
> +
> +Upstream-Status: Backport [
> https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520
> ]
> +
> +Signed-off-by: Soumya Sambu 
> +---
> + src/dec/vp8l_dec.c | 15 +--
> + 1 file changed, 13 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
> +index 186b0b2..59a9e64 100644
> +--- a/src/dec/vp8l_dec.c
>  b/src/dec/vp8l_dec.c
> +@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec,
> uint32_t* const data,
> +   }
> +
> +   br->eos_ = VP8LIsEndOfStream(br);
> +-  if (dec->incremental_ && br->eos_ && src < src_end) {
> ++  // In incremental decoding:
> ++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer
> and
> ++  // 'src_last' has not been reached yet, there is not enough data.
> 'dec' has to
> ++  // be reset until there is more data.
> ++  // !br->eos_ && src < src_last: this cannot happen as either the
> buffer is
> ++  // fully read, either enough has been read to reach 'src_last'.
> ++  // src >= src_last: 'src_last' is reached, all is fine. 'src' can
> actually go
> ++  // beyond 'src_last' in case the image is cropped and an LZ77 goes
> further.
> ++  // The buffer might have been enough or there is some left. 'br->eos_'
> does
> ++  // not matter.
> ++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >=
> src_last);
> ++  if (dec->incremental_ && br->eos_ && src < src_last) {
> + RestoreState(dec);
> +-  } else if (!br->eos_) {
> ++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
> + // Process the remaining rows corresponding to last row-block.
> + if (process_func != NULL) {
> +   process_func(dec, row > last_row ? last_row : row);
> +--
> +2.40.0
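Review bot: the `CVE: CVE-2023-4863` tag in the OE header is not supported by the upstream commit it wraps. The upstream subject is "Fix invalid incremental decoding check.", the body only discusses the `src_last`/`src_end` condition in `DecodeImageData` and cites `BUG=oss-fuzz:62136`, and nothing in it mentions CVE-2023-4863 or a heap buffer overflow. Before this is merged, the commit message should either explain why this change is the fix (or a required follow-up to the fix already carried as CVE-2023-5129.patch, which the reply above says is the same issue) or the CVE tag should be dropped, otherwise cve-check will report the CVE as patched on the strength of an unrelated change. Also note the added `assert(...)` is compiled out under NDEBUG, so only the two changed `if` conditions alter release-build behaviour.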
> diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
> b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
> index 4defdd5e42..0728ca60f5 100644
> --- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
> +++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
> @@ -16,6 +16,7 @@ LIC_FILES_CHKSUM =
> "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
>  SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
> file://CVE-2023-1999.patch \
> file://CVE-2023-5129.patch \
> +   file://CVE-2023-4863.patch \
> "
>  SRC_URI[sha256sum] =
> "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
>
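Review bot: the recipe already lists CVE-2023-5129.patch, and the reply above says that fix addresses the same libwebp issue as CVE-2023-4863. If that is the actual fix, the CVE-2023-4863 identifier belongs in that patch's CVE tag (so cve-check marks it patched) rather than in a second patch whose upstream commit is an incremental-decoding check fix; adding both makes the SRC_URI imply two separate fixes were needed.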
> --
> 2.34.1




[OE-core][RFC v2 11/12] create-spdx-3.0: support for License profile

2023-10-31 Thread Louis Rannou
From: Samantha Jalabert 

Add classes AnyLicenseInfo, LicenseExpression and SimpleLicensingText. Suppose
inheritance of AnyLicenseInfo in LicenseExpression and SimpleLicensingText

Add the option to enable Licensing Profile: SPDX_ENABLE_LICENSING = "1"

Add methods to SPDX3SpdxDocument to return the list of existing
SPDX3LicenseExpression and SPDX3SimpleLicensingText

Split function convert_license_to_spdx into three separate functions and adapt
them to match spdx3.0 classes

Signed-off-by: Samantha Jalabert 
Signed-off-by: Louis Rannou 
---
 meta/classes/create-spdx-3.0.bbclass | 197 +--
 meta/lib/oe/spdx3.py |  22 +++
 2 files changed, 148 insertions(+), 71 deletions(-)

diff --git a/meta/classes/create-spdx-3.0.bbclass 
b/meta/classes/create-spdx-3.0.bbclass
index 3ef01783a7..270d812abc 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -200,77 +200,102 @@ python() {
 d.setVar("SPDX_LICENSE_DATA", data)
 }
 
-def convert_license_to_spdx(lic, document, d, existing={}):
+def add_extracted_license(d, document, ident, name):
 from pathlib import Path
-import oe.spdx
+import oe.spdx3
 
-license_data = d.getVar("SPDX_LICENSE_DATA")
-extracted = {}
+extracted_info = oe.spdx3.SPDX3SimpleLicensingText()
+extracted_info.name = name
+extracted_info.licenseText = None
 
-def add_extracted_license(ident, name):
-nonlocal document
+if name == "PD":
+# Special-case this.
+extracted_info.licenseText = "Software released to the public domain"
+else:
+# Seach for the license in COMMON_LICENSE_DIR and LICENSE_PATH
+for directory in [d.getVar('COMMON_LICENSE_DIR')] + 
(d.getVar('LICENSE_PATH') or '').split():
+try:
+with (Path(directory) / name).open(errors="replace") as f:
+extracted_info.licenseText = f.read()
+break
+except FileNotFoundError:
+pass
+if extracted_info.licenseText is None:
+# If it's not SPDX or PD, then NO_GENERIC_LICENSE must be set
+filename = d.getVarFlag('NO_GENERIC_LICENSE', name)
+if filename:
+filename = d.expand("${S}/" + filename)
+with open(filename, errors="replace") as f:
+extracted_info.licenseText = f.read()
+else:
+bb.fatal("Cannot find any text for license %s" % name)
 
-if name in extracted:
-return
+return extracted_info
 
-extracted_info = oe.spdx.SPDX3ExtractedLicensingInfo()
-extracted_info.name = name
-extracted_info.licenseId = ident
-extracted_info.extractedText = None
+def convert(d, l, document):
+import oe.spdx3
 
-if name == "PD":
-# Special-case this.
-extracted_info.extractedText = "Software released to the public 
domain"
-else:
-# Seach for the license in COMMON_LICENSE_DIR and LICENSE_PATH
-for directory in [d.getVar('COMMON_LICENSE_DIR')] + 
(d.getVar('LICENSE_PATH') or '').split():
-try:
-with (Path(directory) / name).open(errors="replace") as f:
-extracted_info.extractedText = f.read()
-break
-except FileNotFoundError:
-pass
-if extracted_info.extractedText is None:
-# If it's not SPDX or PD, then NO_GENERIC_LICENSE must be set
-filename = d.getVarFlag('NO_GENERIC_LICENSE', name)
-if filename:
-filename = d.expand("${S}/" + filename)
-with open(filename, errors="replace") as f:
-extracted_info.extractedText = f.read()
-else:
-bb.fatal("Cannot find any text for license %s" % name)
+license_data = d.getVar("SPDX_LICENSE_DATA")
 
-extracted[name] = extracted_info
-document.hasExtractedLicensingInfos.append(extracted_info)
+if l == "(" or l == ")":
+return l
 
-def convert(l):
-if l == "(" or l == ")":
-return l
+if l == "&":
+return "AND"
 
-if l == "&":
-return "AND"
+if l == "|":
+return "OR"
 
-if l == "|":
-return "OR"
+if l == "CLOSED":
+return "NONE"
 
-if l == "CLOSED":
-return "NONE"
+spdx_license = d.getVarFlag("SPDXLICENSEMAP", l) or l
 
-spdx_license = d.getVarFlag("SPDXLICENSEMAP", l) or l
-if spdx_license in license_data["licenses"]:
-return spdx_license
+if spdx_license in license_data["licenses"]:
+lic = oe.spdx3.SPDX3LicenseExpression()
+lic.licenseExpression = spdx_license
+lic.licenseListVersion = 
d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
+
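Review bot: `add_extracted_license(d, document, ident, name)` no longer uses `document` or `ident` (the removed code set `licenseId = ident` and appended to `document.hasExtractedLicensingInfos`), and the `if name in extracted: return` de-duplication is gone, so every call now builds a fresh SPDX3SimpleLicensingText that is neither registered in the document nor given an identifier. Either drop the unused parameters and document that the caller attaches the object, or keep the dedup map and the id assignment here. Minor: `convert` re-reads `d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]` although `license_data` already holds that dict, and the "Seach" typo in the comment is carried over.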

[OE-core][RFC v2 12/12] oeqa/selftest/cases/spdx: change test for spdx3

2023-10-31 Thread Louis Rannou
fix issue in selftest due to spdx bump

Signed-off-by: Louis Rannou 
---
 meta/lib/oeqa/selftest/cases/spdx.py | 16 +++-
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/spdx.py 
b/meta/lib/oeqa/selftest/cases/spdx.py
index 05fc4e390b..215c3c5365 100644
--- a/meta/lib/oeqa/selftest/cases/spdx.py
+++ b/meta/lib/oeqa/selftest/cases/spdx.py
@@ -41,11 +41,17 @@ INHERIT += "create-spdx"
 with open(filename) as f:
 report = json.load(f)
 self.assertNotEqual(report, None)
-self.assertNotEqual(report["SPDXID"], None)
-
-python = os.path.join(get_bb_var('STAGING_BINDIR', 
'python3-spdx-tools-native'), 'nativepython3')
-validator = os.path.join(get_bb_var('STAGING_BINDIR', 
'python3-spdx-tools-native'), 'pyspdxtools')
-result = runCmd("{} {} -i {}".format(python, validator, filename))
+self.assertNotEqual(report["@graph"], None)
+for e in report["@graph"]:
+if e["type"] == "SpdxDocument":
+self.assertNotEqual(e["spdxId"], None)
+break
+else:
+self.assertFalse("SpdxDocument not found")
+
+# python = os.path.join(get_bb_var('STAGING_BINDIR', 
'python3-spdx-tools-native'), 'nativepython3')
+# validator = os.path.join(get_bb_var('STAGING_BINDIR', 
'python3-spdx-tools-native'), 'pyspdxtools')
+# result = runCmd("{} {} -i {}".format(python, validator, 
filename))
 
 self.assertExists(full_file_path)
 result = check_spdx_json(full_file_path)
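Review bot: `self.assertFalse("SpdxDocument not found")` in the for/else relies on a non-empty string being truthy to fail the test; `self.fail("SpdxDocument not found")` states the intent. The pyspdxtools validation is commented out rather than removed; since the README in this series says SPDX 3.0 cannot be validated with pyspdxtools yet, either delete the dead lines or wrap them in a skip that states the reason, so the lost validation step is visible in the test output. `e["type"]` will also raise KeyError instead of a clear assertion for a graph node without that key; `e.get("type")` is safer.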
-- 
2.42.0





[OE-core][RFC v2 09/12] create-spdx-3.0: support for spdx image

2023-10-31 Thread Louis Rannou
From: Samantha Jalabert 

Support for dependencies to provide the complete recipe SPDX.
Support for runtime SPDX
Support for combined SPDX

Signed-off-by: Samantha Jalabert 
Signed-off-by: Louis Rannou 
---
 meta/classes/create-spdx-2.2.bbclass |   1 -
 meta/classes/create-spdx-3.0.bbclass | 389 +--
 2 files changed, 371 insertions(+), 19 deletions(-)

diff --git a/meta/classes/create-spdx-2.2.bbclass 
b/meta/classes/create-spdx-2.2.bbclass
index b0aef80db1..799c2fa092 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -713,7 +713,6 @@ do_create_spdx[depends] += "${PATCHDEPENDENCY}"
 def collect_package_providers(d):
 from pathlib import Path
 import oe.sbom
-import oe.spdx
 import json
 
 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
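Review bot: this hunk edits create-spdx-2.2.bbclass (dropping `import oe.spdx` from `collect_package_providers`) while the commit message only describes SPDX 3 image support. If the import is genuinely unused in the 2.2 class this is an unrelated cleanup that belongs in its own commit; if anything in that function still references `oe.spdx`, removing the import breaks the 2.2 path.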
diff --git a/meta/classes/create-spdx-3.0.bbclass 
b/meta/classes/create-spdx-3.0.bbclass
index 39f3db7233..2cd91dd791 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -129,12 +129,26 @@ def get_supplier(d, doc=None):
 
 return agent
 
-def recipe_spdx_is_native(d, recipe):
+def create_annotation(d, doc, recipe, comment):
+import oe.spdx3
+
+c = oe.spdx3.SPDX3Annotation()
+c.annotationType = "other"
+c.subject = recipe.spdxId
+c.statement = comment
+
+doc.element.append(c)
+
+def recipe_spdx_is_native(doc, recipe):
+import oe.spdx3
+
+for element in doc.element:
+if isinstance(element, oe.spdx3.SPDX3Annotation) \
+and element.subject == recipe.spdxId \
+and element.statement == "isNative":
+return True
+
 return False
-# TODO: find a better way to mark native recipes
-#return any(a.annotationType == "OTHER" and
-#  a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), 
d.getVar("SPDX_TOOL_VERSION")) and
-#  a.comment == "isNative" for a in recipe.annotations)
 
 def is_work_shared_spdx(d):
 return bb.data.inherits_class('kernel', d) or ('work-shared' in 
d.getVar('WORKDIR'))
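Review bot: `create_annotation(d, doc, recipe, comment)` never sets `spdxId` on the SPDX3Annotation it appends (every other element in this class gets one; patch 10/12 in this series adds it later, but it belongs here), and the `d` parameter is unused. `recipe_spdx_is_native(doc, recipe)` now scans `doc.element` on every call and recognises the flag only by `statement == "isNative"`; recording the flag once on the recipe object would be cheaper and less fragile. The removed TODO at least documented that this marking scheme is provisional; keep a note to that effect.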
@@ -435,10 +449,23 @@ def add_download_packages(d, doc, recipe):
 doc.add_relationship(doc, "describes", package)
 doc.add_relationship(package, "buildDependency", recipe)
 
-
 def collect_direct_deps(d, dep_task):
+current_task = "do_" + d.getVar("BB_CURRENTTASK")
+pn = d.getVar("PN")
+
+taskdepdata = d.getVar("BB_TASKDEPDATA", False)
+
+for this_dep in taskdepdata.values():
+if this_dep[0] == pn and this_dep[1] == current_task:
+break
+else:
+bb.fatal(f"Unable to find this {pn}:{current_task} in taskdepdata")
 
 deps = set()
+for dep_name in this_dep[3]:
+dep_data = taskdepdata[dep_name]
+if dep_data[1] == dep_task and dep_data[0] != pn:
+deps.add((dep_data[0], dep_data[7]))
 
 return sorted(deps)
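Review bot: `this_dep[0]`, `this_dep[1]`, `this_dep[3]` and `dep_data[7]` index BB_TASKDEPDATA tuples by position with no comment saying what each field holds; unpacking into named variables or a one-line comment per index would make the dependency filter reviewable. `this_dep` is also used after the for/else only because the `break` path guarantees it was bound; assigning it explicitly before `break` makes that clearer.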
 
@@ -511,12 +538,7 @@ python do_create_spdx() {
 recipe.suppliedBy.append(get_supplier(d, doc))
 
 if bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", 
d):
-comment = oe.spdx3.SPDX3Annotation()
-comment.annotationType = "other"
-comment.subject = recipe.spdxId
-comment.statement = "isNative"
-
-doc.element.append(comment)
+create_annotation(d, doc, recipe, "isNative")
 
 homepage = d.getVar("HOMEPAGE")
 if homepage:
@@ -536,7 +558,7 @@ python do_create_spdx() {
 
 if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
 for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
-recipe.annotations.append(create_annotation(d, var + "=" + 
d.getVar(var)))
+recipe.annotations.append(create_annotation(d, doc, recipe, var + 
"=" + d.getVar(var)))
 
 # TODO: CVE handling
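Review bot: `recipe.annotations.append(create_annotation(d, doc, recipe, var + "=" + d.getVar(var)))` appends `None`: `create_annotation` as defined earlier in this patch appends the annotation to `doc.element` and returns nothing. Either drop the `.append(...)` wrapper and call `create_annotation(...)` for its side effect, or have it return the annotation if `recipe.annotations` is still meant to hold it.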
 
@@ -574,7 +596,7 @@ python do_create_spdx() {
 
 #found_licenses = {license.name:recipe_ref.externalDocumentId + ":" + 
license.licenseId for license in doc.hasExtractedLicensingInfos}
 
-if not recipe_spdx_is_native(d, recipe):
+if not recipe_spdx_is_native(doc, recipe):
 bb.build.exec_func("read_subpackage_metadata", d)
 
 pkgdest = Path(d.getVar("PKGDEST"))
@@ -685,11 +707,131 @@ def collect_package_providers(d):
 collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
 
 python do_create_runtime_spdx() {
-# TODO: implement for SPDX3
-return
+from datetime import datetime, timezone
+import oe.sbom
+import oe.spdx3
+import oe.packagedata
+from pathlib import Path
+
+deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
+spdx_deploy = Path(d.getVar("SPDXRUNTIMEDEPLOY"))
+is_native = bb.data.inherits_class("native", d) or 
bb.data.inherits_class("cross", d)
+
+creation_time = 
datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+providers = collect_package_providers(d)
+pkg_arch = d.getVar("SSTATE_PKGARCH")
+package_archs = d.getVar("SSTATE_ARCHS").split()
+package_archs.reverse()
+
+ 

[OE-core][RFC v2 10/12] create-spdx-3.0: Use FQDN spdx ids

2023-10-31 Thread Louis Rannou
From: Samantha Jalabert 

Create a function to generate spdxIds
Create a function to generate relationship and remove add_relationship method
Implement both functions

Signed-off-by: Samantha Jalabert 
Signed-off-by: Louis Rannou 
---
 meta/classes/create-spdx-3.0.bbclass | 73 
 meta/lib/oe/spdx3.py | 27 --
 2 files changed, 53 insertions(+), 47 deletions(-)

diff --git a/meta/classes/create-spdx-3.0.bbclass 
b/meta/classes/create-spdx-3.0.bbclass
index 2cd91dd791..3ef01783a7 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -42,6 +42,10 @@ SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for 
SPDX packages created f
 is the contact information for the person or organization who is doing the 
\
 build."
 
+def new_spdxid(d, doc, *suffix):
+pn = d.getVar("PN")
+return "/".join([get_doc_namespace(d, doc), pn] + list(suffix))
+
 def extract_licenses(filename):
 import re
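Review bot: `new_spdxid(d, doc, *suffix)` joins the raw suffix strings into the id without any sanitising, so each caller has to remember to strip spaces itself (three of the four callers below do `.replace(" ", "")`; `get_supplier` does not). Normalising the suffix inside this function, or rejecting characters that are not valid in an IRI path segment, keeps the ids consistent, and a docstring noting that the id is derived from `get_doc_namespace` and `PN` would help.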
 
@@ -83,21 +87,21 @@ def generate_creationInfo(d, document, comment=None):
 
 tool = oe.spdx3.SPDX3Tool()
 tool.name = "OpenEmbedded Core create-spdx.bbclass"
-tool.spdxId = "spdx-" + d.getVar("PN") + ":SPDXRef-Actor-" + 
tool.name.replace(" ", "")
+tool.spdxId = new_spdxid(d, document, "Actor", tool.name.replace(" ", ""))
 tool.creationInfo = document.creationInfo
 document.element.append(tool)
 document.creationInfo.createdUsing.append(tool)
 
 organization = oe.spdx3.SPDX3Organization()
 organization.name = d.getVar("SPDX_ORG")
-organization.spdxId = "spdx-" + d.getVar("PN") + ":SPDXRef-Actor-" + 
organization.name.replace(" ", "")
+organization.spdxId = new_spdxid(d, document, "Actor", 
organization.name.replace(" ", ""))
 organization.creationInfo = document.creationInfo
 document.element.append(organization)
 document.creationInfo.createdBy.append(organization)
 
 person = oe.spdx3.SPDX3Person()
 person.name = "Person: N/A ()"
-person.spdxId = "spdx-" + d.getVar("PN") + ":SPDXRef-Actor-" + 
person.name.replace(" ", "")
+person.spdxId = new_spdxid(d, document, "Actor", person.name.replace(" ", 
""))
 document.creationInfo.createdBy.append(person)
 document.element.append(person)
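Review bot: the three actor ids are derived only from the space-stripped name under the same "Actor" suffix, so a Tool, Organization and Person with equal names would share one spdxId; adding the element type to the suffix avoids that. The hard-coded `"Person: N/A ()"` placeholder is still emitted as a creator of every document; when no person is configured it should be omitted rather than recorded.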
 
@@ -124,7 +128,7 @@ def get_supplier(d, doc=None):
 raise KeyError("%r is not a valid SPDX agent type" % agentType)
 
 agent.name = agentName
-agent.spdxId = "spdx-" + d.getVar("PN") + ":SPDXRef-Actor-" + 
agent.name.replace(" ", "")
+agent.spdxId = new_spdxid(d, doc, "Actor", agent.name)
 agent.creationInfo = doc.creationInfo
 
 return agent
@@ -136,9 +140,35 @@ def create_annotation(d, doc, recipe, comment):
 c.annotationType = "other"
 c.subject = recipe.spdxId
 c.statement = comment
+c.spdxId = new_spdxid(d, doc, "annotation", comment)
 
 doc.element.append(c)
 
+def create_relationship(d, doc, _from, relationshipType, to):
+import oe.spdx3
+
+if isinstance(_from, oe.spdx3.SPDX3Element):
+_from = _from.spdxId
+
+if isinstance(to, oe.spdx3.SPDX3Element):
+to = to.spdxId
+
+for el in doc.element:
+if isinstance(el, oe.spdx3.SPDX3Relationship) and \
+el._from == _from and \
+el.relationshipType == relationshipType:
+el.to.append(to)
+return el.spdxId
+
+r = oe.spdx3.SPDX3Relationship()
+r.spdxId = new_spdxid(d, doc, "Relationship", relationshipType)
+r._from = _from
+r.to.append(to)
+r.relationshipType = relationshipType
+
+doc.element.append(r)
+return r.spdxId
+
 def recipe_spdx_is_native(doc, recipe):
 import oe.spdx3
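Review bot: `r.spdxId = new_spdxid(d, doc, "Relationship", relationshipType)` is not unique: two relationships of the same type with different `_from` (for example one "contains" per package) receive the same spdxId, while the merge path only fires when `_from` also matches. Include the `_from` id or a counter in the suffix. The same applies to `create_annotation`, whose id is built from the free-text `comment`, which for SPDX_CUSTOM_ANNOTATION_VARS is `var=value` and may contain spaces. The merge branch also appends `to` without checking whether it is already present, so repeated calls produce duplicate targets.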
 
@@ -340,7 +370,7 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, 
get_types, *, archiv
 
 doc.element.append(spdx_file)
 
-doc.add_relationship(spdx_pkg, "contains", spdx_file)
+create_relationship(d, doc, spdx_pkg, "contains", spdx_file)
 
 spdx_files.append(spdx_file)
 file_counter += 1
@@ -386,14 +416,14 @@ def collect_dep_recipes(d, doc, spdx_recipe):
 dep_recipes.append(oe.sbom.DepRecipe(spdx_dep_doc, spdx_dep_sha1, 
spdx_dep_recipe))
 
 dep_recipe_ref = oe.spdx3.SPDX3ExternalMap()
-dep_recipe_ref.externalId = "DocumentRef-%s" % spdx_dep_doc["name"]
+dep_recipe_ref.externalId = spdx_dep_doc["spdxId"]
 hashSha1 = oe.spdx3.SPDX3Hash()
 hashSha1.algorithm = "sha1"
 hashSha1.hashValue = spdx_dep_sha1
 dep_recipe_ref.verifiedUsing.append(hashSha1)
 
 doc.imports.append(dep_recipe_ref)
-doc.add_relationship("%s:%s" % (dep_recipe_ref.externalId, 
spdx_dep_recipe["spdxId"]), "buildDependency", spdx_recipe)
+create_relationship(d, doc, dep_recipe_ref.externalId, 
"buildDependency", spdx_recipe)
 
 # return dep_recipes
 
@@ -415,7 +445,7 @@ def add_download_packages(d, doc, recipe):
 for 

[OE-core][RFC v2 07/12] create-spdx-3.0: support for recipe spdx creation

2023-10-31 Thread Louis Rannou
From: Samantha Jalabert 

Change functions and tasks to match the SPDX 3 model.

Signed-off-by: Samantha Jalabert 
Signed-off-by: Louis Rannou 
---
 meta/classes/create-spdx-3.0.bbclass | 731 +--
 meta/lib/oe/spdx3.py |   4 +-
 2 files changed, 230 insertions(+), 505 deletions(-)

diff --git a/meta/classes/create-spdx-3.0.bbclass 
b/meta/classes/create-spdx-3.0.bbclass
index b0aef80db1..33e9798fb0 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -11,7 +11,7 @@ DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx"
 CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 
-SPDXDIR ??= "${WORKDIR}/spdx"
+SPDXDIR ??= "${WORKDIR}/spdx-3.0"
 SPDXDEPLOY = "${SPDXDIR}/deploy"
 SPDXWORK = "${SPDXDIR}/work"
 SPDXIMAGEWORK = "${SPDXDIR}/image-work"
@@ -64,21 +64,77 @@ def get_doc_namespace(d, doc):
 namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, 
d.getVar("SPDX_UUID_NAMESPACE"))
 return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), doc.name, 
str(uuid.uuid5(namespace_uuid, doc.name)))
 
-def create_annotation(d, comment):
+def generate_creationInfo(d, document, comment=None):
+"""
+Generate the creationInfo and its elements for a document
+"""
 from datetime import datetime, timezone
+import oe.spdx3
 
 creation_time = 
datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
-annotation = oe.spdx.SPDXAnnotation()
-annotation.annotationDate = creation_time
-annotation.annotationType = "OTHER"
-annotation.annotator = "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), 
d.getVar("SPDX_TOOL_VERSION"))
-annotation.comment = comment
-return annotation
+
+document.creationInfo = oe.spdx3.SPDX3CreationInfo()
+document.creationInfo.specVersion = "3.0.0"
+document.creationInfo.created = creation_time
+document.creationInfo.dataLicense = "https://spdx.org/licenses/CC0-1.0;
+
+if comment is not None:
+document.creationInfo.comment = comment
+
+tool = oe.spdx3.SPDX3Tool()
+tool.name = "OpenEmbedded Core create-spdx.bbclass"
+tool.spdxId = "spdx-" + d.getVar("PN") + ":SPDXRef-Actor-" + 
tool.name.replace(" ", "")
+tool.creationInfo = document.creationInfo
+document.element.append(tool)
+document.creationInfo.createdUsing.append(tool)
+
+organization = oe.spdx3.SPDX3Organization()
+organization.name = d.getVar("SPDX_ORG")
+organization.spdxId = "spdx-" + d.getVar("PN") + ":SPDXRef-Actor-" + 
organization.name.replace(" ", "")
+organization.creationInfo = document.creationInfo
+document.element.append(organization)
+document.creationInfo.createdBy.append(organization)
+
+person = oe.spdx3.SPDX3Person()
+person.name = "Person: N/A ()"
+person.spdxId = "spdx-" + d.getVar("PN") + ":SPDXRef-Actor-" + 
person.name.replace(" ", "")
+document.creationInfo.createdBy.append(person)
+document.element.append(person)
+
+def get_supplier(d, doc=None):
+"""
+Get the supplier of a document or create it.
+"""
+import oe.spdx3
+
+supplier = d.getVar("SPDX_SUPPLIER")
+agentName = supplier.split(": ")[1]
+agentType = supplier.split(": ")[0]
+
+if doc:
+for element in doc.element:
+if(isinstance(element, oe.spdx3.SPDX3Agent) and element.name == 
agentName):
+return element
+
+if(agentType == "Organization"):
+agent = oe.spdx3.SPDX3Organization()
+elif(agentType == "Person"):
+agent = oe.spdx3.SPDX3Person()
+else:
+raise KeyError("%r is not a valid SPDX agent type" % agentType)
+
+agent.name = agentName
+agent.spdxId = "spdx-" + d.getVar("PN") + ":SPDXRef-Actor-" + 
agent.name.replace(" ", "")
+agent.creationInfo = doc.creationInfo
+
+return agent
 
 def recipe_spdx_is_native(d, recipe):
-return any(a.annotationType == "OTHER" and
-  a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), 
d.getVar("SPDX_TOOL_VERSION")) and
-  a.comment == "isNative" for a in recipe.annotations)
+return False
+# TODO: find a better way to mark native recipes
+#return any(a.annotationType == "OTHER" and
+#  a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), 
d.getVar("SPDX_TOOL_VERSION")) and
+#  a.comment == "isNative" for a in recipe.annotations)
 
 def is_work_shared_spdx(d):
 return bb.data.inherits_class('kernel', d) or ('work-shared' in 
d.getVar('WORKDIR'))
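Review bot: `get_supplier(d, doc=None)` cannot actually be called without a document: with `doc` None the loop is skipped but `agent.creationInfo = doc.creationInfo` then raises AttributeError, so either make `doc` required or guard that line. `supplier.split(": ")[1]` also raises IndexError when SPDX_SUPPLIER lacks the ": " separator; a clear error for a malformed value would help. As rendered in the archive the `dataLicense` line ends in `CC0-1.0;` rather than a closing quote, so double-check that the actual patch parses. Finally, `recipe_spdx_is_native` now returns False unconditionally, so anything gated on it treats native recipes as non-native until the TODO is resolved; the commit message should call that out as a known limitation of the PoC.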
@@ -113,7 +169,7 @@ def convert_license_to_spdx(lic, document, d, existing={}):
 if name in extracted:
 return
 
-extracted_info = oe.spdx.SPDXExtractedLicensingInfo()
+extracted_info = oe.spdx.SPDX3ExtractedLicensingInfo()
 extracted_info.name = name
 extracted_info.licenseId = ident
 extracted_info.extractedText = None
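Review bot: `oe.spdx.SPDX3ExtractedLicensingInfo()` looks up an SPDX3 class in the SPDX 2.2 module `oe.spdx`; this series puts the SPDX3 classes in `oe.spdx3` (meta/lib/oe/spdx3.py, patch 04/12), so unless `oe.spdx` also defines that name this raises AttributeError at the first non-SPDX license. It should be `oe.spdx3.` with the matching import; building any recipe with a custom license text would catch this.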
@@ -202,8 +258,7 @@ def process_sources(d):
 
 def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, 
archive=None, 

[OE-core][RFC v2 08/12] create-spdx-3.0: draft: remove low value stuff

2023-10-31 Thread Louis Rannou
remove stuff which is hard to fix and low value

Signed-off-by: Louis Rannou 
---
 meta/classes/create-spdx-3.0.bbclass | 109 ++-
 1 file changed, 5 insertions(+), 104 deletions(-)

diff --git a/meta/classes/create-spdx-3.0.bbclass 
b/meta/classes/create-spdx-3.0.bbclass
index 33e9798fb0..39f3db7233 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -335,73 +335,6 @@ def add_package_files(d, doc, spdx_pkg, topdir, 
get_spdxid, get_types, *, archiv
 
 
 def add_package_sources_from_debug(d, package_doc, spdx_package, package, 
package_files, sources):
-from pathlib import Path
-import oe.packagedata
-import oe.spdx3
-
-debug_search_paths = [
-Path(d.getVar('PKGD')),
-Path(d.getVar('STAGING_DIR_TARGET')),
-Path(d.getVar('STAGING_DIR_NATIVE')),
-Path(d.getVar('STAGING_KERNEL_DIR')),
-]
-
-pkg_data = oe.packagedata.read_subpkgdata_extended(package, d)
-
-if pkg_data is None:
-return
-
-for file_path, file_data in pkg_data["files_info"].items():
-if not "debugsrc" in file_data:
-continue
-
-for pkg_file in package_files:
-if file_path.lstrip("/") == pkg_file.name.lstrip("/"):
-break
-else:
-bb.fatal("No package file found for %s in %s; SPDX found: %s" % 
(str(file_path), package,
-" ".join(p.name for p in package_files)))
-continue
-
-for debugsrc in file_data["debugsrc"]:
-ref_id = None
-for search in debug_search_paths:
-if debugsrc.startswith("/usr/src/kernel"):
-debugsrc_path = search / 
debugsrc.replace('/usr/src/kernel/', '')
-else:
-debugsrc_path = search / debugsrc.lstrip("/")
-if not debugsrc_path.exists():
-continue
-
-file_sha256 = bb.utils.sha256_file(debugsrc_path)
-
-if file_sha256 in sources:
-source_file = sources[file_sha256]
-doc_ref = 
package_doc.find_external_map(source_file.doc.documentNamespace)
-if doc_ref is None:
-doc_ref = oe.spdx3.SPDX3ExternalMap()
-doc_ref.externalId = "DocumentRef-dependency-" + 
source_file.doc.name
-doc_ref.verifiedUsing = oe.spdx3.SPDX3Hash()
-doc_ref.verifiedUsing.algorithm = "sha1"
-doc_ref.verifiedUsing.hashValue = source_file.doc_sha1
-doc_ref.definingDocument = 
source_file.doc.documentNamespace
-
-package_doc.imports.append(doc_ref)
-
-ref_id = "%s:%s" % (doc_ref.externalId, 
source_file.file.spdxId)
-else:
-bb.debug(1, "Debug source %s with SHA256 %s not found in 
any dependency" % (str(debugsrc_path), file_sha256))
-break
-else:
-bb.debug(1, "Debug source %s not found" % debugsrc)
-
-relation_id = package_doc.add_relationship(ref_id, "generates", 
pkg_file)
-comment = oe.spdx3.SPDX3Annotation()
-comment.subject = relation_id
-comment.annotationType = "other"
-comment.statement = "debugsrc"
-package_doc.element.append(comment)
-
 return
 
 add_package_sources_from_debug[vardepsexclude] += "STAGING_KERNEL_DIR"
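Review bot: `add_package_sources_from_debug` is reduced to a bare `return` but kept, together with its `[vardepsexclude] += "STAGING_KERNEL_DIR"` flag, which now excludes a variable the function no longer reads. If the debugsrc-to-source relationships are dropped for now, remove the function, its flag and its callers, or leave a one-line comment saying why it is a stub; a silent no-op is easy to mistake for working code. The commit message "remove low value stuff" should name what is lost (the "generates" relationships from debug sources and the dependency source collection below).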
@@ -448,43 +381,12 @@ def collect_dep_recipes(d, doc, spdx_recipe):
 doc.imports.append(dep_recipe_ref)
 doc.add_relationship("%s:%s" % (dep_recipe_ref.externalId, 
spdx_dep_recipe["spdxId"]), "buildDependency", spdx_recipe)
 
-return dep_recipes
+# return dep_recipes
 
 collect_dep_recipes[vardepsexclude] = "SSTATE_ARCHS"
 
 def collect_dep_sources(d, dep_recipes):
-import oe.sbom
-import oe.spdx3
-
-sources = {}
-for dep in dep_recipes:
-# Don't collect sources from native recipes as they
-# match non-native sources also.
-if hasattr(dep.doc, "element"):
-for element in dep.doc.element:
-if isinstance(element, oe.spdx3.SPDX3Annotation) \
-and element.subject == dep.recipe.spdxId \
-and element.statement == "isNative":
-continue
-
-recipe_files = []
-
-if hasattr(dep.doc, "element"):
-for element in dep.doc.element:
-if isinstance(element, oe.spdx3.SPDX3Relationship) and 
element._from == dep.recipe.spdxId and element.relationshipType == "contains":
-recipe_files = element.to
-
-for element in dep.doc.element:
-if isinstance(element, oe.spdx3.SPDX3File) \
-and element.spdxId not in recipe_files \
-and (element.primaryPurpose == "source" or "source" in 
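Review bot: commenting out `return dep_recipes` makes `collect_dep_recipes` return None, while `collect_dep_sources(d, dep_recipes)` directly below still takes that list as input; any caller that still passes the result on will iterate None. If the return value is intentionally gone, change the signature and the callers in the same commit instead of leaving a commented-out return.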

[OE-core][RFC v2 06/12] README.SPDX3: add file

2023-10-31 Thread Louis Rannou
From: Marta Rybczynska 

Add a specific readme for SPDX3 with open questions and other notes
related to the PoC.

Signed-off-by: Marta Rybczynska 
Signed-off-by: Samantha Jalabert 
Signed-off-by: Louis Rannou 
---
 README.SPDX3 | 45 +
 1 file changed, 45 insertions(+)
 create mode 100644 README.SPDX3

diff --git a/README.SPDX3 b/README.SPDX3
new file mode 100644
index 00..73f67c2857
--- /dev/null
+++ b/README.SPDX3
@@ -0,0 +1,45 @@
+This repository contains the Proof-of-Concept code for SPDX3 support
+in the Yocto Project.
+
+What does the code include:
+* The SPDX3 generation with JSON-LD serialization, still using .json extension
+* Implementations of the core, and software profiles
+
+Here are the known limitations:
+* At the time of writing this code, the SPDX3 specification is still undergoing
+  changes. Especially, the root element has not been yet decided. Because of
+  that, the code might require changes when the final specification is
+  released.
+
+* Some parts of the SPDX3 require clarifications. Current issues:
+  - Software.Package.homepage is sometiemes also called homePage: need to
+confirm spelling
+  - Core.Relationship.from needs special care in Python as it conflicts
+with a built-in
+  - should suppliedBy be serialized by an array or as a single string?
+  - In examples, SpdxDocument has an attribute namespace. It does not in the
+documentation
+  - what is the equivalent of the documentNamespace that was in 2.2?
+
+* SPDX3 introduces modular model, where content depends on the profile used.
+  The configuration of profiles to generate needs to be reworked. Today,
+  generation is gated by variables shared with SPDX2.2 code like
+  SPDX_INCLUDE_SOURCES. In SPDX3 it could be done by enabling specific
+  profiles and variables like SPDX3_ENABLE_LICENSING or SPDX3_ENABLE_SECURITY.
+
+* The implementation includes data similar to the YP SPDX 2.2 content. SPDX 3.0
+  has additional profiles and fields that did not exist in the earier version.
+  The project needs a discussion on what is useful to include in the YP SPDX.
+  Additional profiles and classes might be implemented to carry that data.
+
+* The security profile implementation has been prototyped. However, some part
+  of the needed data is necessary from the cve-check database (for example:
+  CVSS). Obtaining the information is possible, but will require dependency on
+  the cve-check to download the database, then refactoring of the cve-check
+  database accesses so that they can be done from other classes while keeping
+  correct locks. Also, VulnAssessmentRelationship requires classification
+  of fixes as "Fixed", "NotAffected", while YP cve-check has only one category
+  for both. At the moment of writing this, there is a patch on the ML.
+
+* SPDX 3.0 cannot be validate yet with pyspdxtools. The default SPDX version is
+  set to 2.2.
\ No newline at end of file
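Review bot: a few typos to fix before this lands: "sometiemes" (sometimes), "earier" (earlier), "cannot be validate" (validated) and "introduces modular model" (a modular model); the file also lacks a trailing newline. The open-questions list proposes SPDX3_ENABLE_LICENSING as the profile switch, while patch 11/12 in this series gates the licensing profile on SPDX_ENABLE_LICENSING; pick one name and keep the README in sync with the code.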
-- 
2.42.0





[OE-core][RFC v2 03/12] oe/sbom: change the write_doc to prepare for spdx3

2023-10-31 Thread Louis Rannou
This changes the prototype of write_doc as the SPDX3 documentation does not
specify yet which is the root element.

Signed-off-by: Louis Rannou 
Signed-off-by: Marta Rybczynska 
Signed-off-by: Samantha Jalabert 
---
 meta/classes/create-spdx.bbclass | 2 +-
 meta/lib/oe/sbom.py  | 6 --
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/meta/classes/create-spdx.bbclass b/meta/classes/create-spdx.bbclass
index 19c6c0ff0b..b604973ae0 100644
--- a/meta/classes/create-spdx.bbclass
+++ b/meta/classes/create-spdx.bbclass
@@ -5,4 +5,4 @@
 #
 # Include this class when you don't care what version of SPDX you get; it will
 # be updated to the latest stable version that is supported
-inherit create-spdx-2.2
+inherit create-spdx-3.0
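Review bot: switching the default `inherit create-spdx-2.2` to `create-spdx-3.0` makes every user of `create-spdx` pick up the RFC implementation, while the comment two lines above promises "the latest stable version that is supported". The series' own README.SPDX3 says the SPDX 3 specification is still changing and the output cannot be validated with pyspdxtools yet, so this line should stay at 2.2 (with 3.0 as an explicit opt-in) until it is stable.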
diff --git a/meta/lib/oe/sbom.py b/meta/lib/oe/sbom.py
index 824839378a..ec543fa43d 100644
--- a/meta/lib/oe/sbom.py
+++ b/meta/lib/oe/sbom.py
@@ -68,7 +68,9 @@ def doc_path(spdx_deploy, doc_name, arch, subdir):
 return spdx_deploy / arch / subdir / (doc_name + ".spdx.json")
 
 
-def write_doc(d, spdx_doc, arch, subdir, spdx_deploy=None, indent=None):
+# WARNING: This is for SPDX3. As long as we don't know which is the root
+# element, this suggest a virtual graph as top of the tree
+def write_doc(d, spdx_graph, spdx_doc, arch, subdir, spdx_deploy=None, 
indent=None):
 from pathlib import Path
 
 if spdx_deploy is None:
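Review bot: inserting `spdx_graph` as a new positional parameter before `spdx_doc` changes the public signature of `write_doc`, so any existing caller still passing `(d, spdx_doc, arch, subdir, ...)` (the 2.2 class is not touched in this patch) now binds its document to `spdx_graph` and its arch to `spdx_doc`, failing at `spdx_doc.name` below. Either add the parameter at the end with a default (`spdx_graph=None`, falling back to `spdx_doc.to_json`) or update every caller in the same commit. The comment also reads "this suggest"; "suggests".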
@@ -77,7 +79,7 @@ def write_doc(d, spdx_doc, arch, subdir, spdx_deploy=None, 
indent=None):
 dest = doc_path(spdx_deploy, spdx_doc.name, arch, subdir)
 dest.parent.mkdir(exist_ok=True, parents=True)
 with dest.open("wb") as f:
-doc_sha1 = spdx_doc.to_json(f, sort_keys=False, indent=indent)
+doc_sha1 = spdx_graph.to_json(f, sort_keys=False, indent=indent)
 
 l = _doc_path_by_namespace(spdx_deploy, arch, spdx_doc.documentNamespace)
 l.parent.mkdir(exist_ok=True, parents=True)
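Review bot: `doc_sha1` is now computed over `spdx_graph.to_json(...)`, while the destination file name and the namespace symlink still come from `spdx_doc.name` and `spdx_doc.documentNamespace`; document that the returned hash covers the whole graph serialization rather than the document element, since the read side compares this SHA-1 against the file on disk. If `spdx_doc` is not itself contained in `spdx_graph`, the name and namespace written here describe something other than what is hashed.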
-- 
2.42.0


View/Reply Online (#189880): https://lists.openembedded.org/g/openembedded-core/message/189880



[OE-core][RFC v2 04/12] create-spdx-3.0: SPDX3 objects as classes

2023-10-31 Thread Louis Rannou
Create SPDX3 objects as classes, as they are described in the SPDX3 model.

Signed-off-by: Louis Rannou 
Signed-off-by: Samantha Jalabert 
---
 meta/lib/oe/spdx3.py | 386 +++
 1 file changed, 386 insertions(+)
 create mode 100644 meta/lib/oe/spdx3.py

diff --git a/meta/lib/oe/spdx3.py b/meta/lib/oe/spdx3.py
new file mode 100644
index 00..a027c0ee5b
--- /dev/null
+++ b/meta/lib/oe/spdx3.py
@@ -0,0 +1,386 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+#
+# This library is intended to set the data types for the SPDX3 specification. 
It
+# is not intended to encode any particular OE specific behaviors, see the
+# sbom.py for that.
+#
+
+from oe.spdx import _String, _StringList, _Object, _ObjectList
+from oe.spdx import SPDXObject
+
+import json
+import hashlib
+
+class SPDX3Tool(SPDXObject):
+pass
+
+class SPDX3Agent(SPDXObject):
+pass
+
+#
+# Profile: Core - Enumerations
+#
+SPDX3HashAlgorithm = [
+"blake2b256",
+"blake2b384",
+"blake2b512",
+"blake3",
+"crystalsKyber",
+"crystalsDilithium",
+"falcon",
+"md2",
+"md4",
+"md5",
+"md6",
+"other",
+"sha1",
+"sha224",
+"sha256",
+"sha3_224",
+"sha3_256",
+"sha3_384",
+"sha3_512",
+"sha384",
+"sha512",
+"spdxPvcSha1",
+"spdxPvcSha256",
+"sphincsPlus"
+]
+
+#
+# Profile: Core - Datatypes
+#
+
+class SPDX3IntegrityMethod(SPDXObject):
+comment = _String()
+
+class SPDX3Hash(SPDX3IntegrityMethod):
+hashValue = _String()
+algorithm = _String()
+
+#
+# Profile: Core - Classes
+#
+class SPDX3CreationInfo(SPDXObject):
+specVersion = _String(default="3.0.0")
+created = _String()
+createdBy = _ObjectList(SPDX3Agent)
+profile = _StringList(default=["core", "software"])  # TODO: not in 
creationInfo in spec
+createdUsing = _ObjectList(SPDX3Tool)
+dataLicense = _String(default="CC0-1.0")
+
+def serializer(self):
+"""
+Serialize a creationInfo element.
+createdBy and createdUsing are only stored with their spdxId.
+other attributes are ordinary serialized
+"""
+main = {"type": self.__class__.__name__[len("SPDX3"):],
+"createdBy": []}
+
+main["createdBy"] = [c.spdxId for c in self._spdx["createdBy"]]
+if "createdUsing" in self._spdx and len(self._spdx["createdUsing"]):
+main["createdUsing"] = [c.spdxId for c in 
self._spdx["createdUsing"]]
+
+for (key, value) in self._spdx.items():
+if not key in ["createdBy", "createdUsing"]:
+main.update({key: value})
+return main
+
+class SPDX3ExternalMap(SPDXObject):
+externalId = _String()
+verifiedUsing = _ObjectList(SPDX3IntegrityMethod)
+definingDocument = _String()
+
+class SPDX3Element(SPDXObject):
+spdxId = _String(default="SPDXRef-DOCUMENT")
+name = _String()
+summary = _String()
+description = _String()
+creationInfo = _String()
+verifiedUsing = _ObjectList(SPDX3IntegrityMethod)
+#packages = _ObjectList(SPDXPackage)
+#files = _ObjectList(SPDXFile)
+#relationships = _ObjectList(SPDXRelationship)
+#externalDocumentRefs = _ObjectList(SPDXExternalDocumentRef)
+#hasExtractedLicensingInfos = _ObjectList(SPDXExtractedLicensingInfo)
+
+def serializer(self, rootElement, ignorekeys=[]):
+"""
+Default serialization of an Element
+creationInfo is moved to the root and refered with its id
+context and element defined in ElementCollection and Bundle are ignored
+Element objects are ignored
+other attributes are ordinary serialized
+"""
+main = {"type": self.__class__.__name__[len("SPDX3"):]}
+
+for (key, value) in self._spdx.items():
+if key == "creationInfo":
+_id = rootElement.creationinfo(value)
+main["creationInfo"] = _id
+elif key not in ignorekeys \
+and not isinstance(value, SPDX3Element):
+if key[0] == '_':
+main.update({key[1:]: value})
+else:
+main.update({key: value})
+return main
+
+def add_relationship(self, _from, relationship, _to):
+if isinstance(_from, SPDX3Element):
+from_spdxid = _from.spdxId
+else:
+from_spdxid = _from
+
+if isinstance(_to, SPDX3Element):
+to_spdxid = _to.spdxId
+else:
+to_spdxid = _to
+
+for element in self.element:
+if isinstance(element, SPDX3Relationship) \
+and element._from == from_spdxid \
+and element.relationshipType == relationship:
+element.to.append(to_spdxid)
+return element.spdxId
+
+r = SPDX3Relationship(
+_from=from_spdxid,
+relationshipType=relationship,
+  
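Review bot: `SPDX3Element.spdxId = _String(default="SPDXRef-DOCUMENT")` gives every element that is not assigned an id the document's id, so hashes, agents and the relationships built in `add_relationship` silently collide; drop the default (or derive a unique id per instance) and keep "SPDXRef-DOCUMENT" only on the document class. In the same class, `creationInfo` is declared as `_String()` yet `serializer` hands it to `rootElement.creationinfo(value)` as though it were an object; `serializer(self, rootElement, ignorekeys=[])` uses a shared mutable default and has a different signature from `SPDX3CreationInfo.serializer(self)`, so a generic encoder cannot call them uniformly; and `add_relationship` iterates `self.element`, which `SPDX3Element` does not define, so it belongs on the collection class that declares `element`. `SPDX3Hash.algorithm` could also be validated against `SPDX3HashAlgorithm` instead of accepting any string.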

[OE-core][RFC v2 05/12] oe/sbom: search into json

2023-10-31 Thread Louis Rannou
Create a function that searches into a json-ld instead of completely loading it.

Signed-off-by: Louis Rannou 
---
 meta/lib/oe/sbom.py  | 32 
 meta/lib/oe/spdx3.py | 13 +++--
 2 files changed, 39 insertions(+), 6 deletions(-)

diff --git a/meta/lib/oe/sbom.py b/meta/lib/oe/sbom.py
index ec543fa43d..c99ae1a228 100644
--- a/meta/lib/oe/sbom.py
+++ b/meta/lib/oe/sbom.py
@@ -120,3 +120,35 @@ def read_doc(fn):
 doc = oe.spdx.SPDXDocument.from_json(f)
 
 return (doc, sha1.hexdigest())
+
+
+def search_doc(fn, attr_types=None):
+"""
+Look for all attributes in the given dictionary. Return the document
+element, a dictionary of the required attributes and the sha1 of the file.
+"""
+import hashlib
+import oe.spdx3
+import io
+import contextlib
+
+@contextlib.contextmanager
+def get_file():
+if isinstance(fn, io.IOBase):
+yield fn
+else:
+with fn.open("rb") as f:
+yield f
+
+with get_file() as f:
+sha1 = hashlib.sha1()
+while True:
+chunk = f.read(4096)
+if not chunk:
+break
+sha1.update(chunk)
+
+f.seek(0)
+doc, attributes = oe.spdx3.SPDX3SpdxDocument.from_json(f, attr_types 
or [])
+
+return (doc, attributes, sha1.hexdigest())
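Review bot: `search_doc` still reads the whole file twice (once to hash it, once for `json.load`), so it does not avoid loading the document as the commit message says; if the goal is to avoid building the full object tree, the decoder-hook approach is fine, but the description should say that. `f.seek(0)` assumes a seekable stream, which an arbitrary `io.IOBase` passed as `fn` need not be (hash the bytes as they are parsed, or require a path), and the docstring says "in the given dictionary" although the argument is a file or path. Finally, `from_json` returns a tuple only when an "@graph" key is found, so the unpacking `doc, attributes = ...` raises for a document without a graph; handle that case explicitly.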
diff --git a/meta/lib/oe/spdx3.py b/meta/lib/oe/spdx3.py
index a027c0ee5b..36ba7aa1c3 100644
--- a/meta/lib/oe/spdx3.py
+++ b/meta/lib/oe/spdx3.py
@@ -286,17 +286,16 @@ class SPDX3SpdxDocument(SPDX3Bundle):
 @classmethod
 def from_json(cls, f, attributes=[]):
 """
-Look into a json file for all objects of given type. Return the 
document
-element and a dictionary of required objects.
+Look into a json file. This will return a dictionnary that represents
+the SpdxDocument, and is attributes is specified, a list of
+representation of thos attributes.
 """
+
 class Decoder(json.JSONDecoder):
 def __init__(self, *args, **kwargs):
 super().__init__(object_hook=self.object_hook, *args, **kwargs)
 
 def object_hook(self, d):
-if 'type' in d.keys():
-if d['type'] in attributes or d['type'] == 'SpdxDocument':
-return d
 if '@graph' in d.keys():
 spdxDocument = None
 attr = {a: [] for a in attributes}
@@ -304,9 +303,11 @@ class SPDX3SpdxDocument(SPDX3Bundle):
 if p is not None:
 if p['type'] == 'SpdxDocument':
 spdxDocument = p
-else:
+elif p['type'] in attributes:
 attr[p['type']].append(p)
 return (spdxDocument, attr)
+else:
+return d
 
 return json.load(f, cls=Decoder)
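Review bot: `p['type']` raises KeyError for any entry in "@graph" that lacks a "type" key, and the `if p is not None` guard above does not cover that; use `p.get('type')` or skip non-dict entries. The `attributes=[]` default is a shared mutable list that is also used for membership tests on every decoded object, so take a tuple or set instead. The docstring has typos ("dictionnary", "is attributes is specified", "thos") and should state the two possible return shapes: a `(spdxDocument, attr)` tuple when a graph is present, a plain dict otherwise.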
 
-- 
2.42.0


View/Reply Online (#189881): https://lists.openembedded.org/g/openembedded-core/message/189881



[OE-core][RFC v2 02/12] oe/spdx: extend spdx.py objects

2023-10-31 Thread Louis Rannou
Extend objects used to build the spdx scheme:

- add support for inheritance
- hide all attributes starting with _spdx
- add methods to list properties and item pairs
- improve the serializer to match the spdx3 scheme

Signed-off-by: Louis Rannou 
---
 meta/lib/oe/sbom.py |  2 +-
 meta/lib/oe/spdx.py | 30 +++---
 2 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/meta/lib/oe/sbom.py b/meta/lib/oe/sbom.py
index fd4b6895d8..824839378a 100644
--- a/meta/lib/oe/sbom.py
+++ b/meta/lib/oe/sbom.py
@@ -77,7 +77,7 @@ def write_doc(d, spdx_doc, arch, subdir, spdx_deploy=None, 
indent=None):
 dest = doc_path(spdx_deploy, spdx_doc.name, arch, subdir)
 dest.parent.mkdir(exist_ok=True, parents=True)
 with dest.open("wb") as f:
-doc_sha1 = spdx_doc.to_json(f, sort_keys=True, indent=indent)
+doc_sha1 = spdx_doc.to_json(f, sort_keys=False, indent=indent)
 
 l = _doc_path_by_namespace(spdx_deploy, arch, spdx_doc.documentNamespace)
 l.parent.mkdir(exist_ok=True, parents=True)
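Review bot: turning off `sort_keys` makes the serialized JSON, and therefore the `doc_sha1` computed on this very line, depend on attribute insertion order rather than on content; for an SBOM that is meant to be reproducible and whose hash is recorded elsewhere that is a regression unless the serializer guarantees a fixed order. If SPDX 3 needs "type" (or "@context"/"@graph") emitted first, write those keys explicitly and keep the rest sorted, or explain in the commit message why ordering is now deterministic.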
diff --git a/meta/lib/oe/spdx.py b/meta/lib/oe/spdx.py
index 7aaf2af5ed..97b9e011ad 100644
--- a/meta/lib/oe/spdx.py
+++ b/meta/lib/oe/spdx.py
@@ -145,9 +145,13 @@ class MetaSPDXObject(type):
 def __new__(mcls, name, bases, attrs):
 attrs["_properties"] = {}
 
-for key in attrs.keys():
-if isinstance(attrs[key], _Property):
-prop = attrs[key]
+at = {}
+for basecls in bases:
+at.update(basecls._properties)
+at.update(attrs)
+for key in at.keys():
+if isinstance(at[key], _Property):
+prop = at[key]
 attrs["_properties"][key] = prop
 prop.set_property(attrs, key)
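Review bot: `at.update(basecls._properties)` is applied in declaration order of `bases`, so with multiple inheritance a later base overrides an earlier one, which is the reverse of Python's MRO; iterate `reversed(bases)` (or walk the MRO) so property lookup matches attribute resolution. Any base without a `_properties` attribute (a plain mixin) also raises AttributeError here; `getattr(basecls, "_properties", {})` avoids that.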
 
@@ -166,15 +170,27 @@ class SPDXObject(metaclass=MetaSPDXObject):
 if name in d:
 self._spdx[name] = prop.init(d[name])
 
-def serializer(self):
-return self._spdx
-
 def __setattr__(self, name, value):
-if name in self._properties or name == "_spdx":
+# All attributes must be in _properties or are hidden variables which
+# must be prefixed with _spdx
+if name in self._properties or name[:len("_spdx")] == "_spdx":
 super().__setattr__(name, value)
 return
 raise KeyError("%r is not a valid SPDX property" % name)
 
+def properties(self):
+return self._properties.keys()
+
+def items(self):
+return self._properties.items()
+
+def serializer(self, rootElement):
+main = {"type": self.__class__.__name__[len("SPDX3"):]}
+for (key, value) in self._spdx.items():
+if key[0] == '_':
+key = key[1:]
+main.update({key: value})
+return main
 #
 # These are the SPDX objects implemented from the spec. The *only* properties
 # that can be added to these objects are ones directly specified in the SPDX
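Review bot: the old no-argument `serializer(self)` is removed and its replacement requires `rootElement`, but nothing in this patch touches the existing encoder that calls `serializer()` with no argument, so SPDX 2.2 serialization would fail with a TypeError until a later patch adjusts it; give `rootElement` a default of `None` or update the caller in the same patch. The new serializer also strips a fixed `len("SPDX3")` prefix from the class name, which turns `SPDXDocument` into "ocument" and `SPDXPackage` into "ackage" for the 2.2 classes that share this base, so they no longer round-trip. Minor: `name[:len("_spdx")] == "_spdx"` is `name.startswith("_spdx")`, and the commit message says these attributes are "hidden" whereas `__setattr__` merely permits them.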
-- 
2.42.0


View/Reply Online (#189878): https://lists.openembedded.org/g/openembedded-core/message/189878



[OE-core][RFC v2 01/12] create-spdx-3.0: copy 2.2 class

2023-10-31 Thread Louis Rannou
Initialize the work on SPDX 3 with a copy of the SPDX 2.2. Change default to
SPDX 3.

Signed-off-by: Marta Rybczynska 
Signed-off-by: Louis Rannou 
---
 meta/classes/create-spdx-3.0.bbclass | 1158 ++
 1 file changed, 1158 insertions(+)
 create mode 100644 meta/classes/create-spdx-3.0.bbclass

diff --git a/meta/classes/create-spdx-3.0.bbclass 
b/meta/classes/create-spdx-3.0.bbclass
new file mode 100644
index 00..b0aef80db1
--- /dev/null
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -0,0 +1,1158 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx"
+
+# The product name that the CVE database uses.  Defaults to BPN, but may need 
to
+# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
+CVE_PRODUCT ??= "${BPN}"
+CVE_VERSION ??= "${PV}"
+
+SPDXDIR ??= "${WORKDIR}/spdx"
+SPDXDEPLOY = "${SPDXDIR}/deploy"
+SPDXWORK = "${SPDXDIR}/work"
+SPDXIMAGEWORK = "${SPDXDIR}/image-work"
+SPDXSDKWORK = "${SPDXDIR}/sdk-work"
+SPDXDEPS = "${SPDXDIR}/deps.json"
+
+SPDX_TOOL_NAME ??= "oe-spdx-creator"
+SPDX_TOOL_VERSION ??= "1.0"
+
+SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
+
+SPDX_INCLUDE_SOURCES ??= "0"
+SPDX_ARCHIVE_SOURCES ??= "0"
+SPDX_ARCHIVE_PACKAGED ??= "0"
+
+SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
+SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc;
+SPDX_PRETTY ??= "0"
+
+SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
+
+SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+
+SPDX_ORG ??= "OpenEmbedded ()"
+SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
+SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created 
from \
+this recipe. For SPDX documents create using this class during the build, 
this \
+is the contact information for the person or organization who is doing the 
\
+build."
+
+def extract_licenses(filename):
+import re
+
+lic_regex = re.compile(rb'^\W*SPDX-License-Identifier:\s*([ 
\w\d.()+-]+?)(?:\s+\W*)?$', re.MULTILINE)
+
+try:
+with open(filename, 'rb') as f:
+size = min(15000, os.stat(filename).st_size)
+txt = f.read(size)
+licenses = re.findall(lic_regex, txt)
+if licenses:
+ascii_licenses = [lic.decode('ascii') for lic in licenses]
+return ascii_licenses
+except Exception as e:
+bb.warn(f"Exception reading (unknown): {e}")
+return None
+
+def get_doc_namespace(d, doc):
+import uuid
+namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, 
d.getVar("SPDX_UUID_NAMESPACE"))
+return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), doc.name, 
str(uuid.uuid5(namespace_uuid, doc.name)))
+
+def create_annotation(d, comment):
+from datetime import datetime, timezone
+
+creation_time = 
datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+annotation = oe.spdx.SPDXAnnotation()
+annotation.annotationDate = creation_time
+annotation.annotationType = "OTHER"
+annotation.annotator = "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), 
d.getVar("SPDX_TOOL_VERSION"))
+annotation.comment = comment
+return annotation
+
+def recipe_spdx_is_native(d, recipe):
+return any(a.annotationType == "OTHER" and
+  a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), 
d.getVar("SPDX_TOOL_VERSION")) and
+  a.comment == "isNative" for a in recipe.annotations)
+
+def is_work_shared_spdx(d):
+return bb.data.inherits_class('kernel', d) or ('work-shared' in 
d.getVar('WORKDIR'))
+
+def get_json_indent(d):
+if d.getVar("SPDX_PRETTY") == "1":
+return 2
+return None
+
+python() {
+import json
+if d.getVar("SPDX_LICENSE_DATA"):
+return
+
+with open(d.getVar("SPDX_LICENSES"), "r") as f:
+data = json.load(f)
+# Transform the license array to a dictionary
+data["licenses"] = {l["licenseId"]: l for l in data["licenses"]}
+d.setVar("SPDX_LICENSE_DATA", data)
+}
+
+def convert_license_to_spdx(lic, document, d, existing={}):
+from pathlib import Path
+import oe.spdx
+
+license_data = d.getVar("SPDX_LICENSE_DATA")
+extracted = {}
+
+def add_extracted_license(ident, name):
+nonlocal document
+
+if name in extracted:
+return
+
+extracted_info = oe.spdx.SPDXExtractedLicensingInfo()
+extracted_info.name = name
+extracted_info.licenseId = ident
+extracted_info.extractedText = None
+
+if name == "PD":
+# Special-case this.
+extracted_info.extractedText = "Software released to the public 
domain"
+else:
+# Seach for the license in COMMON_LICENSE_DIR and LICENSE_PATH
+for directory in [d.getVar('COMMON_LICENSE_DIR')] + 
(d.getVar('LICENSE_PATH') or '').split():
+try:
+with (Path(directory) / name).open(errors="replace") as f:
+
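Review bot: the commit message says "Change default to SPDX 3", but the diffstat touches only the new create-spdx-3.0.bbclass; the default switch is in a later patch of this series, so either move that one-line change here or drop the sentence. Since this file is a verbatim copy of the 2.2 class, the follow-up patches should also fix what is copied with it: `convert_license_to_spdx(..., existing={})` uses a mutable default, and `extract_licenses` reports failures as "Exception reading (unknown)" without the `filename` it was given, which makes license-scan problems in an SBOM build hard to trace.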

[OE-core][RFC v2 00/12] SPDX3 Proof-of-Concept

2023-10-31 Thread Louis Rannou
This patch-set adds a proof-of-concept implementation of the upcoming
SPDX3 standard to the SBOM generation of the Yocto Project/OpenEmbedded.

The current code delivers an equivalent of what is produced for SPDX2.2.
The standard has not been released yet, and there is some specification
work in progress still. Our questions and open points are available
in the README.SPDX3 file.

Louis Rannou (7):
  create-spdx-3.0: copy 2.2 class
  oe/spdx: extend spdx.py objects
  oe/sbom: change the write_doc to prepare for spdx3
  create-spdx-3.0: SPDX3 objects as classes
  oe/sbom: search into json
  create-spdx-3.0: draft: remove low value stuff
  oeqa/selftest/cases/spdx: change test for spdx3

Marta Rybczynska (1):
  README.SPDX3: add file

Samantha Jalabert (4):
  create-spdx-3.0: support for recipe spdx creation
  create-spdx-3.0: support for spdx image
  create-spdx-3.0: Use FQDN spdx ids
  create-spdx-3.0: support for License profile

 README.SPDX3 |   45 +
 meta/classes/create-spdx-2.2.bbclass |1 -
 meta/classes/create-spdx-3.0.bbclass | 1223 ++
 meta/classes/create-spdx.bbclass |2 +-
 meta/lib/oe/sbom.py  |   38 +-
 meta/lib/oe/spdx.py  |   30 +-
 meta/lib/oe/spdx3.py |  384 
 meta/lib/oeqa/selftest/cases/spdx.py |   16 +-
 8 files changed, 1723 insertions(+), 16 deletions(-)
 create mode 100644 README.SPDX3
 create mode 100644 meta/classes/create-spdx-3.0.bbclass
 create mode 100644 meta/lib/oe/spdx3.py

-- 
2.42.0


View/Reply Online (#189876): https://lists.openembedded.org/g/openembedded-core/message/189876



Patchtest results for [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863

2023-10-31 Thread Steve Sakoman
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch 
/home/patchtest/share/mboxes/kirkstone-3-3-libwebp-Fix-CVE-2023-4863.patch

FAIL: test CVE presence in commit message: A CVE tag should be provided in the 
commit message with format: "CVE: CVE--" 
(test_mbox.TestMbox.test_cve_presence_in_commit_message)

PASS: pretest lic files chksum modified not mentioned 
(test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not_mentioned)
PASS: pretest src uri left files 
(test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence 
(test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence 
(test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence 
(test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence 
(test_mbox.TestMbox.test_commit_message_presence)
PASS: test lic files chksum modified not mentioned 
(test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files 
(test_metadata.TestMetadata.test_src_uri_left_files)

SKIP: pretest pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found 
(test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now 
(test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check other mailing 
lists (test_mbox.TestMbox.test_target_mailing_list)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

View/Reply Online (#189875): https://lists.openembedded.org/g/openembedded-core/message/189875



Patchtest results for [OE-core][kirkstone 1/3] libxml2: Patch CVE-2023-45322

2023-10-31 Thread Steve Sakoman
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch 
/home/patchtest/share/mboxes/kirkstone-1-3-libxml2-Patch-CVE-2023-45322.patch

FAIL: test CVE presence in commit message: A CVE tag should be provided in the 
commit message with format: "CVE: CVE--" 
(test_mbox.TestMbox.test_cve_presence_in_commit_message)

PASS: pretest lic files chksum modified not mentioned 
(test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not_mentioned)
PASS: pretest src uri left files 
(test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence 
(test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence 
(test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence 
(test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence 
(test_mbox.TestMbox.test_commit_message_presence)
PASS: test lic files chksum modified not mentioned 
(test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files 
(test_metadata.TestMetadata.test_src_uri_left_files)

SKIP: pretest pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found 
(test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now 
(test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check other mailing 
lists (test_mbox.TestMbox.test_target_mailing_list)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

View/Reply Online (#189874): https://lists.openembedded.org/g/openembedded-core/message/189874
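The two patchtest reports above fail the same check, and the thread at the top of this page argues about where the CVE id has to live: the commit message, the patch file name, or the patch header. As an added example that is not patchtest's own code, the Python below reads one git format-patch mbox and cross-checks those three places, so a submitter can see the mismatch before the bot does. The sample mbox is constructed here after the libwebp submission further down the page; its hash, author and dates are placeholders.

```python
"""Cross-check the CVE tag of a fix sent as a git format-patch mbox.

Added example (not patchtest code): the "CVE: CVE-YYYY-NNNN" tag is read
from the commit message, from each added patch's file name and from that
patch's header, and disagreements between the three are reported.
"""
import re
from typing import Dict, List, Set, Tuple

CVE_ID = r"CVE-\d{4}-\d{4,}"
# Tag line in the form patchtest asks for; several ids may share one line.
TAG_LINE = re.compile(rf"^CVE:[ \t]*({CVE_ID}(?:[ ,]+{CVE_ID})*)[ \t]*$", re.M)
ANY_ID = re.compile(CVE_ID)


def split_mbox(mbox: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (subject, commit message, {path: text of the added lines}).
    Only '+' lines are kept, with the '+' stripped, so the header of a newly
    added .patch file can be scanned like an ordinary file."""
    header, _, body = mbox.partition("\n\n")
    subject, in_subject = "", False
    for line in header.splitlines():          # join a folded Subject header
        if line.startswith("Subject:"):
            subject, in_subject = line[len("Subject:"):].strip(), True
        elif in_subject and line[:1] in (" ", "\t"):
            subject += " " + line.strip()
        else:
            in_subject = False
    message, _, diff = body.partition("\n---\n")
    files: Dict[str, str] = {}
    current = ""
    for line in diff.splitlines():
        m = re.match(r"^diff --git a/\S+ b/(\S+)$", line)
        if m:
            current = m.group(1)
            files[current] = ""
        elif current and line.startswith("+") and not line.startswith("+++ "):
            files[current] += line[1:] + "\n"
    return subject, message.strip(), files


def _tagged_ids(text: str) -> Set[str]:
    """Ids on 'CVE:' tag lines only; a URL that merely contains an id does not count."""
    ids: Set[str] = set()
    for m in TAG_LINE.finditer(text):
        ids.update(ANY_ID.findall(m.group(1)))
    return ids


def check_cve_tags(mbox: str) -> List[str]:
    """Return findings as strings; an empty list means the submission is consistent."""
    subject, message, files = split_mbox(mbox)
    findings: List[str] = []
    tagged = _tagged_ids(message)
    mentioned = set(ANY_ID.findall(subject + "\n" + message))
    if mentioned and not tagged:              # the check patchtest fails on
        findings.append("commit message mentions %s but has no 'CVE:' tag line"
                        % ", ".join(sorted(mentioned)))
    for path, text in files.items():
        if not path.endswith(".patch"):
            continue
        in_name = set(ANY_ID.findall(path.rsplit("/", 1)[-1]))
        in_header = _tagged_ids(text)
        if not in_header:
            findings.append(f"{path}: no 'CVE:' tag in the patch header")
        elif in_name and in_name != in_header:
            findings.append(f"{path}: file name says {sorted(in_name)} "
                            f"but the header says {sorted(in_header)}")
        elif tagged and not in_header <= tagged:
            findings.append(f"{path}: header ids {sorted(in_header)} are not "
                            f"all tagged in the commit message")
        if not re.search(r"^Upstream-Status:", text, re.M):
            findings.append(f"{path}: no Upstream-Status line")
    return findings


def build_sample_mbox(with_tag: bool) -> str:
    """Constructed sample modelled on the libwebp submission on this page;
    hash and author are placeholders, the Subject is folded on purpose."""
    tag = "CVE: CVE-2023-4863\n\n" if with_tag else ""
    patch = "b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch"
    return (
        "From 1111111111111111111111111111111111111111 Mon Sep 17 00:00:00 2001\n"
        "From: Example Author <author@example.com>\n"
        "Subject: [OE-core][kirkstone 3/3] libwebp: Fix\n CVE-2023-4863\n\n"
        "Heap buffer overflow in WebP allowed a remote attacker to perform an\n"
        "out of bounds memory write via a crafted file.\n\n"
        "References:\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4863\n\n"
        + tag +
        "Signed-off-by: Example Author <author@example.com>\n---\n"
        " .../webp/files/CVE-2023-4863.patch | 5 +++++\n"
        " 1 file changed, 5 insertions(+)\n\n"
        f"diff --git a{patch[1:]} {patch}\nnew file mode 100644\n"
        f"--- /dev/null\n+++ {patch}\n@@ -0,0 +1,5 @@\n"
        "+Subject: [PATCH] Fix invalid incremental decoding check.\n+\n"
        "+CVE: CVE-2023-4863\n+\n"
        "+Upstream-Status: Backport [https://github.com/webmproject/libwebp/"
        "commit/95ea5226c870449522240ccff26f0b006037c520]\n"
    )
```

Run `check_cve_tags(build_sample_mbox(with_tag=False))` to reproduce the failure the bot reports: the subject and the NVD URL both name the CVE, the patch file name and header agree, but no `CVE:` line exists in the commit message. With `with_tag=True` the list is empty. Checking the patch header as well covers the point made in the thread that cve-check reads the tag from the patch file, not from the commit message.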



[OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863

2023-10-31 Thread Steve Sakoman
From: Soumya Sambu 

Heap buffer overflow in WebP in Google Chrome prior to
116.0.5845.187 allowed a remote attacker to perform an
out of bounds memory write via a crafted HTML page.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

Signed-off-by: Soumya Sambu 
Signed-off-by: Steve Sakoman 
---
 .../webp/files/CVE-2023-4863.patch| 53 +++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
new file mode 100644
index 00..2b1817822c
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud 
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+
+Signed-off-by: Soumya Sambu 
+---
+ src/dec/vp8l_dec.c | 15 +--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 186b0b2..59a9e64 100644
+--- a/src/dec/vp8l_dec.c
 b/src/dec/vp8l_dec.c
+@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, 
uint32_t* const data,
+   }
+
+   br->eos_ = VP8LIsEndOfStream(br);
+-  if (dec->incremental_ && br->eos_ && src < src_end) {
++  // In incremental decoding:
++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++  // 'src_last' has not been reached yet, there is not enough data. 'dec' has 
to
++  // be reset until there is more data.
++  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++  // fully read, either enough has been read to reach 'src_last'.
++  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually 
go
++  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
++  // The buffer might have been enough or there is some left. 'br->eos_' does
++  // not matter.
++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= 
src_last);
++  if (dec->incremental_ && br->eos_ && src < src_last) {
+ RestoreState(dec);
+-  } else if (!br->eos_) {
++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+ // Process the remaining rows corresponding to last row-block.
+ if (process_func != NULL) {
+   process_func(dec, row > last_row ? last_row : row);
+--
+2.40.0
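Review bot: the `assert(...)` added in front of the `if` is compiled out in NDEBUG builds, so at runtime the behaviour rests only on the two `if` conditions that follow; that matches upstream (the header has the Backport link and the CVE tag, so the patch file itself is fine). What is missing is context in the outer commit message: this commit's own subject is "Fix invalid incremental decoding check", a follow-up, whereas the commit message describes the heap buffer overflow itself, so state how this backport relates to the fix already applied for that overflow.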
diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb 
b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
index 4defdd5e42..0728ca60f5 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
@@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
 SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
file://CVE-2023-1999.patch \
file://CVE-2023-5129.patch \
+   file://CVE-2023-4863.patch \
"
 SRC_URI[sha256sum] = 
"7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
 
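Review bot: the commit message has no "CVE: CVE-2023-4863" line, which is exactly what the patchtest report for this patch earlier in this digest fails on; add the tag so the mbox check passes and tooling can parse it. CVE-2023-5129.patch is already in SRC_URI right above the new line, so the commit message should spell out which upstream commit each of the two patch files carries and why both are needed, otherwise a reader cannot tell from the recipe alone whether the `CVE:` tag in the new file marks the complete fix for cve-check.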
-- 
2.34.1


View/Reply Online (#189873): https://lists.openembedded.org/g/openembedded-core/message/189873



[OE-core][kirkstone 2/3] tiff: CVE patch correction for CVE-2023-3576

2023-10-31 Thread Steve Sakoman
From: Vijay Anusuri 

- The commit 
[https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
fixes CVE-2023-3576
- Hence, renamed the CVE-2023-3618-1.patch to CVE-2023-3576.patch
- Reference: https://security-tracker.debian.org/tracker/CVE-2023-3576
 https://security-tracker.debian.org/tracker/CVE-2023-3618

Signed-off-by: Vijay Anusuri 
Signed-off-by: Steve Sakoman 
---
 .../tiff/{CVE-2023-3618-1.patch => CVE-2023-3576.patch}   | 3 ++-
 .../tiff/{CVE-2023-3618-2.patch => CVE-2023-3618.patch}   | 0
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)
 rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-1.patch => 
CVE-2023-3576.patch} (93%)
 rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-2.patch => 
CVE-2023-3618.patch} (100%)

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3576.patch
similarity index 93%
rename from meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch
rename to meta/recipes-multimedia/libtiff/tiff/CVE-2023-3576.patch
index 8f55d2b496..b17dd72170 100644
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3576.patch
@@ -4,8 +4,9 @@ Date: Tue, 7 Mar 2023 15:02:08 +0800
 Subject: [PATCH] Fix memory leak in tiffcrop.c
 
 Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
-CVE: CVE-2023-3618
+CVE: CVE-2023-3576
 Signed-off-by: Hitendra Prajapati 
+Signed-off-by: Vijay Anusuri 
 ---
  tools/tiffcrop.c | 7 ++-
  1 file changed, 6 insertions(+), 1 deletion(-)
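Review bot: retagging this file from CVE-2023-3618 to CVE-2023-3576 means that, after this commit, only CVE-2023-3618.patch (renamed from -2 with 100% similarity, so its header is not shown here) can still carry "CVE: CVE-2023-3618"; confirm that file's header has the tag, otherwise cve-check loses the 3618 marker entirely with this rename. The commit message cites the upstream commit for 3576 but not the one for 3618; adding both makes the split auditable.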
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618.patch
similarity index 100%
rename from meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch
rename to meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 8dcd73273e..e925b7d652 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -40,8 +40,8 @@ SRC_URI = 
"http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-26965.patch \
file://CVE-2023-2908.patch \
file://CVE-2023-3316.patch \
-   file://CVE-2023-3618-1.patch \
-   file://CVE-2023-3618-2.patch \
+   file://CVE-2023-3576.patch \
+   file://CVE-2023-3618.patch \
file://CVE-2023-26966.patch \
file://CVE-2022-40090.patch \
file://CVE-2023-1916.patch \
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189872): 
https://lists.openembedded.org/g/openembedded-core/message/189872
Mute This Topic: https://lists.openembedded.org/mt/102307906/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][kirkstone 1/3] libxml2: Patch CVE-2023-45322

2023-10-31 Thread Steve Sakoman
From: Peter Marko 

Backport the patch for the gitlab issue mentioned in the NVD CVE report.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
Also backport one of the 14 patches for an older issue with similar errors,
to have a clean cherry-pick without patch fuzz.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/344

The CVE is disputed because the maintainer does not think that
errors after memory allocation failures are critical enough
to warrant a CVE ID.
This patch will formally fix the reported error case; trying to backport
another 13 patches and resolve conflicts would probably be overkill
given the disputed state.
This CVE was ignored on the master branch (as disputed).

Signed-off-by: Peter Marko 
Signed-off-by: Steve Sakoman 
---
 .../libxml/libxml2/CVE-2023-45322-1.patch | 49 
 .../libxml/libxml2/CVE-2023-45322-2.patch | 79 +++
 meta/recipes-core/libxml/libxml2_2.9.14.bb|  2 +
 3 files changed, 130 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
new file mode 100644
index 00..5f1cb72534
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,49 @@
+From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Wed, 2 Nov 2022 15:44:42 +0100
+Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
+
+Found with libFuzzer, see #344.
+
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
+
+Signed-off-by: Peter Marko 
+---
+ tree.c | 7 +--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 507869efe..647288ce3 100644
+--- a/tree.c
 b/tree.c
+@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, 
xmlNodePtr parent) {
+   }
+   if (doc->intSubset == NULL) {
+   q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-  if (q == NULL) return(NULL);
++  if (q == NULL) goto error;
+   q->doc = doc;
+   q->parent = parent;
+   doc->intSubset = (xmlDtdPtr) q;
+@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, 
xmlNodePtr parent) {
+   } else
+ #endif /* LIBXML_TREE_ENABLED */
+   q = xmlStaticCopyNode(node, doc, parent, 1);
+-  if (q == NULL) return(NULL);
++  if (q == NULL) goto error;
+   if (ret == NULL) {
+   q->prev = NULL;
+   ret = p = q;
+@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, 
xmlNodePtr parent) {
+   node = node->next;
+ }
+ return(ret);
++error:
++xmlFreeNodeList(ret);
++return(NULL);
+ }
+ 
+ /**
+-- 
+GitLab
+
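Review bot: the new error label tears down the partially copied list with xmlFreeNodeList(ret), but the DTD branch just above stores the freshly copied DTD in doc->intSubset (and links it under parent) before the loop continues, so an allocation failure on a later node frees or unlinks nodes that doc->intSubset still points into, leaving dangling pointers. That is the use-after-free the second patch in this series ("Fix UAF if malloc fails", which introduces newSubset) addresses, so the two patches must land together and this first one should be described in the commit message as a prerequisite rather than as a fix on its own.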
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
new file mode 100644
index 00..845fd70c66
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,79 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+
+Fixes #583.
+
+CVE: CVE-2023-45322
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
+
+Signed-off-by: Peter Marko 
+---
+ tree.c | 31 ---
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
 b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ xmlNodePtr ret = NULL;
+ xmlNodePtr p = NULL,q;
++xmlDtdPtr newSubset = NULL;
+ 
+ while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+   if (node->type == XML_DTD_NODE ) {
+-  if (doc == NULL) {
++#ifdef LIBXML_TREE_ENABLED
++  if ((doc == NULL) || (doc->intSubset != NULL)) {
+   node = node->next;
+   continue;
+   }
+-  if (doc->intSubset == NULL) {
+-  q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-  if (q == NULL) goto error;
+-  q->doc = doc;
+-  q->parent = parent;
+-  doc->intSubset = (xmlDtdPtr) q;
+-  xmlAddChild(parent, q);
+-  } else {
+-  q = (xmlNodePtr) doc->intSubset;
+-  xmlAddChild(parent, q);
+-  }
+-  } else
++q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
++if (q == NULL) goto error;
++q->doc = doc;
++ 
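Review bot: the rewritten DTD branch now skips the node whenever doc->intSubset is already set, whereas the removed else-branch re-attached the existing subset with xmlAddChild(parent, q); that is what "Don't create multiple DTD nodes" amounts to, and it is a behaviour change for callers that copy a node list into a document which already has a DTD, which the commit message should state. The hunk is cut off in the archive after q->doc = doc, so how newSubset is used to unwind doc->intSubset on the error path cannot be reviewed from this message; the full patch at the Upstream-Status link needs to be checked before an ack.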

[OE-core][kirkstone 0/3] Patch review

2023-10-31 Thread Steve Sakoman
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, October 2

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6124

The following changes since commit 56503e3e80603de3b69acef2f6d32836bc9e5e5d:

  linux-firmware: create separate packages (2023-10-29 06:30:03 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Peter Marko (1):
  libxml2: Patch CVE-2023-45322

Soumya Sambu (1):
  libwebp: Fix CVE-2023-4863

Vijay Anusuri (1):
  tiff: CVE patch correction for CVE-2023-3576

 .../libxml/libxml2/CVE-2023-45322-1.patch | 49 
 .../libxml/libxml2/CVE-2023-45322-2.patch | 79 +++
 meta/recipes-core/libxml/libxml2_2.9.14.bb|  2 +
 ...-2023-3618-1.patch => CVE-2023-3576.patch} |  3 +-
 ...-2023-3618-2.patch => CVE-2023-3618.patch} |  0
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  4 +-
 .../webp/files/CVE-2023-4863.patch| 53 +
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  1 +
 8 files changed, 188 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
 rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-1.patch => 
CVE-2023-3576.patch} (93%)
 rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-2.patch => 
CVE-2023-3618.patch} (100%)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch

-- 
2.34.1






[OE-core] [master][kirkstone][PATCH] lsb-release: use https for UPSTREAM_CHECK_URI

2023-10-31 Thread Tim Orling
http:// results in 301 Moved Permanently and redirects to https://

Also drop SRC_URI[md5sum].

Signed-off-by: Tim Orling 
---
Steve,

Really this applies to any stable release... this is after all 2001 code.

 meta/recipes-extended/lsb/lsb-release_1.4.bb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/meta/recipes-extended/lsb/lsb-release_1.4.bb 
b/meta/recipes-extended/lsb/lsb-release_1.4.bb
index ad16554e985..00d8183a4f1 100644
--- a/meta/recipes-extended/lsb/lsb-release_1.4.bb
+++ b/meta/recipes-extended/lsb/lsb-release_1.4.bb
@@ -14,10 +14,9 @@ SRC_URI = 
"${SOURCEFORGE_MIRROR}/project/lsb/lsb_release/1.4/lsb-release-1.4.tar
file://help2man-reproducibility.patch \
"
 
-SRC_URI[md5sum] = "30537ef5a01e0ca94b7b8eb6a36bb1e4"
 SRC_URI[sha256sum] = 
"99321288f8d62e7a1d485b7c6bdccf06766fb8ca603c6195806e4457fdf17172"
 
-UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/lsb/files/lsb_release/;
+UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/lsb/files/lsb_release/;
 UPSTREAM_CHECK_REGEX = "/lsb_release/(?P(\d+[\.\-_]*)+)/"
 
 CLEANBROKEN = "1"
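Review bot: the https switch only touches UPSTREAM_CHECK_URI, i.e. the page the upstream version check scrapes, while the sources themselves still come from ${SOURCEFORGE_MIRROR} in SRC_URI, so the commit message could say that this fixes the upstream check (the 301 redirect) rather than fetch integrity. Dropping SRC_URI[md5sum] is fine since the sha256sum stays as the verified checksum.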
-- 
2.34.1





[OE-core] [PATCH] cve-check: don't warn if a patch is remote

2023-10-31 Thread Ross Burton
From: Ross Burton 

We don't make do_cve_check depend on do_unpack because that would be a
waste of time 99% of the time.  The compromise here is that we can't
scan remote patches for issues, but this isn't a problem so downgrade
the warning to a note.

Also move the check for CVEs in the filename before the local file check
so that even with remote patches, we still check for CVE references in
the name.

Signed-off-by: Ross Burton 
---
 meta/lib/oe/cve_check.py | 11 ++-
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index c0ab22d25ea..3fa77bf9a71 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -95,11 +95,6 @@ def get_patched_cves(d):
 for url in oe.patch.src_patches(d):
 patch_file = bb.fetch.decodeurl(url)[2]
 
-# Remote compressed patches may not be unpacked, so silently ignore 
them
-if not os.path.isfile(patch_file):
-bb.warn("%s does not exist, cannot extract CVE list" % patch_file)
-continue
-
 # Check patch file name for CVE ID
 fname_match = cve_file_name_match.search(patch_file)
 if fname_match:
@@ -107,6 +102,12 @@ def get_patched_cves(d):
 patched_cves.add(cve)
 bb.debug(2, "Found CVE %s from patch file name %s" % (cve, 
patch_file))
 
+# Remote patches won't be present and compressed patches won't be
+# unpacked, so say we're not scanning them
+if not os.path.isfile(patch_file):
+bb.note("%s is remote or compressed, not scanning content" % 
patch_file)
+continue
+
 with open(patch_file, "r", encoding="utf-8") as f:
 try:
 patch_text = f.read()
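Review bot: after this change the CVE: tags in the body of a remote patch are never read, so a remote patch whose file name does not carry the CVE ID will not be counted as patched at all, and the only trace of that is a bb.note; either say so explicitly in the commit message and the cve-check documentation, or keep a warning for the case where the file is absent and the name match above found nothing, since that is the combination that silently loses a CVE from the report.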
-- 
2.34.1
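
As an added example (not OE-core's cve_check.py), the scan order the message describes, run over constructed patches: a local patch with the ID in its name, one with the ID only in its CVE: tag, and a remote one that was never fetched and therefore can only be matched by name. The regexes, the patch_path helper and the example.invalid URL are assumptions.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Regexes are assumptions standing in for cve-check's own patterns:
# an ID anywhere in the file name, and "CVE: CVE-YYYY-NNNN ..." tag lines.
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d+", re.IGNORECASE)
CVE_TAG_RE = re.compile(r"^\s*CVE:((?:\s+CVE-\d{4}-\d+)+)", re.MULTILINE | re.IGNORECASE)


def patch_path(url):
    """Path part of a SRC_URI entry, standing in for bb.fetch.decodeurl(url)[2]."""
    return urlparse(url).path


def get_patched_cves(patch_urls, notes):
    """Collect the CVE IDs a list of patch URLs claims to fix.

    Order matters, as in the commit above: the file name is matched first so a
    remote patch still counts by name, and the body is read only when the file
    exists locally (not remote, not still compressed).  Skipped bodies are
    recorded in `notes`, mirroring the bb.note the patch downgrades from bb.warn.
    """
    patched = set()
    for url in patch_urls:
        path = patch_path(url)

        # 1. Check the file name (works for remote patches: only the URL path is needed)
        name_match = CVE_ID_RE.search(os.path.basename(path))
        if name_match:
            patched.add(name_match.group(0).upper())

        # 2. Remote or compressed patches are not on disk: note it and move on
        if not os.path.isfile(path):
            notes.append("%s is remote or compressed, not scanning content" % path)
            continue

        # 3. Local, unpacked patch: read the CVE: tag lines in the body
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            text = f.read()
        for tag in CVE_TAG_RE.findall(text):
            patched.update(cve.upper() for cve in CVE_ID_RE.findall(tag))
    return patched


def demo():
    """Constructed sample: two local patches and one remote patch that was never fetched."""
    notes = []
    with tempfile.TemporaryDirectory() as tmp:
        named = os.path.join(tmp, "CVE-2023-3576.patch")   # ID in the name and the body
        with open(named, "w", encoding="utf-8") as f:
            f.write("Subject: [PATCH] Fix memory leak in tiffcrop.c\nCVE: CVE-2023-3576\n---\n")
        tagged = os.path.join(tmp, "fix-dtd-copy.patch")    # ID only in the body
        with open(tagged, "w", encoding="utf-8") as f:
            f.write("Subject: [PATCH] tree: Fix copying of DTDs\nCVE: CVE-2023-45322\n---\n")
        # Constructed remote URL; nothing is downloaded, so only its name can be matched
        remote = "https://example.invalid/patches/CVE-2023-4863.patch"
        found = get_patched_cves(["file://" + named, "file://" + tagged, remote], notes)
    return found, notes


if __name__ == "__main__":
    found, notes = demo()
    print(sorted(found))   # ['CVE-2023-3576', 'CVE-2023-45322', 'CVE-2023-4863']
    for n in notes:
        print("NOTE:", n)
```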





[OE-core][PATCH] patchtest: make pylint tests compatible with 3.x

2023-10-31 Thread Trevor Gamblin
pylint 3.x has removed epylint, which is now a separate module. To avoid
adding another recipe or using outdated modules, modify the
test_python_pylint tests so that they use the standard pylint API.

Signed-off-by: Trevor Gamblin 
---
 meta/lib/patchtest/tests/test_python_pylint.py | 17 -
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/meta/lib/patchtest/tests/test_python_pylint.py 
b/meta/lib/patchtest/tests/test_python_pylint.py
index 304b2d5ee9a..ef315e591ca 100644
--- a/meta/lib/patchtest/tests/test_python_pylint.py
+++ b/meta/lib/patchtest/tests/test_python_pylint.py
@@ -5,8 +5,11 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
 import base
+from io import StringIO
 from data import PatchTestInput
-import pylint.epylint as lint
+from pylint.reporters.text import TextReporter
+import pylint.lint as lint
+
 
 class PyLint(base.Base):
 pythonpatches  = []
@@ -32,8 +35,10 @@ class PyLint(base.Base):
 def pretest_pylint(self):
 for pythonpatch in self.pythonpatches:
 if pythonpatch.is_modified_file:
-(pylint_stdout, pylint_stderr) = lint.py_run(command_options = 
pythonpatch.path + self.pylint_options, return_std=True)
-for line in pylint_stdout.readlines():
+pylint_output = StringIO()
+reporter = TextReporter(pylint_output)
+lint.Run([self.pylint_options, pythonpatch.path], 
reporter=reporter, exit=False)
+for line in pylint_output.readlines():
 if not '*' in line:
 if line.strip():
 self.pylint_pretest[line.strip().split(' ',1)[0]] 
= line.strip().split(' ',1)[1]
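Review bot: two problems in this hunk. TextReporter writes into pylint_output, so when lint.Run returns the StringIO's position is at its end and pylint_output.readlines() yields nothing, which makes the pretest silently record no findings; call pylint_output.seek(0) first, or iterate over pylint_output.getvalue().splitlines(). Second, self.pylint_options is handed to lint.Run as one argv element, but Run expects each option as a separate list entry, so a string holding more than one option (or the leading space the old string concatenation implies) will be rejected by pylint; split it, e.g. lint.Run(shlex.split(self.pylint_options) + [pythonpatch.path], reporter=reporter, exit=False).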
@@ -46,8 +51,10 @@ class PyLint(base.Base):
 path = pythonpatch.target_file[2:]
 else:
 path = pythonpatch.path
-(pylint_stdout, pylint_stderr) = lint.py_run(command_options = 
path + self.pylint_options, return_std=True)
-for line in pylint_stdout.readlines():
+pylint_output = StringIO()
+reporter = TextReporter(pylint_output)
+lint.Run([self.pylint_options, pythonpatch.path], 
reporter=reporter, exit=False)
+for line in pylint_output.readlines():
 if not '*' in line:
 if line.strip():
 self.pylint_test[line.strip().split(' ',1)[0]] = 
line.strip().split(' ',1)[1]
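Review bot: this hunk computes path from pythonpatch.target_file (falling back to pythonpatch.path) but the new lint.Run call lints pythonpatch.path, so the target_file branch just above becomes dead code and the test no longer analyses the file it intended to; pass path as the old py_run call did. The StringIO also has to be rewound with pylint_output.seek(0) before readlines() here, and self.pylint_options should be split into separate argv entries rather than passed as one string.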
-- 
2.41.0





[OE-core][dunfell][PATCH] glibc: ignore CVE-2023-4527

2023-10-31 Thread Peter Marko via lists.openembedded.org
From: Peter Marko 

This vulnerability was introduced in 2.36, so 2.31 is not vulnerable.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/glibc/glibc_2.31.bb | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/meta/recipes-core/glibc/glibc_2.31.bb 
b/meta/recipes-core/glibc/glibc_2.31.bb
index 1862586749..8298088323 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -29,6 +29,13 @@ CVE_CHECK_WHITELIST += "CVE-2019-1010025"
 # 
https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=dunfell=e1e89ff7d75c3d2223f9e3bd875b9b0c5e15836b
 CVE_CHECK_WHITELIST += "CVE-2021-35942"
 
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4527
+# This vulnerability was introduced in 2.36 by commit
+# f282cdbe7f436c75864e5640a409a10485e9abb2 resolv: Implement no- stub 
resolver option
+# so our version is not yet vulnerable
+# See https://sourceware.org/bugzilla/show_bug.cgi?id=30842
+CVE_CHECK_WHITELIST += "CVE-2023-4527"
+
 DEPENDS += "gperf-native bison-native make-native"
 
 NATIVESDKFIXES ?= ""
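Review bot: the upstream commit subject quoted in the comment reads "resolv: Implement no- stub resolver option", which looks truncated (the word after "no-" is missing); please quote the full subject of f282cdbe7f436c75864e5640a409a10485e9abb2 so the "introduced in 2.36" claim can be checked against that commit without guessing which option it refers to.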
-- 
2.30.2





[OE-core][kirkstone][PATCH] glibc: ignore CVE-2023-4527

2023-10-31 Thread Peter Marko via lists.openembedded.org
From: Peter Marko 

This vulnerability was introduced in 2.36, so 2.35 is not vulnerable.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/glibc/glibc_2.35.bb | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/meta/recipes-core/glibc/glibc_2.35.bb 
b/meta/recipes-core/glibc/glibc_2.35.bb
index 271520f76b..21cd99dfdd 100644
--- a/meta/recipes-core/glibc/glibc_2.35.bb
+++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -16,6 +16,13 @@ CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 
CVE-2019-1010024"
 # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
 CVE_CHECK_IGNORE += "CVE-2019-1010025"
 
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4527
+# This vulnerability was introduced in 2.36 by commit
+# f282cdbe7f436c75864e5640a409a10485e9abb2 resolv: Implement no- stub 
resolver option
+# so our version is not yet vulnerable
+# See https://sourceware.org/bugzilla/show_bug.cgi?id=30842
+CVE_CHECK_IGNORE += "CVE-2023-4527"
+
 # To avoid these in cve-check reports since the recipe version did not change
 CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156"
 
-- 
2.30.2





Re: [OE-core][mickledore 0/5] Patch review

2023-10-31 Thread Steve Sakoman
On Tue, Oct 31, 2023 at 5:55 AM Richard Purdie
 wrote:
>
> On Tue, 2023-10-31 at 05:35 -1000, Steve Sakoman wrote:
> > Please review this set of patches for mickledore and have comments back by
> > end of day Thursday, November 2
> >
> > Passed a-full on autobuilder:
> >
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6123
> >
> > The following changes since commit e9ca1405b732720ff72d379e0262a78bfd2e7d53:
> >
> >   busybox: Set PATH in syslog initscript (2023-10-19 04:34:38 -1000)
> >
> > are available in the Git repository at:
> >
> >   https://git.openembedded.org/openembedded-core-contrib 
> > stable/mickledore-nut
> >   
> > https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/mickledore-nut
> >
> > Peter Marko (1):
> >   openssl: Upgrade 3.1.3 -> 3.1.4
> >
> > Xiangyu Chen (4):
> >   grub2: fix CVE-2023-4692
> >   grub2: fix CVE-2023-4693
> >   shadow: Fix CVE-2023-4641
> >   linux-yocto: make sure the pahole-native available before
> > do_kernel_configme
> >
>
> Some of these are not in nanbield :/

I guess I better start working on nanbield too then!

Steve




Re: [OE-core][mickledore 0/5] Patch review

2023-10-31 Thread Richard Purdie
On Tue, 2023-10-31 at 05:35 -1000, Steve Sakoman wrote:
> Please review this set of patches for mickledore and have comments back by
> end of day Thursday, November 2
> 
> Passed a-full on autobuilder:
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6123
> 
> The following changes since commit e9ca1405b732720ff72d379e0262a78bfd2e7d53:
> 
>   busybox: Set PATH in syslog initscript (2023-10-19 04:34:38 -1000)
> 
> are available in the Git repository at:
> 
>   https://git.openembedded.org/openembedded-core-contrib stable/mickledore-nut
>   
> https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/mickledore-nut
> 
> Peter Marko (1):
>   openssl: Upgrade 3.1.3 -> 3.1.4
> 
> Xiangyu Chen (4):
>   grub2: fix CVE-2023-4692
>   grub2: fix CVE-2023-4693
>   shadow: Fix CVE-2023-4641
>   linux-yocto: make sure the pahole-native available before
> do_kernel_configme
> 

Some of these are not in nanbield :/

Cheers,

Richard





[OE-core][kirkstone][PATCH v3 1/1] libwebp: Fix CVE-2023-4863

2023-10-31 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Heap buffer overflow in WebP in Google Chrome prior to
116.0.5845.187 allowed a remote attacker to perform an
out of bounds memory write via a crafted HTML page.

CVE: CVE-2023-4863

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

Signed-off-by: Soumya Sambu 
---
 .../webp/files/CVE-2023-4863.patch| 53 +++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
new file mode 100644
index 00..2b1817822c
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud 
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+
+Signed-off-by: Soumya Sambu 
+---
+ src/dec/vp8l_dec.c | 15 +--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 186b0b2..59a9e64 100644
+--- a/src/dec/vp8l_dec.c
 b/src/dec/vp8l_dec.c
+@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, 
uint32_t* const data,
+   }
+
+   br->eos_ = VP8LIsEndOfStream(br);
+-  if (dec->incremental_ && br->eos_ && src < src_end) {
++  // In incremental decoding:
++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++  // 'src_last' has not been reached yet, there is not enough data. 'dec' has 
to
++  // be reset until there is more data.
++  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++  // fully read, either enough has been read to reach 'src_last'.
++  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually 
go
++  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
++  // The buffer might have been enough or there is some left. 'br->eos_' does
++  // not matter.
++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= 
src_last);
++  if (dec->incremental_ && br->eos_ && src < src_last) {
+ RestoreState(dec);
+-  } else if (!br->eos_) {
++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+ // Process the remaining rows corresponding to last row-block.
+ if (process_func != NULL) {
+   process_func(dec, row > last_row ? last_row : row);
+--
+2.40.0
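Review bot: the runtime fix here is the changed conditions (src < src_last instead of src < src_end, and the new (dec->incremental_ && src >= src_last) arm of the else-if), not the added assert(), which compiles out under NDEBUG, so the backport's behaviour does not depend on assertions being enabled. The hunk adds an assert() but shows no include, so confirm that src/dec/vp8l_dec.c in libwebp 1.2.4 already includes <assert.h>, otherwise the backport will fail to build when assertions are on.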
diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb 
b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
index 4defdd5e42..0728ca60f5 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
@@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
 SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
file://CVE-2023-1999.patch \
file://CVE-2023-5129.patch \
+   file://CVE-2023-4863.patch \
"
 SRC_URI[sha256sum] = 
"7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
 
-- 
2.40.0





Patchtest results for [OE-core][mickledore 2/5] grub2: fix CVE-2023-4693

2023-10-31 Thread Steve Sakoman
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch 
/home/patchtest/share/mboxes/mickledore-2-5-grub2-fix-CVE-2023-4693.patch

FAIL: test CVE presence in commit message: A CVE tag should be provided in the 
commit message with format: "CVE: CVE--" 
(test_mbox.TestMbox.test_cve_presence_in_commit_message)

PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence 
(test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence 
(test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence 
(test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence 
(test_mbox.TestMbox.test_commit_message_presence)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest lic files chksum modified not mentioned: No modified recipes, 
skipping pretest 
(test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not_mentioned)
SKIP: pretest pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.pretest_pylint)
SKIP: pretest src uri left files: Patch cannot be merged 
(test_metadata.TestMetadata.pretest_src_uri_left_files)
SKIP: test bugzilla entry format: No bug ID found 
(test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum modified not mentioned: No modified recipes, 
skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
SKIP: test lic files chksum presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now 
(test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test src uri left files: Patch cannot be merged 
(test_metadata.TestMetadata.test_src_uri_left_files)
SKIP: test summary presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_summary_presence)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!




Patchtest results for [OE-core][mickledore 5/5] linux-yocto: make sure the pahole-native available before do_kernel_configme

2023-10-31 Thread Steve Sakoman
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch 
/home/patchtest/share/mboxes/mickledore-5-5-linux-yocto-make-sure-the-pahole-native-available-before-do_kernel_configme.patch

FAIL: test shortlog length: Edit shortlog so that it is 90 characters or less 
(currently 93 characters) (test_mbox.TestMbox.test_shortlog_length)

PASS: test Signed-off-by presence 
(test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence 
(test_mbox.TestMbox.test_commit_message_presence)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)

SKIP: pretest lic files chksum modified not mentioned: No modified recipes, 
skipping pretest 
(test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not_mentioned)
SKIP: pretest pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.pretest_pylint)
SKIP: pretest src uri left files: No modified recipes, skipping pretest 
(test_metadata.TestMetadata.pretest_src_uri_left_files)
SKIP: test CVE presence in commit message: No new patches introduced 
(test_mbox.TestMbox.test_cve_presence_in_commit_message)
SKIP: test CVE tag format: No new CVE patches introduced 
(test_patch.TestPatch.test_cve_tag_format)
SKIP: test Signed-off-by presence: No new CVE patches introduced 
(test_patch.TestPatch.test_signed_off_by_presence)
SKIP: test Upstream-Status presence: No new CVE patches introduced 
(test_patch.TestPatch.test_upstream_status_presence_format)
SKIP: test bugzilla entry format: No bug ID found 
(test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum modified not mentioned: No modified recipes, 
skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
SKIP: test lic files chksum presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now 
(test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test src uri left files: No modified recipes, skipping pretest 
(test_metadata.TestMetadata.test_src_uri_left_files)
SKIP: test summary presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check other mailing 
lists (test_mbox.TestMbox.test_target_mailing_list)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!




Patchtest results for [OE-core][mickledore 1/5] grub2: fix CVE-2023-4692

2023-10-31 Thread Steve Sakoman
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch 
/home/patchtest/share/mboxes/mickledore-1-5-grub2-fix-CVE-2023-4692.patch

FAIL: test CVE presence in commit message: A CVE tag should be provided in the 
commit message with format: "CVE: CVE--" 
(test_mbox.TestMbox.test_cve_presence_in_commit_message)

PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence 
(test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence 
(test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence 
(test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence 
(test_mbox.TestMbox.test_commit_message_presence)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)

SKIP: pretest lic files chksum modified not mentioned: No modified recipes, 
skipping pretest 
(test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not_mentioned)
SKIP: pretest pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.pretest_pylint)
SKIP: pretest src uri left files: No modified recipes, skipping pretest 
(test_metadata.TestMetadata.pretest_src_uri_left_files)
SKIP: test bugzilla entry format: No bug ID found 
(test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum modified not mentioned: No modified recipes, 
skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
SKIP: test lic files chksum presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now 
(test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test src uri left files: No modified recipes, skipping pretest 
(test_metadata.TestMetadata.test_src_uri_left_files)
SKIP: test summary presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check other mailing 
lists (test_mbox.TestMbox.test_target_mailing_list)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!




Patchtest results for [OE-core][mickledore 3/5] shadow: Fix CVE-2023-4641

2023-10-31 Thread Steve Sakoman
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch 
/home/patchtest/share/mboxes/mickledore-3-5-shadow-Fix-CVE-2023-4641.patch

FAIL: test CVE presence in commit message: A CVE tag should be provided in the 
commit message with format: "CVE: CVE--" 
(test_mbox.TestMbox.test_cve_presence_in_commit_message)

PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence 
(test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence 
(test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence 
(test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence 
(test_mbox.TestMbox.test_commit_message_presence)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)

SKIP: pretest lic files chksum modified not mentioned: No modified recipes, 
skipping pretest 
(test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not_mentioned)
SKIP: pretest pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.pretest_pylint)
SKIP: pretest src uri left files: No modified recipes, skipping pretest 
(test_metadata.TestMetadata.pretest_src_uri_left_files)
SKIP: test bugzilla entry format: No bug ID found 
(test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum modified not mentioned: No modified recipes, 
skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
SKIP: test lic files chksum presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now 
(test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test src uri left files: No modified recipes, skipping pretest 
(test_metadata.TestMetadata.test_src_uri_left_files)
SKIP: test summary presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check other mailing 
lists (test_mbox.TestMbox.test_target_mailing_list)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!




[OE-core][mickledore 5/5] linux-yocto: make sure the pahole-native available before do_kernel_configme

2023-10-31 Thread Steve Sakoman
From: Xiangyu Chen 

When using debug-btf.scc in a clean workspace, CONFIG_MODULE_ALLOW_BTF_MISMATCH
cannot be applied to the kernel until the kernel code is cleaned
(bitbake linux-yocto -c cleanall) and rebuilt.

After tracking the code: some options depend on CONFIG_PAHOLE_VERSION, which is
generated by scripts/pahole-version.sh in the kernel, but during the
do_kernel_configme step pahole-native is not yet available in sysroot-native,
so we need to wait for pahole-native to be installed into sysroot-native
before do_kernel_configme.

(cherry picked from commit 217a4db53edbd88001f6390bbff39e5dd3d137af)
Signed-off-by: Xiangyu Chen 
Signed-off-by: Luca Ceresoli 
Signed-off-by: Richard Purdie 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-kernel/linux/linux-yocto.inc | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto.inc 
b/meta/recipes-kernel/linux/linux-yocto.inc
index 04a8105e17..461e5684cd 100644
--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -65,7 +65,10 @@ KERNEL_DEBUG ?= ""
 DEPENDS += '${@bb.utils.contains_any("ARCH", [ "x86", "arm64" ], 
"elfutils-native", "", d)}'
 DEPENDS += "openssl-native util-linux-native"
 DEPENDS += "gmp-native libmpc-native"
-DEPENDS += '${@bb.utils.contains("KERNEL_DEBUG", "True", "pahole-native", "", 
d)}'
+
+# Some options depend on CONFIG_PAHOLE_VERSION, so need to make pahole-native 
available before do_kernel_configme
+do_kernel_configme[depends] += '${@bb.utils.contains("KERNEL_DEBUG", "True", 
"pahole-native:do_populate_sysroot", "", d)}'
+
 EXTRA_OEMAKE += '${@bb.utils.contains("KERNEL_DEBUG", "True", "", 
"PAHOLE=false", d)}'
 
 do_devshell:prepend() {
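Review bot: the hunk removes pahole-native from DEPENDS altogether and replaces it with a do_kernel_configme[depends] on pahole-native:do_populate_sysroot, but the commit message only explains the configme ordering. The EXTRA_OEMAKE line below shows pahole is still used at compile time whenever KERNEL_DEBUG is "True", so it relies on the task-level dependency also populating the recipe sysroot for the later tasks; a sentence saying so in the message would make the removal of the DEPENDS entry clearly intentional rather than an oversight.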
-- 
2.34.1





[OE-core][mickledore 4/5] openssl: Upgrade 3.1.3 -> 3.1.4

2023-10-31 Thread Steve Sakoman
From: Peter Marko 

https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-313-and-openssl-314-24-oct-2023

Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [24 Oct 2023]
* Mitigate incorrect resize handling for symmetric cipher keys and IVs. 
(CVE-2023-5363)

Signed-off-by: Peter Marko 
Signed-off-by: Steve Sakoman 
---
 .../openssl/{openssl_3.1.3.bb => openssl_3.1.4.bb}  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.1.3.bb => 
openssl_3.1.4.bb} (99%)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.3.bb 
b/meta/recipes-connectivity/openssl/openssl_3.1.4.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.1.3.bb
rename to meta/recipes-connectivity/openssl/openssl_3.1.4.bb
index ff9df693b8..72338b0022 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.3.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.4.bb
@@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
 
-SRC_URI[sha256sum] = 
"f0316a2ebd89e7f2352976445458689f80302093788c466692fb2a188b2eacf6"
+SRC_URI[sha256sum] = 
"840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
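Review bot: the only content change in the hunk is the new SRC_URI[sha256sum] for the 3.1.4 tarball, which is expected for a version bump, but since this upgrade is being taken as the fix for CVE-2023-5363 named in the NEWS excerpt, add a `CVE: CVE-2023-5363` tag line to the commit message in the form patchtest's test_cve_presence_in_commit_message looks for, so the fix is machine-detectable rather than only mentioned in prose.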
-- 
2.34.1





[OE-core][mickledore 3/5] shadow: Fix CVE-2023-4641

2023-10-31 Thread Steve Sakoman
From: Xiangyu Chen 

shadow-utils: possible password leak during passwd(1) change

Signed-off-by: Xiangyu Chen 
Signed-off-by: Steve Sakoman 
---
 .../shadow/files/CVE-2023-4641.patch  | 147 ++
 meta/recipes-extended/shadow/shadow.inc   |   1 +
 2 files changed, 148 insertions(+)
 create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-4641.patch

diff --git a/meta/recipes-extended/shadow/files/CVE-2023-4641.patch 
b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
new file mode 100644
index 00..1fabfe928e
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
@@ -0,0 +1,147 @@
+From 25dbe2ce166a13322b7536ff2f738786ea2e61e7 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar 
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password).  Each of those 2 password prompts
+uses agetpass() to get the password.  If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+-  malloc(3) or readpassphrase(3) failure.
+
+   These are going to be difficult to trigger.  Maybe getting the system
+   to the limits of memory utilization at that exact point, so that the
+   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+   About readpassphrase(3), ENFILE and EINTR seem the only plausible
+   ones, and EINTR probably requires privilege or being the same user;
+   but I wouldn't discard ENFILE so easily, if a process starts opening
+   files.
+
+-  The password is longer than PASS_MAX.
+
+   The is plausible with physical access.  However, at that point, a
+   keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable.  Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> -  brk / sbrk
+> -  mmap MAP_ANONYMOUS
+> -  mmap /dev/zero
+> -  mmap some other file
+> -  shm_open
+> -  shmget
+>
+> Most of these return only pages of zeros to a process.  Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process.  It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> -  /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> -  ptrace (requires ptrace privileges, mediated by YAMA)
+> -  causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack.  Those copies won't get zeroed
+by explicit_bzero(3).  However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3).  But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible.  Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~
+
+We believe this isn't easy to exploit.  Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
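Review bot: the archive truncates this new patch file partway through the upstream commit message, so neither the code change nor the backport header lines are visible here for review; before merging, confirm the file carries `Upstream-Status: Backport` and `CVE: CVE-2023-4641` lines as the two grub2 patches in this series do, since test_patch.TestPatch.test_cve_tag_format checks for them.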

[OE-core][mickledore 2/5] grub2: fix CVE-2023-4693

2023-10-31 Thread Steve Sakoman
From: Xiangyu Chen 

There is an out-of-bounds read in fs/ntfs.c; a physically present attacker
may leverage it by presenting a specially crafted NTFS file system
image to read arbitrary memory locations. A successful attack may allow
sensitive data cached in memory or EFI variable values to be leaked,
presenting a high Confidentiality risk.

Signed-off-by: Xiangyu Chen 
Signed-off-by: Steve Sakoman 
---
 .../grub/files/CVE-2023-4693.patch| 63 +++
 meta/recipes-bsp/grub/grub2.inc   |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4693.patch

diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch 
b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
new file mode 100644
index 00..544226a9aa
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
@@ -0,0 +1,63 @@
+From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov 
+Date: Mon, 28 Aug 2023 16:32:33 +0300
+Subject: fs/ntfs: Fix an OOB read when reading data from the resident $DATA
+ attribute
+
+When reading a file containing resident data, i.e., the file data is stored in
+the $DATA attribute within the NTFS file record, not in external clusters,
+there are no checks that this resident data actually fits the corresponding
+file record segment.
+
+When parsing a specially-crafted file system image, the current NTFS code will
+read the file data from an arbitrary, attacker-chosen memory offset and of
+arbitrary, attacker-chosen length.
+
+This allows an attacker to display arbitrary chunks of memory, which could
+contain sensitive information like password hashes or even plain-text,
+obfuscated passwords from BS EFI variables.
+
+This fix implements a check to ensure that resident data is read from the
+corresponding file record segment only.
+
+Fixes: CVE-2023-4693
+
+Upstream-Status: Backport from 
+[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
+CVE: CVE-2023-4693
+
+Reported-by: Maxim Suhanov 
+Signed-off-by: Maxim Suhanov 
+Reviewed-by: Daniel Kiper 
+Signed-off-by: Xiangyu Chen 
+---
+ grub-core/fs/ntfs.c | 13 -
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index c3c4db1..a68e173 100644
+--- a/grub-core/fs/ntfs.c
 b/grub-core/fs/ntfs.c
+@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, 
grub_uint8_t *dest,
+ {
+   if (ofs + len > u32at (pa, 0x10))
+   return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+-  grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
++
++  if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++  return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
++
++  if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++  return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++  if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++(grub_addr_t) at->mft->buf + (at->mft->data->mft_size << 
GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
++  return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++  grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
+   return 0;
+ }
+ 
+-- 
+cgit v1.1
+
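Review bot: the third added check compares u16at(pa, 0x14) + u32at(pa, 0x10) against the bytes remaining between pa and the end of the MFT record buffer, which is the real bound; the first added check on u32at(pa, 0x10) alone is what keeps that sum from wrapping, so the two belong together and a one-line comment saying so would help future readers. Also note that the memcpy now reads the data offset with u16at(pa, 0x14) where the removed line used u32at(pa, 0x14); this width change is consistent with the new bound check but is not mentioned in the commit message and should be.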
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index ac73a0b940..fa949fc081 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -43,6 +43,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0001-risc-v-Handle-R_RISCV_CALL_PLT-reloc.patch \
file://0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch \
file://CVE-2023-4692.patch \
+   file://CVE-2023-4693.patch \
 "
 
 SRC_URI[sha256sum] = 
"23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
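Review bot: keep the new file://CVE-2023-4693.patch entry after file://CVE-2023-4692.patch, as it is here: the 4693 patch's index line (c3c4db1..a68e173) starts from the blob that the 4692 patch produces (bbdbe24..c3c4db1), so reordering them would make the second patch fail to apply. A note in the commit message that 2/5 depends on 1/5 would save the next backporter from discovering that the hard way.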
-- 
2.34.1





[OE-core][mickledore 1/5] grub2: fix CVE-2023-4692

2023-10-31 Thread Steve Sakoman
From: Xiangyu Chen 

Crafted file system images can cause a heap-based buffer overflow and may
allow arbitrary code execution and secure boot bypass.

Reference:
https://security-tracker.debian.org/tracker/CVE-2023-4692

Signed-off-by: Xiangyu Chen 
Signed-off-by: Steve Sakoman 
---
 .../grub/files/CVE-2023-4692.patch| 98 +++
 meta/recipes-bsp/grub/grub2.inc   |  1 +
 2 files changed, 99 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4692.patch

diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch 
b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
new file mode 100644
index 00..305fcc93d8
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
@@ -0,0 +1,98 @@
+From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov 
+Date: Mon, 28 Aug 2023 16:31:57 +0300
+Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST 
attribute
+ for the $MFT file
+
+When parsing an extremely fragmented $MFT file, i.e., the file described
+using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
+containing bytes read from the underlying drive to store sector numbers,
+which are consumed later to read data from these sectors into another buffer.
+
+These sectors numbers, two 32-bit integers, are always stored at predefined
+offsets, 0x10 and 0x14, relative to first byte of the selected entry within
+the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
+
+However, when parsing a specially-crafted file system image, this may cause
+the NTFS code to write these integers beyond the buffer boundary, likely
+causing the GRUB memory allocator to misbehave or fail. These integers contain
+values which are controlled by on-disk structures of the NTFS file system.
+
+Such modification and resulting misbehavior may touch a memory range not
+assigned to the GRUB and owned by firmware or another EFI application/driver.
+
+This fix introduces checks to ensure that these sector numbers are never
+written beyond the boundary.
+
+Fixes: CVE-2023-4692
+
+Upstream-Status: Backport from 
+[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea]
+CVE: CVE-2023-4692
+
+Reported-by: Maxim Suhanov 
+Signed-off-by: Maxim Suhanov 
+Reviewed-by: Daniel Kiper 
+Signed-off-by: Xiangyu Chen 
+---
+ grub-core/fs/ntfs.c | 18 +-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index bbdbe24..c3c4db1 100644
+--- a/grub-core/fs/ntfs.c
 b/grub-core/fs/ntfs.c
+@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ }
+   if (at->attr_end)
+ {
+-  grub_uint8_t *pa;
++  grub_uint8_t *pa, *pa_end;
+ 
+   at->emft_buf = grub_malloc (at->mft->data->mft_size << 
GRUB_NTFS_BLK_SHR);
+   if (at->emft_buf == NULL)
+@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+   }
+ at->attr_nxt = at->edat_buf;
+ at->attr_end = at->edat_buf + u32at (pa, 0x30);
++pa_end = at->edat_buf + n;
+   }
+   else
+   {
+ at->attr_nxt = at->attr_end + u16at (pa, 0x14);
+ at->attr_end = at->attr_end + u32at (pa, 4);
++pa_end = at->mft->buf + (at->mft->data->mft_size << 
GRUB_NTFS_BLK_SHR);
+   }
+   at->flags |= GRUB_NTFS_AF_ALST;
+   while (at->attr_nxt < at->attr_end)
+@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ at->flags |= GRUB_NTFS_AF_GPOS;
+ at->attr_cur = at->attr_nxt;
+ pa = at->attr_cur;
++
++if ((pa >= pa_end) || (pa_end - pa < 0x18))
++  {
++grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++return NULL;
++  }
++
+ grub_set_unaligned32 ((char *) pa + 0x10,
+   grub_cpu_to_le32 (at->mft->data->mft_start));
+ grub_set_unaligned32 ((char *) pa + 0x14,
+@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+   {
+ if (*pa != attr)
+   break;
++
++  if ((pa >= pa_end) || (pa_end - pa < 0x18))
++{
++grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++return NULL;
++  }
++
+ if (read_attr
+ (at, pa + 0x10,
+  u32at (pa, 0x10) * (at->mft->data->mft_size << 
GRUB_NTFS_BLK_SHR),
+-- 
+cgit v1.1
+
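Review bot: in the second added check (inside the loop after `if (*pa != attr) break;`), the byte at `*pa` is read before the new `pa >= pa_end` test runs, so a one-byte read at pa_end is still possible before the check fires; moving the check above the `*pa != attr` comparison, as the first added check already does by sitting right after `pa = at->attr_cur;`, would close that. The same `(pa >= pa_end) || (pa_end - pa < 0x18)` test appears twice; a small static helper with a comment explaining why 0x18 is the minimum entry size would make the intent clearer.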
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 58b215d79c..ac73a0b940 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -42,6 +42,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://CVE-2022-3775.patch \
file://0001-risc-v-Handle-R_RISCV_CALL_PLT-reloc.patch \

[OE-core][mickledore 0/5] Patch review

2023-10-31 Thread Steve Sakoman
Please review this set of patches for mickledore and have comments back by
end of day Thursday, November 2.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6123

The following changes since commit e9ca1405b732720ff72d379e0262a78bfd2e7d53:

  busybox: Set PATH in syslog initscript (2023-10-19 04:34:38 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/mickledore-nut
  
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/mickledore-nut

Peter Marko (1):
  openssl: Upgrade 3.1.3 -> 3.1.4

Xiangyu Chen (4):
  grub2: fix CVE-2023-4692
  grub2: fix CVE-2023-4693
  shadow: Fix CVE-2023-4641
  linux-yocto: make sure the pahole-native available before
do_kernel_configme

 .../grub/files/CVE-2023-4692.patch|  98 
 .../grub/files/CVE-2023-4693.patch|  63 
 meta/recipes-bsp/grub/grub2.inc   |   2 +
 .../{openssl_3.1.3.bb => openssl_3.1.4.bb}|   2 +-
 .../shadow/files/CVE-2023-4641.patch  | 147 ++
 meta/recipes-extended/shadow/shadow.inc   |   1 +
 meta/recipes-kernel/linux/linux-yocto.inc |   5 +-
 7 files changed, 316 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4692.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4693.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.1.3.bb => 
openssl_3.1.4.bb} (99%)
 create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-4641.patch

-- 
2.34.1





Re: [OE-core] [PATCH] package: split strip cmd when ccache is used

2023-10-31 Thread Christopher Larson
I'd suggest using shlex.split() all the time when dealing with pieces of a
shell command-line, rather than assuming single-word or using str.split().

On Tue, Oct 31, 2023 at 5:26 AM Richard Purdie <
richard.pur...@linuxfoundation.org> wrote:

> On Mon, 2023-10-30 at 22:27 -0600, Javier Tia wrote:
> > Using ccache stopped to work after 77497dbdca with following error:
> >
> >   FileNotFoundError: [Errno 2] No such file or directory: 'ccache
> aarch64-trs-linux-strip'
> >
> > Signed-off-by: Javier Tia 
> > ---
> >  meta/lib/oe/package.py | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
> > index 1dd20f85eb..2685da0af9 100644
> > --- a/meta/lib/oe/package.py
> > +++ b/meta/lib/oe/package.py
> > @@ -39,7 +39,7 @@ def runstrip(arg):
> >  newmode = origmode | stat.S_IWRITE | stat.S_IREAD
> >  os.chmod(file, newmode)
> >
> > -stripcmd = [strip]
> > +stripcmd = strip.split() if "ccache" in strip else [strip]
> >  skip_strip = False
> >  # kernel module
> >  if elftype & 16:
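Review bot: `strip.split()` is applied only when the string contains "ccache", so any other multi-word STRIP value (another wrapper, or a quoted path) still fails with the same FileNotFoundError, and the packaging code now special-cases one tool. Splitting unconditionally with shlex.split(strip) handles both the single-word and the wrapper cases, respects quoting, and removes the ccache check from package.py entirely.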
>
> That looks very like a hack/workaround rather than a real fix. The
> packaging code shouldn't know/care about ccache.
>
> Should we always be splitting strip?
>
> Cheers,
>
> Richard
>
>
>
> 
>
>

-- 
Christopher Larson
chris_lar...@mentor.com, chris.lar...@siemens.com, kerg...@gmail.com
Principal Software Engineer, Embedded Linux Solutions, Siemens Digital
Industries Software
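An added illustration of the point Chris makes above, written for this page rather than taken from OE-core's package.py: `build_strip_cmd` and the sample STRIP values below are hypothetical, and the function stands in for the `stripcmd = [strip]` line in runstrip(). It shows why shlex.split() is the right tool for turning a STRIP variable into an argv list: the single-word case, the ccache wrapper case from the patch, and a quoted path containing a space all come out correctly, while str.split() breaks the quoted path and the original `[strip]` hands "ccache aarch64-trs-linux-strip" to exec as one non-existent program name.

```python
import shlex

# Constructed STRIP values for illustration (not taken from any OE-core build).
SAMPLE_STRIP_VALUES = [
    "aarch64-trs-linux-strip",                  # plain single-word STRIP
    "ccache aarch64-trs-linux-strip",           # wrapper case from the patch
    "'/opt/my tools/bin/strip' --strip-debug",  # quoted path with a space
]


def build_strip_cmd(strip, extra_args, target):
    """Build the argv list for one strip invocation from the STRIP variable.

    Hypothetical replacement for the ``stripcmd = [strip]`` line in
    runstrip(): the value is tokenised with shlex.split(), so a wrapper
    such as ccache, ordinary arguments, and shell-style quoting are all
    handled without any tool-specific special case.
    """
    argv = shlex.split(strip)
    if not argv:
        raise ValueError("STRIP is empty")
    return argv + list(extra_args) + [target]


def naive_split_differs(strip):
    """True when str.split() and shlex.split() disagree on a STRIP value.

    They agree on whitespace-only separation (the ccache case) but not on
    quoted tokens, which is why str.split() is not a safe general choice.
    """
    return strip.split() != shlex.split(strip)


def split_report(values=SAMPLE_STRIP_VALUES):
    """Map each sample STRIP value to its shlex-tokenised argv."""
    return {v: shlex.split(v) for v in values}


if __name__ == "__main__":
    for value, argv in split_report().items():
        print(f"{value!r:45} -> {argv}")
```

Running the block prints the tokenisation of each sample value; the quoted path is the case that distinguishes shlex.split() from str.split().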




Re: [OE-core] [PATCH] oeqa/selftest/context: Rely on bitbake-getvar --value to only return value

2023-10-31 Thread Peter Kjellerstedt
*ping*

> -Original Message-
> From: openembedded-core@lists.openembedded.org 
>  On Behalf Of Peter Kjellerstedt
> Sent: den 6 oktober 2023 17:38
> To: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH] oeqa/selftest/context: Rely on bitbake-getvar 
> --value to only return value
> 
> > -Original Message-
> > From: openembedded-core@lists.openembedded.org 
> >  On Behalf Of Peter Kjellerstedt
> > Sent: den 23 september 2023 06:06
> > To: openembedded-core@lists.openembedded.org
> > Subject: [OE-core] [PATCH] oeqa/selftest/context: Rely on bitbake-getvar 
> > --value to only return value
> >
> > Before, "bitbake-getvar --value " would include log output together
> > with the value. This was handled by piping the output to "tail -1".
> > Now, "bitbake-getvar --value" will no longer output any logs so the
> > piping to "tail" is no longer needed.
> >
> > Signed-off-by: Peter Kjellerstedt 
> > ---
> >
> > This of course relies on the corresponding patch for bitbake-getvar to
> > have been applied first.
> >
> >  meta/lib/oeqa/selftest/context.py | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/lib/oeqa/selftest/context.py 
> > b/meta/lib/oeqa/selftest/context.py
> > index 5a09aeedff..c148aa5aab 100644
> > --- a/meta/lib/oeqa/selftest/context.py
> > +++ b/meta/lib/oeqa/selftest/context.py
> > @@ -111,7 +111,7 @@ class OESelftestTestContext(OETestContext):
> >
> >  # Relative paths in BBLAYERS only works when the new build dir 
> > share the same ascending node
> >  if self.newbuilddir:
> > -bblayers = subprocess.check_output("bitbake-getvar --value 
> > BBLAYERS | tail -1", cwd=builddir, shell=True, text=True)
> > +bblayers = subprocess.check_output("bitbake-getvar --value 
> > BBLAYERS", cwd=builddir, shell=True, text=True)
> >  if '..' in bblayers:
> >  bblayers_abspath = [os.path.abspath(path) for path in 
> > bblayers.split()]
> >  with open("%s/conf/bblayers.conf" % newbuilddir, "a") as f:
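Review bot: the replaced line keeps `shell=True` even though the `| tail -1` pipe, the only reason a shell was needed, is gone; `subprocess.check_output(["bitbake-getvar", "--value", "BBLAYERS"], cwd=builddir, text=True)` avoids the shell entirely. As the message notes, this only works once bitbake-getvar stops emitting logs on stdout, so the change must land after that bitbake fix.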
> 
> Since the fixes to bitbake-getvalue have merged, it should be possible
> to merge this now.
> 
> //Peter

//Peter





Re: Patchtest results for [OE-core][PATCH] patchtest: shorten test result outputs

2023-10-31 Thread Trevor Gamblin


On 2023-10-31 10:54, Michael Opdenacker wrote:
> Hi Trevor,
>
> On 31.10.23 at 15:20, Trevor Gamblin wrote:
>> Thank you for your submission. Patchtest identified one
>> or more issues with the patch. Please see the log below for
>> more information:
>>
>> ---
>> Testing patch
>> /home/patchtest/share/mboxes/patchtest-shorten-test-result-outputs.patch
>
> Thanks for this very useful service!
>
> However, could the replies have an "In-Reply-To" header so that e-mail
> clients can put the reply in the same thread as the patch?

Hi Michael,

There is actually already a bug open:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=15270

I'm looking at it now, but still figuring out the implementation.

- Trevor

> Happy to create an entry in Bugzilla if this helps.
> Cheers
> Michael.


View/Reply Online (#189849): https://lists.openembedded.org/g/openembedded-core/message/189849



Patchtest results for [OE-core][kirkstone][PATCH v2 1/1] libwebp: Fix CVE-2023-4863

2023-10-31 Thread Soumya via lists.openembedded.org
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch 
/home/patchtest/share/mboxes/kirkstone-v2-1-1-libwebp-Fix-CVE-2023-4863.patch

FAIL: test CVE presence in commit message: A CVE tag should be provided in the 
commit message with format: "CVE: CVE--" 
(test_mbox.TestMbox.test_cve_presence_in_commit_message)

PASS: pretest lic files chksum modified not mentioned 
(test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not_mentioned)
PASS: pretest src uri left files 
(test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence 
(test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence 
(test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence 
(test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence 
(test_mbox.TestMbox.test_commit_message_presence)
PASS: test lic files chksum modified not mentioned 
(test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files 
(test_metadata.TestMetadata.test_src_uri_left_files)

SKIP: pretest pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found 
(test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now 
(test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check other mailing 
lists (test_mbox.TestMbox.test_target_mailing_list)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

View/Reply Online (#189848): https://lists.openembedded.org/g/openembedded-core/message/189848
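The FAIL above is a mechanical check: patchtest looks for a line of the form `CVE: CVE-YYYY-NNNN` in the commit message, while separate checks inspect each newly added .patch file for its own `CVE:` tag and `Upstream-Status:` line. As an added example, not patchtest's code, here is a Python reimplementation of those checks run over a constructed mbox shaped like the libwebp submission (author, address and the new-file index hash are made up; the regexes and check names are this example's own assumptions). It also shows the skip the CVE-free submission later on this page needed: when the series adds no CVE patch, the commit-message check is skipped rather than failed.

```python
import re

# Tag conventions the checks look for. These regexes and check names are this
# example's assumptions about the format, not patchtest's code.
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CVE_TAG_RE = re.compile(r"^CVE:\s*(CVE-\d{4}-\d{4,})\s*$", re.MULTILINE)
UPSTREAM_STATUS_RE = re.compile(r"^Upstream-Status:\s*\S", re.MULTILINE)

# Constructed sample mbox shaped like the libwebp submission flagged above: the
# CVE: tag is in the new .patch file and in its name but not in the commit
# message. Author, address and the new-file index hash are made up.
SAMPLE_MBOX = """\
From: Jane Developer <jane@example.com>
Subject: [OE-core][kirkstone][PATCH] libwebp: Fix CVE-2023-4863

Heap buffer overflow in WebP (constructed summary for this example).

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863

Signed-off-by: Jane Developer <jane@example.com>
---
 .../webp/files/CVE-2023-4863.patch            | 5 +++++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 1 +
 2 files changed, 6 insertions(+)

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
new file mode 100644
index 0000000..1111111
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
@@ -0,0 +1,5 @@
+Subject: [PATCH] Fix invalid incremental decoding check.
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
index 4defdd5e42..0728ca60f5 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \\
            file://CVE-2023-5129.patch \\
+           file://CVE-2023-4863.patch \\
            "
"""


def split_mbox_patch(mbox):
    """Split a git format-patch mbox into (commit_message, diff) at the first
    line that is exactly '---', which is how format-patch separates them."""
    head, sep, diff = mbox.partition("\n---\n")
    if not sep:
        raise ValueError("no '---' separator: not a git format-patch mbox")
    return head, diff


def added_files(diff):
    """Yield (path, content) for each file the diff creates from /dev/null; the
    content is rebuilt from the '+' lines after the first hunk header."""
    parts = re.split(r"^diff --git a/(\S+) b/\S+\n", diff, flags=re.MULTILINE)
    for path, body in zip(parts[1::2], parts[2::2]):
        if not re.search(r"^--- /dev/null$", body, re.MULTILINE):
            continue
        lines = body.splitlines()
        hunks = [i for i, l in enumerate(lines) if l.startswith("@@")]
        if hunks:
            yield path, "\n".join(l[1:] for l in lines[hunks[0] + 1:] if l.startswith("+"))


def check_cve_tags(mbox):
    """Return {check_name: (passed, detail)}; passed is None for a skipped check."""
    commit_msg, diff = split_mbox_patch(mbox)
    results = {}
    cve_patches = [(p, c) for p, c in added_files(diff)
                   if p.endswith(".patch") and (CVE_ID_RE.search(p) or CVE_TAG_RE.search(c))]

    # The commit-message tag only makes sense when the series carries a CVE
    # fix; for any other patch the check is skipped rather than failed.
    if not cve_patches:
        results["cve_presence_in_commit_message"] = (None, "no CVE patches introduced, skipped")
    else:
        tags = CVE_TAG_RE.findall(commit_msg)
        results["cve_presence_in_commit_message"] = (bool(tags), f"tags in commit message: {tags}")

    for path, content in cve_patches:
        tag = CVE_TAG_RE.search(content)
        name_id = CVE_ID_RE.search(path)
        # The tag inside the file is what tooling parses; if the file name also
        # names a CVE, the two must agree.
        ok = tag is not None and (name_id is None or name_id.group(0) == tag.group(1))
        results[f"cve_tag_format:{path}"] = (ok, "no CVE: tag" if tag is None else f"tag {tag.group(1)}")
        results[f"upstream_status_presence:{path}"] = (bool(UPSTREAM_STATUS_RE.search(content)), "")
    return results
```

Running `check_cve_tags(SAMPLE_MBOX)` reproduces the result above: the patch-file checks pass, the commit-message check fails; inserting a `CVE: CVE-2023-4863` line into the commit message turns it green, and a series that adds no CVE patch gets a skip instead of a failure.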



Re: Patchtest results for [OE-core][PATCH] patchtest: shorten test result outputs

2023-10-31 Thread Michael Opdenacker via lists.openembedded.org

Hi Trevor,

On 31.10.23 at 15:20, Trevor Gamblin wrote:
> Thank you for your submission. Patchtest identified one
> or more issues with the patch. Please see the log below for
> more information:
>
> ---
> Testing patch
> /home/patchtest/share/mboxes/patchtest-shorten-test-result-outputs.patch


Thanks for this very useful service!

However, could the replies have an "In-Reply-To" header so that e-mail 
clients can put the reply in the same thread as the patch?


Happy to create an entry in Bugzilla if this helps.
Cheers
Michael.

--
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


View/Reply Online (#189847): https://lists.openembedded.org/g/openembedded-core/message/189847
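The threading Michael asks for depends on two headers: In-Reply-To, which names the mail being answered, and References, which carries the whole chain. As an added example (not patchtest's code; the sample mail, address and Message-ID are constructed), this shows how a reply generator sets them with Python's standard library and how to verify the result:

```python
import email
from email.message import EmailMessage
from email.policy import default

# Constructed sample of a patch mail as it would sit in patchtest's mbox
# directory. Address and Message-ID are made up for the example.
PATCH_MAIL = """\
From: Jane Developer <jane@example.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][PATCH] example: fix a thing
Message-ID: <20231031120000.1234-1-jane@example.com>
Date: Tue, 31 Oct 2023 12:00:00 +0000

Fix a thing.
"""


def build_reply(original_text: str, body: str, sender: str) -> EmailMessage:
    """Return a reply that mail clients will thread under the original.

    In-Reply-To carries the parent's Message-ID; References carries the
    parent's own References chain (if any) followed by its Message-ID, which
    is what RFC 5322 prescribes and what threading clients key on.
    """
    original = email.message_from_string(original_text, policy=default)
    if original["Message-ID"] is None:
        raise ValueError("original message has no Message-ID; cannot thread the reply")
    parent_id = str(original["Message-ID"])

    reply = EmailMessage(policy=default)
    reply["From"] = sender
    reply["To"] = str(original["From"])
    if original["To"]:
        # Keep the list in copy so the result lands on the thread everyone reads.
        reply["Cc"] = str(original["To"])
    subject = str(original["Subject"] or "")
    reply["Subject"] = subject if subject.lower().startswith("re:") else "Re: " + subject

    reply["In-Reply-To"] = parent_id
    parent_refs = str(original["References"] or "").split()
    reply["References"] = " ".join(parent_refs + [parent_id])

    reply.set_content(body)
    return reply


def threads_under(reply: EmailMessage, original_text: str) -> bool:
    """True if the reply carries the two headers clients use to nest it under the original."""
    original = email.message_from_string(original_text, policy=default)
    parent_id = str(original["Message-ID"])
    return (str(reply["In-Reply-To"]) == parent_id
            and parent_id in str(reply["References"]).split())


if __name__ == "__main__":
    msg = build_reply(PATCH_MAIL, "Patchtest results: all tests passed.",
                      "patchtest@example.com")
    print(msg.as_string())
```

Refusing to send when the original has no Message-ID is deliberate: a reply without In-Reply-To is exactly the unthreaded mail described above, so it is better to surface the problem than to emit one silently.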



[OE-core][kirkstone][PATCH v2 1/1] libwebp: Fix CVE-2023-4863

2023-10-31 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Heap buffer overflow in WebP in Google Chrome prior to
116.0.5845.187 allowed a remote attacker to perform an
out of bounds memory write via a crafted HTML page.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

Signed-off-by: Soumya Sambu 
---
 .../webp/files/CVE-2023-4863.patch| 53 +++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
new file mode 100644
index 00..2b1817822c
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud 
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+
+Signed-off-by: Soumya Sambu 
+---
+ src/dec/vp8l_dec.c | 15 +--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 186b0b2..59a9e64 100644
+--- a/src/dec/vp8l_dec.c
 b/src/dec/vp8l_dec.c
+@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, 
uint32_t* const data,
+   }
+
+   br->eos_ = VP8LIsEndOfStream(br);
+-  if (dec->incremental_ && br->eos_ && src < src_end) {
++  // In incremental decoding:
++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++  // 'src_last' has not been reached yet, there is not enough data. 'dec' has 
to
++  // be reset until there is more data.
++  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++  // fully read, either enough has been read to reach 'src_last'.
++  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually 
go
++  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
++  // The buffer might have been enough or there is some left. 'br->eos_' does
++  // not matter.
++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= 
src_last);
++  if (dec->incremental_ && br->eos_ && src < src_last) {
+ RestoreState(dec);
+-  } else if (!br->eos_) {
++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+ // Process the remaining rows corresponding to last row-block.
+ if (process_func != NULL) {
+   process_func(dec, row > last_row ? last_row : row);
+--
+2.40.0
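Review bot: in this copy the embedded patch's file header reads ` b/src/dec/vp8l_dec.c` with its leading `++++` missing, and the `+Upstream-Status: Backport` line is separated from its `[https://github.com/...]` URL on the next line; if either is in the committed file rather than an artefact of the archive, do_patch will reject the file or the Upstream-Status check will not see the tag, so please verify the file as stored in the tree. Note also that the added `assert(!dec->incremental_ || ...)` is compiled out in NDEBUG builds, so the effective fix is the `src < src_end` to `src < src_last` change and the widened `else if`; the `index 186b0b2..59a9e64` line comes from upstream's tree rather than 1.2.4, so a statement that the kirkstone recipe was built and tested with this backport applied belongs in the cover letter.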
diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb 
b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
index 4defdd5e42..0728ca60f5 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
@@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
 SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
file://CVE-2023-1999.patch \
file://CVE-2023-5129.patch \
+   file://CVE-2023-4863.patch \
"
 SRC_URI[sha256sum] = 
"7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
 
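Review bot: `file://CVE-2023-5129.patch` is already in this SRC_URI, and CVE-2023-5129 was rejected upstream as a duplicate of CVE-2023-4863, so confirm that the existing patch does not already carry part of the same upstream change before adding `+   file://CVE-2023-4863.patch \`; if both touch the same region of `src/dec/vp8l_dec.c`, the second will fail to apply. Patchtest also flagged that the commit message lacks a `CVE: CVE-2023-4863` line; the tag is present in the .patch file and its name, which is what cve-check consumes, but adding it to the commit message as well keeps the series consistent with the mbox check.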
-- 
2.40.0


View/Reply Online (#189846): https://lists.openembedded.org/g/openembedded-core/message/189846



Patchtest results for [OE-core][PATCH] patchtest: shorten test result outputs

2023-10-31 Thread Trevor Gamblin
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch 
/home/patchtest/share/mboxes/patchtest-shorten-test-result-outputs.patch

FAIL: test CVE presence in commit message: A CVE tag should be provided in the 
commit message with format: "CVE: CVE--" 
(test_mbox.TestMbox.test_cve_presence_in_commit_message)

PASS: pretest pylint (test_python_pylint.PyLint.pretest_pylint)
PASS: test Signed-off-by presence 
(test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence 
(test_mbox.TestMbox.test_commit_message_presence)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test pylint (test_python_pylint.PyLint.test_pylint)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)

SKIP: pretest lic files chksum modified not mentioned: No modified recipes, 
skipping pretest 
(test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not_mentioned)
SKIP: pretest src uri left files: No modified recipes, skipping pretest 
(test_metadata.TestMetadata.pretest_src_uri_left_files)
SKIP: test CVE tag format: No new CVE patches introduced 
(test_patch.TestPatch.test_cve_tag_format)
SKIP: test Signed-off-by presence: No new CVE patches introduced 
(test_patch.TestPatch.test_signed_off_by_presence)
SKIP: test Upstream-Status presence: No new CVE patches introduced 
(test_patch.TestPatch.test_upstream_status_presence_format)
SKIP: test bugzilla entry format: No bug ID found 
(test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum modified not mentioned: No modified recipes, 
skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
SKIP: test lic files chksum presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_license_presence)
SKIP: test series merge on head: Merge test is disabled for now 
(test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test src uri left files: No modified recipes, skipping pretest 
(test_metadata.TestMetadata.test_src_uri_left_files)
SKIP: test summary presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check other mailing 
lists (test_mbox.TestMbox.test_target_mailing_list)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

View/Reply Online (#189845): https://lists.openembedded.org/g/openembedded-core/message/189845



[OE-core] [PATCH] ccache.conf: Remove obsolete configuration option

2023-10-31 Thread Niko Mauno via lists.openembedded.org
From: Niko Mauno 

Since ccache version 4.0, according to
https://github.com/ccache/ccache/blob/master/doc/NEWS.adoc#ccache-40

 * An appropriate cache directory level structure is now chosen automatically. 
The cache_dir_levels (CCACHE_NLEVELS) configuration option has therefore been 
removed.

Therefore remove the option which has not been supported by ccache
recipe version since Yocto Hardknott.

Signed-off-by: Niko Mauno 
---
 meta/conf/ccache.conf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/meta/conf/ccache.conf b/meta/conf/ccache.conf
index 931012dec9..4406ae561b 100644
--- a/meta/conf/ccache.conf
+++ b/meta/conf/ccache.conf
@@ -1,2 +1 @@
 max_size = 0
-cache_dir_levels = 1
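Review bot: the removal of `-cache_dir_levels = 1` matches the cited ccache 4.0 NEWS entry, but the commit message only says the option is no longer supported; record what the ccache version in the current recipe actually does when it meets the stale key (ignores it silently, warns, or refuses to run), so the user-visible effect of this change, if any, is documented next to the NEWS reference.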
-- 
2.39.2


View/Reply Online (#189844): https://lists.openembedded.org/g/openembedded-core/message/189844



Re: [OE-core] Core workflow: sstate for all, bblock/bbunlock, tools for why is sstate not being reused?

2023-10-31 Thread Alexander Kanavin
On Tue, 31 Oct 2023 at 13:28, Richard Purdie
 wrote:

> > Then we can pull all of it together into 'devtool esdk '
> > command (or similar), which would enter the esdk environment directly
> > via:
> > - running 'bitbake  meta-ide-support'
> > - running the above mentioned bitbake local.conf task to generate the
> > esdk-specific local.conf
> > - sourcing the environment script produced by meta-ide-support
> > - rewriting PATH to provide only the curated esdk tools and not
> > everything plus bitbake.
> > - writing a custom devtool.conf similar to that of standalone esdk so
> > that devtool can find bitbake and bitbake can use the esdk-specific
> > local.conf
> >
> > And it would be tested in the same way standalone esdks are.
> >
> > Thoughts? Anything missing from the above list?
>
> That sounds like a good way to handle this to me!

A couple followup points:

- copy_buildsystem() in populate_sdk_ext class is overly long at 400
lines and does many different barely related things, writing
local.conf for esdk one of them:

https://git.yoctoproject.org/poky/tree/meta/classes-recipe/populate_sdk_ext.bbclass#n189

The first step would be to structure it into separate functions each
doing one thing and hopefully fitting on a single screen. Then these
functions can be hand-picked into a task designed to provide esdk
things in a yocto build context, and the code would simply be more
readable, as right now I can barely understand all the various things
that function does, and the spaghetti of local variables etc.

- the tool that would set up the esdk environment in a plain yocto
build could be a shell script in scripts/oe-init-esdk-env perhaps,
similar to oe-init-build-env. No need to make it a devtool plugin; it
could use python helpers to program the more tricky bits such as PATH
manipulations etc. So one would first initialize the yocto
environment, then transition to an esdk environment from that (there
would be no way to go back, as one can simply start a new session).

Alex

View/Reply Online (#189843): https://lists.openembedded.org/g/openembedded-core/message/189843



Re: [OE-core] [yocto] Yocto Project Status 31 October 2023 (WW44)

2023-10-31 Thread Neal Caidin
Yes! You are correct Michael. This is that strange in-between week. Next
week it goes back to 17:00 CET.

Good catch!

-- Neal

*Neal Caidin*
Program Manager
The Linux Foundation
Durham, NC, U.S.A. - Eastern time zone
+1 (919) 238-9104 (w/h)
+1 (919) 949-1861 (m)
ncai...@linuxfoundation.org




On Tue, Oct 31, 2023 at 9:33 AM Michael Opdenacker <
michael.opdenac...@bootlin.com> wrote:

> Greetings,
>
> On 31.10.23 at 13:29, Neal Caidin wrote:
> >
> > Current Dev Position: YP 4.3 M4 (Feature Freeze)
> >
> > Next Deadline: 2nd October 2023 YP 4.3 M4 build date
> >
> >
> > Next Team Meetings:
> >
> >  * Bug Triage meeting Thursday November 2, 7:30 am PDT
> >    (https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09)
> >
> >  * Weekly Project Engineering Sync Tuesday October 31st at 8 am PDT
> >    (https://zoom.us/j/990892712?pwd=cHU1MjhoM2x6ck81bkcrYjRrcmJsUT09)
> >
>
> Reminder: this week 8:00 PDT translates to 16:00 CET if I understood
> correctly. That's one hour earlier because daylight saving time changes
> happen in Europe 1 week earlier than in the USA.
>
> Michael.
> --
>
> Michael Opdenacker, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
>
>

View/Reply Online (#189842): https://lists.openembedded.org/g/openembedded-core/message/189842



Re: [OE-core] [yocto] Yocto Project Status 31 October 2023 (WW44)

2023-10-31 Thread Michael Opdenacker via lists.openembedded.org

Greetings,

On 31.10.23 at 13:29, Neal Caidin wrote:
>
> Current Dev Position: YP 4.3 M4 (Feature Freeze)
>
> Next Deadline: 2nd October 2023 YP 4.3 M4 build date
>
> Next Team Meetings:
>
>  * Bug Triage meeting Thursday November 2, 7:30 am PDT
>    (https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09)
>
>  * Weekly Project Engineering Sync Tuesday October 31st at 8 am PDT
>    (https://zoom.us/j/990892712?pwd=cHU1MjhoM2x6ck81bkcrYjRrcmJsUT09)


Reminder: this week 8:00 PDT translates to 16:00 CET if I understood 
correctly. That's one hour earlier because daylight saving time changes 
happen in Europe 1 week earlier than in the USA.


Michael.
--

Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


View/Reply Online (#189841): https://lists.openembedded.org/g/openembedded-core/message/189841



[OE-core] Yocto Project Status 31 October 2023 (WW44)

2023-10-31 Thread Neal Caidin
Current Dev Position: YP 4.3 M4 (Feature Freeze)

Next Deadline: 2nd October 2023 YP 4.3 M4 build date

Next Team Meetings:

   - Bug Triage meeting Thursday November 2, 7:30 am PDT
     (https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09)
   - Weekly Project Engineering Sync Tuesday October 31st at 8 am PDT
     (https://zoom.us/j/990892712?pwd=cHU1MjhoM2x6ck81bkcrYjRrcmJsUT09)
   - Twitch - See https://www.twitch.tv/theyoctojester

Key Status/Updates:

   - The YP 4.3 passed QA and is now pending finalizing the release notes and
     migration guide.
   - Work has continued on trying to track down the 32bit x86 non-kvm 6.5
     kernel early boot crash (thanks Paul).
   - Patchtest is now replying live on the mailing list for OE-Core. There
     are some open bugs including a threading/references issue but it is great
     to welcome it back, thanks Trevor.
   - The autobuilder generated ‘metrics’ target has been altered to work per
     branch and we’re close to support for testing other layers such as
     meta-openembedded.
   - Toaster automated testing is close to being usable again.
   - Recipetool is now able to better handle various python module formats
     for recipe creation (Thanks Julien and Tim).
   - Various pieces of security information and processes are being added to
     our documentation.

Ways to contribute:

   - As people are likely aware, the project has a number of components which
     are either unmaintained, or have people with little to no time trying to
     keep them alive. These components include: patchtest, layerindex, devtool,
     toaster, wic, oeqa, autobuilder, CROPs containers, pseudo and more. Many
     have open bugs. Help is welcome in trying to better look after these
     components!
   - There are bugs identified as possible for newcomers to the project:
     https://wiki.yoctoproject.org/wiki/Newcomers
   - There are bugs that are currently unassigned for YP 4.3. See:
     https://wiki.yoctoproject.org/wiki/Bug_Triage#Medium.2B_4.3_Unassigned_Enhancements.2FBugs
   - We’d welcome new maintainers for recipes in OE-Core. Please see the list
     at:
     http://git.yoctoproject.org/cgit.cgi/poky/tree/meta/conf/distro/include/maintainers.inc
     and discuss with the existing maintainer, or ask on the OE-Core mailing
     list. We will likely move a chunk of these to “Unassigned” soon to help
     facilitate this.
   - Help is very much welcome in trying to resolve our autobuilder
     intermittent issues. You can see the list of failures we’re continuing to
     see by searching for the “AB-INT” tag in bugzilla:
     https://bugzilla.yoctoproject.org/buglist.cgi?quicksearch=AB-INT.
   - Help us resolve CVE issues: CVE metrics
   - We have a growing number of bugs in bugzilla, any help with them is
     appreciated.

YP 4.3 Milestone Dates:

   - YP 4.3 M3 was released.
   - YP 4.3 M4 build date 2023/10/02
   - YP 4.3 M4 Release date 2023/10/27

YP 5.0 Milestone Dates:

   - YP 5.0 M1 build date 2023/12/04
   - YP 5.0 M1 Release date 2023/12/15
   - YP 5.0 M2 build date 2024/01/15
   - YP 5.0 M2 Release date 2024/01/24
   - YP 5.0 M3 build date 2024/02/19
   - YP 5.0 M3 Release date 2024/03/01
   - YP 5.0 M4 build date 2024/04/01
   - YP 5.0 M4 Release date 2024/04/30

Upcoming dot releases:

   - YP 3.1.29 build date 2023/10/30
   - YP 3.1.29 Release date 2023/11/10
   - YP 4.0.14 build date 2023/11/06
   - YP 4.0.14 Release date 2023/11/17
   - YP 4.2.4 build date 2023/11/13
   - YP 4.2.4 Release date 2023/11/24
   - YP 4.3.1 build date 2023/11/27
   - YP 4.3.1 Release date 2023/12/08
   - YP 3.1.30 build date 2023/12/11
   - YP 3.1.30 Release date 2023/12/22
   - YP 4.0.15 build date 2023/12/18
   - YP 4.0.15 Release date 2023/12/29
   - YP 4.3.2 build date 2024/01/08
   - YP 4.3.2 Release date 2024/01/19
   - YP 3.1.31 build date 2024/01/22
   - YP 3.1.31 Release date 2024/02/02
   - YP 4.0.16 build date 2024/01/29
   - YP 4.0.16 Release date 2024/02/09
   - YP 4.3.3 build date 2024/02/12
   - YP 4.3.3 Release date 2024/02/23
   - YP 3.1.32 build date 2024/03/04
   - YP 3.1.32 Release date 2024/03/15
   - YP 4.0.17 build date 2024/03/11
   - YP 4.0.17 Release date 2024/03/22
   - YP 4.3.4 build date 2024/03/25
   - YP 4.3.4 Release date 2024/04/05
   - YP 3.1.33 build date 2024/04/15
   - YP 3.1.33 Release date 2024/04/26
   - YP 4.0.18 build date 2024/04/22
   - YP 4.0.18 Release date 2024/05/03
   - YP 4.0.19 build date 2024/06/03
   - YP 4.0.19 Release date 2024/06/14

Tracking Metrics:

   - WDD 2555 (last week 2475)
     (https://wiki.yoctoproject.org/charts/combo.html)
   - OE-Core/Poky Patch Metrics
      - Total patches found: 

Re: [OE-core] Core workflow: sstate for all, bblock/bbunlock, tools for why is sstate not being reused?

2023-10-31 Thread Richard Purdie
On Tue, 2023-10-31 at 13:08 +0100, Alexander Kanavin wrote:
> On Mon, 30 Oct 2023 at 16:02, Alexander Kanavin via
> lists.openembedded.org 
> wrote:
> > So here's what could be done:
> > 
> > - esdk tools become symlinks in poky/scripts/esdk-tools/. esdk
> > environment script puts that in PATH, rather than some custom
> > esdk-specific location (the code to generate that can then be
> > dropped).
> 
> This is now implemented (needs to be tested on AB).
> 
> > - esdk tweaks to local.conf move into a dedicated include file, which
> > can be static and under version control, except for perhaps
> > METADATA_REVISION:poky = "4a1e0b9625729e422fcf24e632ee2a3c79f986d5" -
> > I need to check why is it there and how that is used.
> 
> It's actually more complicated. The code to generate esdk-specific
> local.conf with all the tweaks has too much dynamic stuff in it which
> is subject to what various variables are set to. So I'm thinking of
> extracting that to a dedicated function, then attaching a bitbake task
> to that function.
> 
> Then we can pull all of it together into 'devtool esdk '
> command (or similar), which would enter the esdk environment directly
> via:
> - running 'bitbake  meta-ide-support'
> - running the above mentioned bitbake local.conf task to generate the
> esdk-specific local.conf
> - sourcing the environment script produced by meta-ide-support
> - rewriting PATH to provide only the curated esdk tools and not
> everything plus bitbake.
> - writing a custom devtool.conf similar to that of standalone esdk so
> that devtool can find bitbake and bitbake can use the esdk-specific
> local.conf
> 
> And it would be tested in the same way standalone esdks are.
> 
> Thoughts? Anything missing from the above list?

That sounds like a good way to handle this to me!

Cheers,

Richard

View/Reply Online (#189839): https://lists.openembedded.org/g/openembedded-core/message/189839



Re: [OE-core] [PATCH] package: split strip cmd when ccache is used

2023-10-31 Thread Richard Purdie
On Mon, 2023-10-30 at 22:27 -0600, Javier Tia wrote:
> Using ccache stopped to work after 77497dbdca with following error:
> 
>   FileNotFoundError: [Errno 2] No such file or directory: 'ccache 
> aarch64-trs-linux-strip'
> 
> Signed-off-by: Javier Tia 
> ---
>  meta/lib/oe/package.py | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
> index 1dd20f85eb..2685da0af9 100644
> --- a/meta/lib/oe/package.py
> +++ b/meta/lib/oe/package.py
> @@ -39,7 +39,7 @@ def runstrip(arg):
>  newmode = origmode | stat.S_IWRITE | stat.S_IREAD
>  os.chmod(file, newmode)
>  
> -stripcmd = [strip]
> +stripcmd = strip.split() if "ccache" in strip else [strip]
>  skip_strip = False
>  # kernel module
>  if elftype & 16:
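Review bot: `+stripcmd = strip.split() if "ccache" in strip else [strip]` hard-codes one wrapper into generic packaging code, so a `STRIP` prefixed with any other wrapper still fails with the same `FileNotFoundError`; split unconditionally with `shlex.split(strip)` (adding `import shlex` at the top of `meta/lib/oe/package.py`), which also keeps quoted paths intact, and drop the `"ccache" in strip` test. The `skip_strip`/`elftype` logic below is untouched and does not depend on whether `stripcmd` has one element or several, so the unconditional split is safe there.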

That looks very like a hack/workaround rather than a real fix. The
packaging code shouldn't know/care about ccache.

Should we always be splitting strip?

Cheers,

Richard



View/Reply Online (#189838): https://lists.openembedded.org/g/openembedded-core/message/189838
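Richard's question, whether strip should always be split, is the general fix: build the argv from STRIP without a shell and without knowing which wrapper sits in front of the tool. An added example (not oe-core code; the STRIP values are constructed) comparing the pre-patch argv with a `shlex.split` based one, including a quoted path that a plain `str.split()` would also get wrong:

```python
import shlex
import shutil
import subprocess

# STRIP values as a build might set them; constructed for this example. The
# second is the form the patch above special-cases, the third shows why a
# plain str.split() would not be enough either.
SAMPLE_STRIPS = {
    "plain": "aarch64-poky-linux-strip",
    "ccache": "ccache aarch64-trs-linux-strip",
    "quoted": "'/opt/tool chain/bin/strip' --strip-debug",
}


def naive_argv(strip: str, path: str) -> list:
    """What the pre-patch code built: the whole STRIP string as argv[0]."""
    return [strip, path]


def strip_argv(strip: str, path: str, extra_args=()) -> list:
    """Build argv for a strip run without a shell and without special-casing.

    shlex.split handles any wrapper prefix (ccache or another launcher) and
    quoted paths alike, so packaging code does not need to know about ccache.
    """
    argv = shlex.split(strip)
    if not argv:
        raise ValueError("STRIP is empty")
    argv.extend(extra_args)
    argv.append(path)
    return argv


def executable_found(argv: list) -> bool:
    """Mirror the lookup exec() will do: argv[0] must resolve as one file."""
    return shutil.which(argv[0]) is not None


def run_strip(strip: str, path: str, extra_args=()) -> subprocess.CompletedProcess:
    argv = strip_argv(strip, path, extra_args)
    if not executable_found(argv):
        # Same condition as the failure reported above, with a usable message.
        raise FileNotFoundError(f"{argv[0]!r} not found in PATH (from STRIP={strip!r})")
    return subprocess.run(argv, check=True, capture_output=True, text=True)
```

With the naive form, `argv[0]` is the literal string `"ccache aarch64-trs-linux-strip"`, which no directory on PATH contains, hence the `No such file or directory` in the report; after `shlex.split` the wrapper becomes `argv[0]` and the real strip binary its first argument, with no knowledge of ccache anywhere in the packaging code.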



Re: [OE-core] Core workflow: sstate for all, bblock/bbunlock, tools for why is sstate not being reused?

2023-10-31 Thread Alexander Kanavin
On Mon, 30 Oct 2023 at 16:02, Alexander Kanavin via
lists.openembedded.org 
wrote:
> So here's what could be done:
>
> - esdk tools become symlinks in poky/scripts/esdk-tools/. esdk
> environment script puts that in PATH, rather than some custom
> esdk-specific location (the code to generate that can then be
> dropped).

This is now implemented (needs to be tested on AB).

> - esdk tweaks to local.conf move into a dedicated include file, which
> can be static and under version control, except for perhaps
> METADATA_REVISION:poky = "4a1e0b9625729e422fcf24e632ee2a3c79f986d5" -
> I need to check why is it there and how that is used.

It's actually more complicated. The code to generate esdk-specific
local.conf with all the tweaks has too much dynamic stuff in it which
is subject to what various variables are set to. So I'm thinking of
extracting that to a dedicated function, then attaching a bitbake task
to that function.

Then we can pull all of it together into 'devtool esdk '
command (or similar), which would enter the esdk environment directly
via:
- running 'bitbake  meta-ide-support'
- running the above mentioned bitbake local.conf task to generate the
esdk-specific local.conf
- sourcing the environment script produced by meta-ide-support
- rewriting PATH to provide only the curated esdk tools and not
everything plus bitbake.
- writing a custom devtool.conf similar to that of standalone esdk so
that devtool can find bitbake and bitbake can use the esdk-specific
local.conf

And it would be tested in the same way standalone esdks are.

Thoughts? Anything missing from the above list?

Alex

View/Reply Online (#189837): https://lists.openembedded.org/g/openembedded-core/message/189837



Re: [OE-core] [PATCH v7 8/8] docs: cover devtool ide

2023-10-31 Thread Michael Opdenacker via lists.openembedded.org

Hi Adrian

Thanks for the new code and the corresponding documentation. See my 
comments below... (also copying the "docs" mailing list).


On 30.10.23 at 22:32, Adrian Freihofer wrote:

Cover the new devtool ide plugin in the extensible sdk section.

Many thanks to Enguerrand de Ribaucourt for his review and
contributions.

Signed-off-by: Adrian Freihofer 
---
  documentation/sdk-manual/extensible.rst | 158 +++-
  1 file changed, 157 insertions(+), 1 deletion(-)

diff --git a/documentation/sdk-manual/extensible.rst 
b/documentation/sdk-manual/extensible.rst
index 355c6cb0e4a..361ca091fbf 100644
--- a/documentation/sdk-manual/extensible.rst
+++ b/documentation/sdk-manual/extensible.rst
@@ -230,13 +230,15 @@ all the commands.
 See the ":doc:`/ref-manual/devtool-reference`"
 section in the Yocto Project Reference Manual.
  
-Three ``devtool`` subcommands provide entry-points into development:

+Four ``devtool`` subcommands provide entry-points into development:
  
  -  *devtool add*: Assists in adding new software to be built.
  
  -  *devtool modify*: Sets up an environment to enable you to modify

 the source of an existing component.
  
+-  *devtool ide*: Generates a configuration for an IDE.

+
  -  *devtool upgrade*: Updates an existing recipe so that you can
 build it for an updated set of source files.
  
@@ -614,6 +616,160 @@ command:

decide you do not want to proceed with your work. If you do use this
command, realize that the source tree is preserved.
  
+Use ``devtool ide`` to generate a configuration for the IDE

+---
+
+``devtool ide`` automatically configures IDEs for cross-compiling and remote 
debugging.
+
+Two different use cases are supported:
+
+#. *Recipe mode*: Generate the IDE configuration for a workspace created by 
``devtool modify``.
+
+   In order to use the tool, a few settings must be made.
+   As a starting example, the following lines of code can be added to the 
local.conf file.


I would use ``local.conf`` here.

Also, there's a simpler solution to get a code block here:

... to the ``local.conf`` file::

  # Build the companion debug file system
  ...


+
+   .. code-block::
+
+  # Build the companion debug file system
+  IMAGE_GEN_DEBUGFS = "1"
+  # Optimize build time: with devtool ide the dbg tar is not needed
+  IMAGE_FSTYPES_DEBUGFS = ""
+
+  # ssh is mandatory, no password simplifies the usage
+  EXTRA_IMAGE_FEATURES += "\
+ ssh-server-openssh \
+ debug-tweaks \
+  "
+
+  # Remote debugging needs the gdbserver on the target device
+  IMAGE_INSTALL:append = " gdbserver"
+
+   Assuming the development environment is set up correctly and a workspace 
has been created
+   for the recipe using ``devtool modify recipe``, the following command can 
create the
+   configuration for VSCode in the recipe workspace:
+
+   .. code-block::
+
+  $ devtool ide recipe core-image-minimal --target root@192.168.7.2
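
Review bot: the `debug-tweaks` entry in the EXTRA_IMAGE_FEATURES snippet (commented "no password simplifies the usage") together with the `root@192.168.7.2` target in the `devtool ide` command documents a password-less root login over ssh; the section should state plainly that this is a development-only image configuration and that `debug-tweaks` (and the `gdbserver` added to IMAGE_INSTALL) must not be carried into an image that leaves the bench, rather than leave that to the one-line comment. Further down the same hunk: `c_ccp_properties.json` should read `c_cpp_properties.json`, "a cmake-preset with configures CMake" should read "which configures", and "environent" and "referres" are misspelled.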


Same here.


+
+   What this command does exactly depends on the recipe or the build tool used 
by the recipe.
+   Currently, only CMake and Meson are supported natively.
+
+   For a recipe which inherits ``cmake`` it does:


Since you are talking about the cmake class:

s/``cmake``/the :ref:`ref-classes-cmake` class/

Anyway, I find that the sentence doesn't fit well with the following items.

What about

"Here is what it does for a recipe which inherits the 
:ref:`ref-classes-cmake` class:"?



+
+   - Prepare the SDK by calling ``bitbake core-image-minimal``, ``gdb-cross``, 
``qemu-native``...
+
+   - Generate a cmake-preset with configures CMake to use exactly the same 
environent and
+ the same cmake-cache configuration as used by ``bitbake recipe``. The 
cmake-preset referres
+ to the per-recipe-sysroot of the recipe.
+
+ Currently Configure, Build and Test presets are supported. Test presets 
execute the test
+ binaries with Qemu.
+
+   - Generates a helper script to handle the ``do_install`` with pseudo


s/Generates/Generate/, for consistency with the previous items.


+
+   - Generates some helper scripts to start ``gdbserver`` on the target device
+
+   - Generates the ``.vscode`` folder containing the following files:



Same here in the above two lines.


+
+   - ``c_ccp_properties.json``: configure the code navigation



s/configure/Configure/. Be consistent with the following items.


+
+   - ``extensions.json``: Recommend the extensions which are used.
+
+   - ``launch.json``: Provide a configuration for remote debugging with 
``gdb-cross`` and ``gdbserver``.
+ The debug-symbols are searched in the build-folder, the 
per-recipe-sysroot and the rootfs-dbg
+ folder which is provided by the image.
+
+   - ``settings.json``: configure the indexer to ignore the build folders.


s/configure/Configure/



+
+   - ``tasks.json``: Provide some helpers for running
+
+  - 

Re: [OE-core] is it worth a newbie cleanup task to update "class Whatever(object)"?

2023-10-31 Thread Ross Burton
On 26 Oct 2023, at 17:31, Robert P. J. Day via lists.openembedded.org 
 wrote:
>  just noticed that there is a lot of "class Something(object):" in
> oe-core, where AIUI, the argument of "object" is a throwback to
> Python2 and shouldn't(?) be necessary.
> 
>  is there any value in letting a newbie loose on a task to clean all
> that up? or is that more churn than it's worth?

Nothing wrong with simple cleanups like that, no.

Ross



Re: [OE-core] [PATCH V5] kbd:Add ptest support

2023-10-31 Thread Alexander Kanavin
Hello Qiu,

I think the easiest is to adjust the code so that it first obtains the
datadir from some environment variable, and if that is not set, falls
back to the hardcoded default. Then run-ptest can set the variable.
Such a patch can even be proposed upstream.

Alex

On Tue, 31 Oct 2023 at 09:27, Tingting Qiu (Fujitsu)  wrote:
>
> Hi, Alex
>
> I'm afraid DATADIR should be an absolute path.
> Tried to make a ptest.patch with relative path, but failed.
> As we know the ptest directory is not a fixed path, so making a patch may
> not be suitable.
> For no 'make clean', we can modify the Makefile.am in do_patch().
> Any ideas?
>
> Best Regards,
> Qiu Tingting
> > -Original Message-
> > From: Alexander Kanavin 
> > Sent: Tuesday, October 24, 2023 4:51 PM
> > To: Qiu, Tingting/仇 婷婷 
> > Cc: openembedded-core@lists.openembedded.org
> > Subject: Re: [OE-core] [PATCH V5] kbd:Add ptest support
> >
> > On Tue, 24 Oct 2023 at 06:12, qi...@fujitsu.com  wrote:
> > >
> > > Hi,Alex
> > >
> > > As you said, it is not-that-elegant bit of code.
> > > But DATADIR is used as a part of CPPFLAGS for compiling c files in
> > > tests, such as libkeymap/libkeymap-test01.c, 
> > > libkbdfile/libkbdfile-test13.c
> > and others.
> > > sample:
> > >
> > > libkeymap/libkeymap-test01.c: f = fopen(DATADIR
> > "/data/libkeymap/charset-keymap0.map", "r");
> > libkeymap/libkeymap-test09.c:   setenv("LOADKEYS_INCLUDE_PATH",
> > DATADIR "/data/libkeymap", 1);
> >
> > I see, thanks. I would suggest that Makefile.am is patched with a dedicated
> > patch that sets DATADIR to ptest directory on target (you can mark it
> > Inappropriate), so that the change is robust (sed expressions are prone to
> > silent regressions), and happens before the actual build, so no 'make
> > clean' is needed.
> >
> > Alex
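
Alex's suggestion above (read the data directory from an environment variable, fall back to the hardcoded default so run-ptest can relocate the test data) worked through in C as an added example; this is not code from kbd or from the patch under review, and the variable name KBD_TEST_DATADIR and the default path are assumptions.

```c
/* Added example (not the kbd source or the patch in this thread): look the
 * test data directory up at run time, falling back to the compiled-in
 * DATADIR, so run-ptest can relocate the data by exporting a variable
 * instead of patching an absolute path into the test binaries.
 * KBD_TEST_DATADIR and the default path are assumptions for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef DATADIR
#define DATADIR "/usr/share/kbd"        /* stand-in for the -DDATADIR build flag */
#endif
#define DATADIR_ENV "KBD_TEST_DATADIR"  /* variable run-ptest would export */

/* Pick the directory: an unset or empty override keeps the default, so a
 * normal build behaves exactly as before. Kept separate from getenv() so it
 * can be tested without touching the process environment. */
const char *resolve_datadir(const char *override)
{
    if (override == NULL || override[0] == '\0')
        return DATADIR;
    return override;
}

/* What the tests call instead of using the DATADIR macro directly. */
const char *test_datadir(void)
{
    return resolve_datadir(getenv(DATADIR_ENV));
}

/* Write "<dir>/<rel>" into buf. Fails (-1) instead of truncating, because a
 * silently truncated path would open the wrong file or none at all. */
int build_data_path(char *buf, size_t size, const char *dir, const char *rel)
{
    size_t len = strlen(dir);
    /* Avoid a doubled slash when the exported value ends in '/'. */
    const char *sep = (len > 0 && dir[len - 1] == '/') ? "" : "/";
    int n = snprintf(buf, size, "%s%s%s", dir, sep, rel);
    if (n < 0 || (size_t)n >= size)
        return -1;
    return 0;
}

/* Drop-in for fopen(DATADIR "/data/libkeymap/...", "r") in the tests. */
FILE *open_test_data(const char *rel, const char *mode)
{
    char path[4096];
    if (build_data_path(path, sizeof path, test_datadir(), rel) != 0)
        return NULL;
    return fopen(path, mode);
}

int main(void)
{
    char path[4096];
    const char *rel = "data/libkeymap/charset-keymap0.map";
    const char *env = getenv(DATADIR_ENV);
    if (build_data_path(path, sizeof path, test_datadir(), rel) == 0)
        printf("%s=%s -> %s\n", DATADIR_ENV, env ? env : "(unset)", path);
    return 0;
}
```

The `setenv("LOADKEYS_INCLUDE_PATH", DATADIR "/data/libkeymap", 1)` call quoted in the thread would go through `build_data_path()` the same way, and run-ptest only has to `export KBD_TEST_DATADIR` to the installed ptest directory before running the tests.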




Patchtest results for [OE-core][kirkstone][PATCH v2 1/1] libwebp: Fix CVE-2023-4863

2023-10-31 Thread Soumya via lists.openembedded.org
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch 
/home/patchtest/share/mboxes/kirkstone-v2-1-1-libwebp-Fix-CVE-2023-4863.patch

FAIL: test CVE presence in commit message: A CVE tag should be provided in the 
commit message with format: "CVE: CVE--" 
(test_mbox.TestMbox.test_cve_presence_in_commit_message)

PASS: pretest lic files chksum modified not mentioned 
(test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not_mentioned)
PASS: pretest src uri left files 
(test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence 
(test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence 
(test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence 
(test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence 
(test_mbox.TestMbox.test_commit_message_presence)
PASS: test lic files chksum modified not mentioned 
(test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files 
(test_metadata.TestMetadata.test_src_uri_left_files)

SKIP: pretest pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found 
(test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test 
(test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now 
(test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test 
(test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check other mailing 
lists (test_mbox.TestMbox.test_target_mailing_list)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!




Re: [OE-core] [PATCH V5] kbd:Add ptest support

2023-10-31 Thread qi...@fujitsu.com
Hi, Alex

I'm afraid DATADIR should be an absolute path.
Tried to make a ptest.patch with relative path, but failed.
As we know the ptest directory is not a fixed path, so making a patch may
not be suitable.
For no 'make clean', we can modify the Makefile.am in do_patch().
Any ideas?

Best Regards,
Qiu Tingting
> -Original Message-
> From: Alexander Kanavin 
> Sent: Tuesday, October 24, 2023 4:51 PM
> To: Qiu, Tingting/仇 婷婷 
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH V5] kbd:Add ptest support
> 
> On Tue, 24 Oct 2023 at 06:12, qi...@fujitsu.com  wrote:
> >
> > Hi,Alex
> >
> > As you said, it is not-that-elegant bit of code.
> > But DATADIR is used as a part of CPPFLAGS for compiling c files in
> > tests, such as libkeymap/libkeymap-test01.c, libkbdfile/libkbdfile-test13.c
> and others.
> > sample:
> >
> > libkeymap/libkeymap-test01.c: f = fopen(DATADIR
> "/data/libkeymap/charset-keymap0.map", "r");
> libkeymap/libkeymap-test09.c:   setenv("LOADKEYS_INCLUDE_PATH",
> DATADIR "/data/libkeymap", 1);
> 
> I see, thanks. I would suggest that Makefile.am is patched with a dedicated
> patch that sets DATADIR to ptest directory on target (you can mark it
> Inappropriate), so that the change is robust (sed expressions are prone to
> silent regressions), and happens before the actual build, so no 'make clean'
> is needed.
> 
> Alex




[OE-core][kirkstone][PATCH v2 1/1] libwebp: Fix CVE-2023-4863

2023-10-31 Thread Soumya via lists.openembedded.org
From: Soumya Sambu 

Heap buffer overflow in WebP in Google Chrome prior to
116.0.5845.187 allowed a remote attacker to perform an
out of bounds memory write via a crafted HTML page.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

Signed-off-by: Soumya Sambu 
---
 .../webp/files/CVE-2023-4863.patch| 53 +++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
new file mode 100644
index 00..2b1817822c
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud 
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+
+Signed-off-by: Soumya Sambu 
+---
+ src/dec/vp8l_dec.c | 15 +--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 186b0b2..59a9e64 100644
+--- a/src/dec/vp8l_dec.c
 b/src/dec/vp8l_dec.c
+@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, 
uint32_t* const data,
+   }
+
+   br->eos_ = VP8LIsEndOfStream(br);
+-  if (dec->incremental_ && br->eos_ && src < src_end) {
++  // In incremental decoding:
++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++  // 'src_last' has not been reached yet, there is not enough data. 'dec' has 
to
++  // be reset until there is more data.
++  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++  // fully read, either enough has been read to reach 'src_last'.
++  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually 
go
++  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
++  // The buffer might have been enough or there is some left. 'br->eos_' does
++  // not matter.
++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= 
src_last);
++  if (dec->incremental_ && br->eos_ && src < src_last) {
+ RestoreState(dec);
+-  } else if (!br->eos_) {
++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+ // Process the remaining rows corresponding to last row-block.
+ if (process_func != NULL) {
+   process_func(dec, row > last_row ? last_row : row);
+--
+2.40.0
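
Review bot: the `CVE: CVE-2023-4863` tag in the patch header sits on an upstream commit whose own description is "Fix invalid incremental decoding check" for an oss-fuzz finding, with nothing about a heap buffer overflow, while the recipe's SRC_URI already carries a `CVE-2023-5129.patch`; a sentence in the header (or the commit message) on how this commit relates to that existing patch and why both are needed to close CVE-2023-4863 would let reviewers and anyone consuming the `CVE:` tags verify the fix is complete rather than take the tag on trust. Worth noting in the same place that the added `assert(...)` is compiled out under NDEBUG, so the effective change is the two `if` conditions now comparing `src` against `src_last` instead of `src_end`; that is the behaviour a test with a truncated or incrementally fed input should exercise.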
diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb 
b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
index 4defdd5e42..0728ca60f5 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
@@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
 SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
file://CVE-2023-1999.patch \
file://CVE-2023-5129.patch \
+   file://CVE-2023-4863.patch \
"
 SRC_URI[sha256sum] = 
"7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
 
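
Review bot: the commit message of this mbox (the NVD description plus three reference URLs) has no `CVE: CVE-2023-4863` line; that is the check Patchtest reports as FAIL for this v2 in its results message in this thread, and it is the machine-readable tag tooling looks for, so add it to the commit message as well as to the .patch header, where it is already present.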
-- 
2.40.0





Re: [OE-core][kirkstone][PATCH 1/1] libwebp: Fix CVE-2023-4863

2023-10-31 Thread Soumya via lists.openembedded.org
Yes Anuj, I will correct it and will send v2.

Regards,
Soumya

From: Mittal, Anuj 
Sent: Tuesday, October 31, 2023 10:25 AM
To: openembedded-core@lists.openembedded.org 
; Sambu, Soumya 

Subject: Re: [OE-core][kirkstone][PATCH 1/1] libwebp: Fix CVE-2023-4863


On Tue, 2023-10-31 at 04:37 +, Soumya via lists.openembedded.org
wrote:
> From: Soumya Sambu 
>
> Heap buffer overflow in WebP in Google Chrome prior to
> 116.0.5845.187 allowed a remote attacker to perform an
> out of bounds memory write via a crafted HTML page.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-4863
> https://security-tracker.debian.org/tracker/CVE-2023-4863
> https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12
>
> Signed-off-by: Soumya Sambu 
> ---
>  .../webp/files/CVE-2023-4863.patch| 109
> ++
>  meta/recipes-multimedia/webp/libwebp_1.2.4.bb |   1 +
>  2 files changed, 110 insertions(+)
>  create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-
> 4863.patch
>
> diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> new file mode 100644
> index 00..4c60cbc9a1
> --- /dev/null
> +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> @@ -0,0 +1,109 @@
> +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00
> 2001
> +From: Vincent Rabaud 
> +Date: Mon, 11 Sep 2023 16:06:08 +0200
> +Subject: [PATCH] Fix invalid incremental decoding check.
> +
> +The first condition is only necessary if we have not read enough
> +(enough being defined by src_last, not src_end which is the end
> +of the image).
> +The second condition now fits the comment below: "if not
> +incremental, and we are past the end of buffer".
> +
> +BUG=oss-fuzz:62136
> +
> +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
> +
> +CVE: CVE-2023-4863
> +
> +Upstream-Status: Backport
> [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240c
> cff26f0b006037c520]
> +
> +Signed-off-by: Soumya Sambu 
> +---
> + ...x-invalid-incremental-decoding-check.patch | 48
> +++

Patch file included by mistake?

Thanks,

Anuj

> + src/dec/vp8l_dec.c| 15 +-
> + 2 files changed, 61 insertions(+), 2 deletions(-)
> + create mode 100644 0001-Fix-invalid-incremental-decoding-
> check.patch
> +
> +diff --git a/0001-Fix-invalid-incremental-decoding-check.patch
> b/0001-Fix-invalid-incremental-decoding-check.patch
> +new file mode 100644
> +index 000..21f67f4
> +--- /dev/null
>  b/0001-Fix-invalid-incremental-decoding-check.patch
> +@@ -0,0 +1,48 @@
> ++From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00
> 2001
> ++From: Vincent Rabaud 
> ++Date: Mon, 11 Sep 2023 16:06:08 +0200
> ++Subject: [PATCH] Fix invalid incremental decoding check.
> ++
> ++The first condition is only necessary if we have not read enough
> ++(enough being defined by src_last, not src_end which is the end
> ++of the image).
> ++The second condition now fits the comment below: "if not
> ++incremental, and we are past the end of buffer".
> ++
> ++BUG=oss-fuzz:62136
> ++
> ++Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
> ++---
> ++ src/dec/vp8l_dec.c | 15 +--
> ++ 1 file changed, 13 insertions(+), 2 deletions(-)
> ++
> ++diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
> ++index 5ab34f56..809b1aa9 100644
> ++--- a/src/dec/vp8l_dec.c
> + b/src/dec/vp8l_dec.c
> ++@@ -1233,9 +1233,20 @@ static int DecodeImageData(VP8LDecoder*
> const dec, uint32_t* const data,
> ++   }
> ++
> ++   br->eos_ = VP8LIsEndOfStream(br);
> ++-  if (dec->incremental_ && br->eos_ && src < src_end) {
> +++  // In incremental decoding:
> +++  // br->eos_ && src < src_last: if 'br' reached the end of the
> buffer and
> +++  // 'src_last' has not been reached yet, there is not enough
> data. 'dec' has to
> +++  // be reset until there is more data.
> +++  // !br->eos_ && src < src_last: this cannot happen as either the
> buffer is
> +++  // fully read, either enough has been read to reach 'src_last'.
> +++  // src >= src_last: 'src_last' is reached, all is fine. 'src'
> can actually go
> +++  // beyond 'src_last' in case the image is cropped and an LZ77
> goes further.
> +++  // The buffer might have been enough or there is some left. 'br-
> >eos_' does
> +++  // not matter.
> +++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src
> >= src_last);
> +++  if (dec->incremental_ && br->eos_ && src < src_last) {
> ++ RestoreState(dec);
> ++-  } else if (!br->eos_) {
> +++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_)
> {
> ++ // Process the remaining rows corresponding to last row-block.
> ++ if (process_func != NULL) {
> ++   process_func(dec, row >