[OE-core][mickledore][PATCH 1/1] python3-cryptography: fix CVE-2023-49083

2023-12-07 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

cryptography is a package designed to expose cryptographic primitives
and recipes to Python developers. Calling `load_pem_pkcs7_certificates`
or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference
and segfault. Exploitation of this vulnerability poses a serious risk of
Denial of Service (DoS) for any application attempting to deserialize a
PKCS7 blob/certificate. The consequences extend to potential disruptions
in system availability and stability. This vulnerability has been patched
in version 41.0.6.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49083
https://security-tracker.debian.org/tracker/CVE-2023-49083

Signed-off-by: Narpat Mali 
---
 .../python3-cryptography/CVE-2023-49083.patch | 53 +++
 .../python/python3-cryptography_39.0.2.bb |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 
meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch

diff --git 
a/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch 
b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
new file mode 100644
index 00..3870529ecc
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
@@ -0,0 +1,53 @@
+From df089065abde07b9b293c10f4d5c96cd99a1 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor 
+Date: Thu, 7 Dec 2023 09:33:46 +
+Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates
+ (#9926)
+
+CVE: CVE-2023-49083
+
+Upstream-Status: Backport 
[https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff]
+
+Signed-off-by: Narpat Mali 
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 5 -
+ tests/hazmat/primitives/test_pkcs7.py   | 6 ++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py 
b/src/cryptography/hazmat/backends/openssl/backend.py
+index 48f4265..7b949be 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
 b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2466,9 +2466,12 @@ class Backend:
+ _Reasons.UNSUPPORTED_SERIALIZATION,
+ )
+
++certs: list[x509.Certificate] = []
++if p7.d.sign == self._ffi.NULL:
++return certs
++
+ sk_x509 = p7.d.sign.cert
+ num = self._lib.sk_X509_num(sk_x509)
+-certs = []
+ for i in range(num):
+ x509 = self._lib.sk_X509_value(sk_x509, i)
+ self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py 
b/tests/hazmat/primitives/test_pkcs7.py
+index d879563..36ce031 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
 b/tests/hazmat/primitives/test_pkcs7.py
+@@ -89,6 +89,12 @@ class TestPKCS7Loading:
+ mode="rb",
+ )
+
++def test_load_pkcs7_empty_certificates(self):
++der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
++
++certificates = pkcs7.load_der_pkcs7_certificates(der)
++assert certificates == []
++
+
+ # We have no public verification API and won't be adding one until we get
+ # some requirements from users so this function exists to give us basic
+--
+2.40.0
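Review bot: The early return at `if p7.d.sign == self._ffi.NULL:` fixes the crash, but neither the backend hunk nor the new test records why `d.sign` can be NULL, and the DER literal in `test_load_pkcs7_empty_certificates` is opaque to a later reader. A comment above the `der = ...` line would document the fixture: `# ContentInfo with contentType signedData (1.2.840.113549.1.7.2) and no content, so p7.d.sign is NULL`. The following `sk_x509 = p7.d.sign.cert` can presumably still be NULL when the SignedData omits its certificates field; I believe `sk_X509_num` then returns -1 and the loop simply does not run, but that is worth confirming rather than relying on silently. The enclosing method starts and ends outside the hunk, and the kirkstone copy of this patch further down the page carries identical content, so the same comment applies there.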
diff --git a/meta/recipes-devtools/python/python3-cryptography_39.0.2.bb 
b/meta/recipes-devtools/python/python3-cryptography_39.0.2.bb
index 449e3ba1bc..b54c7e1719 100644
--- a/meta/recipes-devtools/python/python3-cryptography_39.0.2.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_39.0.2.bb
@@ -16,6 +16,7 @@ SRC_URI += "\
 file://0001-pyproject.toml-remove-benchmark-disable-option.patch \
 file://check-memfree.py \
 file://run-ptest \
+file://CVE-2023-49083.patch \
 "
 
 require ${BPN}-crates.inc
-- 
2.40.0





[OE-core][kirkstone][PATCH 1/1] python3-cryptography: fix CVE-2023-49083

2023-12-06 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

cryptography is a package designed to expose cryptographic primitives
and recipes to Python developers. Calling `load_pem_pkcs7_certificates`
or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference
and segfault. Exploitation of this vulnerability poses a serious risk of
Denial of Service (DoS) for any application attempting to deserialize a
PKCS7 blob/certificate. The consequences extend to potential disruptions
in system availability and stability. This vulnerability has been patched
in version 41.0.6.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49083
https://security-tracker.debian.org/tracker/CVE-2023-49083

Signed-off-by: Narpat Mali 
---
 .../python3-cryptography/CVE-2023-49083.patch | 53 +++
 .../python/python3-cryptography_36.0.2.bb |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 
meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch

diff --git 
a/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch 
b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
new file mode 100644
index 00..d398eea1d9
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
@@ -0,0 +1,53 @@
+From 627ac5e314303acc00a19d58f09eb1eabd029fd1 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor 
+Date: Wed, 6 Dec 2023 08:04:53 +
+Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates
+ (#9926)
+
+CVE: CVE-2023-49083
+
+Upstream-Status: Backport 
[https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff]
+
+Signed-off-by: Narpat Mali 
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 5 -
+ tests/hazmat/primitives/test_pkcs7.py   | 6 ++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py 
b/src/cryptography/hazmat/backends/openssl/backend.py
+index 5606fe6..c43fea0 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
 b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2189,9 +2189,12 @@ class Backend(BackendInterface):
+ _Reasons.UNSUPPORTED_SERIALIZATION,
+ )
+
++certs: list[x509.Certificate] = []
++if p7.d.sign == self._ffi.NULL:
++return certs
++
+ sk_x509 = p7.d.sign.cert
+ num = self._lib.sk_X509_num(sk_x509)
+-certs = []
+ for i in range(num):
+ x509 = self._lib.sk_X509_value(sk_x509, i)
+ self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py 
b/tests/hazmat/primitives/test_pkcs7.py
+index 91ac842..b98a9f1 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
 b/tests/hazmat/primitives/test_pkcs7.py
+@@ -81,6 +81,12 @@ class TestPKCS7Loading(object):
+ mode="rb",
+ )
+
++def test_load_pkcs7_empty_certificates(self):
++der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
++
++certificates = pkcs7.load_der_pkcs7_certificates(der)
++assert certificates == []
++
+
+ # We have no public verification API and won't be adding one until we get
+ # some requirements from users so this function exists to give us basic
+--
+2.40.0
diff --git a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb 
b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
index c3ae0c1ab9..c429c75e1b 100644
--- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
@@ -18,6 +18,7 @@ SRC_URI += " \
 file://0002-Cargo.toml-edition-2018-2021.patch \
 file://fix-leak-metric.patch \
 file://CVE-2023-23931.patch \
+file://CVE-2023-49083.patch \
 "
 
 inherit pypi python_setuptools3_rust
-- 
2.40.0





[OE-core][kirkstone][PATCH 1/1] python3-jinja2: Fixed ptest result output as per the standard

2023-11-07 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

There was an extra space between the result and ':'.
After removing the extra space, the ptest result line changes from
result : testname -> result: testname

Signed-off-by: Narpat Mali 
---
 meta/recipes-devtools/python/python3-jinja2/run-ptest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/python/python3-jinja2/run-ptest 
b/meta/recipes-devtools/python/python3-jinja2/run-ptest
index 3004024619..5817735a63 100644
--- a/meta/recipes-devtools/python/python3-jinja2/run-ptest
+++ b/meta/recipes-devtools/python/python3-jinja2/run-ptest
@@ -1,3 +1,3 @@
 #!/bin/sh
 
-pytest -o log_cli=true -o log_cli_level=INFO | sed -e 's/\[...%\]//g'| sed -e 
's/PASSED/PASS/g'| sed -e 's/FAILED/FAIL/g'| sed -e 's/SKIPPED/SKIP/g'| awk 
'{if ($NF=="PASS" || $NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || 
$NF=="XPASS"){printf "%s : %s\n", $NF, $0}else{print}}'| awk '{if ($NF=="PASS" 
|| $NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || $NF=="XPASS") {$NF="";print 
$0}else{print}}'
+pytest -o log_cli=true -o log_cli_level=INFO | sed -e 's/\[...%\]//g'| sed -e 
's/PASSED/PASS/g'| sed -e 's/FAILED/FAIL/g'| sed -e 's/SKIPPED/SKIP/g'| awk 
'{if ($NF=="PASS" || $NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || 
$NF=="XPASS"){printf "%s: %s\n", $NF, $0}else{print}}'| awk '{if ($NF=="PASS" 
|| $NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || $NF=="XPASS") {$NF="";print 
$0}else{print}}'
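Review bot: The second awk's `$NF=""` rebuilds the record with the now-empty last field, so every result line the new pipeline emits ends with a trailing space (e.g. `PASS: tests/test_x.py::test_y `); dropping it cleanly is a one-liner, `{$NF=""; sub(/ $/, ""); print $0}`. The `sed` passes also substitute PASSED/FAILED/SKIPPED anywhere on a line, and with `-o log_cli=true` log messages and test ids flow through the same pipe, so a line that merely contains one of those words would presumably be rewritten as well; hedged, since the test ids are not visible here. The whole script is inside the hunk, so nothing is cut. The same pipeline appears in the two kirkstone messages later on this page, both in the quoted reply and in the original submission, and this note applies to them as well.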
-- 
2.40.0





Re: [OE-core][kirkstone][PATCH 1/1] python3-jinja2: fix for the ptest result format

2023-10-02 Thread Narpat Mali via lists.openembedded.org

On 02-10-2023 20:04, Steve Sakoman wrote:


On Thu, Sep 28, 2023 at 10:24 PM Narpat Mali via
lists.openembedded.org
 wrote:

From: Narpat Mali 

The output of python3-jinja2 ptest should follow a unified format as below
result: testname

Reference:
https://wiki.yoctoproject.org/wiki/Ptest

Is this also an issue with the version in the master branch?

If so, please submit a patch for master branch too.  We don't want to
fix this in a stable branch without also fixing it in master.


Hi Steve,

In master branch, it has been already fixed using 
"python3-unittest-automake-output" instead of sed to reformat the output.


https://git.openembedded.org/openembedded-core/commit/?id=def25193748fac40c4120e9a6e8861ae4c7ae760

../Narpat



Thanks!

Steve


Signed-off-by: Narpat Mali 
---
  meta/recipes-devtools/python/python3-jinja2/run-ptest | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/python/python3-jinja2/run-ptest 
b/meta/recipes-devtools/python/python3-jinja2/run-ptest
index 5cec711696..3004024619 100644
--- a/meta/recipes-devtools/python/python3-jinja2/run-ptest
+++ b/meta/recipes-devtools/python/python3-jinja2/run-ptest
@@ -1,3 +1,3 @@
  #!/bin/sh

-pytest
+pytest -o log_cli=true -o log_cli_level=INFO | sed -e 's/\[...%\]//g'| sed -e 's/PASSED/PASS/g'| sed -e 's/FAILED/FAIL/g'| sed -e 's/SKIPPED/SKIP/g'| awk '{if ($NF=="PASS" || 
$NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || $NF=="XPASS"){printf "%s : %s\n", $NF, $0}else{print}}'| awk '{if ($NF=="PASS" || 
$NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || $NF=="XPASS") {$NF="";print $0}else{print}}'
--
2.40.0








[OE-core][kirkstone][PATCH 1/1] python3-jinja2: fix for the ptest result format

2023-09-29 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

The output of python3-jinja2 ptest should follow a unified format as below
result: testname

Reference:
https://wiki.yoctoproject.org/wiki/Ptest

Signed-off-by: Narpat Mali 
---
 meta/recipes-devtools/python/python3-jinja2/run-ptest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/python/python3-jinja2/run-ptest 
b/meta/recipes-devtools/python/python3-jinja2/run-ptest
index 5cec711696..3004024619 100644
--- a/meta/recipes-devtools/python/python3-jinja2/run-ptest
+++ b/meta/recipes-devtools/python/python3-jinja2/run-ptest
@@ -1,3 +1,3 @@
 #!/bin/sh
 
-pytest
+pytest -o log_cli=true -o log_cli_level=INFO | sed -e 's/\[...%\]//g'| sed -e 
's/PASSED/PASS/g'| sed -e 's/FAILED/FAIL/g'| sed -e 's/SKIPPED/SKIP/g'| awk 
'{if ($NF=="PASS" || $NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || 
$NF=="XPASS"){printf "%s : %s\n", $NF, $0}else{print}}'| awk '{if ($NF=="PASS" 
|| $NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || $NF=="XPASS") {$NF="";print 
$0}else{print}}'
-- 
2.40.0





[OE-core][mickledore][PATCH 1/1] python3-git: upgrade 3.1.32 -> 3.1.37

2023-09-25 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

The delta between 3.1.32 & 3.1.37 contains the CVE-2023-40590 and
CVE-2023-41040 fixes and other bugfixes.

Changelog:
==
- WIP Quick doc by @LeoDaCoda in #1608
- Partial clean up wrt mypy and black by @bodograumann in #1617
- Disable merge_includes in config writers by @bodograumann in #1618
- feat: full typing for "progress" parameter in Repo class by @madebylydia in 
#1634
- Fix CVE-2023-40590 by @EliahKagan in #1636
- #1566 Creating a lock now uses python built-in "open()" method to work arou… 
by @HageMaster3108 in #1619
- util: close lockfile after opening successfully by @skshetry in #1639
- Bump actions/checkout from 3 to 4 by @dependabot in #1643
- Fix 'Tree' object has no attribute '_name' when submodule path is normal path 
by @CosmosAtlas in #1645
- Fix CVE-2023-41040 by @facutuesca in #1644
- Only make config more permissive in tests that need it by @EliahKagan in #1648
- Added test for PR #1645 submodule path by @CosmosAtlas in #1647
- Fix Windows environment variable upcasing bug by @EliahKagan in #1650
- Improve Python version and OS compatibility, fixing deprecations by 
@EliahKagan in #1654
- Better document env_case test/fixture and cwd by @EliahKagan in #1657
- Remove spurious executable permissions by @EliahKagan in #1658
- Fix up checks in Makefile and make them portable by @EliahKagan in #1661
- Fix URLs that were redirecting to another license by @EliahKagan in #1662
- Assorted small fixes/improvements to root dir docs by @EliahKagan in #1663
- Use venv instead of virtualenv in test_installation by @EliahKagan in #1664
- Omit py_modules in setup by @EliahKagan in #1665
- Don't track code coverage temporary files by @EliahKagan in #1666
- Configure tox by @EliahKagan in #1667
- Format tests with black and auto-exclude untracked paths by @EliahKagan in 
#1668
- Upgrade and broaden flake8, fixing style problems and bugs by @EliahKagan in 
#1673
- Fix rollback bug in SymbolicReference.set_reference by @EliahKagan in #1675
- Remove @NoEffect annotations by @EliahKagan in #1677
- Add more checks for the validity of refnames by @facutuesca in #1672

Note that the changes to the license file are just removal of excess whitespace
(the extra blank line at the end, and spaces appearing at the end of lines).

References:
https://github.com/gitpython-developers/GitPython/releases
https://github.com/gitpython-developers/GitPython/blob/main/doc/source/changes.rst
https://github.com/gitpython-developers/GitPython/commit/e1af18377fd69f9c1007f8abf6ccb95b3c5a6558

Signed-off-by: Narpat Mali 
---
 .../python/{python3-git_3.1.32.bb => python3-git_3.1.37.bb}   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-devtools/python/{python3-git_3.1.32.bb => 
python3-git_3.1.37.bb} (86%)

diff --git a/meta/recipes-devtools/python/python3-git_3.1.32.bb 
b/meta/recipes-devtools/python/python3-git_3.1.37.bb
similarity index 86%
rename from meta/recipes-devtools/python/python3-git_3.1.32.bb
rename to meta/recipes-devtools/python/python3-git_3.1.37.bb
index f217577eb8..56a335a79e 100644
--- a/meta/recipes-devtools/python/python3-git_3.1.32.bb
+++ b/meta/recipes-devtools/python/python3-git_3.1.37.bb
@@ -6,13 +6,13 @@ access with big-files support."
 HOMEPAGE = "http://github.com/gitpython-developers/GitPython;
 SECTION = "devel/python"
 LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=8b8d26c37c1d5a04f9b0186edbebc183"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=5279a7ab369ba336989dcf2a107e5c8e"
 
 PYPI_PACKAGE = "GitPython"
 
 inherit pypi python_setuptools_build_meta
 
-SRC_URI[sha256sum] = 
"8d9b8cb1e80b9735e8717c9362079d3ce4c6e5ddeebedd0361b228c3a67a62f6"
+SRC_URI[sha256sum] = 
"f9b9ddc0761c125d5780eab2d64be4873fc6817c2899cbcb34b02344bdc7bc54"
 
 DEPENDS += " ${PYTHON_PN}-gitdb"
 
-- 
2.40.0





[OE-core][kirkstone][PATCH 1/1] python3-git: upgrade 3.1.32 -> 3.1.37

2023-09-25 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

The delta between 3.1.32 & 3.1.37 contains the CVE-2023-40590 and
CVE-2023-41040 fixes and other bugfixes.

Changelog:
==
- WIP Quick doc by @LeoDaCoda in #1608
- Partial clean up wrt mypy and black by @bodograumann in #1617
- Disable merge_includes in config writers by @bodograumann in #1618
- feat: full typing for "progress" parameter in Repo class by @madebylydia in 
#1634
- Fix CVE-2023-40590 by @EliahKagan in #1636
- #1566 Creating a lock now uses python built-in "open()" method to work arou… 
by @HageMaster3108 in #1619
- util: close lockfile after opening successfully by @skshetry in #1639
- Bump actions/checkout from 3 to 4 by @dependabot in #1643
- Fix 'Tree' object has no attribute '_name' when submodule path is normal path 
by @CosmosAtlas in #1645
- Fix CVE-2023-41040 by @facutuesca in #1644
- Only make config more permissive in tests that need it by @EliahKagan in #1648
- Added test for PR #1645 submodule path by @CosmosAtlas in #1647
- Fix Windows environment variable upcasing bug by @EliahKagan in #1650
- Improve Python version and OS compatibility, fixing deprecations by 
@EliahKagan in #1654
- Better document env_case test/fixture and cwd by @EliahKagan in #1657
- Remove spurious executable permissions by @EliahKagan in #1658
- Fix up checks in Makefile and make them portable by @EliahKagan in #1661
- Fix URLs that were redirecting to another license by @EliahKagan in #1662
- Assorted small fixes/improvements to root dir docs by @EliahKagan in #1663
- Use venv instead of virtualenv in test_installation by @EliahKagan in #1664
- Omit py_modules in setup by @EliahKagan in #1665
- Don't track code coverage temporary files by @EliahKagan in #1666
- Configure tox by @EliahKagan in #1667
- Format tests with black and auto-exclude untracked paths by @EliahKagan in 
#1668
- Upgrade and broaden flake8, fixing style problems and bugs by @EliahKagan in 
#1673
- Fix rollback bug in SymbolicReference.set_reference by @EliahKagan in #1675
- Remove @NoEffect annotations by @EliahKagan in #1677
- Add more checks for the validity of refnames by @facutuesca in #1672

Note that the changes to the license file are just removal of excess whitespace
(the extra blank line at the end, and spaces appearing at the end of lines).

References:
https://github.com/gitpython-developers/GitPython/releases
https://github.com/gitpython-developers/GitPython/blob/main/doc/source/changes.rst
https://github.com/gitpython-developers/GitPython/commit/e1af18377fd69f9c1007f8abf6ccb95b3c5a6558

Signed-off-by: Narpat Mali 
---
 .../python/{python3-git_3.1.32.bb => python3-git_3.1.37.bb}   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-devtools/python/{python3-git_3.1.32.bb => 
python3-git_3.1.37.bb} (86%)

diff --git a/meta/recipes-devtools/python/python3-git_3.1.32.bb 
b/meta/recipes-devtools/python/python3-git_3.1.37.bb
similarity index 86%
rename from meta/recipes-devtools/python/python3-git_3.1.32.bb
rename to meta/recipes-devtools/python/python3-git_3.1.37.bb
index f217577eb8..56a335a79e 100644
--- a/meta/recipes-devtools/python/python3-git_3.1.32.bb
+++ b/meta/recipes-devtools/python/python3-git_3.1.37.bb
@@ -6,13 +6,13 @@ access with big-files support."
 HOMEPAGE = "http://github.com/gitpython-developers/GitPython;
 SECTION = "devel/python"
 LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=8b8d26c37c1d5a04f9b0186edbebc183"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=5279a7ab369ba336989dcf2a107e5c8e"
 
 PYPI_PACKAGE = "GitPython"
 
 inherit pypi python_setuptools_build_meta
 
-SRC_URI[sha256sum] = 
"8d9b8cb1e80b9735e8717c9362079d3ce4c6e5ddeebedd0361b228c3a67a62f6"
+SRC_URI[sha256sum] = 
"f9b9ddc0761c125d5780eab2d64be4873fc6817c2899cbcb34b02344bdc7bc54"
 
 DEPENDS += " ${PYTHON_PN}-gitdb"
 
-- 
2.40.0





[OE-core][kirkstone][PATCH 1/1] python3-pygments: Fix CVE-2022-40896

2023-09-06 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

CVE-2022-40896:
A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments
through 2.15.0 via SmithyLexer.

The CVE issue is fixed by 3 different commits between the releases 2.14.0
(for Smithy lexer), 2.15.0 (for SQL+Jinja lexers) and 2.15.1 (for Java
properties) as per: 
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/

1. Smithy lexer commit from 2.14.0 release applies successfully on 2.11.2 
version.
Commit: 
https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04
Hence, backported the patch as CVE-2022-40896.patch.

2. SQL+Jinja lexers commit from 2.15.0 release doesn't apply on 2.11.2 version.
Commit: 
https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194
Actually, this code doesn't exist in the 2.11.2 version; it was introduced in
python3-pygments 2.13.0. Hence, 2.11.2 is not vulnerable to this part of the
issue.
SQL+Jinja lexers is introduced by: 
https://github.com/pygments/pygments/commit/0bdbd5992baca32d18e01f0ec65337e06abf9456

3. Java properties commit from 2.15.1 release also doesn't apply on 2.11.2 
version.
Commit: 
https://github.com/pygments/pygments/commit/fdf182a7af85b1deeeb637ca970d31935e7c9d52
Actually, this code also doesn't exist in 2.11.2 version as the code has been 
modified
in python3-pygments 2.14.0 by: 
https://github.com/pygments/pygments/commit/a38cb38e93c9635240b3ae89d78d38cf182745da
Hence, this is also not vulnerable for 2.11.2 version.

Signed-off-by: Narpat Mali 
---
 .../python3-pygments/CVE-2022-40896.patch | 124 ++
 .../python/python3-pygments_2.11.2.bb |   2 +
 2 files changed, 126 insertions(+)
 create mode 100644 
meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch

diff --git a/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch 
b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch
new file mode 100644
index 00..9848072a94
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch
@@ -0,0 +1,124 @@
+From ed61747f328ff6aa343881b269600308ab8eac93 Mon Sep 17 00:00:00 2001
+From: Narpat Mali 
+Date: Wed, 6 Sep 2023 10:32:38 +
+Subject: [PATCH] Improve the Smithy metadata matcher.
+
+Previously, metadata foo bar baz = 23 was accepted, but according to
+the definition 
https://smithy.io/2.0/spec/idl.html#grammar-token-smithy-MetadataSection
+it should be "metadata"Identifier/String.
+
+CVE: CVE-2022-40896
+
+Upstream-Status: Backport 
[https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04]
+
+Signed-off-by: Narpat Mali 
+---
+ pygments/lexers/smithy.py|  5 +-
+ tests/examplefiles/smithy/test.smithy| 12 +
+ tests/examplefiles/smithy/test.smithy.output | 52 
+ 3 files changed, 67 insertions(+), 2 deletions(-)
+
+diff --git a/pygments/lexers/smithy.py b/pygments/lexers/smithy.py
+index 0f0a912..c5e25cd 100644
+--- a/pygments/lexers/smithy.py
 b/pygments/lexers/smithy.py
+@@ -58,8 +58,9 @@ class SmithyLexer(RegexLexer):
+ (words(aggregate_shapes,
+prefix=r'^', suffix=r'(\s+' + identifier + r')'),
+ bygroups(Keyword.Declaration, Name.Class)),
+-(r'^(metadata)(\s+.+)(\s*)(=)',
+-bygroups(Keyword.Declaration, Name.Class, Whitespace, 
Name.Decorator)),
++(r'^(metadata)(\s+)((?:\S+)|(?:\"[^"]+\"))(\s*)(=)',
++bygroups(Keyword.Declaration, Whitespace, Name.Class,
++ Whitespace, Name.Decorator)),
+ (r"(true|false|null)", Keyword.Constant),
+ (r"(-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?)", Number),
+ (identifier + ":", Name.Label),
+diff --git a/tests/examplefiles/smithy/test.smithy 
b/tests/examplefiles/smithy/test.smithy
+index 3d20f06..9317fee 100644
+--- a/tests/examplefiles/smithy/test.smithy
 b/tests/examplefiles/smithy/test.smithy
+@@ -2,6 +2,18 @@ $version: "1.0"
+
+ namespace test
+
++metadata "foo" = ["bar", "baz"]
++metadata validators = [
++{
++name: "ValidatorName"
++id: "ValidatorId"
++message: "Some string"
++configuration: {
++selector: "operation"
++}
++}
++]
++
+ /// Define how an HTTP request is serialized given a specific protocol,
+ /// authentication scheme, and set of input parameters.
+ @trait(selector: "operation")
+diff --git a/tests/examplefiles/smithy/test.smithy.output 
b/tests/examplefiles/smithy/test.smithy.output
+index 1f22489..db44a38 100644
+--- a/tests/examplefiles/smithy/test.smithy.output
 b/tests/examplefiles/smithy/test.smithy.output
+@@ -7,6 +7,58 @@
+ ' test'   Name.Class
+ '\n\n'Text.Whitespace
+
++'metadata'Keyword.Declaration
++' '   Text.Whitespace
++'"foo"'   Name.Class
++' '   Text.Whitespace
++'='   Name.Decorator
++' '   

[OE-core][mickledore][PATCH 1/1] python3-pygments: fix for CVE-2022-40896

2023-08-29 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments
through 2.15.0 via SmithyLexer.

The CVE issue is fixed by these 3 different commits in different versions:
1. Improve the Smithy metadata matcher (These changes are already available as 
part
   of current python3-pygments_2.14.0 version):
https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04
 (2.14.0)
2. SQL+Jinja: use a simpler regex in analyse_text:
https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194
 (2.15.0)
3. Improve Java properties lexer (#2404):
https://github.com/pygments/pygments/commit/fdf182a7af85b1deeeb637ca970d31935e7c9d52
 (2.15.1)

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-40896
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/

Signed-off-by: Narpat Mali 
---
 .../CVE-2022-40896-0001.patch |  49 +++
 .../CVE-2022-40896-0002.patch | 301 ++
 .../python/python3-pygments_2.14.0.bb |   4 +
 3 files changed, 354 insertions(+)
 create mode 100644 
meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch
 create mode 100644 
meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0002.patch

diff --git 
a/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch 
b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch
new file mode 100644
index 00..d7fc87fec8
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch
@@ -0,0 +1,49 @@
+From 9a73f2a80e5cf869d473ddcbfceaab229fb99b5e Mon Sep 17 00:00:00 2001
+From: Narpat Mali 
+Date: Mon, 28 Aug 2023 15:04:14 +
+Subject: [PATCH] SQL+Jinja: use a simpler regex in analyse_text
+
+Fixes catastrophic backtracking
+
+Fixes #2355
+
+CVE: CVE-2022-40896
+
+Upstream-Status: Backport 
[https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194]
+
+Signed-off-by: Narpat Mali 
+---
+ CHANGES  | 1 +
+ pygments/lexers/templates.py | 6 +-
+ 2 files changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index 2aa54fa..4c84fa6 100644
+--- a/CHANGES
 b/CHANGES
+@@ -61,6 +61,7 @@ Version 2.14.0
+   * Spice: Add ``enum`` keyword and fix a bug regarding binary,
+ hexadecimal and octal number tokens (#2227)
+   * YAML: Accept colons in key names (#2277)
++  * SQL+Jinja (``analyse_text`` method): fix catastrophic backtracking 
[Backported]
+
+ - Fix `make mapfiles` when Pygments is not installed in editable mode
+   (#2223)
+diff --git a/pygments/lexers/templates.py b/pygments/lexers/templates.py
+index 1fcf708..1066294 100644
+--- a/pygments/lexers/templates.py
 b/pygments/lexers/templates.py
+@@ -2291,10 +2291,6 @@ class SqlJinjaLexer(DelegatingLexer):
+ if re.search(r'\{\{\s*source\(.*\)\s*\}\}', text):
+ rv += 0.25
+ # Jinja macro
+-if re.search(
+-r'\{%-?\s*macro 
\w+\(.*\)\s*-?%\}\s+.*\s+\{%-?\s*endmacro\s*-?%\}',
+-text,
+-re.S,
+-):
++if re.search(r'\{%-?\s*macro \w+\(.*\)\s*-?%\}', text):
+ rv += 0.15
+ return rv
+--
+2.40.0
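Review bot: The replacement on the `+if re.search(r'\{%-?\s*macro \w+\(.*\)\s*-?%\}', text):` line deliberately drops the `endmacro` half of the pattern and the `re.S` flag, but nothing in the code records that this is the fix for the catastrophic backtracking named in the patch subject, so a later maintainer could "restore" the fuller match. A comment above the line would preserve the reason: `# Match only the macro opening tag; spanning to endmacro with re.S backtracked catastrophically (CVE-2022-40896)`. The enclosing `analyse_text` method starts outside the hunk.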
diff --git 
a/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0002.patch 
b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0002.patch
new file mode 100644
index 00..61ebe5dad5
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0002.patch
@@ -0,0 +1,301 @@
+From 45ff8eabe0363f829c397372aefc3b23aeb135b3 Mon Sep 17 00:00:00 2001
+From: Narpat Mali 
+Date: Tue, 29 Aug 2023 10:45:34 +
+Subject: [PATCH] Improve Java properties lexer (#2404)
+
+Use special lexer rules for escapes; fixes catastrophic backtracking,
+and highlights them too.
+
+Fixes #2356
+
+CVE: CVE-2022-40896
+
+Upstream-Status: Backport 
[https://github.com/pygments/pygments/commit/fdf182a7af85b1deeeb637ca970d31935e7c9d52]
+
+Signed-off-by: Narpat Mali 
+---
+ pygments/lexers/configs.py|  50 +---
+ tests/examplefiles/properties/java.properties |  11 ++
+ .../properties/java.properties.output | 110 +++---
+ .../test_escaped_space_in_value.txt   |   4 +-
+ .../properties/test_just_key_with_space.txt   |   4 +-
+ 5 files changed, 143 insertions(+), 36 deletions(-)
+
+diff --git a/pygments/lexers/configs.py b/pygments/lexers/configs.py
+index e04c722..b28b56a 100644
+--- a/pygments/lexers/configs.py
 b/pygments/lexers/configs.py
+@@ -129,26 +129,42 @@ class PropertiesLexer(RegexLexer):
+
+ tokens = {
+ 'root': [
+-(r'\s+', Whitespace),
++# comments
+ (r'[!#].*|/{2}.*', Comment.Single),
+-# search for first separator
+-(r'([^\\\n]|\\.)*?(?=[ \f\t=:])', Name.Attribute, "separator"),
+-# empty key
+-(r'.+?$', Name.Attribute),
++   

[OE-core][kirkstone][PATCH 1/1] python3-git: upgrade 3.1.27 -> 3.1.32

2023-08-25 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

The delta between 3.1.27 & 3.1.32 contains the CVE-2022-24439 &
CVE-2023-40267 fixes and other bugfixes.

Changelog:
https://github.com/gitpython-developers/GitPython/releases/tag/3.1.32
https://gitpython.readthedocs.io/en/stable/changes.html#id5

- Bump cygwin/cygwin-install-action from 3 to 4 by @dependabot in #1572
- Fix up the commit trailers functionality by @itsluketwist in #1576
- Name top-level exceptions as private variables by @Hawk777 in #1590
- fix pypi long description by @eUgEntOptIc44 in #1603
- Don't rely on del by @r-darwish in #1606
- Block insecure non-multi options in clone/clone_from by @Beuc in #1609
- Fix Sphinx rendering errors by @stephan-cr in #1524
- tests: Use command -v instead of third-party which program by @mgorny in #1525
- fix/add allow_unsafe_* params in docstrings + fix typo by @obfusk in #1530
- use tempfile.TemporaryDirectory & fix clone_from_unsafe_protocol tests by 
@obfusk in #1531
- Fix some resource leaks by open file handles by @marlamb in #1532
- fix files list on file rename by @teknoraver in #1537
- Declare support for Python 3.11 by @hugovk in #1541
- Fix ignored by @Lightborne in #1545
- Fix timezone parsing functions for non-hour timezones by @jcowgill in #1547
- Enable user to override default diff -M arg by @mellowed100 in #1551
- Remove optional from two member variables by @Sineaggi in #1550
- Fix RecursionError when iterating streams by @eric-wieser in #1554
- Fix get_values() so it correctly loads section names by @Codym48 in #1555
- Add datetime.datetime type to commit_date and author_date by 
@SergeantMenacingGarlic in #1501
- Bump cygwin/cygwin-install-action from 2 to 3 by @dependabot in #1514
- Fix command injection by @stsewd in #1518
- Document PushInfoList by @skinitimski in #1522
- Fix type hint on create_tag by @drewcassidy in #1523
- Block insecure options and protocols by default by @stsewd in #1521
- Make the git.__version__ re-appear.

Signed-off-by: Narpat Mali 
---
 ...-git-CVE-2022-24439-fix-from-PR-1518.patch |  97 
 ...-git-CVE-2022-24439-fix-from-PR-1521.patch | 488 --
 ...n3-git_3.1.27.bb => python3-git_3.1.32.bb} |   6 +-
 3 files changed, 1 insertion(+), 590 deletions(-)
 delete mode 100644 
meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch
 delete mode 100644 
meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch
 rename meta/recipes-devtools/python/{python3-git_3.1.27.bb => 
python3-git_3.1.32.bb} (80%)

diff --git 
a/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch
 
b/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch
deleted file mode 100644
index 16192b22c7..00
--- 
a/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 6ebe9231cd34dacd32a964859bc509aaa1e3f5fd Mon Sep 17 00:00:00 2001
-From: Narpat Mali 
-Date: Fri, 6 Jan 2023 14:13:10 +
-Subject: [PATCH] python3-git: CVE-2022-24439 fix from PR 1518
-
-Fix command injection
-Add `--` in some commands that receive user input
-and if interpreted as options could lead to remote
-code execution (RCE).
-
-There may be more commands that could benefit from `--`
-so the input is never interpreted as an option,
-but most of those aren't dangerous.
-
-Fixed commands:
-
-- push
-- pull
-- fetch
-- clone/clone_from and friends
-- archive (not sure if this one can be exploited, but it doesn't hurt
-  adding `--` :))
-
-For anyone using GitPython and exposing any of the GitPython methods to users,
-make sure to always validate the input (like if starts with `--`).
-And for anyone allowing users to pass arbitrary options, be aware
-that some options may lead fo RCE, like `--exc`, `--upload-pack`,
-`--receive-pack`, `--config` (#1516).
-
-Ref #1517
-
-CVE: CVE-2022-24439
-
-Upstream-Status: Backport 
[https://github.com/gitpython-developers/GitPython/pull/1518]
-
-Signed-off-by: Narpat Mali 

- git/remote.py| 6 +++---
- git/repo/base.py | 4 ++--
- 2 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/git/remote.py b/git/remote.py
-index 56f3c5b..59681bc 100644
 a/git/remote.py
-+++ b/git/remote.py
-@@ -881,7 +881,7 @@ class Remote(LazyMixin, IterableObj):
- else:
- args = [refspec]
- 
--proc = self.repo.git.fetch(self, *args, as_process=True, 
with_stdout=False,
-+proc = self.repo.git.fetch("--", self, *args, as_process=True, 
with_stdout=False,
-universal_newlines=True, v=verbose, 
**kwargs)
- res = self._get_fetch_info_from_stderr(proc, progress,
-
kill_after_timeout=kill_after_timeout)
-@@ -905,7 +905,7 @@ class Remote(LazyMixin, IterableObj):
- # No argument refspec, then ensure the repo's config has a fetch 

[OE-core][mickledore][PATCH 1/1] ffmpeg: add CVE_CHECK_IGNORE for CVE-2023-39018

2023-08-25 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

CVE-2023-39018 belongs to ffmpeg-cli-wrapper (Java wrapper around the FFmpeg 
CLI)
and not ffmpeg itself. The CVE description names FFmpeg 0.7.0, which is a
version of ffmpeg-cli-wrapper; ffmpeg itself has no 0.7.0 release at all.

The Debian and Bugzilla trackers have already marked it NOT-FOR-US/RESOLVED-INVALID.
As it does not affect the ffmpeg package, we can ignore CVE-2023-39018
in the ffmpeg recipe.

References:
https://github.com/bramp/ffmpeg-cli-wrapper
https://github.com/FFmpeg/FFmpeg
https://security-tracker.debian.org/tracker/CVE-2023-39018
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-39018

Upstream master patch:
https://git.openembedded.org/openembedded-core/commit/?id=c21ed498b423c13463a4ae0bb475883cc7901847

Signed-off-by: Narpat Mali 
---
 meta/recipes-multimedia/ffmpeg/ffmpeg_5.1.2.bb | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.1.2.bb 
b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.1.2.bb
index cccd9f65ab..aa5a8681cf 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.1.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.1.2.bb
@@ -30,6 +30,12 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = 
"619e706d662c8420859832ddc259cd4d4096a48a2ce1eefd052db9e440eef3dc"
 
+# CVE-2023-39018 issue belongs to ffmpeg-cli-wrapper (Java wrapper around the 
FFmpeg CLI)
+# and not ffmepg itself.
+# https://security-tracker.debian.org/tracker/CVE-2023-39018
+# https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-39018
+CVE_CHECK_IGNORE += "CVE-2023-39018"
+
 # Build fails when thumb is enabled: 
https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717
 ARM_INSTRUCTION_SET:armv4 = "arm"
 ARM_INSTRUCTION_SET:armv5 = "arm"
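Review bot: The new comment misspells the package it is exonerating, `# and not ffmepg itself.` should read `# and not ffmpeg itself.`; the same typo is in the kirkstone hunk for ffmpeg_5.0.1.bb and, inside the `CVE_STATUS` justification string, in the master hunk for ffmpeg_6.0.bb. In the `CVE_STATUS` variant that text is the justification carried into the cve-check report, so the spelling matters more there than in a comment. The master hunk also cites the NVD entry while these two do not; adding the same link would keep the rationale identical across branches.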
-- 
2.40.0





[OE-core][kirkstone][PATCH 1/1] ffmpeg: add CVE_CHECK_IGNORE for CVE-2023-39018

2023-08-24 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

CVE-2023-39018 belongs to ffmpeg-cli-wrapper (Java wrapper around the FFmpeg 
CLI)
and not ffmpeg itself. The CVE description names FFmpeg 0.7.0, which is a
version of ffmpeg-cli-wrapper; ffmpeg itself has no 0.7.0 release at all.

The Debian and Bugzilla trackers have already marked it NOT-FOR-US/RESOLVED-INVALID.
As it does not affect the ffmpeg package, we can ignore CVE-2023-39018
in the ffmpeg recipe.

References:
https://github.com/bramp/ffmpeg-cli-wrapper
https://github.com/FFmpeg/FFmpeg
https://security-tracker.debian.org/tracker/CVE-2023-39018
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-39018

Upstream master patch:
https://git.openembedded.org/openembedded-core/commit/?id=c21ed498b423c13463a4ae0bb475883cc7901847

Signed-off-by: Narpat Mali 
---
 meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb 
b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index 7bd85f312a..8097b78ede 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -33,6 +33,12 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = 
"ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
 
+# CVE-2023-39018 issue belongs to ffmpeg-cli-wrapper (Java wrapper around the 
FFmpeg CLI)
+# and not ffmepg itself.
+# https://security-tracker.debian.org/tracker/CVE-2023-39018
+# https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-39018
+CVE_CHECK_IGNORE += "CVE-2023-39018"
+
 # Build fails when thumb is enabled: 
https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717
 ARM_INSTRUCTION_SET:armv4 = "arm"
 ARM_INSTRUCTION_SET:armv5 = "arm"
-- 
2.40.0





[OE-core][mickledore][PATCH 1/1] python3-git: upgrade 3.1.31 -> 3.1.32

2023-08-24 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

The delta between 3.1.31 & 3.1.32 contains the CVE-2023-40267 fix and other 
bugfixes.

Changelog:
https://github.com/gitpython-developers/GitPython/releases/tag/3.1.32

- Bump cygwin/cygwin-install-action from 3 to 4 by @dependabot in #1572
- Fix up the commit trailers functionality by @itsluketwist in #1576
- Name top-level exceptions as private variables by @Hawk777 in #1590
- fix pypi long description by @eUgEntOptIc44 in #1603
- Don't rely on del by @r-darwish in #1606
- Block insecure non-multi options in clone/clone_from by @Beuc in #1609

Signed-off-by: Narpat Mali 
---
 .../python/{python3-git_3.1.31.bb => python3-git_3.1.32.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/python/{python3-git_3.1.31.bb => 
python3-git_3.1.32.bb} (92%)

diff --git a/meta/recipes-devtools/python/python3-git_3.1.31.bb 
b/meta/recipes-devtools/python/python3-git_3.1.32.bb
similarity index 92%
rename from meta/recipes-devtools/python/python3-git_3.1.31.bb
rename to meta/recipes-devtools/python/python3-git_3.1.32.bb
index 08b9f66bcb..f217577eb8 100644
--- a/meta/recipes-devtools/python/python3-git_3.1.31.bb
+++ b/meta/recipes-devtools/python/python3-git_3.1.32.bb
@@ -12,7 +12,7 @@ PYPI_PACKAGE = "GitPython"
 
 inherit pypi python_setuptools_build_meta
 
-SRC_URI[sha256sum] = 
"8ce3bcf69adfdf7c7d503e78fd3b1c492af782d58893b650adb2ac8912ddd573"
+SRC_URI[sha256sum] = 
"8d9b8cb1e80b9735e8717c9362079d3ce4c6e5ddeebedd0361b228c3a67a62f6"
 
 DEPENDS += " ${PYTHON_PN}-gitdb"
 
-- 
2.40.0





[OE-core][PATCH 1/1] ffmpeg: add CVE_STATUS for CVE-2023-39018

2023-08-18 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

CVE-2023-39018 belongs to ffmpeg-cli-wrapper (Java wrapper around the FFmpeg 
CLI)
and not ffmpeg itself. The CVE description names FFmpeg 0.7.0, which is a
version of ffmpeg-cli-wrapper; ffmpeg itself has no 0.7.0 release at all.

The Debian and Bugzilla trackers have already marked it NOT-FOR-US/RESOLVED-INVALID.
As it does not affect the ffmpeg package, we can ignore CVE-2023-39018
in the ffmpeg recipe.

References:
https://github.com/bramp/ffmpeg-cli-wrapper
https://github.com/FFmpeg/FFmpeg
https://security-tracker.debian.org/tracker/CVE-2023-39018
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-39018

Signed-off-by: Narpat Mali 
---
 meta/recipes-multimedia/ffmpeg/ffmpeg_6.0.bb | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.0.bb 
b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.0.bb
index 07c641dc96..eb8dcad8a2 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.0.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.0.bb
@@ -28,6 +28,13 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = 
"57be87c22d9b49c112b6d24bc67d42508660e6b718b3db89c44e47e289137082"
 
+# https://nvd.nist.gov/vuln/detail/CVE-2023-39018
+# https://github.com/bramp/ffmpeg-cli-wrapper/issues/291
+# https://security-tracker.debian.org/tracker/CVE-2023-39018
+# https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-39018
+CVE_STATUS[CVE-2023-39018] = "cpe-incorrect: This issue belongs to 
ffmpeg-cli-wrapper \
+(Java wrapper around the FFmpeg CLI) and not ffmepg itself."
+
 # Build fails when thumb is enabled: 
https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717
 ARM_INSTRUCTION_SET:armv4 = "arm"
 ARM_INSTRUCTION_SET:armv5 = "arm"
-- 
2.40.0





[OE-core][mickledore][PATCH 1/1] python3-pygments: upgrade 2.14.0 -> 2.15.1

2023-08-08 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

* Upstream has dropped setup.py
* Inherit python_setuptools_build_meta instead of setuptools3
* Add self as maintainer, as this is a dependency for python3-sphinx

Adds some new lexers, updates a few others. A handful of bug fixes.

https://github.com/pygments/pygments/blob/2.15.1/CHANGES#L6
https://github.com/pygments/pygments/blob/2.15.1/CHANGES#L18

Have cherry-picked the upgrade commit from upstream/master:
https://git.openembedded.org/openembedded-core/commit/?id=22e2569ae4843071b2b48d026ca4742351baf6d1

Signed-off-by: Narpat Mali 
---
 meta/conf/distro/include/maintainers.inc  | 2 +-
 ...{python3-pygments_2.14.0.bb => python3-pygments_2.15.1.bb} | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
 rename meta/recipes-devtools/python/{python3-pygments_2.14.0.bb => 
python3-pygments_2.15.1.bb} (76%)

diff --git a/meta/conf/distro/include/maintainers.inc 
b/meta/conf/distro/include/maintainers.inc
index 07498a23a9..c9d790ca32 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -666,7 +666,7 @@ RECIPE_MAINTAINER:pn-python3-pyasn1 = "Tim Orling 
"
 RECIPE_MAINTAINER:pn-python3-pycairo = "Zang Ruochen "
 RECIPE_MAINTAINER:pn-python3-pycparser = "Tim Orling "
 RECIPE_MAINTAINER:pn-python3-pyelftools = "Joshua Watt "
-RECIPE_MAINTAINER:pn-python3-pygments = "Unassigned 
"
+RECIPE_MAINTAINER:pn-python3-pygments = "Tim Orling "
 RECIPE_MAINTAINER:pn-python3-pygobject = "Zang Ruochen 
"
 RECIPE_MAINTAINER:pn-python3-pyopenssl = "Tim Orling "
 RECIPE_MAINTAINER:pn-python3-pyparsing = "Unassigned 
"
diff --git a/meta/recipes-devtools/python/python3-pygments_2.14.0.bb 
b/meta/recipes-devtools/python/python3-pygments_2.15.1.bb
similarity index 76%
rename from meta/recipes-devtools/python/python3-pygments_2.14.0.bb
rename to meta/recipes-devtools/python/python3-pygments_2.15.1.bb
index 16769e9263..e0e477100e 100644
--- a/meta/recipes-devtools/python/python3-pygments_2.14.0.bb
+++ b/meta/recipes-devtools/python/python3-pygments_2.15.1.bb
@@ -4,8 +4,8 @@ HOMEPAGE = "http://pygments.org/;
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=36a13c90514e2899f1eba7f41c3ee592"
 
-inherit setuptools3
-SRC_URI[sha256sum] = 
"b3ed06a9e8ac9a9aae5a6f5dbe78a8a58655d17b43b93c078f094ddc476ae297"
+inherit python_setuptools_build_meta
+SRC_URI[sha256sum] = 
"8ace4d3c1dd481894b2005f560ead0f9f19ee64fe983366be1a21e171d12775c"
 
 DEPENDS += "\
 ${PYTHON_PN} \
-- 
2.40.0





[OE-core][mickledore][PATCH 1/1] python3-certifi: upgrade 2022.12.7 -> 2023.7.22

2023-08-03 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

python3-certifi 2023.7.22 contains the CVE-2023-37920 fix.

No changelog provided. Commits:

8fb96ed (tag: 2023.07.22) 2023.07.22
afe7722 Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)
2038739 Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)
44df761 Hash pin Actions and enable dependabot (#228)
8b3d7ba (tag: 2023.05.07) 2023.05.07
53da240 ci: Add Python 3.12-dev to the testing (#224)
c2fc3b1 Create a Security Policy (#222)
c211ef4 Set up permissions to github workflows (#218)
2087de5 Don't let deprecation warning fail CI (#219)
e0b9fc5 remove paragraphs about 1024-bit roots from README
9427a5a fix CI
fed4048 get CI passing again
9e9e840 (tag: 2022.12.07) 2022.12.07

Signed-off-by: Narpat Mali 
---
 ...ython3-certifi_2022.12.7.bb => python3-certifi_2023.7.22.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/python/{python3-certifi_2022.12.7.bb => 
python3-certifi_2023.7.22.bb} (86%)

diff --git a/meta/recipes-devtools/python/python3-certifi_2022.12.7.bb 
b/meta/recipes-devtools/python/python3-certifi_2023.7.22.bb
similarity index 86%
rename from meta/recipes-devtools/python/python3-certifi_2022.12.7.bb
rename to meta/recipes-devtools/python/python3-certifi_2023.7.22.bb
index dca3d26811..f63b0b6cb8 100644
--- a/meta/recipes-devtools/python/python3-certifi_2022.12.7.bb
+++ b/meta/recipes-devtools/python/python3-certifi_2023.7.22.bb
@@ -7,7 +7,7 @@ HOMEPAGE = " http://certifi.io/;
 LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3c2b7404369c587c3559afb604fce2f2"
 
-SRC_URI[sha256sum] = 
"35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3"
+SRC_URI[sha256sum] = 
"539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082"
 
 inherit pypi setuptools3
 
-- 
2.40.0





Re: [OE-core][kirkstone][PATCH 1/1] python3-certifi: fix CVE-2023-37920

2023-08-02 Thread Narpat Mali via lists.openembedded.org

On 03-08-2023 07:43, Mittal, Anuj wrote:

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know 
the content is safe.

I think this recipe should simply be upgraded instead ...


The current version python3-certifi_2021.10.8 in kirkstone is very old 
and I didn't find the release notes for python3-certifi anywhere.


So, as per kirkstone policy, I have sent a patch that backports the fix onto the
current version.


@steve is it ok to upgrade python3-certifi 2021.10.8 -> 2023.07.22 
version in kirkstone ?


../Narpat



Thanks,

Anuj

On Wed, 2023-08-02 at 17:57 +0000, Narpat Mali via
lists.openembedded.org wrote:

From: Narpat Mali 

Certifi is a curated collection of Root Certificates for validating
the trustworthiness of SSL certificates while verifying the identity
of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-
Tugra"
root certificates. e-Tugra's root certificates were subject to an
investigation prompted by reporting of security issues in their
systems.
Certifi 2023.07.22 removes root certificates from "e-Tugra" from the
root store.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-37920
https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7

Signed-off-by: Narpat Mali 
---
  .../python3-certifi/CVE-2023-37920.patch  | 301
++
  .../python/python3-certifi_2021.10.8.bb   |   4 +-
  2 files changed, 304 insertions(+), 1 deletion(-)
  create mode 100644 meta/recipes-devtools/python/python3-certifi/CVE-
2023-37920.patch

diff --git a/meta/recipes-devtools/python/python3-certifi/CVE-2023-
37920.patch b/meta/recipes-devtools/python/python3-certifi/CVE-2023-
37920.patch
new file mode 100644
index 00..62187ec469
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-certifi/CVE-2023-
37920.patch
@@ -0,0 +1,301 @@
+From 2dfddd74a75e4a1fa9bb901ba31a96e13b98a4e2 Mon Sep 17 00:00:00
2001
+From: Narpat Mali 
+Date: Wed, 2 Aug 2023 16:05:04 +
+Subject: [PATCH] Certifi is a curated collection of Root
Certificates for
+ validating the trustworthiness of SSL certificates while verifying
the
+ identity of TLS hosts. Certifi prior to version 2023.07.22
recognizes
+ "e-Tugra" root certificates. e-Tugra's root certificates were
subject to an
+ investigation prompted by reporting of security issues in their
systems.
+ Certifi 2023.07.22 removes root certificates from "e-Tugra" from
the root
+ store.
+
+CVE: CVE-2023-37920
+
+Upstream-Status: Backport
[https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed
11bc4d9b19afd7ea5c909]
+
+Signed-off-by: Narpat Mali 
+---
+ certifi/cacert.pem | 257 --
---
+ 1 file changed, 185 insertions(+), 72 deletions(-)
+
+diff --git a/certifi/cacert.pem b/certifi/cacert.pem
+index 6bae3e4..1bec256 100644
+--- a/certifi/cacert.pem
 b/certifi/cacert.pem
+@@ -879,34 +879,6 @@
uLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2
+ XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E=
+ -END CERTIFICATE-
+
+-# Issuer: CN=Hongkong Post Root CA 1 O=Hongkong Post
+-# Subject: CN=Hongkong Post Root CA 1 O=Hongkong Post
+-# Label: "Hongkong Post Root CA 1"
+-# Serial: 1000
+-# MD5 Fingerprint: a8:0d:6f:39:78:b9:43:6d:77:42:6d:98:5a:cc:23:ca
+-# SHA1 Fingerprint:
d6:da:a8:20:8d:09:d2:15:4d:24:b5:2f:cb:34:6e:b2:58:b2:8a:58
+-# SHA256 Fingerprint:
f9:e6:7d:33:6c:51:00:2a:c0:54:c6:32:02:2d:66:dd:a2:e7:e3:ff:f1:0a:d0:
61:ed:31:d8:bb:b4:10:cf:b2
+--BEGIN CERTIFICATE-
+-MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCSEsx
+-FjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3Qg
+-Um9vdCBDQSAxMB4XDTAzMDUxNTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzELMAkG
+-A1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdr
+-b25nIFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+-AQEArP84tulmAknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1ApzQ
+-jVrhVcNQhrkpJsLj2aDxaQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEn
+-PzlTCeqrauh0ssJlXI6/fMN4hM2eFvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjh
+-ZY4bXSNmO7ilMlHIhqqhqZ5/dpTCpmy3QfDVyAY45tQM4vM7TG1QjMSDJ8EThFk9
+-nnV0ttgCXjqQesBCNnLsak3c78QA3xMYV18meMjWCnl3v/evt3a5pQuEF10Q6m/h
+-q5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgED
+-MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7ih9legYsC
+-mEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI3
+-7piol7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clB
+-oiMBdDhViw+5LmeiIAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJs
+-EhTkYY2sEJCehFC78JZvRZ+K88psT/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpO
+-fMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilTc4afU9hDDl3WY4JxHYB0yvbi
+-AmvZWg==
+--END CERTIFICATE-
+-
+ # Issuer: CN=SecureSign RootCA11 O=Japan Certification Services,
Inc.
+ # Subject: CN=SecureSign RootCA11 O=Japan Certification Services,
Inc.
+ # Label: "SecureSign RootCA11"
+@@

[OE-core][kirkstone][PATCH 1/1] python3-certifi: fix CVE-2023-37920

2023-08-02 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

Certifi is a curated collection of Root Certificates for validating
the trustworthiness of SSL certificates while verifying the identity
of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra"
root certificates. e-Tugra's root certificates were subject to an
investigation prompted by reporting of security issues in their systems.
Certifi 2023.07.22 removes root certificates from "e-Tugra" from the
root store.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-37920
https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7

Signed-off-by: Narpat Mali 
---
 .../python3-certifi/CVE-2023-37920.patch  | 301 ++
 .../python/python3-certifi_2021.10.8.bb   |   4 +-
 2 files changed, 304 insertions(+), 1 deletion(-)
 create mode 100644 
meta/recipes-devtools/python/python3-certifi/CVE-2023-37920.patch

diff --git a/meta/recipes-devtools/python/python3-certifi/CVE-2023-37920.patch 
b/meta/recipes-devtools/python/python3-certifi/CVE-2023-37920.patch
new file mode 100644
index 00..62187ec469
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-certifi/CVE-2023-37920.patch
@@ -0,0 +1,301 @@
+From 2dfddd74a75e4a1fa9bb901ba31a96e13b98a4e2 Mon Sep 17 00:00:00 2001
+From: Narpat Mali 
+Date: Wed, 2 Aug 2023 16:05:04 +
+Subject: [PATCH] Certifi is a curated collection of Root Certificates for
+ validating the trustworthiness of SSL certificates while verifying the
+ identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes
+ "e-Tugra" root certificates. e-Tugra's root certificates were subject to an
+ investigation prompted by reporting of security issues in their systems.
+ Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root
+ store.
+
+CVE: CVE-2023-37920
+
+Upstream-Status: Backport 
[https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909]
+
+Signed-off-by: Narpat Mali 
+---
+ certifi/cacert.pem | 257 -
+ 1 file changed, 185 insertions(+), 72 deletions(-)
+
+diff --git a/certifi/cacert.pem b/certifi/cacert.pem
+index 6bae3e4..1bec256 100644
+--- a/certifi/cacert.pem
 b/certifi/cacert.pem
+@@ -879,34 +879,6 @@ 
uLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2
+ XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E=
+ -END CERTIFICATE-
+
+-# Issuer: CN=Hongkong Post Root CA 1 O=Hongkong Post
+-# Subject: CN=Hongkong Post Root CA 1 O=Hongkong Post
+-# Label: "Hongkong Post Root CA 1"
+-# Serial: 1000
+-# MD5 Fingerprint: a8:0d:6f:39:78:b9:43:6d:77:42:6d:98:5a:cc:23:ca
+-# SHA1 Fingerprint: 
d6:da:a8:20:8d:09:d2:15:4d:24:b5:2f:cb:34:6e:b2:58:b2:8a:58
+-# SHA256 Fingerprint: 
f9:e6:7d:33:6c:51:00:2a:c0:54:c6:32:02:2d:66:dd:a2:e7:e3:ff:f1:0a:d0:61:ed:31:d8:bb:b4:10:cf:b2
+--BEGIN CERTIFICATE-
+-MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCSEsx
+-FjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3Qg
+-Um9vdCBDQSAxMB4XDTAzMDUxNTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzELMAkG
+-A1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdr
+-b25nIFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+-AQEArP84tulmAknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1ApzQ
+-jVrhVcNQhrkpJsLj2aDxaQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEn
+-PzlTCeqrauh0ssJlXI6/fMN4hM2eFvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjh
+-ZY4bXSNmO7ilMlHIhqqhqZ5/dpTCpmy3QfDVyAY45tQM4vM7TG1QjMSDJ8EThFk9
+-nnV0ttgCXjqQesBCNnLsak3c78QA3xMYV18meMjWCnl3v/evt3a5pQuEF10Q6m/h
+-q5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgED
+-MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7ih9legYsC
+-mEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI3
+-7piol7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clB
+-oiMBdDhViw+5LmeiIAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJs
+-EhTkYY2sEJCehFC78JZvRZ+K88psT/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpO
+-fMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilTc4afU9hDDl3WY4JxHYB0yvbi
+-AmvZWg==
+--END CERTIFICATE-
+-
+ # Issuer: CN=SecureSign RootCA11 O=Japan Certification Services, Inc.
+ # Subject: CN=SecureSign RootCA11 O=Japan Certification Services, Inc.
+ # Label: "SecureSign RootCA11"
+@@ -1836,50 +1808,6 @@ 
HL/EVlP6Y2XQ8xwOFvVrhlhNGNTkDY6lnVuR3HYkUD/GKvvZt5y11ubQ2egZixVx
+ SK236thZiNSQvxaz2emsWWFUyBy6ysHK4bkgTI86k4mloMy/0/Z1pHWWbVY=
+ -END CERTIFICATE-
+
+-# Issuer: CN=E-Tugra Certification Authority O=E-Tu\u011fra EBG Bili\u015fim 
Teknolojileri ve Hizmetleri A.\u015e. OU=E-Tugra Sertifikasyon Merkezi
+-# Subject: CN=E-Tugra Certification Authority O=E-Tu\u011fra EBG Bili\u015fim 
Teknolojileri ve Hizmetleri A.\u015e. OU=E-Tugra Sertifikasyon Merkezi
+-# Label: "E-Tugra Certification Authority"
+-# Serial: 7667447206703254355
+-# MD5 Fingerprint: b8:a1:03:63:b0:bd:21:71:70:8a:6f:13:3a:bb:79:49
+-# SHA1 Fingerprint: 
51:c6:e7:08:49:06:6e:f3:92:d4:5c:a0:0d:6d:a3:62:8f:c3:52:39
+-# SHA256 Fingerprint: 

[OE-core][kirkstone][PATCH 1/1] openssl: fix for CVE-2023-2975 & CVE-2023-3446

2023-08-01 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

CVE-2023-2975: AES-SIV implementation ignores empty associated data entries
https://nvd.nist.gov/vuln/detail/CVE-2023-2975

CVE-2023-3446: Excessive time spent checking DH keys and parameters
https://nvd.nist.gov/vuln/detail/CVE-2023-3446

The openssl ptest has also been run with both CVE patches applied, and it
passes.

Signed-off-by: Narpat Mali 
---
 .../openssl/openssl/CVE-2023-2975.patch   | 62 +++
 .../openssl/openssl/CVE-2023-3446.patch   | 79 +++
 .../openssl/openssl_3.0.9.bb  |  2 +
 3 files changed, 143 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2023-2975.patch
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2023-3446.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-2975.patch 
b/meta/recipes-connectivity/openssl/openssl/CVE-2023-2975.patch
new file mode 100644
index 00..b1c72de111
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-2975.patch
@@ -0,0 +1,62 @@
+From 00e2f5eea29994d19293ec4e8c8775ba73678598 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz 
+Date: Tue, 4 Jul 2023 17:30:35 +0200
+Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
+
+The AES-SIV mode allows for multiple associated data items
+authenticated separately with any of these being 0 length.
+
+The provided implementation ignores such empty associated data
+which is incorrect in regards to the RFC 5297 and is also
+a security issue because such empty associated data then become
+unauthenticated if an application expects to authenticate them.
+
+Fixes CVE-2023-2975
+
+Reviewed-by: Matt Caswell 
+Reviewed-by: Paul Dale 
+(Merged from https://github.com/openssl/openssl/pull/21384)
+
+(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
+
+CVE: CVE-2023-2975
+
+Upstream-Status: Backport 
[https://github.com/openssl/openssl/commit/00e2f5eea29994d19293ec4e8c8775ba73678598]
+
+Signed-off-by: Narpat Mali 
+---
+ .../implementations/ciphers/cipher_aes_siv.c   | 18 +++---
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/providers/implementations/ciphers/cipher_aes_siv.c 
b/providers/implementations/ciphers/cipher_aes_siv.c
+index 45010b90db..b396c8651a 100644
+--- a/providers/implementations/ciphers/cipher_aes_siv.c
 b/providers/implementations/ciphers/cipher_aes_siv.c
+@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, 
size_t *outl,
+ if (!ossl_prov_is_running())
+ return 0;
+
+-if (inl == 0) {
+-*outl = 0;
+-return 1;
+-}
++/* Ignore just empty encryption/decryption call and not AAD. */
++if (out != NULL) {
++if (inl == 0) {
++if (outl != NULL)
++*outl = 0;
++return 1;
++}
+
+-if (outsize < inl) {
+-ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+-return 0;
++if (outsize < inl) {
++ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
++return 0;
++}
+ }
+
+ if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
+--
+2.40.0
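Review bot: The comment at the top of the new block should spell out the convention the fix relies on, namely that `out == NULL` identifies an associated-data update: `/* out == NULL means this call supplies AAD; an empty AAD item must still reach the hw cipher so it is authenticated (RFC 5297) */`. With that convention a zero-length AAD call now falls through to `ctx->hw->cipher()` with `inl == 0` instead of returning early, which is the intended change, while the new `outl != NULL` guard is a relaxation the removed code did not have. The body of `siv_cipher` continues past the hunk, so whether `*outl` is written on the AAD path after the cipher call is not visible here. Separately, the nested patch's `+++ b/providers/...` header line appears here only as ` b/providers/implementations/ciphers/cipher_aes_siv.c`; that is most likely archive mangling, but if the file in the recipe really lacks the `+++` line, `git apply` would reject it during do_patch.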
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-3446.patch 
b/meta/recipes-connectivity/openssl/openssl/CVE-2023-3446.patch
new file mode 100644
index 00..c34b19a649
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-3446.patch
@@ -0,0 +1,79 @@
+From 1fa20cf2f506113c761777127a38bce5068740eb Mon Sep 17 00:00:00 2001
+From: Matt Caswell 
+Date: Thu, 6 Jul 2023 16:36:35 +0100
+Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
+
+The DH_check() function checks numerous aspects of the key or parameters
+that have been supplied. Some of those checks use the supplied modulus
+value even if it is excessively large.
+
+There is already a maximum DH modulus size (10,000 bits) over which
+OpenSSL will not generate or derive keys. DH_check() will however still
+perform various tests for validity on such a large modulus. We introduce a
+new maximum (32,768) over which DH_check() will just fail.
+
+An application that calls DH_check() and supplies a key or parameters
+obtained from an untrusted source could be vulnerable to a Denial of
+Service attack.
+
+The function DH_check() is itself called by a number of other OpenSSL
+functions. An application calling any of those other functions may
+similarly be affected. The other functions affected by this are
+DH_check_ex() and EVP_PKEY_param_check().
+
+CVE-2023-3446
+
+Reviewed-by: Paul Dale 
+Reviewed-by: Tom Cosgrove 
+Reviewed-by: Bernd Edlinger 
+Reviewed-by: Tomas Mraz 
+(Merged from https://github.com/openssl/openssl/pull/21451)
+
+(cherry picked from commit 9e0094e2aa1b3428a12d5095132f133c078d3c3d)
+
+CVE: CVE-2023-3446
+
+Upstream-Status: Backport 
[https://github.com/openssl/openssl/commit/1fa20cf2f506113c761777127a38bce5068740eb]
+
+Signed-off-by: Narpat Mali 

[OE-core][kirkstone][PATCH 1/1] python3-requests: fix for CVE-2023-32681

2023-06-05 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking
Proxy-Authorization headers to destination servers when redirected to an HTTPS
endpoint. This is a product of how we use `rebuild_proxies` to reattach the
`Proxy-Authorization` header to requests. For HTTP connections sent through the
tunnel, the proxy will identify the header in the request itself and remove it
prior to forwarding to the destination server. However, when sent over HTTPS,
the `Proxy-Authorization` header must be sent in the CONNECT request, as the proxy
has no visibility into the tunneled request. This results in Requests forwarding
proxy credentials to the destination server unintentionally, allowing a malicious
actor to potentially exfiltrate sensitive information. This issue has been patched
in version 2.31.0.

Reference: https://github.com/advisories/GHSA-j8r2-6x86-q33q

Signed-off-by: Narpat Mali 
---
 .../python3-requests/CVE-2023-32681.patch | 63 +++
 .../python/python3-requests_2.27.1.bb |  2 +
 2 files changed, 65 insertions(+)
 create mode 100644 
meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch

diff --git a/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch 
b/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch
new file mode 100644
index 00..35b4241bde
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch
@@ -0,0 +1,63 @@
+From cd0128c0becd8729d0f8733bf42fbd333d51f833 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt 
+Date: Mon, 5 Jun 2023 09:31:36 +
+Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q
+
+CVE: CVE-2023-32681
+
+Upstream-Status: Backport 
[https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5]
+
+Signed-off-by: Narpat Mali 
+---
+ requests/sessions.py   |  4 +++-
+ tests/test_requests.py | 20 
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/requests/sessions.py b/requests/sessions.py
+index 3f59cab..648cffa 100644
+--- a/requests/sessions.py
 b/requests/sessions.py
+@@ -293,7 +293,9 @@ class SessionRedirectMixin(object):
+ except KeyError:
+ username, password = None, None
+
+-if username and password:
++# urllib3 handles proxy authorization for us in the standard adapter.
++# Avoid appending this to TLS tunneled requests where it may be 
leaked.
++if not scheme.startswith('https') and username and password:
+ headers['Proxy-Authorization'] = _basic_auth_str(username, 
password)
+
+ return new_proxies
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index 29b3aca..6a3 100644
+--- a/tests/test_requests.py
 b/tests/test_requests.py
+@@ -601,6 +601,26 @@ class TestRequests:
+
+ assert sent_headers.get("Proxy-Authorization") == proxy_auth_value
+
++
++@pytest.mark.parametrize(
++"url,has_proxy_auth",
++(
++('http://example.com', True),
++('https://example.com', False),
++),
++)
++def test_proxy_authorization_not_appended_to_https_request(self, url, 
has_proxy_auth):
++session = requests.Session()
++proxies = {
++'http': 'http://test:pass@localhost:8080',
++'https': 'http://test:pass@localhost:8090',
++}
++req = requests.Request('GET', url)
++prep = req.prepare()
++session.rebuild_proxies(prep, proxies)
++
++assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
++
+ def test_basicauth_with_netrc(self, httpbin):
+ auth = ('user', 'pass')
+ wrong_auth = ('wronguser', 'wrongpass')
+--
+2.40.0
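Review bot: The new guard on the `if not scheme.startswith('https') and username and password:` line only prevents `Proxy-Authorization` from being re-added for HTTPS targets; it does not by itself remove a `Proxy-Authorization` header already carried over from an earlier hop of the redirect chain. Upstream's `rebuild_proxies` drops any existing header earlier in the function (`if 'Proxy-Authorization' in headers: del headers['Proxy-Authorization']`), which lies outside this hunk, so please confirm that block is present in the 2.27.1 copy of `requests/sessions.py` the backport targets; otherwise the leak is only partially closed. `rebuild_proxies` starts above the hunk and `scheme` is assigned there, so the check assumes it holds the scheme of the redirect target URL. The added test exercises the http/https split on `rebuild_proxies` directly but not an http-to-https redirect, which is the scenario described in the advisory.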
diff --git a/meta/recipes-devtools/python/python3-requests_2.27.1.bb 
b/meta/recipes-devtools/python/python3-requests_2.27.1.bb
index af52b7caf5..635a6af31f 100644
--- a/meta/recipes-devtools/python/python3-requests_2.27.1.bb
+++ b/meta/recipes-devtools/python/python3-requests_2.27.1.bb
@@ -3,6 +3,8 @@ HOMEPAGE = "http://python-requests.org;
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658"
 
+SRC_URI += "file://CVE-2023-32681.patch"
+
 SRC_URI[sha256sum] = 
"68d7c56fd5a8999887728ef304a6d12edc7be74f1cfa47714fc8b414525c9a61"
 
 inherit pypi setuptools3
-- 
2.40.0





[OE-core][kirkstone][PATCH 1/1] python3-cryptography: fix for CVE-2023-23931

2023-05-05 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

cryptography is a package designed to expose cryptographic primitives
and recipes to Python developers. In affected versions `Cipher.update_into`
would accept Python objects which implement the buffer protocol, but
provide only immutable buffers. This would allow immutable objects
(such as `bytes`) to be mutated, thus violating fundamental rules of
Python and resulting in corrupted output. This now correctly raises
an exception. This issue has been present since `update_into` was
originally introduced in cryptography 1.8.

Signed-off-by: Narpat Mali 
---
 .../python3-cryptography/CVE-2023-23931.patch | 49 +++
 .../python/python3-cryptography_36.0.2.bb |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 
meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch

diff --git 
a/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch 
b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch
new file mode 100644
index 00..5fc4878978
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch
@@ -0,0 +1,49 @@
+From 9fbf84efc861668755ab645530ec7be9cf3c6696 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor 
+Date: Tue, 7 Feb 2023 11:34:18 -0500
+Subject: [PATCH] Don't allow update_into to mutate immutable objects (#8230)
+
+CVE: CVE-2023-23931
+
+Upstream-Status: Backport 
[https://github.com/pyca/cryptography/commit/9fbf84efc861668755ab645530ec7be9cf3c6696]
+
+Signed-off-by: Narpat Mali 
+---
+ src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
+ tests/hazmat/primitives/test_ciphers.py | 8 
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py 
b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 286583f93..075d68fb9 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
 b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -156,7 +156,7 @@ class _CipherContext:
+ data_processed = 0
+ total_out = 0
+ outlen = self._backend._ffi.new("int *")
+-baseoutbuf = self._backend._ffi.from_buffer(buf)
++baseoutbuf = self._backend._ffi.from_buffer(buf, 
require_writable=True)
+ baseinbuf = self._backend._ffi.from_buffer(data)
+
+ while data_processed != total_data_len:
+diff --git a/tests/hazmat/primitives/test_ciphers.py 
b/tests/hazmat/primitives/test_ciphers.py
+index 02127dd9c..bf3b047de 100644
+--- a/tests/hazmat/primitives/test_ciphers.py
 b/tests/hazmat/primitives/test_ciphers.py
+@@ -318,6 +318,14 @@ class TestCipherUpdateInto:
+ with pytest.raises(ValueError):
+ encryptor.update_into(b"testing", buf)
+
++def test_update_into_immutable(self, backend):
++key = b"\x00" * 16
++c = ciphers.Cipher(AES(key), modes.ECB(), backend)
++encryptor = c.encryptor()
++buf = b"\x00" * 32
++with pytest.raises((TypeError, BufferError)):
++encryptor.update_into(b"testing", buf)
++
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.cipher_supported(
+ AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
+--
+2.40.0
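Review bot: `require_writable=True` on the `self._backend._ffi.from_buffer(buf, require_writable=True)` line is a cffi keyword argument that older cffi releases do not accept, so on such a version `update_into` would raise `TypeError` for every buffer, writable or not, rather than only for immutable ones. Please confirm the python3-cffi version shipped in kirkstone accepts it (as I recall cffi added `require_writable` in 1.12) or note the minimum version in the recipe. The test added to `test_ciphers.py` expects `(TypeError, BufferError)`, which would still pass against an old cffi and so would not catch that regression. The `update_into` body continues outside the hunk.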
diff --git a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb 
b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
index 9ef5ff39c8..c3ae0c1ab9 100644
--- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
@@ -17,6 +17,7 @@ SRC_URI += " \
 file://0001-Cargo.toml-specify-pem-version.patch \
 file://0002-Cargo.toml-edition-2018-2021.patch \
 file://fix-leak-metric.patch \
+file://CVE-2023-23931.patch \
 "
 
 inherit pypi python_setuptools3_rust
-- 
2.40.0





[OE-core][kirkstone][PATCH 1/1] ffmpeg: fix for CVE-2022-48434

2023-04-28 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and
other products, leaves stale hwaccel state in worker threads, which
allows attackers to trigger a use-after-free and execute arbitrary
code in some circumstances (e.g., hardware re-initialization upon a
mid-video SPS change when Direct3D11 is used).

Signed-off-by: Narpat Mali 
---
 .../ffmpeg/ffmpeg/CVE-2022-48434.patch| 130 ++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |   3 +-
 2 files changed, 132 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch 
b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
new file mode 100644
index 00..3cd374dc39
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
@@ -0,0 +1,130 @@
+From e40c964a0678908e2c756741343ed50d6a99ee12 Mon Sep 17 00:00:00 2001
+From: Anton Khirnov 
+Date: Fri, 28 Apr 2023 11:45:30 +
+Subject: [PATCH] lavc/pthread_frame: avoid leaving stale hwaccel state in
+ worker threads
+
+This state is not refcounted, so make sure it always has a well-defined
+owner.
+
+Remove the block added in 091341f, as
+this commit also solves that issue in a more general way.
+
+CVE:CVE-2022-48434
+
+Upstream-Status: Backport 
[https://github.com/FFmpeg/FFmpeg/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11]
+
+Signed-off-by: Narpat Mali 
+---
+ libavcodec/pthread_frame.c | 46 +-
+ 1 file changed, 35 insertions(+), 11 deletions(-)
+
+diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c
+index 85a6bc9..e40dced 100644
+--- a/libavcodec/pthread_frame.c
 b/libavcodec/pthread_frame.c
+@@ -145,6 +145,12 @@ typedef struct FrameThreadContext {
+ * Set for the first N packets, where N is 
the number of threads.
+ * While it is set, 
ff_thread_en/decode_frame won't return any results.
+ */
++
++/* hwaccel state is temporarily stored here in order to transfer its 
ownership
++ * to the next decoding thread without the need for extra synchronization 
*/
++const AVHWAccel *stash_hwaccel;
++void*stash_hwaccel_context;
++void*stash_hwaccel_priv;
+ } FrameThreadContext;
+ 
+ #if FF_API_THREAD_SAFE_CALLBACKS
+@@ -229,9 +235,17 @@ FF_ENABLE_DEPRECATION_WARNINGS
+ ff_thread_finish_setup(avctx);
+ 
+ if (p->hwaccel_serializing) {
++/* wipe hwaccel state to avoid stale pointers lying around;
++ * the state was transferred to FrameThreadContext in
++ * ff_thread_finish_setup(), so nothing is leaked */
++avctx->hwaccel = NULL;
++avctx->hwaccel_context = NULL;
++avctx->internal->hwaccel_priv_data = NULL;
++
+ p->hwaccel_serializing = 0;
+ pthread_mutex_unlock(>parent->hwaccel_mutex);
+ }
++av_assert0(!avctx->hwaccel);
+ 
+ if (p->async_serializing) {
+ p->async_serializing = 0;
+@@ -294,14 +308,10 @@ static int update_context_from_thread(AVCodecContext 
*dst, AVCodecContext *src,
+ dst->color_range = src->color_range;
+ dst->chroma_sample_location = src->chroma_sample_location;
+ 
+-dst->hwaccel = src->hwaccel;
+-dst->hwaccel_context = src->hwaccel_context;
+-
+ dst->channels   = src->channels;
+ dst->sample_rate= src->sample_rate;
+ dst->sample_fmt = src->sample_fmt;
+ dst->channel_layout = src->channel_layout;
+-dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data;
+ 
+ if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx ||
+ (dst->hw_frames_ctx && dst->hw_frames_ctx->data != 
src->hw_frames_ctx->data)) {
+@@ -442,6 +452,12 @@ static int submit_packet(PerThreadContext *p, 
AVCodecContext *user_avctx,
+ pthread_mutex_unlock(>mutex);
+ return err;
+ }
++
++/* transfer hwaccel state stashed from previous thread, if any */
++av_assert0(!p->avctx->hwaccel);
++FFSWAP(const AVHWAccel*, p->avctx->hwaccel, 
fctx->stash_hwaccel);
++FFSWAP(void*,p->avctx->hwaccel_context, 
fctx->stash_hwaccel_context);
++FFSWAP(void*,p->avctx->internal->hwaccel_priv_data, 
fctx->stash_hwaccel_priv);
+ }
+ 
+ av_packet_unref(p->avpkt);
+@@ -647,6 +663,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) {
+ async_lock(p->parent);
+ }
+ 
++/* save hwaccel state for passing to the next thread;
++ * this is done here so that this worker thread can wipe its own hwaccel
++ * state after decoding, without requiring synchronization */
++av_assert0(!p->parent->stash_hwaccel);